We know how sensitive your information is, and we work to protect it with trusted infrastructure, rigorous auditing, and best-in-class certifications. Everlaw’s security and compliance program is holistic and part of our core philosophy.
Protect your most sensitive litigation data with access controls including multi-factor authentication, single sign-on support, and granular user management.
All data is encrypted in transit and at rest, in Everlaw’s secure cloud infrastructure.
Avoid slowdowns or disruption. Enjoy virtually uninterrupted access to Everlaw, with average annual uptimes exceeding 99.9%, including scheduled maintenance windows.
Rest secure with Everlaw. We regularly perform proactive intrusion detection, vulnerability scanning, penetration testing, and continuous monitoring on our codebase to identify potential issues before they arise.
Encryption
Everlaw customers’ data is encrypted, whether it is in transit or at rest. We use hybrid encryption techniques that constitute software-based encryption, hosting solutions (AWS), and self-encrypting drives to align with NIST Special Publication 800-53.
Encryption in Transit: Everlaw serves application data using HTTPS to ensure encryption in transit of all customer data. The Everlaw application uses Transport Layer Security (TLS) version 1.2 or higher to protect HTTPS communications. For email security, our platform leverages TLS opportunistic encryption (OE) by default.
Encryption at Rest: Everlaw leverages the default encryption at rest provided by AWS, which protects the data on disk with AES-256 encryption. We also configure all snapshots to encrypt backup data. Additionally, Everlaw encrypts data at rest using AES-256 to secure inactive data stored on any device or network.
Secure Development
As part of our system of internal control and secure Software Development Lifecycle (SDLC), Everlaw implements data protection and privacy by design principles. We take steps to securely develop and test against security threats to ensure the safety of our customer data. Training our developers and performing design and code reviews takes a prime role, while proper error handling and logging, input validation, and encryption are all part of our SDLC.
Everlaw leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others. Everlaw engineers participate annually in secure code training covering OWASP Top 10 security risks, common threat agents, and Everlaw security controls. In addition, on at least an annual basis, Everlaw employs third-party security experts to perform detailed penetration tests on our web application.
Access Management
Everlaw restricts employees’ access to customer data through role-based access controls. Employees who need to access customer data for the purpose of providing support must follow an access control procedure to gain temporary access. This procedure entails verification of the customer request and evaluation of the necessity for access, based on Everlaw’s security policies.
Everlaw maintains audit logs of requests and approvals per our internal procedures.
Disaster Recovery
Everlaw’s uptime exceeds 99.95% annually, including scheduled maintenance windows. Everlaw has a business continuity and disaster recovery plan that incorporates input from periodic risk assessments, vulnerability scanning and threat analysis, as well as third-party and vendor risk profiles. The business continuity and disaster recovery plans and incident response procedures are tested at least annually and inform the ongoing risk assessment and management process.
Vulnerability Management
Everlaw has an ongoing vulnerability management program that utilizes a variety of vulnerability scanning tools to assess its internal and external network environments against emerging security threats, including OWASP Top 10 security risks. These tools are carefully configured to match our infrastructure requirements and are updated monthly.
Everlaw has an established process to log, prioritize, and remediate discovered vulnerabilities. As described above, in addition to our internal scanning and testing program, Everlaw employs an independent testing team to perform vulnerability scanning and penetration testing on at least an annual basis.
SOC 2 Type 2
Everlaw is SOC 2 Type 2 certified in security, availability, confidentiality, and privacy.
The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The SOC 2 reports cover controls around security, availability, and confidentiality of customer data.
To request a copy of Everlaw’s SOC 2 report, contact your Everlaw account manager.
SOC 3 Report
Everlaw’s SOC 3 report is public and provides assurance about the controls at a service organization relevant to security, availability, confidentiality, and privacy Trust Services Principles (TSPs).
It includes a high-level overview of the organization and the control environment and offers a less detailed summary of the information that is generally included in a SOC 2 report. Download Everlaw’s SOC 3 report here.
HIPAA Compliance
Everlaw’s SOC 2 Type 2 certification includes an assessment of the applicable HIPAA and HITECH safeguards.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those health care providers that conduct certain health care transactions electronically.
GDPR & CCPA
Everlaw supports our customers’ compliance with the General Data Protection Regulation (GDPR) in relation to the personal data of EU residents and the California Consumer Privacy Act (CCPA) that protects California residents’ privacy rights.
See our Privacy Policy for more information about your privacy rights and how Everlaw manages privacy.
Cyber Essentials Plus
Everlaw is Cyber Essentials Plus certified. Cyber Essentials is the UK government assurance scheme that is operated by the National Cyber Security Centre (NCSC) to help organizations demonstrate operational security and protect information against common threats.
You can view our certification details on the NCSC.gov.uk site here.
ISO 27001
Everlaw is ISO/IEC 27001:2022 certified.
The International Organization for Standardization 27001 Standard (ISO 27001) is an information security management system that ensures office sites, development centers, support centers, and data centers are securely managed.
ISO 27017
Everlaw is ISO/IEC 27017:2015 certified.
The International Organization for Standardization 27017 (ISO 27107) is the information security best-practices framework for cloud service providers and their customers.
ISO 27018
Everlaw is ISO/IEC 27018:2019 certified.
The International Organization for Standardization 27018 (ISO 27018) is the security and privacy best-practices framework for protecting personal data in cloud environments. It provides guidelines for cloud service providers to ensure the safeguarding of personally identifiable information (PII).
Play this video on Vimeo
Success Story
See how the San Francisco District Attorney’s Office leverages the world’s most advanced ediscovery technology to get to the truth of a case, secure its data – and even to bring an abducted child home.
Partner with us by reporting any security issues
Overview
White Paper
White Paper
Webinar