Security is not a feature.
It is the foundation.
Cite8 is built on Microsoft Azure with enterprise-grade security at every layer — from the network perimeter to the database row.
Network Perimeter
Every request to Cite8 passes through multiple Azure network security layers before it ever reaches application code.
All traffic enters through Azure Front Door with the Web Application Firewall in Prevention mode. The WAF applies the OWASP Core Rule Set and drops requests that match its signatures for SQL injection, cross-site scripting, remote code execution and path traversal before they reach our servers; it is a first filter, not a substitute for input validation in application code. DDoS Protection Standard absorbs volumetric attacks automatically.
The API is not exposed directly to the internet. Every call routes through Azure API Management (APIM), which enforces rate quotas, IP filtering, JWT pre-validation and request transformation. Requests that do not conform to the defined schema are rejected before reaching backend services. The APIM token check is defense in depth: the backend validates every token again, as described under Authentication.
General endpoints are capped at 100 requests per minute. Authentication endpoints are limited to 10 requests per 5 minutes per source IP, which makes online credential stuffing from a single address impractical; the per-account lockout described under Authentication covers attempts spread across many addresses. Requests exceeding these limits receive HTTP 429 with no further processing.
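The two limits above are enforced in APIM policy on the platform itself. The following stand-alone Python is an added illustration of the decision logic, not Cite8 code: a sliding-window counter keyed on route class and client IP that returns 200 or 429 together with a Retry-After value. The route-class names, the example IP addresses and the timestamps are constructed for the example.

```python
from collections import defaultdict, deque

# (max requests, window in seconds) per route class; the values come from the page.
LIMITS = {
    "general": (100, 60),
    "auth": (10, 300),
}


class SlidingWindowLimiter:
    """Counts admitted requests per (route class, client IP) in a moving window."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self._hits = defaultdict(deque)  # key -> timestamps of admitted requests

    def check(self, route_class, client_ip, now):
        """Return (status, retry_after_seconds).

        200 means the request is admitted; 429 means the caller has exhausted
        its window and the request is dropped without further processing.
        """
        limit, window = self.limits[route_class]
        q = self._hits[(route_class, client_ip)]
        # Forget admitted requests that have aged out of the window.
        while q and now - q[0] >= window:
            q.popleft()
        if len(q) >= limit:
            retry_after = int(window - (now - q[0])) + 1
            return 429, retry_after
        q.append(now)
        return 200, 0


def credential_stuffing_burst(limiter, ip="203.0.113.7", attempts=25, start=1000.0):
    """Simulate login attempts from one IP, one second apart (constructed input).

    Returns the status code for each attempt: with the auth limit, the first
    10 are admitted and the remaining 15 are refused with 429.
    """
    return [limiter.check("auth", ip, start + i)[0] for i in range(attempts)]


if __name__ == "__main__":
    limiter = SlidingWindowLimiter()
    codes = credential_stuffing_burst(limiter)
    print(f"{codes.count(200)} admitted, {codes.count(429)} rejected")
```

Keying on the source IP alone stops a single host; a distributed attack rotates addresses, which is why the per-account lockout counter under Authentication is a separate control rather than a duplicate of this one.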
All communication is encrypted in transit using TLS 1.2+. HTTPS redirection is enforced at the application layer. Azure App Service certificates are automatically managed and renewed. No path through the platform allows unencrypted data transmission.
Cross-Origin Resource Sharing is configured to an explicit allowlist: only the cite8.ai origin may make credentialed cross-origin calls to the API from a browser, and AllowAnyOrigin is never used in production. CORS governs what a browser will let a page read; it is not an authentication control, so every API request still carries a validated token or session cookie.
ASP.NET Core anti-forgery token validation is enforced on all state-changing requests, providing defense against CSRF attacks. Tokens are automatically rotated per session.
Authentication
Who you are is verified cryptographically on every single request.
The API uses JSON Web Tokens signed with HMAC-SHA256. Every token is validated on each request for correct issuer, audience, valid signature and active lifetime. Tokens expire after 8 hours, and expired tokens are unconditionally rejected. Because HS256 is a symmetric scheme, anyone holding the signing key can mint valid tokens; the key is therefore loaded from Azure Key Vault at startup and never shipped with the application.
The web application uses HttpOnly, Secure, SameSite=Lax session cookies. Script cannot read the cookie, so an XSS payload cannot exfiltrate the session; it could still issue requests from the victim's browser, which is why the WAF and the anti-forgery checks above remain in place. Sliding expiration is enabled with a 30-day window.
Passwords are never stored; only PBKDF2-HMAC-SHA256 hashes produced by ASP.NET Core Identity's PasswordHasher are. Each hash carries a unique random per-user salt and its own iteration count, so precomputed (rainbow) tables are useless and the work factor can be raised over time without invalidating existing accounts.
Failed login attempts are counted per account. After a configurable threshold of failures the account is locked and LockoutEnd is set; because the counter is per account rather than per IP, it also covers attempts spread across many addresses. Administrators can lock accounts indefinitely from the admin panel.
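The platform's token and password handling is done by ASP.NET Core; the two stand-alone Python blocks that follow are added illustrations of the underlying mechanisms, not Cite8 code. The first mints an HS256 JWT and then runs the four checks listed above (signature, issuer, audience, lifetime) in the order that matters: the algorithm is pinned and the signature is verified before any claim is trusted. The issuer and audience strings, the demo key and the timestamps are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://api.cite8.ai"     # assumed issuer value
AUDIENCE = "cite8-web"              # assumed audience value
LIFETIME_SECONDS = 8 * 60 * 60      # 8-hour lifetime, as stated on the page


def b64url(data):
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, role, key, now=None):
    """Mint a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "role": role,
              "iat": now, "exp": now + LIFETIME_SECONDS}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_token(token, key, now=None):
    """Return the claims if every check passes, otherwise raise ValueError.

    The algorithm is pinned and the signature is verified before any claim is
    read, so a forged payload or an "alg": "none" header never reaches the
    issuer, audience and lifetime checks.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
    except (ValueError, UnicodeDecodeError):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def tamper_role(token, new_role):
    """Attacker's move: rewrite the role claim but keep the original signature."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(b64url_decode(p64))
    claims["role"] = new_role
    return h64 + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s64


def check(token, key, now):
    """'ok' if the token is accepted, otherwise the rejection reason."""
    try:
        validate_token(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    t0 = 1_700_000_000
    token = issue_token("user-123", "Attorney", key, now=t0)
    print(check(token, key, t0 + 60))                              # ok
    print(check(token, key, t0 + LIFETIME_SECONDS))                # token expired
    print(check(tamper_role(token, "SuperAdmin"), key, t0 + 60))   # bad signature
```

The tamper_role helper shows why signature-before-claims ordering matters: a role elevation that keeps the original signature is rejected before the role is ever read.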
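The second added example, again stand-alone Python and not Cite8 code, produces and verifies salted PBKDF2-HMAC-SHA256 hashes in the byte layout ASP.NET Core Identity's PasswordHasher uses for its version-3 format (format marker, PRF id, iteration count, salt length, salt, subkey, base64-encoded). It shows the two properties the paragraph above relies on: a fresh random salt per hash, and an iteration count stored with the hash so the work factor can be raised and old hashes re-hashed on the next successful login. The iteration count used here is an assumption; Identity's default has changed across .NET versions.

```python
import base64
import hashlib
import hmac
import os
import struct

FORMAT_MARKER = 0x01       # Identity V3 format marker
PRF_HMACSHA256 = 1         # KeyDerivationPrf.HMACSHA256
ITERATIONS = 100_000       # assumed current work factor
SALT_BYTES = 16            # 128-bit salt
SUBKEY_BYTES = 32          # 256-bit derived key


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return the base64 hash string; a fresh random salt is drawn per call."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, SUBKEY_BYTES)
    # Header is big-endian: marker (1 byte), prf, iteration count, salt length (4 bytes each).
    blob = struct.pack(">BIII", FORMAT_MARKER, PRF_HMACSHA256, iterations, len(salt))
    return base64.b64encode(blob + salt + subkey).decode("ascii")


def verify_password(stored, password):
    """Return (ok, rehash_needed).

    Every parameter comes from the stored hash rather than from configuration,
    so hashes made with an older iteration count still verify; rehash_needed
    flags them so the caller can re-hash with the current ITERATIONS.
    """
    try:
        blob = base64.b64decode(stored)
    except ValueError:
        return False, False
    if len(blob) < 13 or blob[0] != FORMAT_MARKER:
        return False, False
    prf, iterations, salt_len = struct.unpack(">III", blob[1:13])
    if prf != PRF_HMACSHA256 or iterations == 0:
        return False, False
    salt = blob[13:13 + salt_len]
    expected = blob[13 + salt_len:]
    if len(salt) != salt_len or not expected:
        return False, False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, len(expected))
    ok = hmac.compare_digest(actual, expected)   # constant-time comparison
    return ok, ok and iterations < ITERATIONS


if __name__ == "__main__":
    h1 = hash_password("correct horse battery staple")
    h2 = hash_password("correct horse battery staple")
    print(h1 != h2)                                                # True: different salts
    print(verify_password(h1, "correct horse battery staple"))     # (True, False)
    print(verify_password(h1, "wrong"))                            # (False, False)
```

Verification parses its parameters from the stored value deliberately: the iteration count is part of the hash, not of the server configuration, which is what lets the work factor grow without a forced password reset.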
Admin-created accounts have MustChangePassword set. The user is redirected to the password change flow immediately on login and cannot access any other part of the platform until a new password is set.
No two accounts may share an email address. Uniqueness is enforced at registration and update time. Duplicate email errors return a generic message, preventing user enumeration attacks.
Authorization & Access Control
Authentication proves who you are. Authorization enforces what you are allowed to do — and the two are never confused.
Controllers are decorated with named policies enforced by ASP.NET Core authorization middleware. SuperAdmin-only endpoints are inaccessible to any other role regardless of token content. No endpoint relies solely on client-side gating.
All API controllers require authentication unless explicitly annotated [AllowAnonymous]. Public endpoints are individually reviewed and scoped to exactly the data required. PII, attorney data, and financial records are never reachable without a valid authenticated session.
Data Security & Storage
Your data is encrypted at rest and in transit, stored in geo-redundant Azure infrastructure, and accessible only through cryptographically authorized channels.
All application data is stored in Azure Cosmos DB with AES-256 encryption at rest, which is enabled by default. Cosmos DB offers up to 99.999% availability SLAs with automatic multi-region replication. Data is logically partitioned by user and case context; the partition key is a storage and throughput boundary, and tenant isolation is enforced by the authorization layer described above.
All documents are stored in Azure Blob Storage with PublicAccessType.None, so no blob is reachable via a direct URL. Access is granted only through time-limited, read-only SAS tokens generated per request and scoped to the specific blob; a token is minted only after the application has confirmed the caller is authorized for that document, and it confers nothing on any other blob.
Records are not hard-deleted on user request. An IsDeleted flag is set, which hides them from queries while preserving them for legal hold and audit purposes. Full deletion can be performed by administrators on a case-by-case basis.
Documents are stored under randomly generated GUID prefixes ({Guid}/{FileName}) rather than predictable paths. A per-blob SAS cannot be replayed against a different blob regardless of its path, and the random prefix means a leaked path reveals nothing about neighbouring documents and prevents collisions between uploads that share a file name.
Cite8 uses DefaultAzureCredential from the Azure.Identity library wherever possible, authenticating to Cosmos DB, Blob Storage and Communication Services via a system-assigned managed identity. Access is therefore governed by Azure RBAC role assignments on each resource rather than by shared keys, and there are no connection-string credentials in environment variables.
Sensitive secrets — JWT signing keys, Stripe API keys, webhook secrets — are sourced from Azure Key Vault at startup. Secrets are never baked into container images, committed to source control, or logged. Access is controlled by managed identity.
Payment Security
Cite8 never touches your card number. Payment processing is handled entirely by Stripe, the world's most trusted payment infrastructure.
Cite8 has no access to raw card numbers, CVVs, or full PAN data. All payment collection uses Stripe's PCI-DSS Level 1 certified Checkout sessions — card data flows directly from your browser to Stripe and never touches Cite8 infrastructure.
All Stripe webhook events are verified before any business logic executes: the Stripe-Signature header carries an HMAC-SHA256 computed with the endpoint's signing secret over the raw request body and a timestamp, and requests whose signature does not match are rejected with HTTP 400. Events are deduplicated by Stripe event ID, so a redelivered event is acknowledged but never processed twice, which rules out double fulfilment or double charging on retries.
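The platform does this check in its ASP.NET Core webhook endpoint; the following stand-alone Python is an added illustration of the same protocol, not Cite8 code. It recomputes Stripe's v1 signature (HMAC-SHA256 over "<timestamp>.<raw body>"), enforces a freshness window on the timestamp to defeat replays, and only then dispatches the event once per event ID. The signing secret, event payloads and header values are constructed for the example.

```python
import hashlib
import hmac
import json

TOLERANCE_SECONDS = 300   # Stripe's default replay window for the t= timestamp


def sign_payload(secret, payload, timestamp):
    """v1 signature: HMAC-SHA256 over "<timestamp>.<raw body>" with the endpoint secret."""
    signed = f"{timestamp}.".encode("ascii") + payload
    return hmac.new(secret.encode("ascii"), signed, hashlib.sha256).hexdigest()


def verify_signature(secret, payload, header, now):
    """True only if some v1 signature matches and the timestamp is within tolerance.

    The header may carry several v1 values while a secret rotation is in
    progress, so every one is tried; comparison is constant-time.
    """
    timestamp, candidates = None, []
    for item in header.split(","):
        k, _, v = item.partition("=")
        if k == "t":
            timestamp = v
        elif k == "v1":
            candidates.append(v)
    if timestamp is None or not timestamp.isdigit() or not candidates:
        return False
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False          # stale or future-dated: treat as a replay
    expected = sign_payload(secret, payload, timestamp)
    return any(hmac.compare_digest(expected, c) for c in candidates)


class WebhookProcessor:
    """Signature check first, then idempotent dispatch keyed on the Stripe event id."""

    def __init__(self, secret):
        self.secret = secret
        self.seen_event_ids = set()   # stands in for the durable event record
        self.fulfilled = []           # business side effect: checkout sessions fulfilled

    def handle(self, raw_body, sig_header, now):
        """Return the HTTP status the endpoint would answer with."""
        if not verify_signature(self.secret, raw_body, sig_header, now):
            return 400                # rejected before any business logic runs
        event = json.loads(raw_body)
        if event["id"] in self.seen_event_ids:
            return 200                # redelivery: acknowledge, do nothing
        self.seen_event_ids.add(event["id"])
        if event["type"] == "checkout.session.completed":
            self.fulfilled.append(event["data"]["object"]["id"])
        return 200


if __name__ == "__main__":
    secret = "whsec_example_secret"   # constructed for the example
    processor = WebhookProcessor(secret)
    body = b'{"id":"evt_1","type":"checkout.session.completed","data":{"object":{"id":"cs_1"}}}'
    t = 1_700_000_000
    header = f"t={t},v1={sign_payload(secret, body, t)}"
    print(processor.handle(body, header, t + 5), processor.handle(body, header, t + 9))  # 200 200
    print(processor.fulfilled)                                                           # ['cs_1']
```

Two details matter in practice: the signature must be computed over the raw bytes Stripe sent, not over a re-serialised object, and the seen-event set has to be a durable store written with a conditional insert so two concurrent deliveries of the same event cannot both pass the check.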
Attorney payouts are processed through Stripe Connect Express accounts. Platform fee splits are calculated automatically at the payment layer. Attorneys receive funds directly to their Stripe account; Cite8 never holds attorney funds.
Every payment event — success, failure, refund, or payout — is written to an immutable record in Cosmos DB with timestamps, amounts, Stripe event IDs, and processing status. Nothing is silently discarded.
AI & Document Handling
AI-generated content is treated as a draft, not a decision. Every document passes through attorney review before it carries any legal weight.
Cite8 uses Azure OpenAI Service for AI document generation. Under Microsoft's enterprise Azure OpenAI data-handling terms, prompts and completions are not used to train models and are not logged by Microsoft for model improvement. Any retention under Azure OpenAI's separate abuse-monitoring feature is governed by that feature's own configuration and is distinct from the platform's own document storage.
No AI-generated document is ever delivered as a final legal document without passing through an attorney review workflow. Every AI draft is queued for review, editing, and approval before delivery.
Every document maintains a version counter and PreviousVersionId pointer. The full edit history is preserved — you can always see what the AI generated, what the attorney changed, and when. Privileged documents are access-gated by role.
Before an attorney is matched to a matter, a conflict-of-interest check runs server-side against existing matters and the opposing party registry. A conflicted attorney cannot be assigned to or view a matter.
Communications Security & Compliance
All platform communications — email and SMS — are handled through Azure Communication Services with legal compliance built in at the code level.
Every outbound email is checked for a compliant unsubscribe link before delivery. Email opt-out is respected immediately and permanently. Delivery status — sent, opened, clicked — is tracked per recipient.
SMS messages are never sent without explicit opt-in consent. Every SMS automatically appends 'Reply STOP to opt out.' Opt-out keywords are handled in real time and the opt-in flag is immediately revoked.
Every outbound communication is written to an immutable log with recipient ID, channel, subject, template ID, delivery status, and error messages. This is the authoritative record for any compliance inquiry.
In-platform real-time notifications are delivered via Azure SignalR Service. SignalR connections are authenticated — only the owner of a session receives their notifications. No sensitive events are broadcast.
Audit Trail & Observability
Everything that matters is logged. Nothing is opaque.
Every change to a plaintiff matter creates an immutable audit log entry capturing the acting user ID, action type, IP address, previous value, new value and timestamp. This gives every matter a complete change history that can be produced for audit or in discovery.
All application tiers emit structured telemetry to Azure Application Insights. Request traces, dependency calls, exceptions, and custom events are captured in real time. Alerts fire on error rate spikes and authentication failure surges.
Errors are logged with structured context: user ID, operation, request path and stack trace. Authentication failures, webhook errors and deactivation events all generate identifiable log entries. User and request identifiers are recorded as opaque IDs; passwords, tokens, secrets and document contents are never written to logs.
Azure APIM captures a complete API call log independent of the application layer — client IPs, response codes, latency, and policy outcomes. This provides a second, independent audit trail that cannot be tampered with at the application level.
100% Microsoft Azure
Every component of the Cite8 platform runs on Microsoft Azure in the United States.
Have a security question?
If you have discovered a potential vulnerability or have questions about our security posture, please contact our security team directly.
Contact Security Team