Document Vault
The Document Vault is your secure, searchable repository for all legal documents — signed policies, unsigned drafts, matter-related documents, and attorney-client privileged communications. Every document is encrypted at rest with keys stored exclusively in Azure Key Vault.
Security Architecture
The Document Vault uses a Data Encryption Key (DEK) architecture. Each document or conversation thread has its own DEK. DEKs are stored exclusively in Azure Key Vault — they are never written to the database. This means even if the database were compromised, document contents cannot be decrypted without Azure Key Vault access.
- Encryption: AES-256-GCM for all document content
- Key storage: Azure Key Vault (separate from document storage)
- Access control: Vault access requires active authentication + RBAC authorization
- Audit log: Every document access (view, download, share) is recorded
- Key revocation: DEKs can be revoked, immediately preventing access to associated documents
Accessing the Vault
Navigate to Vault in the left sidebar, or access documents contextually from:
- A client policy's Acknowledgements tab → View Signed Document
- A matter's Documents tab
- CRM → Company record → Legal Documents tab
Document Organization
Documents in the vault are organized by:
| Category | What's Included |
|---|---|
| Client Policies | All signed and unsigned client policy documents |
| Matters | Documents attached to open or closed matters |
| Contracts | Contracts submitted for review and completed reviews |
| Templates | Snapshots of policy templates at publish time |
| Correspondence | Formal legal correspondence attached to matters |
| Custom Work | Documents produced for customization requests |
Searching the Vault
The vault search bar supports:
- By client name — Shows all documents for a specific organization
- By document type — Filter to policies, contracts, correspondence, etc.
- By status — Filter to signed, unsigned, draft, archived
- By date range — Documents created or signed within a time window
- By policy template — All instances deployed from a specific template
- By signer — All documents signed by a specific contact
Document Status Indicators
| Badge | Meaning |
|---|---|
| Signed | All required signatures collected |
| Pending | Awaiting one or more signatures |
| Draft | Not yet sent to client |
| Archived | Superseded by a newer version |
| Privileged | Attorney-client privilege flag — restricted access |
Viewing a Document
- Find the document in the vault search results
- Click View to open the document viewer
- The viewer decrypts and renders the document in-browser — no download required for viewing
- Signature blocks, version information, and metadata are shown in the sidebar
- Your vault access is recorded in the audit log
Downloading Documents
- Open the document viewer
- Click Download PDF in the top-right corner
- A signed PDF with metadata is generated and downloaded
- For signed documents, the PDF includes the full signature block with all acknowledgement metadata
Downloaded PDFs include a document ID and hash in the footer. This allows you to verify the authenticity of a printed document matches the vault record.
Version History
Every document that has been updated or replaced shows a version history:
- Open any document
- Click Version History in the sidebar
- Each version shows: version number, date, who made changes, and change summary
- Click View on any prior version to see the document exactly as it was
Previous versions of signed documents include the original signature blocks, preserving the integrity of the historical record.
Attorney-Client Privilege Documents
Documents marked as Privileged have additional access restrictions:
- Only the MSP owner, assigned attorney, and explicitly authorized team members can view them
- Privileged documents are flagged with a badge in all list views
- Access attempts by unauthorized users are blocked and logged
- Your attorney controls which documents receive the privilege flag
To flag a document as privileged:
- Open the document in the vault
- Click Mark Privileged (available to attorney accounts only)
- The document is immediately restricted to privileged access only
Sharing Documents
You can share a signed document with a client or third party from the vault:
- Open the document
- Click Share
- Choose sharing method:
- TheOnePortal — The document becomes viewable in the client's portal (no download link)
- Secure Link — Generates a time-limited download link (expires in 24h or 7d, your choice)
- Email — Send a notification to a specific email address with a secure link
- All shares are recorded in the audit log
Sharing a privileged document removes the privilege protection for the shared copy. Consult your attorney before sharing any attorney-client privileged material.
Audit Trail
Every vault action is logged with:
- User identity (authenticated session)
- Action type (view, download, share, revoke)
- Target document ID and version
- Timestamp
- IP address and user agent
To view the audit trail for a document:
- Open the document
- Click Audit Trail in the sidebar
- All access events for that document are listed in reverse chronological order
For account-wide audit exports, contact support.
Retention Policy
Documents in the vault are retained indefinitely unless explicitly deleted. Deletion requires:
- Admin permission
- Confirmation that the document is not required for any active compliance obligation
- Attorney approval for signed documents
Deleting a signed document removes it permanently from the vault. This action is irreversible. The document should be archived rather than deleted in most cases.