Cover your bases
We take security very seriously - just ask the top law firms, companies, financial institutions and government entities that trust us with their data. We use a combination of enterprise-class security features and comprehensive audits of our applications, systems, and networks to ensure that your data is always protected.
Audit and certification
We maintain a formal and comprehensive security program designed to ensure the security, integrity and availability of customer data, protect against security threats or data breaches, and prevent unauthorized access to our customers’ data. The specifics of our security program are detailed in our third-party security audit and international certification.
Third party audit and certification:
ISAE 3402 | We undergo routine audits by PwC to receive updated ISAE 3402 Type II reports. ISAE 3402 is an international assurance standard that describes Service Organization Control (SOC) engagements, which provides assurance to an organization's customer that the service organization has adequate internal controls. |
ISO 27001 | We are ISO 27001 certified by Bureau Veritas. ISO 27001 is a globally recognized, standards-based approach to security that outlines requirements for an organization’s Information Security Management System (ISMS). |
Vulnerability Assessments | Document Drafter contracts with third-party expert firms to conduct independent automated and manual internal and external network, system, and application vulnerability assessments. We contract a leading third-party security firm to perform an application-level security vulnerability assessment of our web application regularly and at least annually. The firm performs testing procedures to identify standard and advanced web application security vulnerabilities including, but not limited to the following: (a) Security weaknesses associated with AJAX, (b) Cross-site request forgery (CSRF), (c) Improper input handling (such as cross-site scripting, SQL injection, XML injection and cross site flashing), (d) XML and SOAP attacks, (e) Weak session management, (f) Data validation flaws and data model constraint inconsistencies, (g) Insufficient authentication or authorization, (h) HTTP response splitting, (i) Checklist of the OWASP Framework, and (j) Pre- and post-authentication attacks. |
Application Security
A Secure Software Development Life Cycle has been implemented to ensure the continued security of Document Drafter applications.
This program includes an in-depth security risk assessment and review of Document Drafter features. In addition, both static and dynamic source code analyses are performed to help integrate enterprise security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application.
Organizational Security
Security is the responsibility of everyone and is overseen by top-management. All our employees receive security and compliance training from the time of onboarding with regular and at least annual updates. Our compliance team provides the knowledge and skills needed to avoid, mitigate, and manage security risks on an ongoing basis as part of our security training and awareness program.
Architectural Security
Our customers are data controllers, and we are the data-processor. This means that you have full control any data entered into the system as well as setup and configurations. This means you will not have to rely on us to;
Create and assign roles
Create templates and questionnaires
Assign access to templates
Create integrations with other systems
Monitoring transactions
Looking at historical data and configuration changes.
Data Encryption
Every attribute of customer data is encrypted before it’s persisted in the customer’s tenant.
Each customer has its own separate BLOB Storage for storing persistent application data as unstructured object data. All data in storage is protected by real-time 256-bit AES encryption and decryption.
The only service allowed for traffic to the Document Drafter application is HTTPS via SSL encryption to the Web App and Service endpoints. All other internet traffic to the Web App and Service endpoints is blocked. The SSL certificate utilized is Go Daddy Secure Certificate Authority – G2 SHA-256 RSA 2,048-bit public key.
Customers can also designate their own storage such as an external Azure BLOB, S3Bucket or SecureFTP which will allow customers to manage their own encryption keys.
Physical Security
Document Drafter applications are hosted in state-of-the-art Microsoft Azure data centers designed to protect mission critical computer systems with full redundancy and compartmentalized security zones. The data centers adhere to the strictest physical security measures including, but not limited to, the following:
physical security perimeters (e.g. fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) to safeguard sensitive data and information systems.
24x7 monitoring by security personnel.
environmental controls.
All physical access to the data centers is highly restricted and stringently regulated.
Network Security
Internal communication between key components where customer data is transmitted/involved is secured using encryption. Cryptographic controls are used for information protection within the Azure platform based on the Azure Cryptographic Policy and Key Management procedures.
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following:
Perimeter firewalls implemented and configured to restrict unauthorised traffic
Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g. encryption keys, passwords, and SMTP)
User access to wireless network devices restricted to authorised personnel
The capability to detect the presence of unauthorised (rogue) wireless network devices for a timely disconnect from the network.