Legalica Security Infrastructure & Compliance

Last UpdatedJune 23, 2026
Effective DateUpon company registration
Infrastructure ProviderGoogle Cloud Platform (GCP)
CRITICAL NOTICE TO USERS:THE LEGALICA PLATFORM RUNS ENTIRELY ON GOOGLE CLOUD PLATFORM INFRASTRUCTURE. ALL DATA STORAGE, PROCESSING, AUTHENTICATION, AND COMPUTATION OCCURS ON GOOGLE-OWNED AND OPERATED SYSTEMS. LEGALICA IS A SOFTWARE APPLICATION THAT OPERATES ON TOP OF GOOGLE CLOUD SERVICES. LEGALICA DOES NOT OWN, OPERATE, OR CONTROL ANY PHYSICAL SERVERS, DATA CENTERS, OR NETWORK INFRASTRUCTURE. BY USING THE PLATFORM, YOU ACKNOWLEDGE AND ACCEPT THAT SERVICE QUALITY, SECURITY, AND AVAILABILITY ARE DEPENDENT ON GOOGLE CLOUD AND OTHER THIRD-PARTY PROVIDERS OVER WHICH LEGALICA HAS NO DIRECT CONTROL. THIS ACCEPTANCE IS A MATERIAL CONDITION OF YOUR SUBSCRIPTION.

Table of Contents

  • Infrastructure Architecture Overview
  • Google Cloud Platform Terms Summary
  • Firebase Authentication Terms
  • Third-Party LLM Provider Terms
  • External Registry Data Sources
  • Liability Allocation Framework
  • Data Residency and Sovereignty
  • Infrastructure Provider Incident Response
  • Business Continuity and Disaster Recovery
  • Infrastructure Changes and Service Continuity
  • User Protections and Best Practices
  • Subprocessor Governance
  • Infrastructure Audit Rights
  • Contact Information

1. INFRASTRUCTURE ARCHITECTURE OVERVIEW

1.1 Full Technology Stack

The Legalica Platform operates exclusively on the following third-party infrastructure:

┌─────────────────────────────────────────────────────────────┐
│                    LEGALICA APPLICATION                        │
│              (Software Layer — Legalica's Control)           │
│  • Application code, business logic, AI orchestration        │
│  • User interface, API endpoints, data models                │
│  • Security rules, access controls, encryption keys          │
└──────────────────────────┬──────────────────────────────────┘
                           │
┌──────────────────────────▼──────────────────────────────────┐
│              GOOGLE CLOUD PLATFORM (GCP)                      │
│         (Infrastructure Layer — Google's Control)            │
│                                                              │
│  ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐   │
│  │Cloud Firestore│ │Firebase Auth │ │Cloud Storage     │   │
│  │ (Database)    │ │(Authentication)│ │ (File Storage)  │   │
│  └──────────────┘ └──────────────┘ └──────────────────┘   │
│  ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐   │
│  │Cloud Functions│ │Cloud CDN     │ │Cloud Monitoring  │   │
│  │ (Serverless)  │ │ (Delivery)   │ │ (Observability)  │   │
│  └──────────────┘ └──────────────┘ └──────────────────┘   │
│  ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐   │
│  │Vertex AI      │ │Cloud Armor   │ │Cloud KMS         │   │
│  │ (AI/ML)      │ │ (Security)   │ │ (Key Management) │   │
│  └──────────────┘ └──────────────┘ └──────────────────┘   │
│                                                              │
│  Physical Infrastructure: Google-owned data centers         │
│  Location: europe-west3 (Frankfurt), europe-west2 (London) │
└─────────────────────────────────────────────────────────────┘
                           │
┌──────────────────────────▼──────────────────────────────────┐
│              THIRD-PARTY SERVICES (External)                  │
│                                                              │
│  ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐   │
│  │ Google Gemini│ │ Moonshot AI  │ │ Groq / Meta      │   │
│  │ (Primary LLM)│ │ (Kimi, #2)   │ │ (Llama 3, #3)    │   │
│  └──────────────┘ └──────────────┘ └──────────────────┘   │
│  ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐   │
│  │ Ollama       │ │ Stripe       │ │ GLEIF            │   │
│  │ (Local, #4)  │ │ (Payments)   │ │ (LEI Data)       │   │
│  └──────────────┘ └──────────────┘ └──────────────────┘   │
│  ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐   │
│  │OpenCorporates│ │ Postmark/    │ │ Google           │   │
│  │(Registry)    │ │ SendGrid     │ │ Workspace        │   │
│  └──────────────┘ │ (Email)      │ │ (Optional)       │   │
│                   └──────────────┘ └──────────────────┘   │
└─────────────────────────────────────────────────────────────┘

1.2 What Legalica Controls vs. What Google Controls

AspectControlled by LegalicaControlled by Google
Application code✅ Yes❌ No
Business logic✅ Yes❌ No
User interface✅ Yes❌ No
API design✅ Yes❌ No
AI orchestration✅ Yes❌ No
Security rules (Firebase)✅ Yes (configuration)❌ No
Encryption key management✅ Yes (Customer-Managed Keys)❌ No
Physical servers❌ No✅ Yes
Data center facilities❌ No✅ Yes
Network infrastructure❌ No✅ Yes
Power and cooling❌ No✅ Yes
Hardware maintenance❌ No✅ Yes
Operating system patches❌ No✅ Yes
Hypervisor security❌ No✅ Yes
Container orchestrationPartialPartial
Authentication infrastructure❌ No (Firebase)✅ Yes
CDN edge locations❌ No✅ Yes
DDoS protection❌ No (Cloud Armor)✅ Yes
Database engine❌ No (Firestore)✅ Yes

2. GOOGLE CLOUD PLATFORM TERMS SUMMARY

2.1 Applicable Terms: Legalica's use of Google Cloud is governed by the Google Cloud Platform Terms of Service (cloud.google.com/terms). Key provisions affecting Platform users include:

2.2 Google's Limitation of Liability: Under Section 12 of the Google Cloud Terms:

AspectGoogle's Position
Indirect damagesExcluded — no liability for indirect, consequential, special, incidental, or punitive damages
Liability capTotal fees paid by Legalica to Google in the 12 months preceding the event
Free servicesLiability capped at US$5,000
Unlimited liabilitiesFraud, IP infringement, indemnification, payment obligations, and matters non-excludable by law

2.3 Google's Disclaimer: Under Section 11: "EXCEPT AS EXPRESSLY AGREED, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW: (a) GOOGLE DOES NOT MAKE ANY WARRANTY OF ANY KIND; (b) GOOGLE IS NOT RESPONSIBLE FOR THE DELETION OF OR FAILURE TO STORE ANY CUSTOMER DATA; (c) CUSTOMER IS RESPONSIBLE FOR SECURING AND BACKING UP ITS APPLICATION AND CUSTOMER DATA."

2.4 Google's Data Incident Policy: Under Section 7.2: (a) Google will notify promptly after becoming aware of a Data Incident; (b) Google's notification is not an acknowledgment of fault or liability; (c) Google has no obligation to assess Customer Data for legal compliance; (d) Google will describe the nature of the incident and measures taken.

2.5 Google's Modification Rights: Google may: (a) update services with commercially reasonable changes; (b) modify terms with 30 days' notice for material changes; (c) change SLAs with 90 days' notice; (d) discontinue services with appropriate notice.

2.6 Google's Subprocessor Governance: Google: (a) maintains a public subprocessor list; (b) provides 30 days' notice for new subprocessors; (c) remains liable for subprocessor acts and omissions; (d) ensures subprocessor contracts include equivalent data protection obligations.

2.7 Google's AI Terms: Under Section 14 of GCP Service Specific Terms: "Google will not use Customer Data to train or fine-tune any AI/ML models without Customer's prior permission or instruction"; Customer retains all rights to Customer Models; Google owns rights in Google Pre-Trained Models and Fine-Tuned Models.

3. FIREBASE AUTHENTICATION TERMS

3.1 Service Terms: Firebase Authentication is governed by: (a) Firebase Terms of Service; (b) Google Cloud Platform Terms of Service; (c) Firebase Data Processing and Security Terms.

3.2 Data Processing: Under Firebase Data Processing Terms: Google processes authentication data as a processor; SCC 2021/914 applies to international transfers; EU-US Data Privacy Framework certification applies; data may be processed anywhere Google maintains facilities unless data location is configured. Legalica has configured Firebase Authentication to process data in the EU (europe-west3).

3.3 Authentication Security: Firebase Authentication provides: (a) secure password hashing (bcrypt/scrypt); (b) multi-factor authentication (TOTP/SMS); (c) OAuth 2.0 integration with Google, Microsoft, and other providers; (d) email verification; (d) password reset functionality; (e) brute force protection; (f) account lockout after failed attempts.

Legalica's Responsibility: Configuring Firebase Security Rules, enabling MFA, setting password policies, and monitoring for suspicious login patterns.

Google's Responsibility: Maintaining authentication infrastructure security, patching vulnerabilities in Firebase libraries, and providing service uptime according to Google's service level agreements.

4. THIRD-PARTY LLM PROVIDER TERMS

4.1 API Integrations: Legalica utilizes API-level integrations with third-party Large Language Model (LLM) providers for processing text prompts and generating AI Output. These models do not run on Legalica's local hardware, but are queried as microservices.

4.2 Zero-Data Retention Policies: Legalica contractually enforces zero-data retention (ZDR) and no-training policies with LLM subprocessors to protect client confidentiality.

ProviderModel SeriesData Retention PeriodModel Training Policy
Google (Gemini API)Gemini 1.5 Pro / Flash — Primary AI Cascade (#1)0 days (Transient / Zero Retention)❌ Excluded (No model training permitted)
Moonshot AI (Kimi)Kimi (moonshot-v1-8k / 32k) — Cascade Fallback #20 days (Transient / Zero Retention)❌ Excluded (No model training permitted)
Groq / Meta (Llama)Meta Llama 3 via Groq API — Cascade Fallback #30 days (Transient / Zero Retention)❌ Excluded (No model training permitted)
Ollama (self-hosted)Qwen local model — Cascade Fallback #4 (local execution, no network transfer)N/A — no external transfer❌ Excluded (processed locally, no third-party involved)

4.3 API Service SLAs: LLM providers do not guarantee 100% availability. Service interruptions on LLM provider APIs are handled by fallback mechanisms, routing queries to alternative providers where possible. Uptime and response speed for these elements are subject to third-party SLAs.

4.4 Sovereign Eight Cascade:

The Platform uses a multi-provider AI inference cascade. Queries are routed through providers in the following priority order:

PriorityProviderModelRegionRole
1Google Vertex AIGemini 1.5/2.5/3.1 ProEU (europe-west3)Primary inference
2Moonshot AIKimi k2.6China (api.moonshot.ai)Deep analysis fallback
3Groq CloudLlama 3.3 70BUS (api.groq.com)Speed fallback
4OllamaQwen 3 CoderLocal / US-EUSpecialized tasks

If a provider is unavailable, the system automatically falls back to the next provider in the priority list. Users are not notified of individual provider switches unless a complete cascade failure occurs.

5. EXTERNAL REGISTRY DATA SOURCES

5.1 Registry Ingestion: To perform corporate intelligence, KYC mapping, and beneficial owner (UBO) tracing, Legalica queries public registries and company databases via encrypted secure APIs.

5.2 Data Integrity and Freshness: Information retrieved from registries is cached for performance optimization. Cached registry data is refreshed regularly.

SourceData IngestedPrimary JurisdictionsFreshness / Cache TTL
GLEIF APILegal Entity Identifier (LEI) recordsGlobalLive query (no caching)
OpenCorporates APICompany profile details, directors, status140+ jurisdictionsLive query / 30-day cache fallback (Firestore-backed)
Estonian Ariregister APIBoard members, share capital, corporate historyRepublic of EstoniaLive query (no cache)

6. LIABILITY ALLOCATION FRAMEWORK

6.1 Shared Responsibility Model: Similar to cloud provider models, liability on the Legalica platform is divided based on control. Legalica does not assume liability for infrastructure failures, model hallucinations, or user decisions made without independent verification.

6.2 Responsibility Matrix:

Incident TypePrimary Responsible PartyLegalica's Position
Application software bugsLegalicaRemediation of code; liability capped at fees paid in past 12 months.
Google Cloud downtimeGoogle Cloud PlatformSubject to Google Cloud SLAs. Legalica is not liable for infrastructure downtime.
AI output hallucinations / errorsUser / Professional Attorney❌ Excluded. Mandatory attorney review required. Legalica is not liable.
Registry data inaccuraciesRegistry Provider (GLEIF/OpenCorp)❌ Excluded. Legalica is not liable for public registry inaccuracies.
Account credential leakageUser (unless Firebase infrastructure breach)User responsible for securing password and enforcing MFA.

7. DATA RESIDENCY AND SOVEREIGNTY

7.1 EU Sovereign Cloud: Legalica operates on Google Cloud infrastructure in Europe. All databases and file storage are configured within the European Union (europe-west3 — Frankfurt). Certain serverless compute functions (Cloud Functions) execute in us-central1 (Iowa, USA) for specific workloads; no Customer Data persists in us-central1 — all structured data storage remains in the EU. See Section 7.2 for data flow details.

7.2 Data Transfer Flow

EU Data Subject ──► HTTPS (TLS 1.3) ──► Frankfurt GCP (europe-west3)
                                         │
                   ┌─────────────────────┴─────────────────────┐
                   ▼                                           ▼
         Vertex AI (EU region)                    US LLM Endpoints (ZDR, TLS 1.3)
         • Zero retention                         • Zero retention
         • No training                            • No training

Data Sovereignty Gavel: All Customer Data remains inside the Frankfurt region at rest. In transit, LLM queries route through secure pipelines to either EU Vertex AI locations or US-based LLM provider endpoints under Standard Contractual Clauses (SCC 2021/914).

8. INFRASTRUCTURE PROVIDER INCIDENT RESPONSE

8.1 Joint Detection and Escalation: In the event of a security incident originating on Google Cloud infrastructure or LLM provider networks, Legalica relies on notifications provided by Google Cloud's DPO.

8.2 Notification Timelines: If Google Cloud notifies Legalica of a data incident affecting customer data, Legalica will notify affected customers within 36 hours.

9. BUSINESS CONTINUITY AND DISASTER RECOVERY

9.1 Backup Systems: Cloud Firestore relies on Google Cloud's native regional redundancy within europe-west3 (Frankfurt). On-demand snapshots can be initiated manually via the Firebase Console. Automated daily cross-region backup replication to europe-west2 (London) is planned but not yet implemented. Enterprise customers may request on-demand data exports for independent backup purposes.

9.2 Recovery Metrics:

  • Recovery Point Objective (RPO): Dependent on Google Cloud Firestore native regional redundancy and last manual snapshot. No automated snapshot schedule is currently active.
  • Recovery Time Objective (RTO): Dependent on Google Cloud platform recovery timelines and Firebase infrastructure restoration. Target: best effort within Google Cloud's SLA parameters.

10. INFRASTRUCTURE CHANGES AND SERVICE CONTINUITY

Google Cloud may deprecate, modify, or update infrastructure features. Legalica is responsible for updating application code to adapt to Google Cloud API changes and ensure continuous service. Legalica will provide at least 14 days' notice to users of any planned system maintenance.

11. USER PROTECTIONS AND BEST PRACTICES

To maintain the integrity of the technology stack, users must adhere to security best practices:

  • Enable Multi-Factor Authentication (MFA) on accounts.
  • Ensure browser software is updated to support secure TLS 1.3 encryption.
  • Refrain from uploading unencrypted sensitive credentials to document workspaces.

12. SUBPROCESSOR GOVERNANCE

12.1 Vendor Selection: Legalica conducts security reviews of all subprocessors in the infrastructure chain.

12.2 Subprocessor Governance Hierarchy:

TierProviderCompliance StandardData Agreement
Tier 1 InfrastructureGoogle LLCSOC 2 Type II, ISO 27001GCP DPA + Standard Contractual Clauses (SCC)
Tier 1 AI InferenceGoogle Gemini (primary), Moonshot AI/Kimi (#2), Groq/Meta Llama (#3), Ollama local (#4)SOC 2 Type II, HIPAAB2B zero-data retention agreements
Tier 2 PaymentsStripe, Inc.PCI-DSS Level 1 CompliantB2B Data Processing Agreement

13. INFRASTRUCTURE AUDIT RIGHTS

Enterprise tier subscribers may request access to SOC 2 Type II compliance audit reports for Legalica and the underlying Google Cloud Platform infrastructure. Access is provided under a Non-Disclosure Agreement (NDA) and limited to once per calendar year.

14. CONTACT INFORMATION

For questions regarding the infrastructure, technology stack, security systems, or data residency:

Security Team: security@legalica.app
Legal Team: legal@legalica.app
BY USING THE LEGALICA PLATFORM, YOU ACKNOWLEDGE AND AGREE THAT SERVICE DELIVERY AND DATA SECURITY ARE DEPENDENT ON GOOGLE CLOUD AND OTHER THIRD-PARTY SUBPROCESSORS AS DESCRIBED IN THIS MASTER INFRASTRUCTURE & THIRD-PARTY TERMS.