Security at Kefilex.
How to report a vulnerability, our response targets, and the security posture you can expect from the platform. If you operate procurement for a Clio customer evaluating Kefilex, the answers to most of your security questions live here.
Last updated 13 May 2026.
1. Reporting a vulnerability.
Email security@kefilex.com with details. If the issue is sensitive enough to warrant encryption, say so in your first message and we'll exchange a PGP key.
We acknowledge every report within one UK working day and provide a status update at least weekly until resolution. Please do not open public GitHub issues for security reports.
2. Response targets.
| Severity | Patch timeline | Examples |
|---|---|---|
| High | ASAP. Active exploitation triggers out-of-hours response. | RCE, auth bypass, data exfiltration |
| Medium | Within 3 UK working days of confirmation | Privilege escalation (valid session), stored XSS (admin-only) |
| Low | Within 3 weeks; tracked in the public backlog | Low-sensitivity info disclosure, minor config drift |
3. Encryption posture.
In transit
- HTTPS-only across every endpoint of app.kefilex.com, admin.kefilex.com and kefilex.com
- TLS 1.2 minimum (TLS 1.3 preferred)
- Non-HTTPS redirected to HTTPS; HSTS enabled with a 365-day max-age
At rest
- Customer data in PostgreSQL hosted by Supabase, encrypted at disk with AES-256
- Long-lived third-party integration credentials (Clio refresh tokens in particular) additionally encrypted at the application layer using a symmetric key held only in our hosting provider's environment variables
- Backups encrypted with the same algorithm and rotated daily; point-in-time recovery covers a 7-day window
Secrets
All API keys, client secrets and database credentials live only in Netlify environment variables. None are committed to the source repository. We scan every push and every pull-request for accidentally committed secrets via GitHub Advanced Security.
4. Sub-processors.
Each processes data on our behalf under written terms that mirror or exceed UK GDPR Article 28. Current as of the last-updated date above; we notify customers by email if the list changes, with at least 30 days' notice before the change takes effect.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | PostgreSQL database, authentication, file storage | UK (eu-west-2) |
| Netlify | Web hosting, edge + background functions | eu-west-2 builds |
| Resend | Transactional email delivery | EU |
| Stripe | Payment processing, subscription billing | EU |
| PostHog | Consent-gated product analytics, trial tenants only | EU (eu.posthog.com) |
| BetterStack | External uptime monitoring, status page | EU / global edge |
| Clio | Practice-management data source, per-tenant OAuth | Per Clio region |
5. Compliance posture.
- UK GDPR + EU GDPR. Data residency in the UK / EU. Subject-access requests honoured within statutory timelines. See the Privacy Policy.
- MVSP (Minimum Viable Secure Product). Self-attested against the MVSP v3 controls. Detailed control-by-control results published on the in-app security page at app.kefilex.com/security.
- SOC 2 / ISO 27001. Not certified today. On the roadmap once revenue justifies the audit cost. Procurement teams who need an independent third-party attestation today should ask us about timing before procurement.
6. Public status page.
Live uptime and recent incidents for app.kefilex.com, admin.kefilex.com and our public surfaces are published on the status page.
Monitored externally by BetterStack on a 3-minute cadence. Incidents are auto-published; subscribe by email on the status page if you want notifications.
7. Breach notification.
If we confirm a breach affecting customer data, we will:
- Notify the UK Information Commissioner's Office without undue delay and in any event within 72 hours of confirmation, as required by UK GDPR Article 33
- Notify affected customers in parallel by email to their registered administrator address with the information required by Article 33(3): the nature of the breach, the categories and approximate volume of personal data affected, the contact point for further information, the likely consequences, and the measures we are taking to address it
8. Customer data deletion.
Disconnecting the Clio integration removes our active session immediately. Cached Clio-sourced data (matters, contacts, time entries, bills) is then retained for 30 days and then permanently deleted. Customers can request immediate deletion at any time from the admin settings page in the application; the deletion is irreversible.
Account-level data (email, display name, subscription state) is retained while the account is active and is deleted on the same 30-day window after account cancellation, subject to the legal-retention exceptions stated in the Privacy Policy.
9. Codebase security controls.
- Continuous integration runs `tsc --noEmit`, `eslint`, and `npm audit --audit-level=high` on every pull request and push to main
- Dependabot security updates enabled; high-severity advisories trigger automatic pull requests
- Secret scanning (GitHub Advanced Security) enabled; blocks pushes that contain detected credentials
- Deploys are HTTPS-only and signed by our hosting provider; production secrets are only injected at runtime via the hosting provider's environment variables
10. Bug bounty / responsible disclosure.
We do not at this time operate a paid bug-bounty programme. We will however publicly credit researchers in our changelog or security page, on request, for verified reports.
Do not test against another customer's account or any tenant other than your own. If you don't have a Kefilex account and want to research the platform, contact security@kefilex.com first for a sandbox arrangement.
11. Contact.
- Security reports: security@kefilex.com
- Privacy queries: privacy@kefilab.com
- General support: support@kefilex.com
This page describes the security posture we maintain today and is reviewed at least annually. Kefilab is based at 301 Bath Road, Hounslow, London TW3 3DB, United Kingdom.