At Legale.io, protecting personal data is not just a legal requirement — it’s a foundational principle in the way we design, develop, and operate our services. As a platform that manages sensitive digital documents and electronic signatures, we handle personally identifiable information (PII) with the highest standards of confidentiality, integrity, and availability, in full alignment with the ISO/IEC 27001 framework.
What Personal Data We Protect
Our platform may process various categories of personal data, including:
• Full names, national IDs, and digital signatures
• Email addresses, phone numbers, and session metadata
• IP addresses and geolocation data
• Sensitive documents uploaded for signing (e.g., employment contracts, NDAs, health-related forms)
We apply data minimization and purpose limitation principles to ensure we only collect and process what is strictly necessary for our services, and only for the purposes that were intended and consented to.
ISO/IEC 27001: Framework for Data Security
Legale.io’s approach to personal data protection is structured within our Information Security Management System (ISMS), certified under ISO/IEC 27001, the leading global standard for managing information security risks.
As part of this system, we have implemented and continuously maintain controls from ISO 27001 Annex A, including:
• A.9 Access Control – Role-based, least-privilege access and secure identity management
• A.10 Cryptographic Controls – Encryption of data at rest and in transit using AES-256 and TLS 1.2+
• A.12 Operational Security – Hardening of servers, patch management, and log auditing
• A.13 Communication Security – Secure APIs, VPN tunneling, and endpoint protection
• A.18 Compliance – Adherence to privacy laws and contractual data handling agreements
Backed by Microsoft Azure: A Secure and Compliant Cloud Foundation
Our infrastructure is hosted entirely on Microsoft Azure, one of the most secure and globally compliant cloud platforms. Azure provides us with a robust, enterprise-grade foundation to support our data protection commitments.
Some of the key advantages include:
• Geo-redundant storage and automated backups, ensuring high availability and disaster recovery
• Azure Defender & Security Center for real-time threat detection and risk scoring
• Compliance with over 100 global standards and regulations, including ISO/IEC 27001, SOC 2, and GDPR
• Virtual Network Isolation, Private Endpoints, and Azure Key Vault for secure key and credential management
• Full support for Data Residency Requirements — your data can be hosted in-region, in compliance with national laws
By combining our ISO 27001-certified practices with Azure’s built-in security and compliance controls, we deliver a resilient and auditable environment for handling personal data at scale.
Legal Compliance & Regulatory Readiness
We actively comply with international and local privacy regulations, including:
• General Data Protection Regulation (GDPR – EU)
• California Consumer Privacy Act (CCPA – US)
• Ley 19.628 sobre Protección de la Vida Privada (Chile)
• Data protection obligations of specific verticals or clients, as required
We maintain up-to-date Data Processing Agreements (DPAs) and enable the exercise of data subject rights — including access, correction, deletion, objection, and portability — through secure workflows.
Privacy by Design and by Default
From system architecture to UI/UX, our platform follows Privacy by Design principles:
• Privacy Impact Assessments (PIA) for every new feature
• Default opt-outs where applicable
• Anonymization or pseudonymization techniques for analytics and internal processing
• Minimal exposure of PII during document workflows
Monitoring, Auditing & Continuous Improvement
Our ISMS includes a continuous improvement model based on:
• Regular internal audits and control effectiveness reviews
• Automated monitoring of Azure resources and data access logs
• Third-party penetration testing and ethical hacking
• A documented Corrective and Preventive Action (CAPA) process for identified risks
We use Drata to automate and monitor ISO 27001 control performance in real time, ensuring that our personal data protection practices remain compliant, transparent, and continuously improving.
Transparency and Client Trust
Transparency is key to our relationship with clients. That’s why we provide:
• Publicly available Privacy Policy and Data Protection Addendum
• Real-time compliance status via our Drata portal
• Detailed documentation of how your data is processed, stored, and protected
At Legale.io, personal data protection is built into every layer of our infrastructure and processes — from our codebase to our hosting provider. By combining ISO 27001-certified controls with the advanced security architecture of Microsoft Azure, we ensure that your data is always managed in a secure, auditable, and compliant environment you can trust.