1. Our Approach to Security
A2J Suites handles sensitive legal aid data — case details, client communications, court schedules, and legal
documents. We recognize the gravity of this responsibility. Our security posture is designed around a
defense-in-depth model, incorporating encryption at every layer, strict access controls, continuous
monitoring, and well-rehearsed incident response procedures.
This Trust Center provides a transparent overview of how we protect your organization's data and maintain the
reliability of the Platform.
- Encryption: TLS 1.3 for data in transit. AES-256 for data at rest. End-to-end encryption for all
ClientBridge messages between attorneys and clients.
- Email Authentication: SPF, DKIM (2048-bit), and DMARC with p=reject. Full envelope/header
alignment enforced on all outbound transactional mail.
- Infrastructure: Hosted on AWS US-East-1 with multi-AZ redundancy, VPC isolation, network
firewalls, and auto-scaling for consistent availability.
- Monitoring: 24/7 uptime monitoring, real-time alerting, automated anomaly detection, and
delivery-quality dashboards reviewed daily by operations staff.
2. Security Practices
2.1 Access Controls
- Role-Based Access Control (RBAC): Permissions are assigned based on job function. The
principle of least privilege is strictly enforced.
- Multi-Factor Authentication (MFA): Required for all internal staff and recommended for
all Client accounts. Hardware keys (FIDO2) supported.
- Single Sign-On (SSO): SAML 2.0 SSO available for Enterprise-tier subscribers.
- Session Management: Sessions expire after 30 minutes of inactivity. Concurrent sessions
are limited and monitored.
2.2 Data Protection
- All sensitive data is encrypted both in transit (TLS 1.3) and at rest (AES-256).
- ClientBridge messages use end-to-end encryption — messages are readable only by the intended
participants.
- Database backups are encrypted and stored in geographically separate regions.
- Data masking is applied in non-production environments.
2.3 Application Security
- Secure Development Lifecycle (SDL) integrated into every release.
- Regular vulnerability scanning and dependency auditing (weekly automated, quarterly manual).
- Annual penetration testing conducted by independent third-party security firms.
- Real-time dependency monitoring and automated patching for critical CVEs.
3. Infrastructure Details
3.1 Cloud Hosting
A2J Suites is hosted on Amazon Web Services (AWS) in the US-East-1 (N. Virginia) region. Key
infrastructure features:
- Multi-AZ deployment for high availability and automatic failover.
- Virtual Private Cloud (VPC) with private subnets for application and data layers.
- AWS WAF (Web Application Firewall) and AWS Shield for DDoS protection.
- Auto-scaling groups maintain consistent performance during load spikes.
3.2 Email Delivery Infrastructure
- Provider: Mailgun (Sinch) for transactional email delivery.
- IP Configuration: Dedicated sending IP with established reputation.
- Average Daily Volume: ~12,000 transactional emails across all subscribing
organizations.
- Complaint Rate: Consistently below 0.03%.
- Bounce Rate: Maintained below 1.8%.
- Authentication: SPF + DKIM (2048-bit) + DMARC (p=reject) enforced on all outbound mail.
- Suppression Management: Unified suppression list across hard bounces, complaints, and
manual removals. Checked before every send.
4. Email Practices (Detailed)
This section provides in-depth information about how A2J Suites manages its email sending infrastructure.
4.1 Recipient Verification
Every recipient address is validated at the point of account creation or client enrollment. Confirmation
links must be clicked to activate the email address. Disposable and invalid domains are blocked at intake by
checking against known throwaway-domain lists and performing real-time MX verification.
4.2 Suppression List Management
Our global suppression list is maintained in real time and shared across all sending events. Sources of
suppression entries include:
- Hard bounces (immediate permanent suppression)
- Soft bounces (retry 3× over 24 hours, then permanently suppress)
- Complaint-based suppressions (via ISP feedback loops)
- Manual removal requests (processed within 24 hours)
The suppression list is consulted prior to every individual send — no exceptions.
4.3 Bounce & Complaint Workflows
- Hard Bounces: Trigger immediate suppression and alert the Client administrator to
update their records.
- Soft Bounces: Retried up to 3 times over 24 hours. If unresolved, the address is
permanently suppressed.
- Complaints (FBL): The complaining address is suppressed instantly. An incident report
is generated and reviewed by the operations team within 4 hours.
- Escalation: If any organization's complaint rate exceeds 0.05%, their sending is paused
and a manual review is initiated.
4.4 Feedback Loop (FBL) Monitoring
A2J Suites is enrolled in FBL programs with major mailbox providers (including Microsoft JMRP, Yahoo CFL).
Complaint data is ingested in near-real-time and feeds directly into the suppression engine. FBL reports are
reviewed daily by the deliverability team.
4.5 Rate Limiting & Anomaly Detection
- Per-organization rate limits are enforced to prevent volume spikes.
- Per-template rate caps prevent any single notification type from dominating send volume.
- The anomaly detector flags any organization sending >2× its established weekly average. Flagged
sends are held for manual release.
- New organizations undergo a warm-up period with gradually increasing daily limits.
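The rules in sections 4.2 through 4.5 can be read as a single pre-send gate. The sketch below is an added example, not A2J Suites' code: the class and field names are hypothetical, the complaint rate is assumed to be complaints divided by delivered messages, and the 2× check is assumed to compare the current week's volume with the weekly average. Scheduling of the soft-bounce retries within the 24-hour window is left to the caller.

```python
from dataclasses import dataclass, field

SOFT_BOUNCE_RETRIES = 3          # page: retry 3x over 24 hours, then suppress
COMPLAINT_PAUSE_RATE = 0.0005    # page: pause sending above 0.05%
ANOMALY_MULTIPLIER = 2           # page: hold sends above 2x weekly average

@dataclass
class OrgState:                  # hypothetical per-organization counters
    weekly_avg: float            # established weekly average send volume
    sent_this_week: int = 0
    delivered_total: int = 0
    complaints: int = 0
    paused: bool = False

@dataclass
class SendGate:
    suppressed: set = field(default_factory=set)      # global suppression list
    soft_bounces: dict = field(default_factory=dict)  # address -> failure count

    def record_event(self, org, rcpt, kind):
        """Apply a delivery event: 'delivered', 'hard', 'soft' or 'complaint'."""
        rcpt = rcpt.lower()
        if kind == "delivered":
            org.delivered_total += 1
            self.soft_bounces.pop(rcpt, None)   # a success resets the counter
        elif kind == "soft":
            n = self.soft_bounces.get(rcpt, 0) + 1
            self.soft_bounces[rcpt] = n
            if n > SOFT_BOUNCE_RETRIES:         # first attempt + 3 retries failed
                self.suppressed.add(rcpt)
        elif kind in ("hard", "complaint"):
            self.suppressed.add(rcpt)           # immediate suppression
            if kind == "complaint":
                org.complaints += 1
                sent = max(org.delivered_total, 1)   # avoid division by zero
                if org.complaints / sent > COMPLAINT_PAUSE_RATE:
                    org.paused = True           # escalation: manual review

    def decide(self, org, rcpt):
        """Return 'send', 'suppressed', 'paused' or 'hold' for one message."""
        if rcpt.lower() in self.suppressed:     # consulted before every send
            return "suppressed"
        if org.paused:
            return "paused"
        if org.sent_this_week + 1 > ANOMALY_MULTIPLIER * org.weekly_avg:
            return "hold"                       # held for manual release
        org.sent_this_week += 1
        return "send"
```

The suppression check runs first so that a paused or rate-limited organization can never cause a send to a suppressed address, whatever the later checks decide.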
4.6 Access Control for Sending (RBAC)
- Only designated Administrator roles can create or modify email templates.
- Template changes require peer review and approval before deployment.
- API keys are scoped to specific sending permissions and rotated quarterly.
- All sending-related configuration changes are logged with the user identity and timestamp.
4.7 Audit Trail
- Delivery Logs: Retained for 90 days. Include message ID, recipient (hashed), status,
timestamps, and bounce/complaint classification.
- Template Change History: Retained for 12 months. Every edit, approval, and deployment
is recorded.
- Access Logs: Retained for 12 months. Cover logins, role changes, API key usage, and
administrative actions.
- Logs are available to authorized Client administrators on request.
4.8 How to Report Abuse
If you believe you have received an unauthorized message from A2J Suites or observed misuse of the Platform,
please contact:
- Email: abuse@a2jsuites.com
- All abuse reports are acknowledged within 24 hours and investigated within 3 business days.
5. Incident Response
A2J Suites maintains a documented Incident Response Plan with the following stages:
- Detection & Triage (0–2 hours): Automated monitoring triggers alerts. On-call
engineer assesses severity and classifies the incident.
- Containment (2–6 hours): Affected systems are isolated to prevent further impact.
Impacted users are notified via alternative communication channels if email service is affected.
- Investigation (6–24 hours): Root cause analysis is conducted. Forensic evidence is
preserved. External specialists are engaged if needed.
- Remediation (24–72 hours): Vulnerabilities are patched, configurations hardened, and
affected credentials rotated.
- Post-Incident Review (within 7 days): A detailed post-mortem is conducted. Lessons
learned are documented and preventive measures implemented.
GDPR Notification: In the event of a personal data breach, we will notify the relevant
supervisory authority within 72 hours and affected data subjects without undue delay, as
required by Article 33 and Article 34 of the GDPR.
6. Logging & Audit Trail
- Email Delivery Logs: Retained for 90 days. Include message ID, recipient (hashed),
delivery status, timestamps, and any bounce/complaint codes.
- Access Logs: Retained for 12 months. Cover user authentication, authorization events,
API key usage, and administrative actions.
- Change Management Logs: All configuration changes, template modifications, and
permission updates are logged with actor identity and timestamp. Retained for 12 months.
- Logs are stored in append-only storage with integrity verification. Access to raw logs is restricted to
Security and DevOps personnel.
7. Compliance
A2J Suites is designed and operated to comply with:
- GDPR (General Data Protection Regulation): Data processing agreements, DPIA support,
72-hour breach notification, exercise-of-rights workflows.
- CCPA (California Consumer Privacy Act): Right to know, delete, and opt-out. Privacy
policy disclosures and non-discrimination commitments.
- CAN-SPAM Act: Accurate header and subject-line information. Physical address in every
message. Functional unsubscribe mechanism honored within 10 business days.
- CASL (Canada's Anti-Spam Legislation): Express consent mechanisms, clear
identification, and functional unsubscribe in every message.
8. Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities from the security research community. If you
discover a potential vulnerability in A2J Suites:
- Email: security@a2jsuites.com
- Acknowledgment: We will acknowledge receipt of your report within 48
hours.
- Assessment: Our security team will assess and classify the vulnerability within
5 business days.
- Resolution: Critical vulnerabilities will be prioritized for remediation. We will keep
you informed of progress.
- We will not pursue legal action against researchers who follow responsible disclosure practices and act
in good faith.
9. Contact
For questions about our security practices, compliance posture, or to request additional documentation: