Security

How EuroLaw Hub protects authentication, secrets, content and your documents — written to match the actual production architecture, not a marketing promise.

Last updated · 26 February 2026

Transport and storage

All traffic between your browser and EuroLaw Hub is encrypted in transit over TLS 1.3 with modern cipher suites. HTTP is permanently redirected to HTTPS at the ingress layer.

Data at rest — user records, conversations, uploaded documents, embeddings, alerts and bulletins — is stored in encrypted MongoDB instances managed by our cloud provider, with provider- side disk encryption and access scoped to least-privilege service accounts.

Authentication and sessions

Sign-in today uses email and password. Passwords are hashed server-side with bcrypt (12+ rounds) and never logged, exported or returned in any API response. Sessions are HS256 JWTs with a 30-day expiry, signed with a secret kept exclusively on the backend. The frontend never has access to the signing key.

OAuth (Google + Microsoft Entra ID) is on the roadmap and will use the server-side authorization-code flow with state and PKCE protection. Suspended accounts are blocked at the dependency layer of every authenticated route.

Role-based access control

Every administrative endpoint is gated by a server-side require_admin dependency. Admin role is granted only to designated EuroLaw Hub staff and is never assigned by self- service. The admin dashboard exposes user management, plan overrides, bulletin moderation and activity logs — but not raw document contents or user prompts.

Within the application, a user can only read and modify their own documents, conversations, watches and alerts. Cross-user access is enforced at the data layer and verified by tests on every release.

Document handling and AI training

Documents that you upload to the Research Assistant are processed for the duration of your session and your future research queries. They are chunked, embedded and stored as vectors in our database to support retrieval-augmented research.

Your documents and your prompts are not used to train Anthropic's models. EuroLaw Hub's contractual arrangement with Anthropic prohibits training on customer content. You can delete any document at any time from the Research Assistant page — deletion removes both the original file and its derived embeddings within our standard retention window.

Data residency

EuroLaw Hub is operated from EU cloud regions. Primary database and application compute are hosted in the EU. Anthropic Claude inference may route to Anthropic-controlled infrastructure outside the EU; transfers rely on Anthropic's Data Processing Addendum and Standard Contractual Clauses. See the Privacy Policy for the full sub-processor list and transfer safeguards.

Backups and resilience

The primary database is backed up daily with point-in-time recovery enabled. Backups are encrypted at rest and retained for 30 days. Disaster recovery is tested at least annually.

Breach response (GDPR Art. 33)

In the event of a personal-data breach, EuroLaw Hub will notify the competent supervisory authority without undue delay and where feasible within 72 hours of becoming aware, per Article 33 GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, affected users will also be notified directly under Article 34 in clear and plain language, including a description of the breach, likely consequences and the measures taken or proposed.

Our internal incident-response runbook covers detection, containment, forensic preservation, regulator notification, user communication and post-incident review.

Responsible disclosure

Security researchers are welcome. If you believe you have found a vulnerability in EuroLaw Hub, please email altay@eurolawhub.com with a description of the issue and reproduction steps. We commit to acknowledge within three business days, work with you in good faith on remediation, and credit you publicly if you wish. Please refrain from accessing other users' data, automated load testing, or social engineering of the platform.