For lawyers
Web security for law firms whose duty of confidentiality reaches the website too.
A leaking website isn’t just a tech issue at a law firm — it’s a duty-of-confidentiality issue. Client intake forms, document upload portals, secure messaging, the contact page on a sensitive matter: every one of them sits on top of the website infrastructure your IT support contact maintains.
Law firm websites collect things you really do not want leaking. The intake form on a family-law page. The conflicts-check questionnaire. The link an opposing counsel sent over an unrelated matter that turned out to be hosted on a shared subdomain. None of this is hypothetical — we have seen it.
AuraWatch checks your website continuously for the security flaws that would expose client information. Findings come in plain English. If your firm operates in the EU or has EU clients, GDPR raises the bar. The website-side controls — encryption, secure form submission, no data leaks via mixed content — are part of what the regulator expects to see evidence of.
Every plan includes your whole team, so your IT partner and your practice manager can both see the dashboard without a second invoice.
Real findings law firms see in their first week
- Client intake form submitted over weak encryption.
The form works, but the server still allows old, retired encryption standards, or a cipher a modern auditor would flag. Confidential information should not cross a connection that fails a public SSL grade.
- Document upload portal with stale software.
The portal vendor released a security fix four months ago. The upgrade has not been applied. Confidential documents are flowing through software with a known security flaw.
- Forgotten subdomain hosting a 2021 microsite.
A dormant events.orcle.subdomain still resolving and still publicly reachable. Subdomain discovery finds it; the vulnerability checks tell you what older software is running underneath and what is exposed.
- Secure-message system without standard browser protections.
The page loads over a secure connection, but a browser can be tricked into downgrading. A handful of modern server settings close that gap; a lot of law-firm portals do not set them.
A note on regulatory and bar obligations
Different jurisdictions, different rules: ABA Model Rule 1.6 in the US, the SRA Standards and Regulations in England & Wales, GDPR for EU client data, equivalent rules in most Commonwealth countries. They all share a common thread: the duty of confidentiality reaches the systems you use to handle client information — including the website. AuraWatch does not replace your professional-conduct counsel, but it gives you the website-side evidence and findings the rules want you to be on top of.
Start free — no card, no payment info.
One target, weekly scans, the core security checks, plain-English findings. Add your client-portal and document-upload subdomains when you upgrade.