Privacy-first · Case study

Security and infrastructure for a legal aid nonprofit

6 min read

The organization

A legal aid nonprofit providing free legal services to immigrant communities. The organization employs eight attorneys, four paralegals, and a small administrative team. They handle asylum cases, family law matters, and civil rights complaints — work that generates a large volume of privileged client records including immigration status, personal histories, and case strategy documents.

Their funding comes from a mix of foundations, government grants, and individual donors. Several funders had begun asking more pointed questions about how client data was protected, and a recent grant application had specifically required a data security plan.

The problems

Attorney-client privilege meets cloud ambiguity. Case files lived in a commercial cloud storage platform that the organization had adopted years ago for convenience. No one on staff knew exactly where the data was stored, which subprocessors had access, or whether the configuration met their ethical obligations around privileged communications. An attorney at a partner organization had recently been flagged by their state bar for inadequate data protections — a cautionary tale that accelerated the conversation.
No security baseline. The organization had never had a security assessment. Workstations ran consumer antivirus. The WiFi password hadn't changed in three years. Two-factor authentication was enabled on some accounts but not others. The IT "team" was one paralegal who was good with computers.
Funders wanted evidence, not promises. Multiple grant reports now included questions about cybersecurity controls, data breach notification procedures, and data handling practices. The organization could describe what they thought they were doing, but couldn't produce evidence or documentation that would satisfy a serious review.
Client confidentiality in a hostile environment. Some of their clients had active deportation proceedings. A data breach wouldn't just be embarrassing — it could put clients at physical risk. The staff understood the stakes but didn't have the technical knowledge to know what "good enough" looked like.

What we did

Phase 1: Security assessment

We ran a practical security assessment scaled to the organization's size and risk profile. This wasn't an enterprise pentest — it was a focused evaluation of the controls that mattered most for protecting privileged legal records.

We assessed endpoint security, access controls, network configuration, email security, and cloud storage settings. We mapped out where sensitive data actually lived (which turned out to be significantly more places than anyone expected), identified who had access to what, and documented the gaps between their current state and where they needed to be.

The output was a prioritized remediation plan with clear, actionable steps — ordered by risk impact, not by what was easiest to fix. We also produced a compliance-ready summary document their grants team could use immediately.

Phase 2: Hardening and quick wins

We implemented the highest-priority fixes from the assessment: enforcing two-factor authentication across all accounts, configuring email security (SPF, DKIM, DMARC), updating endpoint protections, segmenting the guest WiFi, and locking down the cloud storage permissions that had been over-provisioned since initial setup.

We also ran a focused training session for the legal team — covering phishing recognition, secure file sharing practices, and what to do if they suspected a compromised account. The training was built around examples drawn from actual attacks targeting legal aid organizations, not generic corporate scenarios.

Phase 3: Secure file storage migration

We migrated the organization's case files and internal documents to a self-hosted Nextcloud instance on our Iceland/EU infrastructure. This gave them:

Encrypted file storage with clear data residency — no ambiguity about where privileged records are stored
Granular access controls with per-folder permissions, so case teams only access the files relevant to their matters
Version history and audit logging for compliance documentation
Desktop and mobile sync clients that work the same way the attorneys were already used to working

The migration was staged over two weeks — running the new system in parallel with the old one so no one's workflow was disrupted. By the end, every active case file had been moved to the new system and the old cloud storage was decommissioned.

Phase 4: Ongoing support

Because the organization doesn't have dedicated IT staff, we provide ongoing managed hosting for their Nextcloud instance — handling updates, backups, monitoring, and user management. When a new attorney joins or a case team needs a new shared workspace, they email us and it's done within hours.

The outcome

A documented security baseline with evidence their funders can review — produced from actual testing, not self-reported questionnaires
Hardened endpoints, email, and access controls across the organization
Privileged case files stored in a known jurisdiction with encryption, access controls, and audit logging
A clear, defensible answer to "where is client data stored and who has access?" — for funders, for the state bar, and for their own peace of mind
Managed infrastructure with predictable monthly costs and no IT staffing requirement

"We were one bad grant report away from a real problem. Now we have a security posture we can actually document — and client data in a place we can explain and defend."

Services used

Does this scenario sound like your organization?

Every engagement starts with a scoping call — no sales pitch, just a conversation about your threats, your team, and what you need.

Schedule a call