Cloud Security

LegalSifter is SOC 2 Type II certified and participates and is certified under both the VeraSafe Privacy Program, the EU-U.S. Data Privacy Framework (DPF), UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF (search for LegalSifter)*.

Last revised April 25, 2024

*UK Extension to the EU-US DPF, and Swiss-US DPF certifications are pending.

1. Privacy

LegalSifter understands that the integrity and confidentiality of our clients’ information are critical to their operations and our viability. At LegalSifter, we are particularly focused on protecting “personal data” or “PII” which is data that can be used to identify or locate a specific person. However, this Policy applies to all confidential and operational data that we process, including client Contracts, proprietary company data (e.g., data about sales prospects), and human resources data (collectively “confidential data”). We treat all client data as Confidential and protect with methods outlined below. We use multiple strategies to protect our clients’ information, and we are improving our processes and tools to meet the ongoing and increasing demands of security. Our primary strategy is to deploy our technology on and with the full support of Amazon Web Services (“AWS”), the global leader in the cloud services market. LegalSifter's policy reinforces LegalSifter’s Core Value of Security. We are vigilant and committed to maintaining the privacy of client data.

2. Secure Data Centers

AWS’ data centers are state of the art, housed in nondescript facilities, but controlled physically with the strictest of processes. These facilities include the following:

All authorized staff pass two-factor authentication a minimum of two times on data center floors.
All data centers include 24-hour manned security, including video surveillance, intrusion detection systems, and other electronic means.
All visitors and contractors must present identification and are continuously escorted.

LegalSifter uses AWS data centers as follows:

AWS US East (N. Virginia - Ashburn) - us-east-1
AWS Asia Pacific (Singapore) - ap-southeast-1
AWS Europe (Ireland - Dublin) - eu-west-1
AWS Europe (London) - eu-west-2

More details about AWS controls can be found here: AWS Data Center Controls.

3. Power, Environment, and Fire Detection / Suppression

Fully redundant, maintainable electrical power, 24 hours a day, seven days a week.
Uninterruptible Power Supply (UPS) units and back-up generators in the event of an electrical failure.
Constant humidity and temperature control for servers and hardware.
Automatic fire detection and suppression equipment in all data center environments.
Preventative maintenance performed on all electrical, mechanical and life support systems and equipment.

4. Storage Device Decommissioning

DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) techniques followed when decommissioning storage devices to prevent client data from exposure to unauthorized individuals.
Decommissioned magnetic storage devices are degaussed and physically destroyed.

5. Continuity

Applications deployed in redundant N+1 configurations.
Amazon Incident Management teams provide 24x7x365 coverage to detect incidents and manage impact and resolution.

6. Network Security

Access control lists established on each managed interface to enforce the flow of traffic.
Connection to an AWS access point via HTTP or HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery.
Wide variety of automated monitoring systems designed to detect unusual or unauthorized activities.

For a complete description of Amazon Web Services Security Processes, please see the following: Amazon Web Services Security Whitepaper and Amazon Compliance.

7. Disaster Recovery

LegalSifter ensures that there is a level of redundancy in LegalSifter’s systems required to ensure the continued ability to provide access to Client Data, deliver the Service and meet agreed-to service level agreements (SLAs). This includes alternative/redundant Internet access methods.

8. Employee Policies

Data security is a team effort. Each LegalSifter employee is responsible for adhering to LegalSifter's security policy. Every staff member is trained on the security policy and signs it annually.
LegalSifter's security policy includes workstation and account practices that must be followed by all employees.
All current employees of LegalSifter have passed a background check. Any new employees are required to pass a background check before joining LegalSifter.
LegalSifter requires that all employees complete Security Awareness training within their first 30 days at the company.
All staff must immediately report any breach of security that compromises the confidentiality, integrity, or availability of confidential data (such as PII) to the ISO.
Terminated employees and subcontractors have all their access to information systems that contain operational or confidential data revoked as soon as possible and are required to return all confidential data in their possession.
LegalSifter reviews the DHHS OIG List of Excluded Individuals and Entities (LEIE list) and the GSA Excluded Parties Lists System (EPLS) prior to the hiring or contracting of any new employee, temporary employee, volunteer, consultant, governing body member, or FDR, and monthly thereafter, to ensure that none of these persons or entities are excluded or become excluded from participation in federal programs.

9. Internal Access Provisioning

Only authorized users, processes, or devices are permitted access to LegalSifter's systems and/or assets.
Access to the new employees is granted after approval from their supervisors/managers and if required system/application owner. Access is granted to the users according to their job responsibilities and should be based on the principle of least privilege.
Access privileges align to documented Security roles which are reviewed quarterly.
LegalSifter requires multi-factor authentication for all AWS accounts and Console Login; two-factor authentication is also required for Google Suite accounts.

10. Passwords and Multi-Factor Authentication

LegalSifter supports Multi-Factor Authentication (MFA) for all organizations and users. MFA requires knowledge of your password and possession of your cell phone.
Passwords must have a minimum of 15 characters, with complexity requirements enforced. Users must select a unique password up to 12 times before they may reuse an old password.
Users set their own initial password before logging on for the first time. Accounts are locked after 5 consecutive failed login attempts.
User accounts timeout after 30 minutes of inactivity.

11. Data Encryption

LegalSifter encrypts data at rest and in transit. Data that is encrypted at rest includes the underlying storage for database instances and its automated backups.
Data at rest, which includes Read Replicas, and snapshots, as well as S3 storage buckets, and application server storage, are encrypted using the industry-standard AES-256 encryption algorithm, with keys managed by AWS Key Management Service.
For data in transit, LegalSifter utilizes TLS 1.2. LegalSifter received an A+ grade from Qualys’ SSL Labs analyzer.
Communications between back-end infrastructure travel exclusively within a private network where connections are whitelisted as needed.

12. Multi-tenancy

LegalSifter deploys its solutions as software-as-a-service with multi-tenancy. LegalSifter Review and LegalSifter Organize use unique login keys to ensure that users are only able to access data that is available for their account.

13. Risk Management

IT security risks are identified, evaluated, and assessed for assets/IT systems owned and/or managed by LegalSifter.
Annual risk assessments are carried out using internal or external resources for all in-scope systems to identify the risks that the LegalSifter's IT systems are exposed to.

FAQ

What type of security does ReviewPro have?

ReviewPro uses industry-standard security practices to ensure your data is protected. For detailed information, please contact our team.

Are you SOC 2 compliant?

Yes. LegalSifter meets SOC 2 compliance standards.

How secure is the platform?

LegalSifter Control uses industry-standard security practices to ensure your data is protected. For detailed information, please contact our team.

I have a lot of security and privacy questions ... how do I get them answered?

LegalSifter has partnered with BBB and Amazon Web Services to ensure both cloud security and privacy. You can learn more as follows: 1) Please see the following pages, for more information. Cloud Security Privacy Statement California Consumer Privacy Act Notice for California Residents Amazon Web Services Cloud Security 2) Please submit your organization's cybersecurity and privacy questionnaire to help@legalsifter.com or your LegalSifter Growth contact. We will complete it and return it to you.

Does LegalSifter use my contract data?

Only with your permission. We use client and partner contracts to improve the quality of our Sifters for everyone as part of our Sifter Improvement Program. With more clients, partners, and contracts, we make our Sifters more accurate, faster. Essentially, we chop contracts up into little pieces—words, phrases and sentences—and feed them to our algorithms. If you consent, we will use your contracts for Sifter research and development. Under no circumstances will your contracts be disclosed or identifiable to any third party, other than subcontractors involved in Sifter research and development. Without your consent, we will not use your contracts, other than as needed to provide technical support on your account.

Is data encrypted at rest and in transit?

Yes. LegalSifter encrypts data at rest and in transit. Data that is encrypted at rest includes the underlying storage for database instances and its automated backups. Data at rest, which includes Read Replicas, and snapshots, as well as S3 storage buckets, and application server storage, are encrypted using the industry-standard AES-256 encryption algorithm, with keys managed by AWS Key Management Service. For data in transit, LegalSifter utilizes TLS 1.2. Communications between back-end infrastructure travel exclusively within a network where connections are whitelisted as needed.

Do you offer Single Sign-On (SSO)?

Yes. Clients may enroll their organizations in Single Sign-On (SSO). You are a good candidate for SSO if you are already using an identity management system. We support a wide variety of identity providers. We support the following: Active Directory Federation Services (ADFS) Active Directory / LDAPSAML Google Workspace Microsoft Azure AD OKTA Open ID Connect PingFederate SAML / SAML 2.0 Others upon request.

Do you offer Multi-Factor authentication (MFA)?

Yes. LegalSifter supports Multi-Factor Authentication (MFA) for all organizations and users. MFA requires knowledge of your password and possession of your cell phone. Passwords must have a minimum of 15 characters, with complexity requirements enforced. Users must select a unique password up to 12 times before they may reuse an old password. Users set their own initial password before logging on for the first time. Accounts are locked after 5 consecutive failed login attempts. User accounts timeout after 30 minutes of inactivity.