Working in law, security of data is a top concern. In principle, we develop on the following:
- Secure Storage: Your data is encrypted everywhere.
- Store the Bare-Minimum: We store only the data we create and what is specifically uploaded. In-transit documents are not stored.
- Data Freedom: We allow users to see what data is stored and delete all data associated with their account/firm at any point, no questions asked.
We outline the technical specifications of how we handle data and security below.
Business Controls
External vulnerability reports
Our public security policy is available at https://www.compact.legal/security.txt. Should external vulnerability reports come in, we will refer to our internal procedures to triage and remediate the reporter vulnerabilities. An outline of these procedures states that upon receiving an external vulnerability report, we will:
- Suspend service to the website and product while addressing the severity of the claim
- Perform thorough remediation checks across all systems involved in the reported vulnerability
- Respond to the report and update any affected individuals within two business days
- Produce and deploy security fixes within 15 days of discovery
- Publish a security bulletin detailing the vulnerability, root cause, and required actions if necessary from customers
Customer testing
On request, customers or their delegates are welcome to test the security of the application, either on production or a non-production mirror of the application which lacks production data. If planning to test on production, please notify us at least one week in advance. If planning to test on a non-production mirror, please give at least two weeks notice for us to prepare and test the environment.
External Testing
We contract an external security vendor at least once per year and upon major systemic changes to verify the authenticity of our systems.
Training
All developers working on the project first undergo training on access controls, cybersecurity, data safety, social engineering attacks, and encryption.
Compliance
At the moment, we are unable to ensure compliance with SOC type II, ISO27001, and GDPR. If these are required for your practice, we are temporarily unable to assist you.
If a different level of compliance is required (internal standards, corporate rules, contractual clauses), please notify us, we are happy to provide compliance for these areas.
Incident Handling
Upon the discovery of a security breach that affects sensitive information, all relevant parties will be notified after no later than 72 hours. Additional notifications will be sent out upon learning of additional details. The notifications contain the following information:
- Nature of the breach
- Relevant contact information
- Consequences of the breach
- Measures taken, or needing to be taken, to remediate the issue
Data Handling
All handled data is stored on secure providers that comply with NIST SP 800-88 media sanitation processes for production data.
Application Design Controls
Single Sign-on
Our authentication provider uses well-maintained industry-standard protocols for all customers, ensuring only a single sign-on is possible at any given time.
HTTPS-only
All site traffic is done through HTTPS. Strict-Transport-Security header is included, authentication cookies are set as Secure.
Security Headers
Application attack service is dramatically narrowed by use of security headers:
- Content Security Policy is minimally permissive
- No caching is used for sensitive data endpoints
- Framing controls implemented
Password Policy
Password authentication is maintained by modern standards. Character limits, reset questions, email verification, password encryption, password recovery, and brute-force lockout protection are up to modern, industry approved standards. Admins and developers have no access to your password or any other private account information.
Security Libraries
Our application is built on modern, well-maintained, industry standard frameworks and libraries.
Dependency Patching
Third-party dependencies are checked at least once weekly with build tests to ensure no vulnerabilities are present. Upon becoming aware of a known exploited vulnerability affecting a third party dependency, that dependency will be patched, upgraded, or switched for an equivalent migration.
Logging
Our software logs all of the following for 30 days
- Authentication events of any kind
- Create, Read, Update, and Delete operations on all users and objects within the application and systems
- Security relevant configuration changes
- Application owner access to customer data (access transparency)
Logs include the user ID, IP address, timestamp, type of action performed, and object of the action. The logs do not contain any of the following:
- The data in the object
- Passwords or keys of any kind
Encryption
We use modern, well-maintained industry-standard encryption libraries and practices. Our database provider is secured and encrypted both in-transit and at rest.
Application Implementation Controls
List of Data
We keep an internal list of sensitive data types the application uses in order to build systems that effectively store and handle the data we use.
Data Flow Diagram
We maintain an internal diagram showing how sensitive data reaches our systems and where it ends up being stored. Upon request, we will send you this diagram.
Vulnerability Protection
Our developers are trained for and given implementation guidelines to prevent a number of standard vulnerabilities. These include but are not limited to authorization bypass, insecure session management, injections, cross-site scripting, cross-site request forgery, and handling untrusted data.
Time to Fix Vulnerabilities
Upon discovering a vulnerability, patches will be developed and deployed in no more than 15 days. If we cannot deploy a fix within 15 days, the application will have suspended service indefinitely until it is fixed. In the event that we find evidence of active exploitation, the application will have suspended service until the issue is fixed. A security notice will be publicly posted detailing the vulnerability, its root cause, and actions required from customers if necessary.
Build and Release Process
The application uses secure version control detailing exactly how every build was made, including code changes between build and build logs. Credentials, tokens, and keys are stored securely and do not directly appear anywhere in the source code.
Operational Controls
Physical Access
All devices with access to data are kept secured, password protected, with automatic lockouts. Sensitive data including keys, database access, and API access are password protected.
Logical Access
Data access is kept logical:
- Sensitive data is only accessed by those with legitimate need
- Developers are not given access to tools or data they do not need for their work, and reviews of access are done monthly
- Remote access to any sensitive systems requires multifactor authentication
Sub-processors
We maintain an internal list of all companies providing services that use customer data, which is available upon request. An annual review is done to ensure all companies using the data are reliable and trustworthy.
Backup and Disaster Recovery
Our data is stored on servers with secure backups across multiple locations. All developers are made aware of, and help contribute to, disaster recovery plans, which are tested at least once annually or after significant changes.