Security

ESQx.IT was built inside a practicing Phoenix litigation firm, where client confidentiality is a professional obligation, not an afterthought. Security is designed into the platform at every layer. This page summarizes how we protect your firm’s and your clients’ information. It describes current platform capabilities and evolves as the product does.

Authentication & sign-in

  • Single sign-on with Microsoft Entra ID (Microsoft 365) and Google, using OAuth 2.0 with PKCE and signed state parameters.
  • Strong password storage: passwords are never stored in plain text; they are hashed with bcrypt.
  • Two-factor authentication (2FA) available via time-based one-time passcodes (TOTP) with one-time backup codes. Repeated failed attempts trigger temporary account lockout.
  • Server-side sessions tracked per device. Sessions can be revoked in real time: on sign-out, on password change, or by an administrator. A password change immediately invalidates every existing session.
  • Session cookies are HttpOnly, Secure, and SameSite-restricted outside local development.
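The PKCE and signed-state mechanics named above, as an added illustration that is not ESQx.IT's own code: it generates an S256 code verifier/challenge pair and an HMAC-signed, session-bound, time-limited `state` value, then shows the checks a callback handler performs. The signing key, TTL, and `session_id|nonce|expiry` layout are constructed assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed server-side key for signing the OAuth state parameter (assumption;
# a real deployment loads it from a secrets store, never from source).
STATE_SIGNING_KEY = b"constructed-state-signing-key-do-not-reuse"
STATE_TTL_SECONDS = 600


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method.

    The verifier stays in the server-side session; only the challenge travels
    to the identity provider in the authorization request.
    """
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


def make_signed_state(session_id: str, now: Optional[int] = None) -> str:
    """state = base64url(session_id|nonce|expiry) '.' base64url(HMAC-SHA256).

    Binding the state to the browser session that started the flow means a
    forged or replayed callback cannot complete a login for a different session.
    """
    now = int(time.time()) if now is None else now
    payload = f"{session_id}|{secrets.token_urlsafe(16)}|{now + STATE_TTL_SECONDS}".encode("ascii")
    sig = hmac.new(STATE_SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_signed_state(state: str, session_id: str, now: Optional[int] = None) -> bool:
    """Check signature first, then session binding and expiry of a returned state."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = state.split(".", 1)
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(STATE_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False  # tampered or not issued by us
    try:
        bound_session, _nonce, expiry = payload.decode("ascii").split("|")
        expiry_ts = int(expiry)
    except ValueError:
        return False
    return hmac.compare_digest(bound_session, session_id) and now < expiry_ts
```

The signature is checked before the payload is parsed, and both comparisons use `hmac.compare_digest`, so a callback with a malformed or forged `state` is rejected without leaking timing information about how close it came.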

Authorization & least privilege

  • Role-based access control with roles, granular permissions, and groups. Access is default-deny: users reach only what they have been explicitly granted.
  • Per-firm isolation. The platform is multi-tenant: every record is scoped to its organization, so one firm can never see another firm’s data.
  • Sensitive administrative views, such as the audit log, are restricted to management and administrator roles.
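Default-deny checks and per-firm scoping, as an added example that is not ESQx.IT's own code: the role table, permission names, and record fields are constructed for illustration. The point it makes is that a request passes only when the record belongs to the user's organization and the permission has been explicitly granted through a role or group; anything else, including an unknown role, yields no access.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

# Constructed role -> permission table (assumption; not the platform's real roles).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "attorney": frozenset({"matter.read", "matter.update", "document.read"}),
    "paralegal": frozenset({"matter.read", "document.read"}),
    "administrator": frozenset({"matter.read", "matter.update", "document.read", "audit_log.read"}),
}


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str
    roles: FrozenSet[str] = frozenset()
    group_permissions: FrozenSet[str] = frozenset()  # grants that arrive via group membership


@dataclass(frozen=True)
class Record:
    record_id: str
    org_id: str


def effective_permissions(user: User) -> Set[str]:
    """Union of role and group grants. A role not in the table grants nothing."""
    perms: Set[str] = set(user.group_permissions)
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def is_allowed(user: User, permission: str, record: Record) -> bool:
    """Default-deny: tenant must match AND the permission must be explicitly granted."""
    if record.org_id != user.org_id:
        return False  # cross-firm access is refused before permissions are even consulted
    return permission in effective_permissions(user)


def scoped_query(user: User, records: Iterable[Record]) -> List[Record]:
    """Tenant scoping applied at the data layer, so listings never leak other firms' rows."""
    return [r for r in records if r.org_id == user.org_id]
```

In a real application the `scoped_query` filter lives in the ORM or repository layer so that every query carries the organization predicate; the function-level check above is the same idea reduced to a list comprehension.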

Encryption

  • In transit: all traffic is served over HTTPS/TLS.
  • At rest: sensitive credentials and integration secrets, including 2FA secrets and third-party access tokens, are encrypted using authenticated encryption (AES via Fernet), with encryption keys held separately from data.

Audit trails & accountability

The platform maintains a comprehensive audit log across the systems that matter. Recorded events include sign-in and sign-out, two-factor setup and use, session creation and revocation, password changes, and create/read/update/delete and assignment actions on records. Each entry captures the actor, the action, the affected record, before-and-after values for changes, and the originating IP address and device, giving your firm a complete, reviewable history.

Integrations, handled safely

ESQx.IT connects to the tools your firm already uses: Microsoft 365 and SharePoint, iManage, DocuSign, LawPay, Google, and Twilio. Across these integrations:

  • Third-party access and refresh tokens are encrypted at rest.
  • Outbound webhooks are signed with HMAC-SHA256, and inbound webhooks from partners are verified before they are trusted.
  • Outbound connections use TLS certificate verification.
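HMAC-SHA256 webhook signing and verification, as an added example that is not ESQx.IT's or any partner's code: the header names, the `timestamp.body` signing layout, the skew window, and the shared secret are constructed assumptions. It shows the outbound signer and the inbound verifier side by side, with the verifier refusing to parse the body until the signature and timestamp have been checked.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed shared secret agreed out-of-band with the partner (assumption).
WEBHOOK_SECRET = b"constructed-webhook-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300  # reject deliveries whose timestamp is too far from our clock
SIG_HEADER = "X-Webhook-Signature"   # hypothetical header names
TS_HEADER = "X-Webhook-Timestamp"


def sign_outbound(body: bytes, timestamp: int) -> str:
    """Sign the timestamp together with the raw body; the receiver checks both."""
    msg = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(WEBHOOK_SECRET, msg, hashlib.sha256).hexdigest()


def build_outbound_headers(body: bytes, timestamp: Optional[int] = None) -> Dict[str, str]:
    """Sender side: headers to attach to an outbound webhook delivery."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    return {TS_HEADER: str(timestamp), SIG_HEADER: "sha256=" + sign_outbound(body, timestamp)}


def verify_inbound(headers: Dict[str, str], body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: constant-time signature check over the exact bytes received."""
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER, "")
    if ts_raw is None or not sig.startswith("sha256="):
        return False
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or replayed delivery
    expected = sign_outbound(body, ts)
    return hmac.compare_digest(expected, sig[len("sha256="):])


def handle_inbound(headers: Dict[str, str], body: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Parse the JSON payload only after the signature has been accepted."""
    if not verify_inbound(headers, body, now):
        return None
    return json.loads(body)
```

Two details matter in practice: the signature must be computed over the raw request bytes rather than a re-serialized object, since any re-encoding changes the digest, and the timestamp belongs inside the signed message so an attacker cannot re-date a captured delivery.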

Abuse protection

Rate limiting protects sensitive and automated endpoints from abuse, and public-facing forms use anti-bot measures to reduce spam.

Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability, please email support@jaburgwilk.com with the details and steps to reproduce. Please give us a reasonable opportunity to investigate and remediate before any public disclosure.

This overview is provided for informational purposes and describes the platform’s security architecture in general terms. It is not a warranty or a contractual commitment. For security questions specific to an engagement, contact us directly.