Taking Legal Tech Security Seriously
Here at Everlaw, we take security seriously. We know that our customers place a great deal of trust in us, and we work hard to keep that trust every day. Below are some of our key security policies and practices. While not an exhaustive list, it will hopefully demonstrate why we are relied upon by security-conscious law firms, corporations, and governments to handle their most sensitive data.
Hosting and Physical Security
Our primary data store is hosted on secure AWS cloud servers, which surpass industry standards for privacy and security. AWS servers have SAS 70 Type II certification and are FIPS validated.
The data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms, as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff using video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Low-level Access Controls
All data is encrypted in transit via TLS, and at rest using AES-256. We use intrusion detection software to monitor our servers for break-ins, and we are notified immediately if there is any unexpected activity. Our servers are firewalled to prevent external access via any ports other than 80 (HTTP) and 443 (HTTPS).
We use key-only (no passwords) and multi-factor authentication for low-level server access to prevent password-guessing. We also impose IP restrictions that permit this access only from our office network, so third parties cannot reach our servers.
User Access Controls
We employ state-of-the-art practices to prevent cross-site scripting and cross-site request forgery. Access to data can be restricted by user or security group.
All user activity is fully logged on the system. We store when a user has logged in and logged out, and every action he or she has taken on the site – down to which pages of which documents he or she has viewed. This information is visible both to us and to administrators on the case, so any suspicious activity can be detected and acted upon quickly.
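To show how a per-action activity record like the one described above can be turned into detections, here is an added example (not Everlaw's code; the log format, the thresholds and the working-hours policy are assumptions chosen for illustration). It parses a constructed sample of login/logout and document-page-view records and flags two patterns an administrator would want surfaced: a login outside working hours, and a user opening an unusually large number of distinct documents within a short window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of per-action activity records (timestamp, user, action, key=value fields).
# The format is hypothetical; it is not Everlaw's log format.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z alice login
2024-03-04T09:05:10Z alice view doc=1042 page=1
2024-03-04T09:06:30Z alice view doc=1042 page=2
2024-03-04T09:20:00Z alice view doc=1077 page=1
2024-03-04T22:10:00Z bob login
2024-03-04T22:10:05Z bob view doc=2001 page=1
2024-03-04T22:10:07Z bob view doc=2002 page=1
2024-03-04T22:10:09Z bob view doc=2003 page=1
2024-03-04T22:10:11Z bob view doc=2004 page=1
2024-03-04T22:10:13Z bob view doc=2005 page=1
2024-03-04T22:10:15Z bob view doc=2006 page=1
2024-03-04T22:11:00Z bob logout
"""


def parse_log(text):
    """Parse the sample format into (timestamp, user, action, doc_id_or_None) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        user, action = parts[1], parts[2]
        fields = dict(p.split("=", 1) for p in parts[3:])
        events.append((ts, user, action, fields.get("doc")))
    return events


def find_suspicious(events, max_docs=5, window=timedelta(minutes=10), work_hours=(7, 20)):
    """Return (user, finding_kind, detail) tuples.

    Thresholds are illustrative assumptions: a login outside work_hours (UTC) is flagged,
    and a user who views more than max_docs distinct documents inside a sliding window is
    flagged once for bulk access.
    """
    findings = []
    recent = defaultdict(deque)  # user -> deque of (timestamp, doc) views inside the window
    flagged_bulk = set()
    for ts, user, action, doc in events:  # events are assumed to be in time order
        if action == "login" and not (work_hours[0] <= ts.hour < work_hours[1]):
            findings.append((user, "off_hours_login", ts.isoformat()))
        if action == "view" and doc is not None:
            q = recent[user]
            q.append((ts, doc))
            while q and ts - q[0][0] > window:  # drop views that fell out of the window
                q.popleft()
            distinct = {d for _, d in q}
            if len(distinct) > max_docs and user not in flagged_bulk:
                flagged_bulk.add(user)
                findings.append((user, "bulk_document_access",
                                 f"{len(distinct)} distinct documents within {window}"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_log(SAMPLE_LOG)):
        print(finding)
```

The bulk-access check is deliberately per-user and per-window rather than a global count, since a reviewer legitimately reading one long document page by page should not trip it; only breadth of access across many documents in a short time does.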
When two-factor authentication is activated for a case, users are required to authenticate every computer or device through which they access Everlaw by providing both their password and another piece of information. The second factor can either be a one-time code delivered to their email address, or a rolling code from the Google Authenticator app on their mobile device.
Except as required to provide the service or as otherwise required by applicable law, we do not disclose data to any third party.
We do not store any information not expressly provided by users, regardless of whether their browser sends a “Do Not Track” signal.
Data is stored in triplicate in different geographical locations, with 99.999999999% yearly durability. User work product is backed up in this same fashion 6 times a day. Recovery is provided as part of Amazon’s cloud offerings.
Unless otherwise specified, we will purge all copies of any user data at the conclusion of the case. That includes local, cloud, and original media.
We have never experienced any breach in security of client data and work hard to continue that trend. However, we are insured in case a loss of data causes our users economic harm. Should such an event occur due to our negligence, we would immediately put in place steps to minimize the damages and to improve our processes. Should such a breach occur as a result of malicious behavior by an employee of Everlaw, that person would be immediately released and his or her access to the platform revoked.
We have completed a SOC 2 Type 1 audit, in which we were certified in meeting the requisite compliance requirements. We will happily share the full results of that audit upon request. (Update: Since the date of this original post, Everlaw achieved a SOC 2 Type 2 certification in Security, Availability, and Confidentiality. Everlaw is also compliant with HIPAA business associate standards in protecting PHI and ePHI.)
Protecting data is our top priority. We hope that our continuing commitment to security, as well as our transparency regarding policies and practices, sets your mind at ease. If you have any more questions about Everlaw’s security, don’t hesitate to comment below or to contact us.