Built to Protect
the Evidence.

One position without exception: the security and integrity of your evidence comes before availability. A service that is temporarily offline is recoverable — compromised evidence is not. Here is the security monitoring, the privilege-aware email and hosting, and the Australian-sovereign infrastructure it all runs on.

Enterprise Security Monitoring & Threat Detection

Every White Rabbit deployment is protected by continuous, enterprise-grade security monitoring. We hold one position without exception: the security and integrity of your evidence comes before availability. A service that is temporarily offline is recoverable. Compromised evidence is not.

Security
Over availability — always
4,400+
Threat detection rules
Encrypted
All data in transit
Zero
Tolerance for compromise
security-monitor — live feed
09:41:02[OK]Security monitoring active — 8 services connected
09:41:15[OK]Network firewall — no blocked requests (1h)
09:42:03[TLS]Certificate renewed — ECC P-256 valid 90d
09:42:44[OK]Web application firewall — 0 threat events
09:43:11[SMTP]Email authenticated · Encrypted delivery confirmed
09:43:33[SMTP]Inbound forgery check — sender authentication verified · spam quarantined
09:43:52[WALL]Outbound privilege guard — opposing-counsel check passed
09:44:08[AUTH]Vault access — authenticated · 2FA verified
09:45:31[AI]Private AI inference — local only · 0 external calls
09:47:22[OK]Backup integrity verified — encrypted
09:48:00[OK]Critical alerts (24h): 0 — all clear
09:48:01[SYS]System status: SECURE

Email That Understands
Legal Professional Privilege

Most email systems treat all messages the same. Ours doesn't. LegalMatters email hosting is built around the realities of legal practice — who lawyers are, what privilege means, and what a negligent disclosure actually costs.

Automated Legal Privilege Recognition

Every email you send and receive is assessed against your matter files and correspondent database. Communications between solicitor and client that attract legal professional privilege are automatically identified and flagged — before they're forwarded, exported, or disclosed.

Negligent disclosure of privileged material is one of the most common — and most avoidable — professional conduct issues in Queensland practice. The system acts as a standing filter between your correspondence and inadvertent waiver.

Full Queensland Law Society Register — Built In

The complete register of Queensland solicitors, barristers, and law firms is part of the email platform. When a lawyer emails you, they are automatically identified — name, firm, practising certificate class, and current status — without you lifting a finger.

Know immediately whether the person writing to you is a currently practising solicitor, a principal or employee, whether their certificate is in good standing, and which firm they're attached to — all confirmed against QLS records on arrival.

Secure Legal Email Hosting

Your own domain. Your own server. Dedicated infrastructure — not a shared mailbox on someone else's platform. Authenticated sending prevents spoofing of your domain. All email in transit is encrypted. Deliverability is enterprise-grade.

Works with Outlook, Apple Mail, Thunderbird — any standard email client connects via IMAP and SMTP. Hosted email users also access the full platform webmail interface with matter-linked inbox.

Secure Law Firm Web Hosting

Professional website hosting with automated security scanning, strict content security policies, and full HTTPS enforcement. Designed for law firm websites and client-facing portals, with complete separation from your matter data.

Public and private infrastructure are physically isolated — a security event on a public-facing site cannot reach internal matter files.

Private Cloud — No Big Tech

Shared document storage, calendar sync, and client file exchange on a private cloud running on your own hardware. The functionality of a major cloud platform — without Microsoft's, Google's, or Dropbox's terms of service sitting over your client files.

Australian Privacy Principles and legal professional privilege obligations apply to data held on overseas cloud platforms in ways that remain unsettled. Hosting your own cloud eliminates the uncertainty.

Ingestion from Anywhere

Moving to LegalMatters doesn't mean starting from scratch. Existing emails, document archives, and file collections are imported through a structured migration process — connected to your existing matters and searchable from day one.

We support import from most practice management systems, standard email formats, and shared drives. If your data exists, we can bring it across.

Dedicated Infrastructure —
Inside Your Walls

Every service runs on dedicated hardware in Australia. Not a slice of a shared cloud. Not a rented virtual machine. Physical servers purpose-built for legal practice — eight fully isolated environments, each performing a single role, each replaceable without touching the others.

Dedicated Host Environment

All services run in hardware-isolated environments on a single bare-metal server — the same architecture used by banks and government agencies. Each service is contained: a compromise of one environment cannot reach another. Full point-in-time snapshots mean any service can be restored to a known-good state in minutes.

Hardware isolation Point-in-time snapshots Australian hardware 200 GB dedicated storage

Hardened Network Perimeter

All traffic — inbound and outbound — passes through an enterprise-grade firewall before reaching any service. Automated attack detection blocks known threats in real time. Rate limiting prevents brute-force attempts. Geographic filtering restricts access to Australian and permitted IP ranges. Everything entering or leaving the network is logged.

Enterprise firewall Automated threat blocking Rate limiting Full traffic logging Encrypted connections only
Private AI
All AI processing runs locally on your infrastructure. No prompts, documents, or client names are transmitted to any external service. The intelligence stays inside.
Email Security Gateway
Every incoming email is screened before delivery — spam filtered, malicious attachments quarantined, spoofed senders blocked. A dedicated security layer that your mail server never has to see.
Legal Email Server
Dedicated email with the full Queensland Law Society register integrated. Incoming correspondents are automatically identified against QLS records — their practising status, firm, and certificate class confirmed on arrival.
Private File Cloud
Secure document storage and sharing — the equivalent of a private Google Drive running on your own servers. No Microsoft. No Google. No cloud provider terms of service over your client files.
Firm File Management
Structured shared file access for the whole practice. Maps as a standard network drive on any computer. Files organised by matter, accessible to the right people, audited every time.
Compliance Archive
Long-term document storage aligned with Queensland's seven-year minimum retention requirement. Separate from operational storage — old matters archived, retention schedules enforced, destruction batches managed.
Web Services
Public-facing websites and client portals, completely isolated from all internal data. A web server breach cannot reach your matter files — by design, not just by policy.
Intelligence Vault
The secure database at the heart of the platform — matters, parties, correspondence, and legal intelligence. Encrypted, audited, backed up continuously, and never accessible from the public internet.
8
Isolated service environments
100%
Australian hosted
Zero
Third-party cloud access
Always
Encrypted at rest & in transit

For the technically minded — detailed architecture and security documentation:

The due-diligence page, written the way we'd want to read one.

Every claim here is either working today Built or clearly marked Roadmap — we will never blur that line. It's how we stay honest, and it's how you can hold us to it. Ask us any of these directly; we'll walk your IT adviser through it under NDA.

6,698
days without a data breach · since 13 March 2008
Zero unauthorised access to, or disclosure of, a client's data — across the whole life of the practice. "Breach" here means an outside party getting in or information getting out; it's the number we watch most.
Where does our data physically live, and can a foreign court reach it?

Built Your data lives on private servers we own and operate in Australia — not rented space in a global cloud, and not replicated offshore. Every node in our fleet is on Australian soil, Australian-owned and operated.

No provider can promise immunity from legal process, and we won't pretend otherwise. What we can do — and have — is remove the pathways foreign orders usually travel: there is no overseas cloud provider in the chain to be served a sealed order, and no foreign parent company to compel. In practice, any lawful demand runs through an Australian court under Australian law — a process you would ordinarily have notice of and standing to contest, rather than a warrant served on a foreign host you never hear about.

One honest exception: our phone apps are distributed through the Google and Apple stores, which handle app download/transaction data under their own terms. Your legal content — the vault and your mail — never touches them.

Who holds the encryption keys? Can one administrator quietly weaken them?

Built Data is encrypted in transit (TLS) across an encrypted site-to-site VPN mesh between our locations. Full-disk encryption at rest is deployed on newer nodes and being rolled out across the fleet Roadmap — we'd rather tell you it's in progress than claim it everywhere before it's true. Messaging uses end-to-end encryption — elliptic-curve key exchange (ECDH) with AES-256-GCM. What's distinctive is how change is controlled: our cipher configuration is governance-signed using threshold (multi-signature) cryptography — like a two-signatory trust account, no single administrator, including us, can unilaterally weaken the encryption; a change needs multiple independent signatures before any server will run it.

Engineer support access is authenticated and written to an append-only, hash-chained audit log (tamper-evident — any alteration is detectable) — every access is provable after the fact, a stronger guarantee than a certificate attesting a process exists. Roadmap Customer-held keys (bring-your-own-key / BYOK) and richer key custody are in development.

How is privileged material kept from being disclosed by mistake?

Built Every item in the vault carries a data classification (a privilege marking) — the same principle as a security classification on a defence document, enforced by the system rather than by habit. Disclosure runs under mandatory access control: privileged material cannot be exported or released without passing a gate and writing an audit record of who released what, when and how. Outbound mail passes an opposing-counsel / privilege (DLP) check before it leaves.

On top of that, our practitioner-intelligence layer cross-references the people in your matters and address books against the public legal registers — flagging restricted, struck-off or conflicted practitioners so you don't unknowingly correspond with, or disclose to, the wrong party. Roadmap Parts of the automated conflict-clearance workflow are still being wired in; we'll mark them Built when proven.

Is there a Security Operations Centre? Is it monitored around the clock?

Built Yes — we run a Security Operations Centre at our Australian headquarters: security monitoring (SIEM) ingesting logs from every server, firewall and mail gateway across the fleet, with automated rules that flag anomalies such as bulk downloads and unusual logins.

We're honest about the shape of it: detection is 24/7 and automated; response is by the named engineers who built and run your system — not an outsourced night-shift analyst seeing your firm's name for the first time. Alerts reach that team directly, so triage starts with full context. Automated containment (blocklisting, tripwires, isolation of a service or network segment) acts in the meantime. Roadmap Formal on-call hardening and a self-healing watchdog on the monitor itself are in progress.

Are you SOC 2 or ISO 27001 certified? What about our cyber-insurance requirements?

No — and we want to tell you why before you ask. Those frameworks audit a cloud vendor's internal processes over a period; they were built for the multi-tenant cloud model we deliberately reject. Our model gives you something a certificate can't: you can inspect the actual controls — the audit chain is verifiable, the monitoring console can be shown to your adviser, the servers are physically in Australia and identifiable.

We chose controls you can verify over certificates you have to trust. For insurance and compliance, we provide a controls-mapping document against the recognised Australian control families (ASD Essential Eight, ISO 27001 control areas, APRA CPS 234 principles) so your adviser can do a like-for-like assessment — covering two-factor authentication on vault access, log retention (see our data-retention page), patching, backups and segmentation. If a firm's insurer requires the certificate itself, tell us and we'll discuss it — we will never imply certification is underway when it isn't.

During a penetration test, how do we tell your authorised simulation from a real attack?

Built Our penetration testing is authorised, scheduled and run from known infrastructure, with written scope agreed before every engagement. Your team can tell it apart because an engagement is pre-notified to a named contact with a defined window and source details, and the test traffic is attributable after the fact. Anything that does not match a registered engagement is treated as a real attack — no benefit of the doubt.

Methodology is refreshed against current threat activity, including new ransomware behaviour, on an ongoing basis. We won't claim a continuous commercial threat-intelligence feed we don't run.

What specifically protects our email?

Built Email is the riskiest vector, so we treat it as untrusted. In front of the mail server sits a secure email gateway (SEG): inbound sender authentication — SPF, DKIM and DMARC (so spoofed and forged mail is caught), spam quarantine, honeypot decoy addresses that trip crawlers on first contact, and IP blocklists at the edge. Delivery is encrypted in transit with TLS (opportunistic STARTTLS, and MTA-STS where the far side supports it). Outbound, a data-loss-prevention (DLP) privilege guard checks mail before it leaves. Internal mail rides an isolated, network-segmented path. Roadmap Enforced (not just opportunistic) transport encryption is being tightened further.

Every present-tense claim on this page is true today; roadmap items are marked and carry no committed dates. We date-stamp and re-verify this page, because a claim that was true when written but stale when read is still misleading. Want the detail? We'll take your IT adviser through the live monitoring console and the controls mapping under NDA — verification over trust.