Security by design
— not an afterthought
top.legal is the first German contract intelligence platform with ISO/IEC 42001 certification
Your data is processed exclusively in Germany or Switzerland — encrypted, redundant, monitored
top.legal is the first German contract intelligence platform aligned with the international standard for AI management systems
// Infrastructure
Exclusively certified servers in Germany & Switzerland
Not a single byte of your contract data leaves the German-speaking region
top.legal operates its entire infrastructure on servers that meet the strictest international standards
Germany
Frankfurt am Main · primary data centres
Switzerland
Backup & failover location
Access only for authorised personnel
Production data is not visible to employees. Access is granted exclusively via password plus 2FA — for authorised persons only.
Zero Trust
365-day monitoring
Our infrastructure is monitored around the clock. Alerts are forwarded immediately. A WAF and third-party penetration tests complement the monitoring.
24/7 active
Secured communication paths
Communication with our servers is only possible over encrypted connections. IP addresses outside the permitted access scope are denied.
// Encryption
State-of-the-art cryptography — in transit and at rest
From the browser connection to the database row — every data point is encrypted
top.legal relies exclusively on current, proven standards
TLS 1.3 & QUIC
All connections use TLS 1.3 or higher. Certificates renew automatically. The QUIC protocol is used optionally.
TLS 1.3 / QUIC
AES-256 encryption at rest
All user data is encrypted at rest with 256-bit AES. Data is never transmitted or stored unencrypted.
AES-256-GCM
JWT tokens with RS256
On login, each user receives three JWT tokens. Their authenticity is verified server-side on every request using the RS256 public/private key procedure.
RS256 key pair
API gateway as the central entry point
The API gateway is the only entry point into our system. Every call is checked for authenticity and authorisation; invalid requests are rejected.
Zero Trust gateway
DDoS protection at Layer 3 & 7
The API gateway protects against distributed denial-of-service attacks, both forged requests (Layer 7) and SYN floods (Layer 3), and applies per-route throttling.
L3 & L7 protection
Granular permissions
Each individual database entry is secured with its own access right. Users receive only the rights they need, and no more.
Principle of Least Privilege
// Access control
Nobody sees what isn't meant for them
Access rights and role-based permissions are the heart of our software architecture. Access is excluded technically, not just by policy.
Every call to the top.legal API gateway requires a valid, encrypted security token, which is verified before any request passes the gateway.
// High availability & disaster recovery
Three data centres. Eleven nines of availability.
Your data is always stored across three independent data centres. If one fails, the others take over seamlessly. The serverless architecture removes the risk of manual server errors.
Three independent data centres
Data is mirrored across all three Frankfurt data centres. If one site fails, the others take over and re-sync it once it recovers.
Continuous backups
On-demand backups secure entire database tables. Point-in-time recovery for the last 35 days protects against accidental deletions.
35-day PITR
Serverless backend
Each backend function runs in its own isolated environment, redundantly across Frankfurt. Failures caused by misconfiguration are excluded.
Multiply redundant
Automatic scaling
The entire infrastructure scales automatically with increasing load. NoSQL databases with intelligent indexing ensure constant response times.
Unbounded scaling
// Incident management
Structured incident handling with defined SLAs
A clear framework for detecting, handling and reviewing security incidents — with fixed response times
Detection & analysis
Automatic error reporting alerts the development team immediately; frontend and backend are monitored separately.
Severity classification
Incidents are classified and prioritised by impact and likelihood
Communication & notification
Affected parties are informed promptly
Escalation
Escalation paths are clearly defined and prepared
Containment & recovery
Isolating the incident and restoring normal operations
Resolution
Complete remediation and documentation
Post-incident review (PIR)
Systematic review for lasting improvement
// Response times (SLA)
Fixed SLAs by severity
Showstopper
Software no longer functional, business severely impacted
Critical
Functionality impaired, entire software affected
Major
Functionality impaired, rest of software running
Minor
No functional impact, general questions
// Risk management
ALARP principle
top.legal follows the ALARP principle (As Low As Reasonably Practicable): risks are continuously assessed and reduced to a reasonable minimum. All organisational units take part in the risk assessment.
// Development process
Security starts before the first line of code
Multi-layered development environments, separated production systems and automatic error reporting ensure that no vulnerability is overlooked
Local → Test → Beta → Production
New features pass through four clearly separated stages. Production data is isolated. Customers can be involved through the beta instance.
Automatic error reporting
A deeply integrated error-reporting system monitors frontend and backend separately. Every error creates a prioritised ticket, including the version number.
No manual reporting needed
Task tracking & systematic handling
Bugs and improvement tasks are recorded, prioritised by severity and worked through systematically, transparently and traceably.
// Ready for more?
Your contracts. Our promise.
See how top.legal doesn't sell security as a feature — but builds it as the foundation for every function