skip to content

Data Security and Compliance at Everlaw

Security is at the core of everything we do

  • Security Logo - SOC
  • Security Logo - FedRAMP
  • Security Logo - Cyber Essentials
  • Security Logo - HIPAA
  • Security Logo - ISO 27001
  • Security Logo - GDPR
  • Security Logo - StateRAMP
  • Security Logo - ISO27017
  • DPF program

Built on Trust

We know how sensitive your information is, and we work to protect it with trusted infrastructure, rigorous auditing, and best-in-class certifications. Everlaw’s security and compliance program is holistic and part of our core philosophy.


Protect your most sensitive litigation data with access controls including multi-factor authentication, single sign-on support, and granular user management.


All data is encrypted in transit and at rest, in Everlaw’s secure cloud infrastructure.

System Availability

Avoid slowdowns or disruption. Enjoy virtually uninterrupted access to Everlaw, with average annual uptimes exceeding 99.9%, including scheduled maintenance windows.

Proactive Security

Rest secure with Everlaw. We regularly perform proactive intrusion detection, vulnerability scanning, penetration testing, and continuous monitoring on our codebase to identify potential issues before they arise.



Everlaw customers’ data is encrypted, whether it is in transit or at rest. We use hybrid encryption techniques that constitute software-based encryption, hosting solutions (AWS), and self-encrypting drives to align with NIST Special Publication 800-53.

Encryption in Transit: Everlaw serves application data using HTTPS to ensure encryption in transit of all customer data. The Everlaw application uses Transport Layer Security (TLS) version 1.2 or higher to protect HTTPS communications. For email security, our platform leverages TLS opportunistic encryption (OE) by default.

Encryption at Rest: Everlaw leverages the default encryption at rest provided by AWS, which protects the data on disk with AES-256 encryption. We also configure all snapshots to encrypt backup data. Additionally, Everlaw encrypts data at rest using AES-256 to secure inactive data stored on any device or network.

Secure Development

As part of our system of internal control and secure Software Development Lifecycle (SDLC), Everlaw implements data protection and privacy by design principles. We take steps to securely develop and test against security threats to ensure the safety of our customer data. Training our developers and performing design and code reviews takes a prime role, while proper error handling and logging, input validation, and encryption are all part of our SDLC.

Everlaw leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others. Everlaw engineers participate annually in secure code training covering OWASP Top 10 security risks, common threat agents, and Everlaw security controls. In addition, on at least an annual basis, Everlaw employs third-party security experts to perform detailed penetration tests on our web application.

Access Management

Everlaw restricts employees’ access to customer data through role-based access controls. Employees who need to access customer data for the purpose of providing support must follow an access control procedure to gain temporary access. This procedure entails verification of the customer request and evaluation of the necessity for access, based on Everlaw’s security policies.

Everlaw maintains audit logs of requests and approvals per our internal procedures.

Disaster Recovery

Everlaw’s uptime exceeds 99.95% annually, including scheduled maintenance windows. Everlaw has a business continuity and disaster recovery plan that incorporates input from periodic risk assessments, vulnerability scanning and threat analysis, as well as third-party and vendor risk profiles. The business continuity and disaster recovery plans and incident response procedures are tested at least annually and inform the ongoing risk assessment and management process.

Vulnerability Management

Everlaw has an ongoing vulnerability management program that utilizes a variety of vulnerability scanning tools to assess its internal and external network environments against emerging security threats, including OWASP Top 10 security risks. These tools are carefully configured to match our infrastructure requirements and are updated monthly.

Everlaw has an established process to log, prioritize, and remediate discovered vulnerabilities. As described above, in addition to our internal scanning and testing program, Everlaw employs an independent testing team to perform vulnerability scanning and penetration testing on at least an annual basis.


SOC 2 Type 2

Everlaw is SOC 2 Type 2 certified in security, availability, confidentiality, and privacy.

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The SOC 2 reports cover controls around security, availability, and confidentiality of customer data.

To request a copy of Everlaw’s SOC 2 report, contact your Everlaw account manager.

SOC 3 Report

Everlaw’s SOC 3 report is public and provides assurance about the controls at a service organization relevant to security, availability, confidentiality, and privacy Trust Services Principles (TSPs).

It includes a high-level overview of the organization and the control environment and offers a less detailed summary of the information that is generally included in a SOC 2 report. Download Everlaw’s SOC 3 report here.

FedRAMP Authorization

Everlaw has achieved FedRAMP Moderate Authorization for Everlaw’s federal cloud. The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. federal government program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services.

Government customers can learn more about our FedRAMP authorization, here. You may also request Everlaw’s FedRAMP package through the FedRAMP Program Management Office using its package request form.

StateRAMP Authorization

Everlaw has achieved StateRAMP Moderate Authorization. This authorization ensures Everlaw’s security and risk standards meet the critical needs of state government agencies who can securely implement Everlaw’s platform to manage litigation, investigations, public records requests and collaboration.

Click here to see Everlaw’s StateRAMP listing and learn more about the program.

HIPAA Compliance

Everlaw’s SOC 2 Type 2 certification includes an assessment of the applicable HIPAA and HITECH safeguards.

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those health care providers that conduct certain health care transactions electronically.


Everlaw supports our customers’ compliance with the General Data Protection Regulation (GDPR) in relation to the personal data of EU residents and the California Consumer Privacy Act (CCPA) that protects California residents’ privacy rights.

See our Privacy Policy for more information about your privacy rights and how Everlaw manages privacy.

Cyber Essentials Plus

Everlaw is Cyber Essentials Plus certified. Cyber Essentials is the UK government assurance scheme that is operated by the National Cyber Security Centre (NCSC) to help organizations demonstrate operational security and protect information against common threats.

You can view our certification details on the site here.

ISO 27001

Everlaw is ISO/IEC 27001:2022 certified.

The International Organization for Standardization 27001 Standard (ISO 27001) is an information security management system that ensures office sites, development centers, support centers, and data centers are securely managed.

See Everlaw’s ISO/IEC 27001:2022 certificate.

ISO 27017

Everlaw is ISO/IEC 27017:2015 certified.

The International Organization for Standardization 27017 (ISO 27107) is the information security best-practices framework for cloud service providers and their customers.

See Everlaw’s ISO/IEC 27017:2015 certificate.

Success Story

Securing Your Most Sensitive Data

See how the San Francisco District Attorney’s Office leverages the world’s most advanced ediscovery technology to get to the truth of a case, secure its data – and even to bring an abducted child home.

Partner with us by reporting any security issues

Report a concern