Security — access, sessions and local storage
The security model: OAuth with 2FA, a workspace passphrase, idle-lock, session caps, wipe, and browser-local storage.
OAuth and two-factor authentication
Sign-in uses your firm's existing Google or Microsoft identity over OAuth, which means two-factor authentication and any conditional-access policy you already enforce apply unchanged. Acta never sees or stores a password.
The workspace passphrase
On top of identity, the workspace is protected by a passphrase that unlocks the local data on a given device. It is the key to the encrypted material the workspace holds locally, and it is never transmitted.
Idle-lock (15 minutes)
After a period of inactivity the workspace locks itself and the passphrase is required again — a guard against an unattended, unlocked machine in a shared office.
Session cap (8 hours)
Sessions are capped so that an authenticated session cannot live indefinitely; after the cap, a fresh sign-in is required.
Wipe
A wipe clears the workspace's local data from the device. Because the durable record lives in the firm's own Drive or OneDrive, wiping a device removes the local copy without losing the matter.
Browser-local storage
The working data the app needs lives in the browser, on the device, not on an Acta server. The system of record is the firm's own cloud storage. The effect is that there is no central Acta database of client matters to breach, subpoena, or mishandle.