Security

Security by design

Molao handles the most confidential information in any legal matter. Security is not a feature — it is the foundation.

Matter isolation

Every matter is cryptographically scoped to its owner. No user can access another user's matter — by design. Access control is enforced at every API endpoint, not just the UI.

Authentication

JWT-based authentication with short-lived tokens. All API routes require a valid token. Failed authentication attempts are logged and rate-limited.

Audit logging

Every action on a matter — view, create, edit, AI invocation — is logged with timestamp, user, and IP address. Full audit trail available on Enterprise plans.

Data residency

Molao is deployed on South Africa-region infrastructure. Your matter data does not leave the African continent without your explicit consent.

Our security commitments

Matter data is never used to train AI models
Attorney-client privilege is a foundational design constraint
No matter data is shared with third parties without explicit consent
AI outputs are generated in isolated, stateless sessions per request
Every API request is authenticated and ownership-verified before execution
All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
Access is logged at the API layer — not just the UI
Enterprise plans include dedicated audit trail export

Responsible disclosure

If you discover a security vulnerability in Molao, please report it to us responsibly before public disclosure. We investigate all reports promptly.

security@molao.app