Security & Privacy Implementation
Data Encryption
We take data security seriously by ensuring that all information is protected through encryption, both in transit and at rest. For data in transit, we use Transport Layer Security (TLS) to encrypt all communication between the client and server. This ensures that sensitive information remains secure while being transmitted over the network.
For data at rest, we use the Advanced Encryption Standard (AES) with 256-bit keys (AES-256) to secure all stored data. All data at rest is encrypted server-side, with encryption keys managed and stored through Google Cloud’s Customer-managed encryption keys (CMEKs), offering an extra layer of security and control over key management.
Data Integrity and Validation
Ensuring data integrity and validation is crucial to maintaining the security and reliability of our platform. We implement strict input validation measures, which involve validating and sanitising all user inputs to prevent malicious activities like injection attacks. This helps to ensure that any data entered into our system is safe and secure.
We also apply data integrity checks to maintain the accuracy and consistency of data during both transfer and storage. By using checksums and digital signatures, we can verify that data remains unaltered and trustworthy throughout its lifecycle.
Data Privacy & Compliance
One key aspect of our commitment is data locality, meaning that customer data is stored in a data center within their own jurisdiction. This ensures compliance with local laws and regulations regarding data residency.
We also respect the “right to be forgotten.” Upon request, we will permanently delete all customer data, ensuring that no trace remains within our systems. Additionally, at the end of a client’s relationship with Lawdify, client data is promptly and securely deleted from our systems, ensuring complete privacy and protection.
Cloud Environment
We operate within a secure and reliable cloud environment, utilizing a multi-cloud architecture that spans both Google Cloud Platform and Microsoft Azure. This approach ensures greater flexibility, performance, and redundancy across our services.
To maintain tight security, we use Identity and Access Management (IAM) protocols to control access within our cloud environments. Only specifically designated Lawdify employees are granted access, ensuring that only authorised personnel can interact with or manage our cloud resources.
Access Control
Access control is carefully managed to protect our systems and client data. By default, developers do not have access to the production environment unless explicitly granted, ensuring that sensitive areas of the system remain secure and restricted.
User access is further protected through Multi-Factor Authentication (MFA), which adds an extra layer of security by requiring multiple forms of verification. Additionally, we implement Role-Based Access Control (RBAC) to ensure that users can only access the resources necessary for their specific roles, limiting exposure to sensitive information.
Network Security
Network security is a critical aspect of our infrastructure. We use firewalls to ensure that only specific ports and origins are allowed to connect, limiting access strictly to our own services. This helps to prevent unauthorized connections and protect the integrity of our systems.
We also employ Intrusion Detection and Prevention Systems (IDPS) to continuously monitor network traffic for any suspicious activity, allowing us to detect and respond to potential threats in real-time. Additionally, we utilise network segmentation, ensuring that our services are part of private, isolated network environments, further reducing the risk of unauthorized access or data exposure.
Security Audits
At Lawdify, we are committed to maintaining the highest standards of security and regularly undergo security audits to ensure our systems are robust and secure. We have successfully passed a Black Box Penetration Test, demonstrating our ability to withstand external threats and attacks. The full report and certificate are available upon request.
Additionally, we are in the process of obtaining further certifications to enhance our security posture. Our SOC 2 Type 2 and ISO 27001 certification audits are both pending; once completed, they will further validate our commitment to maintaining stringent security controls and best practices.
Use of Artificial Intelligence
We utilise artificial intelligence to enhance our services, but with strict safeguards in place. Importantly, Lawdify does not train any machine learning models using client data. This ensures that your information is never used for model training purposes.
Vendor and Third Party Management
We maintain full control over our development processes by ensuring that all work is handled internally by our own employees. We do not outsource any development tasks to vendors or third parties. This approach allows us to maintain high standards of quality, security, and accountability across all aspects of our platform.
Incident Response and Disaster Recovery
At Lawdify, we have a comprehensive Incident Response and Disaster Recovery plan in place to ensure that your data remains secure and recoverable. We perform daily backups, which are encrypted to maintain the highest level of security. Our backup retention policy ensures that these backups are retained for the duration of a customer’s subscription, optimising storage while guaranteeing data availability for recovery purposes.
In the event of data loss, our Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are both set at 24 hours. This means that data is recovered from a backup taken no more than 24 hours earlier, and that we aim to restore operations within a maximum of 24 hours.
Our data recovery process involves restoring the system from the most recent backup image, which includes all data, configurations, and applications as they were at the time of the backup. This backup is then deployed to a new or existing client’s instance, effectively restoring the system to its previous operational state.
Once the recovery process is complete, we conduct thorough verification and testing to ensure all functionalities are operating correctly and that data integrity is maintained. Post-recovery, we closely monitor the system to detect any potential issues or anomalies that could arise from the restoration process, allowing us to address any problems swiftly and effectively.