Legalica Security Infrastructure & Compliance
Table of Contents
- Infrastructure Architecture Overview
- Google Cloud Platform Terms Summary
- Firebase Authentication Terms
- Third-Party LLM Provider Terms
- External Registry Data Sources
- Liability Allocation Framework
- Data Residency and Sovereignty
- Infrastructure Provider Incident Response
- Business Continuity and Disaster Recovery
- Infrastructure Changes and Service Continuity
- User Protections and Best Practices
- Subprocessor Governance
- Infrastructure Audit Rights
- Contact Information
1. INFRASTRUCTURE ARCHITECTURE OVERVIEW
1.1 Full Technology Stack
The Legalica Platform operates exclusively on the following third-party infrastructure:
┌─────────────────────────────────────────────────────────────┐
│ LEGALICA APPLICATION │
│ (Software Layer — Legalica's Control) │
│ • Application code, business logic, AI orchestration │
│ • User interface, API endpoints, data models │
│ • Security rules, access controls, encryption keys │
└──────────────────────────┬──────────────────────────────────┘
│
┌──────────────────────────▼──────────────────────────────────┐
│ GOOGLE CLOUD PLATFORM (GCP) │
│ (Infrastructure Layer — Google's Control) │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐ │
│ │Cloud Firestore│ │Firebase Auth │ │Cloud Storage │ │
│ │ (Database) │ │(Authentication)│ │ (File Storage) │ │
│ └──────────────┘ └──────────────┘ └──────────────────┘ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐ │
│ │Cloud Functions│ │Cloud CDN │ │Cloud Monitoring │ │
│ │ (Serverless) │ │ (Delivery) │ │ (Observability) │ │
│ └──────────────┘ └──────────────┘ └──────────────────┘ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐ │
│ │Vertex AI │ │Cloud Armor │ │Cloud KMS │ │
│ │ (AI/ML) │ │ (Security) │ │ (Key Management) │ │
│ └──────────────┘ └──────────────┘ └──────────────────┘ │
│ │
│ Physical Infrastructure: Google-owned data centers │
│ Location: europe-west3 (Frankfurt), europe-west2 (London) │
└─────────────────────────────────────────────────────────────┘
│
┌──────────────────────────▼──────────────────────────────────┐
│ THIRD-PARTY SERVICES (External) │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐ │
│ │ Google Gemini│ │ Moonshot AI │ │ Groq / Meta │ │
│ │ (Primary LLM)│ │ (Kimi, #2) │ │ (Llama 3, #3) │ │
│ └──────────────┘ └──────────────┘ └──────────────────┘ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐ │
│ │ Ollama │ │ Stripe │ │ GLEIF │ │
│ │ (Local, #4) │ │ (Payments) │ │ (LEI Data) │ │
│ └──────────────┘ └──────────────┘ └──────────────────┘ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐ │
│ │OpenCorporates│ │ Postmark/ │ │ Google │ │
│ │(Registry) │ │ SendGrid │ │ Workspace │ │
│ └──────────────┘ │ (Email) │ │ (Optional) │ │
│ └──────────────┘ └──────────────────┘ │
└─────────────────────────────────────────────────────────────┘1.2 What Legalica Controls vs. What Google Controls
| Aspect | Controlled by Legalica | Controlled by Google |
|---|---|---|
| Application code | ✅ Yes | ❌ No |
| Business logic | ✅ Yes | ❌ No |
| User interface | ✅ Yes | ❌ No |
| API design | ✅ Yes | ❌ No |
| AI orchestration | ✅ Yes | ❌ No |
| Security rules (Firebase) | ✅ Yes (configuration) | ❌ No |
| Encryption key management | ✅ Yes (Customer-Managed Keys) | ❌ No |
| Physical servers | ❌ No | ✅ Yes |
| Data center facilities | ❌ No | ✅ Yes |
| Network infrastructure | ❌ No | ✅ Yes |
| Power and cooling | ❌ No | ✅ Yes |
| Hardware maintenance | ❌ No | ✅ Yes |
| Operating system patches | ❌ No | ✅ Yes |
| Hypervisor security | ❌ No | ✅ Yes |
| Container orchestration | Partial | Partial |
| Authentication infrastructure | ❌ No (Firebase) | ✅ Yes |
| CDN edge locations | ❌ No | ✅ Yes |
| DDoS protection | ❌ No (Cloud Armor) | ✅ Yes |
| Database engine | ❌ No (Firestore) | ✅ Yes |
2. GOOGLE CLOUD PLATFORM TERMS SUMMARY
2.1 Applicable Terms: Legalica's use of Google Cloud is governed by the Google Cloud Platform Terms of Service (cloud.google.com/terms). Key provisions affecting Platform users include:
2.2 Google's Limitation of Liability: Under Section 12 of the Google Cloud Terms:
| Aspect | Google's Position |
|---|---|
| Indirect damages | Excluded — no liability for indirect, consequential, special, incidental, or punitive damages |
| Liability cap | Total fees paid by Legalica to Google in the 12 months preceding the event |
| Free services | Liability capped at US$5,000 |
| Unlimited liabilities | Fraud, IP infringement, indemnification, payment obligations, and matters non-excludable by law |
2.3 Google's Disclaimer: Under Section 11: "EXCEPT AS EXPRESSLY AGREED, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW: (a) GOOGLE DOES NOT MAKE ANY WARRANTY OF ANY KIND; (b) GOOGLE IS NOT RESPONSIBLE FOR THE DELETION OF OR FAILURE TO STORE ANY CUSTOMER DATA; (c) CUSTOMER IS RESPONSIBLE FOR SECURING AND BACKING UP ITS APPLICATION AND CUSTOMER DATA."
2.4 Google's Data Incident Policy: Under Section 7.2: (a) Google will notify promptly after becoming aware of a Data Incident; (b) Google's notification is not an acknowledgment of fault or liability; (c) Google has no obligation to assess Customer Data for legal compliance; (d) Google will describe the nature of the incident and measures taken.
2.5 Google's Modification Rights: Google may: (a) update services with commercially reasonable changes; (b) modify terms with 30 days' notice for material changes; (c) change SLAs with 90 days' notice; (d) discontinue services with appropriate notice.
2.6 Google's Subprocessor Governance: Google: (a) maintains a public subprocessor list; (b) provides 30 days' notice for new subprocessors; (c) remains liable for subprocessor acts and omissions; (d) ensures subprocessor contracts include equivalent data protection obligations.
2.7 Google's AI Terms: Under Section 14 of GCP Service Specific Terms: "Google will not use Customer Data to train or fine-tune any AI/ML models without Customer's prior permission or instruction"; Customer retains all rights to Customer Models; Google owns rights in Google Pre-Trained Models and Fine-Tuned Models.
3. FIREBASE AUTHENTICATION TERMS
3.1 Service Terms: Firebase Authentication is governed by: (a) Firebase Terms of Service; (b) Google Cloud Platform Terms of Service; (c) Firebase Data Processing and Security Terms.
3.2 Data Processing: Under Firebase Data Processing Terms: Google processes authentication data as a processor; SCC 2021/914 applies to international transfers; EU-US Data Privacy Framework certification applies; data may be processed anywhere Google maintains facilities unless data location is configured. Legalica has configured Firebase Authentication to process data in the EU (europe-west3).
3.3 Authentication Security: Firebase Authentication provides: (a) secure password hashing (bcrypt/scrypt); (b) multi-factor authentication (TOTP/SMS); (c) OAuth 2.0 integration with Google, Microsoft, and other providers; (d) email verification; (d) password reset functionality; (e) brute force protection; (f) account lockout after failed attempts.
Legalica's Responsibility: Configuring Firebase Security Rules, enabling MFA, setting password policies, and monitoring for suspicious login patterns.
Google's Responsibility: Maintaining authentication infrastructure security, patching vulnerabilities in Firebase libraries, and providing service uptime according to Google's service level agreements.
4. THIRD-PARTY LLM PROVIDER TERMS
4.1 API Integrations: Legalica utilizes API-level integrations with third-party Large Language Model (LLM) providers for processing text prompts and generating AI Output. These models do not run on Legalica's local hardware, but are queried as microservices.
4.2 Zero-Data Retention Policies: Legalica contractually enforces zero-data retention (ZDR) and no-training policies with LLM subprocessors to protect client confidentiality.
| Provider | Model Series | Data Retention Period | Model Training Policy |
|---|---|---|---|
| Google (Gemini API) | Gemini 1.5 Pro / Flash — Primary AI Cascade (#1) | 0 days (Transient / Zero Retention) | ❌ Excluded (No model training permitted) |
| Moonshot AI (Kimi) | Kimi (moonshot-v1-8k / 32k) — Cascade Fallback #2 | 0 days (Transient / Zero Retention) | ❌ Excluded (No model training permitted) |
| Groq / Meta (Llama) | Meta Llama 3 via Groq API — Cascade Fallback #3 | 0 days (Transient / Zero Retention) | ❌ Excluded (No model training permitted) |
| Ollama (self-hosted) | Qwen local model — Cascade Fallback #4 (local execution, no network transfer) | N/A — no external transfer | ❌ Excluded (processed locally, no third-party involved) |
4.3 API Service SLAs: LLM providers do not guarantee 100% availability. Service interruptions on LLM provider APIs are handled by fallback mechanisms, routing queries to alternative providers where possible. Uptime and response speed for these elements are subject to third-party SLAs.
4.4 Sovereign Eight Cascade:
The Platform uses a multi-provider AI inference cascade. Queries are routed through providers in the following priority order:
| Priority | Provider | Model | Region | Role |
|---|---|---|---|---|
| 1 | Google Vertex AI | Gemini 1.5/2.5/3.1 Pro | EU (europe-west3) | Primary inference |
| 2 | Moonshot AI | Kimi k2.6 | China (api.moonshot.ai) | Deep analysis fallback |
| 3 | Groq Cloud | Llama 3.3 70B | US (api.groq.com) | Speed fallback |
| 4 | Ollama | Qwen 3 Coder | Local / US-EU | Specialized tasks |
If a provider is unavailable, the system automatically falls back to the next provider in the priority list. Users are not notified of individual provider switches unless a complete cascade failure occurs.
5. EXTERNAL REGISTRY DATA SOURCES
5.1 Registry Ingestion: To perform corporate intelligence, KYC mapping, and beneficial owner (UBO) tracing, Legalica queries public registries and company databases via encrypted secure APIs.
5.2 Data Integrity and Freshness: Information retrieved from registries is cached for performance optimization. Cached registry data is refreshed regularly.
| Source | Data Ingested | Primary Jurisdictions | Freshness / Cache TTL |
|---|---|---|---|
| GLEIF API | Legal Entity Identifier (LEI) records | Global | Live query (no caching) |
| OpenCorporates API | Company profile details, directors, status | 140+ jurisdictions | Live query / 30-day cache fallback (Firestore-backed) |
| Estonian Ariregister API | Board members, share capital, corporate history | Republic of Estonia | Live query (no cache) |
6. LIABILITY ALLOCATION FRAMEWORK
6.1 Shared Responsibility Model: Similar to cloud provider models, liability on the Legalica platform is divided based on control. Legalica does not assume liability for infrastructure failures, model hallucinations, or user decisions made without independent verification.
6.2 Responsibility Matrix:
| Incident Type | Primary Responsible Party | Legalica's Position |
|---|---|---|
| Application software bugs | Legalica | Remediation of code; liability capped at fees paid in past 12 months. |
| Google Cloud downtime | Google Cloud Platform | Subject to Google Cloud SLAs. Legalica is not liable for infrastructure downtime. |
| AI output hallucinations / errors | User / Professional Attorney | ❌ Excluded. Mandatory attorney review required. Legalica is not liable. |
| Registry data inaccuracies | Registry Provider (GLEIF/OpenCorp) | ❌ Excluded. Legalica is not liable for public registry inaccuracies. |
| Account credential leakage | User (unless Firebase infrastructure breach) | User responsible for securing password and enforcing MFA. |
7. DATA RESIDENCY AND SOVEREIGNTY
7.1 EU Sovereign Cloud: Legalica operates on Google Cloud infrastructure in Europe. All databases and file storage are configured within the European Union (europe-west3 — Frankfurt). Certain serverless compute functions (Cloud Functions) execute in us-central1 (Iowa, USA) for specific workloads; no Customer Data persists in us-central1 — all structured data storage remains in the EU. See Section 7.2 for data flow details.
7.2 Data Transfer Flow
EU Data Subject ──► HTTPS (TLS 1.3) ──► Frankfurt GCP (europe-west3)
│
┌─────────────────────┴─────────────────────┐
▼ ▼
Vertex AI (EU region) US LLM Endpoints (ZDR, TLS 1.3)
• Zero retention • Zero retention
• No training • No trainingData Sovereignty Gavel: All Customer Data remains inside the Frankfurt region at rest. In transit, LLM queries route through secure pipelines to either EU Vertex AI locations or US-based LLM provider endpoints under Standard Contractual Clauses (SCC 2021/914).
8. INFRASTRUCTURE PROVIDER INCIDENT RESPONSE
8.1 Joint Detection and Escalation: In the event of a security incident originating on Google Cloud infrastructure or LLM provider networks, Legalica relies on notifications provided by Google Cloud's DPO.
8.2 Notification Timelines: If Google Cloud notifies Legalica of a data incident affecting customer data, Legalica will notify affected customers within 36 hours.
9. BUSINESS CONTINUITY AND DISASTER RECOVERY
9.1 Backup Systems: Cloud Firestore relies on Google Cloud's native regional redundancy within europe-west3 (Frankfurt). On-demand snapshots can be initiated manually via the Firebase Console. Automated daily cross-region backup replication to europe-west2 (London) is planned but not yet implemented. Enterprise customers may request on-demand data exports for independent backup purposes.
9.2 Recovery Metrics:
- Recovery Point Objective (RPO): Dependent on Google Cloud Firestore native regional redundancy and last manual snapshot. No automated snapshot schedule is currently active.
- Recovery Time Objective (RTO): Dependent on Google Cloud platform recovery timelines and Firebase infrastructure restoration. Target: best effort within Google Cloud's SLA parameters.
10. INFRASTRUCTURE CHANGES AND SERVICE CONTINUITY
Google Cloud may deprecate, modify, or update infrastructure features. Legalica is responsible for updating application code to adapt to Google Cloud API changes and ensure continuous service. Legalica will provide at least 14 days' notice to users of any planned system maintenance.
11. USER PROTECTIONS AND BEST PRACTICES
To maintain the integrity of the technology stack, users must adhere to security best practices:
- Enable Multi-Factor Authentication (MFA) on accounts.
- Ensure browser software is updated to support secure TLS 1.3 encryption.
- Refrain from uploading unencrypted sensitive credentials to document workspaces.
12. SUBPROCESSOR GOVERNANCE
12.1 Vendor Selection: Legalica conducts security reviews of all subprocessors in the infrastructure chain.
12.2 Subprocessor Governance Hierarchy:
| Tier | Provider | Compliance Standard | Data Agreement |
|---|---|---|---|
| Tier 1 Infrastructure | Google LLC | SOC 2 Type II, ISO 27001 | GCP DPA + Standard Contractual Clauses (SCC) |
| Tier 1 AI Inference | Google Gemini (primary), Moonshot AI/Kimi (#2), Groq/Meta Llama (#3), Ollama local (#4) | SOC 2 Type II, HIPAA | B2B zero-data retention agreements |
| Tier 2 Payments | Stripe, Inc. | PCI-DSS Level 1 Compliant | B2B Data Processing Agreement |
13. INFRASTRUCTURE AUDIT RIGHTS
Enterprise tier subscribers may request access to SOC 2 Type II compliance audit reports for Legalica and the underlying Google Cloud Platform infrastructure. Access is provided under a Non-Disclosure Agreement (NDA) and limited to once per calendar year.
14. CONTACT INFORMATION
For questions regarding the infrastructure, technology stack, security systems, or data residency: