Data Security and Compliance at Everlaw

Secure Development

As part of our system of internal control and secure Software Development Lifecycle (SDLC), Everlaw implements data protection and privacy by design principles. We take steps to securely develop and test against security threats to ensure the safety of our customer data. Training our developers and performing design and code reviews takes a prime role, while proper error handling and logging, input validation, and encryption are all part of our SDLC.

Everlaw leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others. Everlaw engineers participate annually in secure code training covering OWASP Top 10 security risks, common threat agents, and Everlaw security controls. In addition, on at least an annual basis, Everlaw employs third-party security experts to perform detailed penetration tests on our web application.

Access Management

Everlaw enforces role-based access controls. Employees are granted a limited set of default permissions to access company resources, such as company email and internal company portals. Privileged access requires formal account management and an access control procedure that involves review and approval from a line manager or other executives, as dictated by Everlaw’s security policies. All requests are logged and managed to maintain the audit records.

Disaster Recovery

Everlaw’s uptime exceeds 99.95% annually, including scheduled maintenance windows. Everlaw has a business continuity and disaster recovery plan that incorporates input from periodic risk assessments, vulnerability scanning and threat analysis, as well as third-party and vendor risk profiles. The business continuity and disaster recovery plans and incident response procedures are tested at least annually and inform the ongoing risk assessment and management process.

Vulnerability Management

Everlaw has an ongoing vulnerability management program that utilizes a variety of vulnerability scanning tools to assess its internal and external network environments against emerging security threats, including OWASP Top 10 security risks. These tools are carefully configured to match our infrastructure requirements and are updated monthly.

Everlaw has an established process to log, prioritize, and remediate discovered vulnerabilities. As described above, in addition to our internal scanning and testing program, Everlaw employs an independent testing team to perform vulnerability scanning and penetration testing on at least an annual basis.

SOC 3 Report

Everlaw’s SOC 3 report is public and provides assurance about the controls at a service organization relevant to security, availability, confidentiality, and privacy Trust Services Principles (TSPs).

It includes a high-level overview of the organization and the control environment and offers a less detailed summary of the information that is generally included in a SOC 2 report. Download Everlaw’s SOC 3 report here.

FedRAMP Authorization

Everlaw has achieved FedRAMP Moderate Authorization for Everlaw’s federal cloud.

Request Everlaw’s FedRAMP package here. The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. federal government program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services.

StateRAMP Authorization

Everlaw has achieved StateRAMP Moderate Authorization. This authorization ensures Everlaw’s security and risk standards meet the critical needs of state government agencies who can securely implement Everlaw’s platform to manage litigation, investigations, public records requests and collaboration.

Click here to see Everlaw’s StateRAMP listing and learn more about the program .

HIPAA Compliance

Everlaw’s SOC 2 Type 2 certification includes an assessment of the applicable HIPAA and HITECH safeguards.

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those health care providers that conduct certain health care transactions electronically.

GDPR & CCPA

Everlaw supports our customers’ compliance with the General Data Protection Regulation (GDPR) in relation to the personal data of EU residents and the California Consumer Privacy Act (CCPA) that protects California residents’ privacy rights.

See our Privacy Policy for more information about your privacy rights and how Everlaw manages privacy.

Cyber Essentials Plus

Everlaw is Cyber Essentials Plus certified. Cyber Essentials is the UK government assurance scheme that is operated by the National Cyber Security Centre (NCSC) to help organizations demonstrate operational security and protect information against common threats.

You can view our certification details on the NCSC.gov.uk site here.

ISO 27001

Everlaw is ISO/IEC 27001:2013 certified.

The International Organization for Standardization 27001 Standard (ISO 27001) is an information security management system that ensures office sites, development centers, support centers, and data centers are securely managed.

See Everlaw’s ISO/IEC 27001:2013 certificate.

ISO 27017

Everlaw is ISO/IEC 27017:2015 certified.

The International Organization for Standardization 27017 (ISO 27107) is the information security best-practices framework for cloud service providers and their customers.

See Everlaw’s ISO/IEC 27017:2015 certificate.