
Cloud Security
LegalSifter participates in and is certified under the VeraSafe Privacy Program and both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
Last revised June 2, 2022.
1. Privacy
LegalSifter understands that the integrity and confidentiality of our clients’ information are critical to their operations and to our viability. At LegalSifter, we are particularly focused on protecting “personal data” or “PII”, which is data that can be used to identify or locate a specific person. However, this Policy applies to all confidential and operational data that we process, including client Contracts, proprietary company data (e.g., data about sales prospects), and human resources data (collectively, “confidential data”). We treat all client data as Confidential and protect it with the methods outlined below.
We use multiple strategies to protect our clients’ information, and we are improving our processes and tools to meet the ongoing and increasing demands of security. Our primary strategy is to deploy our technology on and with the full support of Amazon Web Services (“AWS”), the global leader in the cloud services market.
LegalSifter's policy reinforces LegalSifter’s Core Value of Security. We are vigilant and committed to maintaining the privacy of client data.

2. Secure Data Centers
AWS’ data centers are state of the art: housed in nondescript facilities, but physically controlled with the strictest of processes. These facilities include the following:

- All authorized staff pass two-factor authentication a minimum of two times to access data center floors.
- All data centers include 24-hour manned security, including video surveillance, intrusion detection systems, and other electronic means.
- All visitors and contractors must present identification and are continuously escorted.

More details about AWS controls can be found here: AWS Data Center Controls.
3. Power, Environment, and Fire Detection / Suppression

- Fully redundant, maintainable electrical power, 24 hours a day, seven days a week.
- Uninterruptible Power Supply (UPS) units and back-up generators in the event of an electrical failure.
- Constant humidity and temperature control for servers and hardware.
- Automatic fire detection and suppression equipment in all data center environments.
- Preventative maintenance performed on all electrical, mechanical, and life-support systems and equipment.

4. Storage Device Decommissioning

- DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) techniques are followed when decommissioning storage devices, to prevent client data from exposure to unauthorized individuals.
- Decommissioned magnetic storage devices are degaussed and physically destroyed.

5. Continuity

- Applications deployed in redundant N+1 configurations.
- Amazon Incident Management teams provide 24x7x365 coverage to detect incidents and manage impact and resolution.

6. Network Security

- Access control lists established on each managed interface to enforce the flow of traffic.
- Connection to an AWS access point via HTTP or HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery.
- Wide variety of automated monitoring systems designed to detect unusual or unauthorized activities.

For a complete description of Amazon Web Services Security Processes, please see the following: Amazon Web Services Security Whitepaper and Amazon Compliance.
7. Disaster Recovery

- LegalSifter maintains the level of redundancy in its systems required to ensure the continued ability to provide access to Client Data, deliver the Service, and meet agreed service level agreements (SLAs). This includes alternative/redundant Internet access methods.

8. Employee Policies

- Data security is a team effort. Each LegalSifter employee is responsible for adhering to LegalSifter's security policy. Every staff member is trained on the security policy and signs it annually.
- LegalSifter's security policy includes workstation and account practices that must be followed by all employees.
- All current employees of LegalSifter have passed a background check. New employees are required to pass a background check before joining LegalSifter.
- LegalSifter requires that all employees complete Security Awareness training within their first 30 days at the company.
- All staff must immediately report any breach of security that compromises the confidentiality, integrity, or availability of confidential data (such as PII) to the ISO.
- Terminated employees and subcontractors have all their access to information systems that contain operational or confidential data revoked as soon as possible, and are required to return all confidential data in their possession.
- LegalSifter reviews the DHHS OIG List of Excluded Individuals and Entities (LEIE) and the GSA Excluded Parties List System (EPLS) prior to the hiring or contracting of any new employee, temporary employee, volunteer, consultant, governing body member, or FDR, and monthly thereafter, to ensure that none of these persons or entities are excluded or become excluded from participation in federal programs.

9. Internal Access Provisioning

- Only authorized users, processes, or devices are permitted access to LegalSifter's systems and/or assets.
- Access for new employees is granted after approval from their supervisor or manager and, where required, the system or application owner. Access is granted to users according to their job responsibilities and should be based on the principle of least privilege.
- Access privileges align with documented security roles, which are reviewed quarterly.
- LegalSifter requires multi-factor authentication for all AWS accounts and Console logins; two-factor authentication is also required for Google Suite accounts.

10. Passwords and Multi-Factor Authentication

- LegalSifter supports Multi-Factor Authentication (MFA) for all organizations and users. MFA requires knowledge of your password and possession of your cell phone.
- Passwords must have a minimum of 15 characters, with complexity requirements enforced. A previously used password may not be reused until 12 other unique passwords have been selected.
- Users set their own initial password before logging on for the first time. Accounts are locked after 5 consecutive failed login attempts.
- User accounts time out after 30 minutes of inactivity.

11. Data Encryption

- LegalSifter encrypts data at rest and in transit. Data encrypted at rest includes the underlying storage for database instances and their automated backups.
- Data at rest, including read replicas, snapshots, S3 storage buckets, and application server storage, is encrypted using the industry-standard AES-256 encryption algorithm, with keys managed by AWS Key Management Service (KMS).
- For data in transit, LegalSifter utilizes TLS 1.2. LegalSifter received an A+ grade from Qualys’ SSL Labs analyzer.
- Communications between back-end infrastructure components travel exclusively within a private network, where connections are whitelisted as needed.

12. Multi-tenancy

- LegalSifter deploys its solutions as software-as-a-service with multi-tenancy. LegalSifter Review and LegalSifter Organize use unique login keys to ensure that users are only able to access data that is available for their account.

13. Risk Management

- IT security risks are identified, evaluated, and assessed for assets/IT systems owned and/or managed by LegalSifter.
- Annual risk assessments are carried out using internal or external resources for all in-scope systems to identify the risks that LegalSifter's IT systems are exposed to.

14. Privacy Shield Certified

- LegalSifter is an active participant in and certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
- The Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union, the United Kingdom, and Switzerland to the United States.
- The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organizations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.-based organization is required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements.

Frequently Asked Questions
1. How will you provide assurance that you are meeting your compliance requirements? (For example, SOC 2 report)

- LegalSifter has achieved SOC 2 and will provide its report upon request.
- We host LegalSifter Review and LegalSifter Organize on Amazon Web Services. Their SOC compliance information is available at the Amazon SOC Compliance Site.

2. Please provide a listing of where your data centers and offsite data storage (DR) facilities are located.

- We host LegalSifter Review and LegalSifter Organize environments at Amazon Web Services Northern Virginia, Singapore, London, Ireland, and Beijing; see Amazon Global Infrastructure.
- We will host LegalSifter Review and LegalSifter Organize data at other Amazon Web Services locations at the request of the client or partner.

3. Are any of your data centers, servers, or data storage locations outside of the US?

- In general, no. We offer locations outside of the US for some non-US clients.

4. If we must retain and generate data to support a legal matter, will you allow data to be put on retention hold?

- Yes.

5. What if data is co-mingled with another client's data?

- Client data is not co-mingled with another client's data, except in the case of research and development, and only if you give us permission to use such data for research and development.

6. What type of database environment is used to store data (multi-instance or multi-tenant)?

- We are primarily a multi-tenant company, as of 2017.

7. What integrations are required?

- LegalSifter Review and LegalSifter Organize do not require integrations.

8. Does LegalSifter acquire any rights to our data through the agreement, including intellectual property rights? Do you use client data to promote your business, such as collating client data as market information or selling the client behavior for third party marketing?

- We ask our clients whether they will allow us to use their contracts for research purposes only, to further our machine learning algorithms (“Sifters”). All clients benefit from our improved Sifters, and our Sifters need client data to improve. Each client may decline to give us such permission when we work through our subscription agreement. We will also ask each client for permission to use their name and logo in marketing materials. If we do not have a client’s express written permission on either front, we will not acquire any rights to its data, and we will not use the client's name and logo for marketing purposes.

9. For an audit or security incident, will we be able to audit controls via a third party?

- Yes.

10. What is the process to export data?

- LegalSifter Organize has an export button available at all times to clients, allowing them to export their data in .xls format.
- LegalSifter Review has an export button available to all clients, allowing them to export their sifted documents in .docx format.

11. How long is my data stored in LegalSifter Review?

- 15 days after a user deletes a contract in LegalSifter Review (moves it to Trash, then deletes it from Trash), LegalSifter permanently excises the associated contract files. LegalSifter retains the name of the file, the document type, and the account that uploaded it for reporting purposes for as long as the account is open.
- LegalSifter Review allows organizations to disable excision of deleted documents via a setting. This can be done for litigation hold or any other client need.
- 30 days after a company or individual terminates their contract or trial for LegalSifter Review, LegalSifter permanently excises all data in the database and datastore.
- Please note this refers to the LegalSifter Review product, not to data in the R&D research repository. Copies of contracts are kept there only if the client allowed this in their executed agreement with LegalSifter.

12. How long is my data stored in LegalSifter Organize?

- 30 days after a company or individual terminates their contract, project, or trial for LegalSifter Organize, LegalSifter permanently excises all data in the database and datastore.
- Please note this refers to the LegalSifter Organize product, not to data in the R&D research repository. Copies of contracts are kept there only if the client allowed this in their executed agreement with LegalSifter.

13. What happens if I need extended access to documents, in cases such as litigation hold?

- LegalSifter allows clients to specify when Client Data is deleted from LegalSifter’s systems, and to separate content and manage Client Data under differing scenarios (e.g., for litigation hold).

14. What will LegalSifter do in the case of a data breach?

- LegalSifter will notify client(s) of any data breach within twenty-four (24) hours of becoming aware of any confirmed (a) breach of network or computing assets that results in potential or actual unauthorized access to any Client Data, or (b) misuse, potential disclosure or loss of, or inability to account for, any Client Data.