Themis Legal

A working brief

Themis Legal.
For advocates who keep their own counsel.

A confidential workspace for cases, hearing notes, and the privileged documents only your firm should ever see. Built so that nobody outside your firm — not even us — can ever read what you store here.

01

Privileged by default

Every document and note is encrypted on your device before it reaches our servers. Per-matter access control. An audit log entry on every privileged read.

02

Offline-first hearings

Take notes in court without wifi. The case file lives on your device; sync resumes when you do.

03

Bilingual, properly

English primary, Arabic secondary, full RTL with logical layout — no half-measures.

Privacy

Your files belong to you, and only to you.

Lawyers handle the most sensitive documents in any profession. Client confidentiality isn't a feature you can opt into — it is the contract you signed the day you took your oath. Themis is built from that single premise: your files belong to you, and to nobody else. Not our engineers, not our database administrators, not a court order served on us, not a state actor with subpoena power. The architecture itself makes those scenarios moot.

We can't read your case files because we don't have the keys. Your keys live on your devices, derived from a password only you know. Every privileged byte that crosses the network has already been encrypted on your side. What our servers see is ciphertext — opaque, unintelligible, useless on its own.

How it works

The technology, in plain English.

You don't need to be a cryptographer to understand what we do. Here's the whole story in four steps.

01

You choose a vault password.

It never leaves your device. It is not stored on our servers in any form. We could not give it away because we never see it. If you forget it, we cannot recover it — that is a deliberate trade-off, and the recovery kit you download at setup is what protects you against it.

02

Your password becomes a key.

Your device runs your password through a slow, deliberately expensive function (Argon2id) that turns it into a unique 256-bit cryptographic key. Slow on purpose: it makes brute-force guessing on a stolen device impractical for a determined adversary even with serious hardware.

03

Files are encrypted on your device.

Before any document leaves your browser or phone, it is encrypted with your firm's key (XChaCha20-Poly1305 — the same family of ciphers that protects modern messaging apps). What lands on our servers is a sealed envelope with no return address. Without the key, the bytes are indistinguishable from random noise.

04

The audit trail proves nothing was touched.

Every privileged action — every read, every grant, every export — writes a row to a tamper-evident ledger. Each row carries the cryptographic hash of the row before it; rewriting history means rewriting every link in the chain, which is detectable from a single anchor point we publish daily.

In practice

What that buys you.

  • We cannot turn your files over to anyone. Not because we choose not to — because we do not have the keys. A subpoena served on us produces ciphertext. The decision to decrypt and respond is yours, made on your hardware.
  • A breach of our database is not a breach of your files. The worst-case scenario — every row we hold leaks publicly — still doesn't expose a single document. The ciphertext is opaque without your password.
  • You can leave with everything you brought. At any time, from Settings → Your data, you can download a full export: every case, every client, every document blob, every audit row, plus an offline decryption tool. KVKK / GDPR data-portability is the floor, not the ceiling.
  • You can verify that nothing was tampered with. The audit log's hash chain lets an external auditor re-walk every row and confirm the ledger has not been rewritten — not by an attacker, not by us, not by a SUPERUSER who dropped the integrity triggers.
  • You can delete everything, for real. Account deletion is final after a 90-day support window: soft-deleted first so we can restore on your request, then hard-purged — every Storage object, every database row — by the weekly cron.