Documate is now Gavel! Read more about why we’re excited about this rebrand.
Learn more
Core Capabilities
Word Document Automation
Automate your Word docs with custom rules
PDF Document Automation
Automate your PDF forms with custom rules
Start with Your Documents
Upload templates to get started
No-Setup Automated Forms
Pre-built court forms and other templates
Legal Commerce Tools
Package and bill for your online legal services
Integrations
Easily link Clio, Docusign, Zapier and more
Product
Solutions
By practice area
Estate Planning LawProbate LawReal Estate LawCorporate LawFamily LawBankruptcy LawImmigration LawEmployment LawPersonal Injury LawIPOther Practice Areas
By company size
Solo PracticesSMB Law FirmsLarge Law FirmsLegal Startups
By use case
Automate Any DocumentManage Client Intake DataMake Custom WorkflowsSell Online Legal ServicesCreate Client-Facing Tools
Resources
Learn
Resources
Enjoy legal tech insights for lawyers
Learning Center
Get started quickly with help articles
Hire an Automator
Find an expert to automate your docs
Guides
Actionable resources for your practice
YouTube
Watch our how-to videos and webinars
Connect
Contact Us
Get in touch with Sales
Events Calendar
Register for Gavel webinars and events
Legal Automation Community
Join our Slack community
Legal App Marketplace
Browse legal apps built with Gavel
Case Studies
Plans & Pricing
Log InGet a Demo
menu-to-close
Get Started
No Credit Card Required
Product
Core Capabilities
Word Document Automation
PDF Document Automation
No-Setup Automated Forms
Legal Commerce Tools
Integrations
Solutions
By practice area
Estate Planning LawProbate LawReal Estate LawCorporate LawFamily LawBankruptcy LawImmigration LawEmployment LawPersonal Injury LawIPOther Practice Areas
By company size
Solo PracticesSMB Law FirmsLarge Law FirmsLegal Startups
BY USE CASE
Automate Any DocumentManage Client Intake DataMake Custom WorkflowsSell Online Legal ServicesCreate Client-Facing Tools
Resources
LearN
Resources
Enjoy LegalTech insights for lawyers
Learning Center
Get started quickly with help articles
Hire an Automator
Find an expert to automate your docs
Guides
Actionable resources for your practice
YouTube
Watch our how-to videos and webinars
Connect
Contact Us
Get in touch with Sales
Events Calendar
Register for Gavel webinars and events
Legal Automation Community
Join our Slack community
Legal App Marketplace
Browse legal apps built with Gavel
Case Studies
Plans & Pricing
Get StartedGet a Demo

Security

The software solution you can trust. Gavel protects your data and your clients' information with top security features and protocols.

Law firms, government organizations, and courts across the world trust Gavel with their sensitive data. As a result, we take several measures to ensure the collection, storage, and transfer of this data is secure. Each Gavel customer is set up on their own subdomain and isolated database.

We continuously monitor for potential vulnerabilities and review and update our code and systems configuration to ensure your data is always protected. Gavel also maintains high standards for code quality, mandatory code reviews, and constant internal security consultations.

Regular Security Tests

Each year, Gavel works with a leading cybersecurity firm that tests the software using the most advanced techniques to ensure that Gavel's platform is secure. This includes implementing a Secure Software Development Life Cycle (SSDLC) to integrate security measures–such as:

  • Static and dynamic source code analyses to incorporate enterprise security; 
  • Security training for developers; and
  • Penetration testing– into the existing development process.

Regular Security Training

Upon onboarding and at least annually afterwards, all employees receive security and compliance training from Gavel’s compliance team.  In these trainings, employees are taught how to avoid, mitigate, spot and manage security risks. 

Data Collection and Transfer

All of the data you and your users collect and transmit is encrypted in transit and at-rest using industry best practices, including Transport Layer Security (TLS). Gavel requires all third party integrations (configurable by you) that receive data from Gavel to provide secure, encrypted endpoints that will receive the data.

Gavel is also the “data processor” and our customers are the “data controllers” as further described in our Terms of Service.  This relationship means Gavel merely provides the infrastructure for customers who then are solely responsible for the set up, configuration, solicitation, collection and storage of data. 

Data Storage

Your data is encrypted at rest with AES-256 encryption in AWS data centers. AWS data centers are managed in accordance with SOC 1-3, PCI DSS Level 1 and ISO 9001/ISO 27001.  For users who use Gavel for payment processing, our payment processing vendors are also PCI compliant.

You have full control over whether the data collected by your workflows is stored in your account.  If you do choose to store data, you also have full control over immediately deleting any and all data in your account. 

Data Encryption

Automatic Encryption
  • Gavel automatically encrypts all data collected on its software before it is persisted in the customer’s tenant.  
Stored Data
  • Each customer has its own separate file, data storage, and database for storing persistent application data. 
  • All data in storage is protected by real-time 256-bit AES encryption and decryption.
Traffic to Gavel’s Application
  • Only HTTPS via SSL encryption to the Web App and Service endpoints–and no other internet traffic–are allowed for traffic to Gavel’s application. 

Data Residency

By default, Gavel will store your data in the United States via Amazon Web Services (AWS) data centers. AWS data centers are equipped to protect mission critical computer systems with full redundancy and compartmentalized security zones. Gavel also offers hosting options in the European Union, Canada, Australia, or any other AWS region (see here). 

The data centers comply with the strictest physical security measures which are detailed here.  Measures include, but are not limited to:

  • CCTV recordings for all physical access points to server rooms;
  • Professional security staff equipped with surveillance, detection systems and other electronic means, at all physical access points; and
  • Restriction and vetting of personnel access to data centers. 

Data centers in all AWS regions securely decommission their storage devices using techniques detailed in NIST 800-88.

Network Security

Internal communication

Internal communication involving or transmitting customer data is encrypted.  Cryptographic controls are also used to protect customer data as outlined in the Data Protection in AWS Key Management Service.

Protecting Wireless Network Environments

To further protect customer data, policies and procedures should be implemented to protect wireless network environments, including but not limited to: 

  • Industry standard firewall protection to restrict unauthorized traffic;
  • Access control so that only vetted and authorized personnel have access to the data;
  • Intrusion Prevention Systems (IPS) to prevent network security attacks; and 
  • Security settings with stronger protections than vendor default settings (e.g. passwords, encryption keys).

PCI Compliant

Gavel only uses and integrates with payment vendors who are operating in accordance with PCI legislation. Gavel does not store any payment information.

Internal Security Protocols

Gavel enforces physical, technical, and administrative protocols, including but not limited to:

  • Two-factor authentication;
  • Background checks;
  • Regular employee security training; and
  • Secure access policies.

Other Vulnerability Evaluations

Gavel is subject to periodic vulnerability assessments by third-party expert cybersecurity firms. Regularly and at least annually, the vulnerability of Gavel’s standard and advanced web application is assessed to identify security vulnerabilities including but not limited to:  

  • Security weaknesses associated with AJAX;
  • Improper input handling (including, but not limited to, cross-site scripting, SQL injection, XML injection and cross site flashing);
  • Cross-site request forgery (CSRF);
  • XML and SOAP attacks;
  • Data validation flaws / data model constraint inconsistencies;
  • Weak session management;
  • Insufficient authentication or authorization;
  • HTTP response splitting;
  • Checklist of the OWASP Framework; and
  • Pre- and post-authentication attacks.

Authentication

Gavel customers may set up two-factor authentication and/or single sign-on (SSO) with your preferred provider in order to further limit access through your organization. We also enforce strong passwords, regular password resets, and will also automatically lock your account for a period of time after too many failed login attempts.

Start a free trial to see Gavel in action.
Book Demo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Start for Free
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Practice Areas
Estate Planning
Family Law
Real Estate
Probate
Corporate
Bankruptcy
Immigration
Employment
IP
Personal Injury
Other Practice Areas
Use Cases
Automate Any Document
Create Client-Facing Tools
Sell Online Legal Services
Legal Startups
Large Firms
Small Firms
Solo Practices
Gavel Blueprint
Gavel + Docusign
Legal Intake Software
Legal Workflow Software
Legal Form Software
Legal Contract Automation
Estate Planning Software
Legal Document Assembly Software
Legal Letter Generation Software
Resources
Learning Center
Templates
Guides
Marketplace
Hire an Automator
Other Resources
Newsletter
YouTube Channel
Legal Clauses
Court Forms
TermsPrivacySecurity
© 2025 Documate, Inc. d/b/a Gavel ("Gavel"). All rights reserved.