Security & Privacy
Wakilii handles sensitive legal work, so security and data privacy are part of how the platform is built — not an afterthought.
Your data is encrypted on the wire and at rest, and your credentials are stored so that even we cannot read them.
All traffic is served over HTTPS with modern TLS. HTTP Strict Transport Security (HSTS) is enforced so browsers refuse to connect insecurely.
Application data is stored on managed infrastructure that encrypts data at rest. Backups inherit the same protection.
Passwords are hashed with scrypt — a deliberately slow, memory-hard algorithm. We never store plaintext passwords, and password hashes are excluded from data exports.
Session cookies are HttpOnly, Secure and SameSite-scoped; the token itself is stored only as a hash, so a database leak exposes no usable session.
The application is hardened against the common web attack classes by default.
A nonce-based Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options, a restrictive Permissions-Policy and Cross-Origin-Opener-Policy ship on every response.
Every state-changing request is checked against its Origin and Referer, so a malicious site cannot act on your behalf.
Failed sign-ins are rate-limited and locked out per account and per IP address, blunting credential-stuffing and brute-force attempts.
Public forms are guarded by an invisible CAPTCHA and a content-delivery layer that absorbs DDoS and filters automated abuse.
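The Origin and Referer check on state-changing requests described above can be sketched as follows. This is an added example, not Wakilii's own code; the allowed origin `https://app.example` and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the origin the application is served from (placeholder host).
ALLOWED_ORIGINS = frozenset({"https://app.example"})
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(value):
    """Reduce a URL or Origin value to 'scheme://host[:port]', or None."""
    if not value:
        return None
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased by urlsplit
    if scheme not in DEFAULT_PORTS or not host:
        return None  # covers the opaque "null" origin and non-http schemes
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def is_request_allowed(method, headers):
    """Allow safe methods; otherwise require a same-origin Origin or Referer."""
    if method.upper() in SAFE_METHODS:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is not None:
        # When Origin is present it is authoritative; Referer is not consulted.
        return normalize_origin(origin) in ALLOWED_ORIGINS
    # No Origin header: fall back to Referer, and fail closed if both are absent.
    return normalize_origin(h.get("referer")) in ALLOWED_ORIGINS
```

Comparing the parsed scheme, host and port, rather than matching a string prefix, is what rejects look-alike hosts such as `app.example.evil.test`.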
Your work product stays yours. We are deliberate about what leaves the platform and what it is used for.
We do not use your questions, documents, or results to train or fine-tune AI models.
Wakilii is built on a "no claim without a source" principle: every answer is traceable to the primary authority that supports it, so you can review the reasoning and verify each citation before you rely on it. This is the same grounding engine behind our Veritas citation-verification tooling.
The platform is hosted in the European Union (Frankfurt) region, giving your data a stable, single-region home rather than moving it across jurisdictions.
We keep the list of third parties that process platform data short and transparent:
| Provider | Purpose | Region |
|---|---|---|
| Anthropic | AI support | US |
| Render | Application hosting & infrastructure | EU (Frankfurt) |
| Cloudflare | DNS, CDN, TLS, DDoS & bot protection | Global edge |
Search relevance and embeddings run on models we host ourselves, so the text of your corpus queries is not sent to a third-party embedding service.
You can see, take, and delete your data at any time.
Download a complete machine-readable copy of everything tied to your account from your account page.
Permanently delete your account and all associated history yourself, instantly, from your account page — no support ticket required.
We retain account and history data for as long as your account is active; deleting your account removes it. Details are in our Privacy Policy.
Access to the platform is invite-gated, administrative functions are separated from ordinary accounts, and security-relevant events are logged for review.
We build to recognised standards. The formal, independently audited certifications below are part of our standards.
We welcome good-faith security research. If you believe you have found a vulnerability, please tell us before disclosing it publicly, and don't access data that isn't yours.
Email [email protected] · Policy: /.well-known/security.txt
Wakilii provides legal research assistance, not legal advice. This page describes our security and privacy practices; it is informational and does not itself form a contract. For binding terms see our Terms of Use and Privacy Policy.