Built on Trust
We know how sensitive your information is, and we work to protect it with trusted infrastructure, rigorous auditing, and best-in-class certifications. Everlaw’s security and compliance program is holistic and part of our core philosophy.
Protect your most sensitive litigation data with access controls including multi-factor authentication, single sign-on support, and granular user management.
All data is encrypted in transit and at rest, in Everlaw’s secure cloud infrastructure.
Avoid slowdowns or disruption. Enjoy virtually uninterrupted access to Everlaw, with average annual uptimes exceeding 99.9%, including scheduled maintenance windows.
Rest secure with Everlaw. We regularly perform proactive intrusion detection, vulnerability scanning, penetration testing, and continuous monitoring on our codebase to identify potential issues before they arise.
- Secure Development
- Access Management
- Disaster Recovery
- Vulnerability Management
Everlaw customers’ data is encrypted, whether it is in transit or at rest. We use a hybrid approach that combines software-based encryption, the encryption features of our hosting provider (AWS), and self-encrypting drives, aligned with NIST Special Publication 800-53.
Encryption in Transit: Everlaw serves application data using HTTPS to ensure encryption in transit of all customer data. The Everlaw application uses Transport Layer Security (TLS) version 1.2 or higher to protect HTTPS communications. For email security, our platform leverages TLS opportunistic encryption (OE) by default.
Encryption at Rest: Everlaw leverages the default encryption at rest provided by AWS, which protects the data on disk with AES-256 encryption. We also configure all snapshots to encrypt backup data. Additionally, Everlaw encrypts data at rest using AES-256 to secure inactive data stored on any device or network.
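The two paragraphs above state that stored data is protected with AES-256. The following Go program is an added illustration of what that looks like in practice at the application layer; it is not Everlaw’s code and says nothing about how Everlaw’s storage is implemented. It assumes a 32-byte key supplied by a key-management service (generated at random here for the demo), uses AES-256 in GCM mode so that every stored record is authenticated as well as encrypted, and binds each record to a constructed context label (the `aad` argument, a hypothetical matter/document identifier) so a record cannot be silently moved to another context. The sample plaintext and label are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is 32 bytes: AES with a 256-bit key, the AES-256 named on the page.
const KeySize = 32

// ErrKeySize is returned when the caller passes anything other than a 256-bit key.
var ErrKeySize = errors.New("key must be exactly 32 bytes for AES-256")

// ErrRecordTooShort is returned when a stored record cannot even hold a nonce and tag.
var ErrRecordTooShort = errors.New("record too short to be a valid AES-GCM record")

// newGCM checks the key length and builds an AES-256-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, ErrKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key with AES-256-GCM and returns a self-describing
// record laid out as nonce || ciphertext || authentication tag. aad (a hypothetical
// document or matter identifier) is authenticated but not encrypted, so the record
// is tied to the context it was written for.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: GCM is only safe when a (key, nonce) pair is never reused.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the nonce travels with the record.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a record produced by Encrypt. Any modification of the nonce,
// ciphertext, tag or aad makes gcm.Open fail, so tampering with stored data is
// detected instead of yielding corrupted plaintext.
func Decrypt(key, record, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrRecordTooShort
	}
	nonce, sealed := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, aad)
}

func main() {
	// Constructed demo key; in practice the key comes from a key-management service,
	// never from source code or the same disk as the data.
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aad := []byte("matter=demo-matter;doc=42") // constructed context label
	record, err := Encrypt(key, []byte("privileged memo (constructed sample)"), aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: %d bytes (12-byte nonce + ciphertext + 16-byte tag)\n", len(record))

	plain, err := Decrypt(key, record, aad)
	fmt.Printf("decrypt ok: %q err=%v\n", plain, err)

	// Flip one bit of the stored ciphertext: authentication fails and nothing is returned.
	tampered := append([]byte(nil), record...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = Decrypt(key, tampered, aad)
	fmt.Printf("tampered record rejected: %v\n", err)
}
```

The design choice worth noting is the authenticated mode: plain AES-256 in an unauthenticated mode would still hide the content, but it would not let the application notice that a backup or disk image had been altered. The key-length check also makes the "256" in AES-256 an enforced property rather than a naming convention.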
Secure Development
As part of our system of internal control and secure Software Development Lifecycle (SDLC), Everlaw implements data protection and privacy-by-design principles. We develop and test against security threats to keep customer data safe. Developer training and design and code reviews take a central role, and proper error handling and logging, input validation, and encryption are all part of our SDLC.
Everlaw leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These controls reduce our exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among others. Everlaw engineers participate annually in secure code training covering OWASP Top 10 security risks, common threat agents, and Everlaw security controls. In addition, on at least an annual basis, Everlaw employs third-party security experts to perform detailed penetration tests on our web application.
Access Management
Everlaw enforces role-based access controls. Employees are granted a limited set of default permissions to access company resources, such as company email and internal company portals. Privileged access requires formal account management and an access control procedure that involves review and approval from a line manager or other executives, as dictated by Everlaw’s security policies. All requests are logged and managed to maintain the audit records.
Disaster Recovery
Everlaw’s uptime exceeds 99.95% annually, including scheduled maintenance windows. Everlaw has a business continuity and disaster recovery plan that incorporates input from periodic risk assessments, vulnerability scanning and threat analysis, as well as third-party and vendor risk profiles. The business continuity and disaster recovery plans and incident response procedures are tested at least annually and inform the ongoing risk assessment and management process.
Vulnerability Management
Everlaw has an ongoing vulnerability management program that utilizes a variety of vulnerability scanning tools to assess its internal and external network environments against emerging security threats, including OWASP Top 10 security risks. These tools are carefully configured to match our infrastructure requirements and are updated monthly.
Everlaw has an established process to log, prioritize, and remediate discovered vulnerabilities. As described above, in addition to our internal scanning and testing program, Everlaw employs an independent testing team to perform vulnerability scanning and penetration testing on at least an annual basis.
- SOC 2 Type 2
- SOC 3 Report
- HIPAA Compliance
- GDPR & CCPA
- Cyber Essentials Plus
- ISO 27001
- ISO 27017
SOC 2 Type 2
Everlaw is SOC 2 Type 2 certified in security, availability, confidentiality, and privacy.
The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The SOC 2 reports cover controls around security, availability, and confidentiality of customer data.
To request a copy of Everlaw’s SOC 2 report, contact your Everlaw account manager.
SOC 3 Report
Everlaw’s SOC 3 report is public and provides assurance about the controls at a service organization relevant to security, availability, confidentiality, and privacy Trust Services Principles (TSPs).
It includes a high-level overview of the organization and the control environment and offers a less detailed summary of the information that is generally included in a SOC 2 report. Download Everlaw’s SOC 3 report here.
HIPAA Compliance
Everlaw’s SOC 2 Type 2 certification includes an assessment of the applicable HIPAA and HITECH safeguards.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those health care providers that conduct certain health care transactions electronically.
GDPR & CCPA
Everlaw supports our customers’ compliance with the General Data Protection Regulation (GDPR) in relation to the personal data of EU residents and the California Consumer Privacy Act (CCPA) that protects California residents’ privacy rights.
Cyber Essentials Plus
Everlaw is Cyber Essentials Plus certified. Cyber Essentials is the UK government assurance scheme that is operated by the National Cyber Security Centre (NCSC) to help organizations demonstrate operational security and protect information against common threats.
You can view our certification details on the NCSC.gov.uk site here.
ISO 27001
Everlaw is ISO/IEC 27001:2013 certified.
The International Organization for Standardization 27001 standard (ISO 27001) specifies the requirements for an information security management system (ISMS), which ensures that office sites, development centers, support centers, and data centers are securely managed.
ISO 27017
Everlaw is ISO/IEC 27017:2015 certified.
The International Organization for Standardization 27017 standard (ISO 27017) is the information security best-practices framework for cloud service providers and their customers.