LegalSifter® participates and is certified under the VeraSafe Privacy Program.
Last revised January 5, 2024
LegalSifter understands that the integrity and confidentiality of our clients’ information are critical to their operations and to our viability. At LegalSifter, we are particularly focused on protecting “personal data” or “PII”, which is data that can be used to identify or locate a specific person. However, this Policy applies to all confidential and operational data that we process, including client Contracts, proprietary company data (e.g., data about sales prospects), and human resources data (collectively, “confidential data”). We treat all client data as Confidential and protect it with the methods outlined below. We use multiple strategies to protect our clients’ information, and we are continually improving our processes and tools to meet the ongoing and increasing demands of security. Our primary strategy is to deploy our technology on, and with the full support of, Amazon Web Services (“AWS”), the global leader in the cloud services market. This policy reinforces LegalSifter’s Core Value of Security. We are vigilant and committed to maintaining the privacy of client data.
2. Secure Data Centers
AWS’ data centers are state of the art, housed in nondescript facilities, and physically controlled with the strictest of processes. These facilities include the following:
- All authorized staff pass two-factor authentication a minimum of two times to access data center floors.
- All data centers include 24-hour manned security, including video surveillance, intrusion detection systems, and other electronic means.
- All visitors and contractors must present identification and are continuously escorted.
More details about AWS controls can be found here: AWS Data Center Controls.
3. Power, Environment, and Fire Detection / Suppression
- Fully redundant, maintainable electrical power, 24 hours a day, seven days a week.
- Uninterruptible Power Supply (UPS) units and back-up generators in the event of an electrical failure.
- Constant humidity and temperature control for servers and hardware.
- Automatic fire detection and suppression equipment in all data center environments.
- Preventative maintenance performed on all electrical, mechanical and life support systems and equipment.
4. Storage Device Decommissioning
- DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) techniques are followed when decommissioning storage devices, to prevent client data from being exposed to unauthorized individuals.
- Decommissioned magnetic storage devices are degaussed and physically destroyed.
- Applications deployed in redundant N+1 configurations.
- Amazon Incident Management teams provide 24x7x365 coverage to detect incidents and manage impact and resolution.
6. Network Security
- Access control lists established on each managed interface to enforce the flow of traffic.
- Connections to AWS access points are made via HTTP or HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery.
- Wide variety of automated monitoring systems designed to detect unusual or unauthorized activities.
7. Disaster Recovery
- LegalSifter maintains the level of redundancy in its systems required to provide continued access to Client Data, deliver the Service, and meet agreed-to service level agreements (SLAs). This includes alternative/redundant Internet access methods.
8. Employee Policies
- Data security is a team effort. Each LegalSifter employee is responsible for adhering to LegalSifter's security policy. Every staff member is trained on the security policy and signs it annually.
- LegalSifter's security policy includes workstation and account practices that must be followed by all employees.
- All current employees of LegalSifter have passed a background check. Any new employees are required to pass a background check before joining LegalSifter.
- LegalSifter requires that all employees complete Security Awareness training within their first 30 days at the company.
- All staff must immediately report any breach of security that compromises the confidentiality, integrity, or availability of confidential data (such as PII) to the ISO.
- Terminated employees and subcontractors have all their access to information systems that contain operational or confidential data revoked as soon as possible and are required to return all confidential data in their possession.
- LegalSifter reviews the DHHS OIG List of Excluded Individuals and Entities (LEIE list) and the GSA Excluded Parties Lists System (EPLS) prior to the hiring or contracting of any new employee, temporary employee, volunteer, consultant, governing body member, or FDR, and monthly thereafter, to ensure that none of these persons or entities are excluded or become excluded from participation in federal programs.
9. Internal Access Provisioning
- Only authorized users, processes, or devices are permitted access to LegalSifter's systems and/or assets.
- Access for new employees is granted after approval from their supervisors/managers and, where required, the system/application owner. Access is granted to users according to their job responsibilities and is based on the principle of least privilege.
- Access privileges align to documented Security roles which are reviewed quarterly.
- LegalSifter requires multi-factor authentication for all AWS accounts and Console Login; two-factor authentication is also required for Google Suite accounts.
10. Passwords and Multi-Factor Authentication
- LegalSifter supports Multi-Factor Authentication (MFA) for all organizations and users. MFA requires knowledge of your password and possession of your cell phone.
- Passwords must have a minimum of 15 characters, with complexity requirements enforced. Users must select 12 unique passwords before they may reuse an old password.
- Users set their own initial password before logging on for the first time. Accounts are locked after 5 consecutive failed login attempts.
- User sessions time out after 30 minutes of inactivity.
11. Data Encryption
- LegalSifter encrypts data at rest and in transit. Data that is encrypted at rest includes the underlying storage for database instances and its automated backups.
- Data at rest, including read replicas, snapshots, S3 storage buckets, and application server storage, is encrypted using the industry-standard AES-256 encryption algorithm, with keys managed by AWS Key Management Service.
- For data in transit, LegalSifter utilizes TLS 1.2. LegalSifter received an A+ grade from Qualys’ SSL Labs analyzer.
- Communications between back-end infrastructure components travel exclusively within a private network, where connections are whitelisted as needed.
- LegalSifter deploys its solutions as software-as-a-service with multi-tenancy. LegalSifter Review and LegalSifter Organize use unique login keys to ensure that users are only able to access data that is available for their account.
13. Risk Management
- IT security risks are identified, evaluated, and assessed for assets/IT systems owned and/or managed by LegalSifter.
- Annual risk assessments are carried out using internal or external resources for all in-scope systems to identify the risks to which LegalSifter's IT systems are exposed.