TERMS OF SERVICE
LegalMate's
Security Exhibit
Updated November 26, 2025
This Security Exhibit (“Exhibit”) describes the technical and organizational security measures implemented by LegalMate Inc. (“LegalMate”) to protect Customer Data Processed in connection with the LegalMate Platform.
This Exhibit is incorporated into the Main Services Agreement (the “Main Agreement”) by and between LegalMate and Customer. Capitalized terms not defined herein shall have the meaning set forth in the Main Agreement or the Data Processing Addendum.
1.0 Information Security Program
LegalMate has implemented an information security program (“ISP”) designed to protect the confidentiality, integrity, and availability of Customer Data. The ISP is based on industry-standard frameworks and is reviewed and updated at least annually or in response to significant changes in the threat landscape. The program includes:
● Governance: A dedicated team of senior personnel responsible for the development, implementation, and management of the ISP.
● Risk Management: A risk assessment process to identify, analyze, and mitigate information security risks to LegalMate and its customers.
● Policy Framework: Documented security policies and best practices that are communicated to all personnel.
2.0 Security Controls
2.1. Personnel Security
● Background Checks: Background verification checks are conducted for all new employees in accordance with local laws.
● Confidentiality: All personnel are required to sign confidentiality agreements as a condition of their employment.
● Security Training: Personnel undergo mandatory security awareness training upon hiring and on an annual basis thereafter.
2.2. Access Control
● Least Privilege & RBAC: Access to systems that Process Customer Data is granted based on the principle of least privilege and role-based access control (RBAC). Access to application resources is controlled at a granular level: each URL and API endpoint is available only to those users whose role requires it.
● Authentication: Multi-Factor Authentication (MFA) is required for all access to production systems, critical infrastructure, and internal applications, enforced via Single Sign-On (SSO). LegalMate supports SSO integration with Google and Microsoft.
● Access Reviews: User access rights to production environments are reviewed on a regular basis and revoked promptly upon termination of employment or change in role.
● Session Management: Automatic session timeouts are implemented to reduce the risk of unauthorized access from unattended devices.
2.3. Data Encryption
● Encryption in Transit: All Customer Data transmitted over public networks (e.g., between the customer and the Platform) is encrypted using Transport Layer Security (TLS) version 1.2 or higher.
● Encryption at Rest: All Customer Data stored within the Platform’s production environment is encrypted at rest using industry-standard encryption algorithms (e.g., AES-256). Workstation and laptop hard drives are also encrypted.
2.4. Application Security
● Secure Software Development Lifecycle (SDLC): LegalMate follows security best practices within its software development lifecycle.
● Data Separation: Measures are implemented to ensure data collected for different purposes can be processed separately. This includes logical separation at the application and database level (e.g., separate API endpoints and database schemas for different services) to enforce clear boundaries in data processing.
● Vulnerability Management: LegalMate performs regular vulnerability scanning of its application and infrastructure. Identified vulnerabilities are tracked, prioritized, and remediated based on severity within defined service level agreements.
2.5. Network and Infrastructure Security
● Cloud Infrastructure: The Platform is hosted on a leading cloud infrastructure provider (Google Cloud Platform) that maintains physical and environmental security controls and holds independent certifications (e.g., SOC 2, ISO 27001, ISO 27017).
● Network Protection: Production environments are logically isolated from non-production environments. LegalMate deploys protective technologies including firewalls and DDoS mitigation services.
● Endpoint Security: Company devices are configured with anti-virus software, firewalls, endpoint detection and response (EDR), and automatic desktop locking.
● Logging and Monitoring: LegalMate maintains a logging system that records key events across its infrastructure, including user access, system changes, and network activity. Logs are monitored in real time to detect and respond to potential threats. The integrity of log data is protected through secure storage and access controls.
3.0 Security Incident Management
LegalMate will take steps to detect, respond to, and recover from Security Incidents. In the event of a Security Incident affecting Customer Data, LegalMate will notify affected Customers in accordance with the terms of the Data Processing Addendum.
4.0 Third-Party Risk Management
LegalMate maintains a risk-based program to assess the security posture of its third-party vendors and Sub-processors. This process includes initial security due diligence and ongoing monitoring to ensure that vendors continue to meet LegalMate's security requirements. A current list of Sub-processors is maintained at https://legalmate.co/legal/subprocessors.
5.0 Business Continuity and Disaster Recovery
LegalMate leverages the geographically redundant infrastructure and backup capabilities of its cloud infrastructure provider to maintain the availability of the Platform in the event of a significant disruption. This includes regular data backups and periodic failover testing.
6.0 Customer Responsibilities
Customer is responsible for: (a) securely managing user accounts, credentials, and access rights within the Platform; (b) the accuracy and legality of all Customer Data; and (c) configuring the Platform’s security features as appropriate for its use case.
7.0 Updates to Security Measures
LegalMate may update or modify these Security Measures from time to time, provided that such updates or modifications do not result in a material degradation of the overall security of the Platform.
For security questions, please contact security@legalmate.co.
