Login | Sign up

Security FAQs

Michael Clarke

Security

The system implements comprehensive security measures to protect sensitive and confidential information. This article outlines our security framework, encryption standards, access controls, compliance certifications, and best practices.

Security Overview

We protect sensitive information through access controls, encryption, network segmentation, and regular security audits. Our infrastructure is hosted on Microsoft's cloud services within geographically designated regions for data residency compliance.

Data Location

Australian environments are hosted within Microsoft's Australian geographic region. UK and Ireland environments are hosted within Microsoft's United Kingdom geographic region. Backups are not stored outside of your elected data location.

Vulnerability Response

We respond to identified security vulnerabilities within 24 hours, deploying patches or updates as needed to protect your data and systems.

Data Encryption and Protection

Database Encryption

SQL databases are encrypted to ensure data security. We use industry-standard encryption protocols (AES-256) with robust key management practices.

Encryption Standards

All data at rest and in transit is protected using AES-256 encryption with strong key management. Encryption is applied consistently across all databases, backups, and file storage.

Access Control and Authentication

Data and Service Access

Access to your data and services is guaranteed 24/7, barring any unforeseen outages. We maintain high availability through redundant infrastructure and failover systems.

User Account Management

Creating, suspending, and deleting user accounts can be completed within a few hours. Specific costs depend on your subscription plan. The client application does not require local administrator rights on workstations.

Role-Based Access Controls

We use role-based access controls (RBAC) to manage permissions and ensure data security. Access is granted based on job function and the principle of least privilege.

Compliance and Certifications

Third-Party Assessments

We engage in third-party assessments for SOC 2 compliance. Our selected hosting infrastructure providers are fully compliant with ISO 27001 and SOC 2 Type II certifications.

Regulatory Compliance

Our hosting services comply with relevant data protection regulations including GDPR and HIPAA. We maintain compliance with industry-specific requirements and regular audit schedules.

Incident Response and Monitoring

Major Outage Response

In the event of a major outage at a cloud provider, our disaster recovery plans ensure minimal impact. Services are restored swiftly using backup data and failover systems, typically within hours.

Infrastructure Monitoring

We perform continuous monitoring of our infrastructure for performance, security, and compliance. Automated alerts notify our team of any anomalies or potential issues requiring attention.

Data Backup and Recovery

Backup Strategy

Backups of client production databases are continuous with point-in-time restore capability. We retain the following backup generations to ensure data recovery options:

  • Point-in-time-restore backups retained for up to 14 days
  • Weekly backups kept for 12 weeks
  • Monthly backups (first week) kept for 12 months
  • Annual backups (first week) kept for 7 years

Geo-Redundant Storage (GRS)

Three replicas of backup data are maintained to protect against hardware failures through geo-redundant storage:

  • Primary region: Three synchronous copies within a single physical location
  • Secondary region: Three synchronous copies copied asynchronously from the primary region to the paired secondary region

This configuration provides six total copies of your backup data across two geographic regions, ensuring protection against regional failures and hardware issues.

Backup Access

We manage all backups internally on our hosted platform. Clients do not have direct access to backups. We implement security measures including multi-factor authentication (MFA) for accessing our secure Azure vault where backups are stored. All backup and security processes are handled by our team to ensure data integrity and protection.

Backup Testing

Backup and restore processes are tested monthly. Full restoration and recovery tests of key server configurations and data from backups are conducted bi-annually to ensure reliability and recoverability.

Data Restoration

In the event of major data loss, we can restore your data (unaltered) from a backup within 24-48 hours. Our recovery processes are tested regularly to ensure they function reliably when needed.

Storage Expansion

Additional storage can be provisioned as needed if you run out of space. Contact support to request storage increases.

Third-Party Security

We engage in third-party security assessments and certifications to validate our security practices. Our hosting infrastructure providers maintain ISO 27001 and SOC 2 Type II certifications, independently verified through annual audits.

Customer Responsibilities

Server Decommissioning

Decommissioning your old server is your responsibility, though we can provide support and guidance as needed. We recommend securely wiping all data before decommissioning.

Record Purging

Records are purged based on your retention policies and regulatory requirements, typically on a periodic basis (e.g., quarterly or annually). You are responsible for defining and managing retention policies appropriate to your firm's needs.

Security Updates and Patch Management

Windows Updates

Windows updates and security patches are managed to avoid any service downtime. We schedule updates during maintenance windows and use redundant infrastructure to ensure continuity of service.

Additional Security Features

Network Security

Security measures include firewalls, intrusion detection systems, and regular security audits. Network traffic is monitored for suspicious activity and our infrastructure is regularly scanned for vulnerabilities.

Infrastructure Requirements

Users may need VPN access or secure internet connections for remote access. No significant additional costs are expected. We recommend using VPN for access from public networks and maintaining up-to-date endpoint security software.

Security Best Practices

Security is a shared responsibility. While we protect the infrastructure and data, you are responsible for managing user access, maintaining strong passwords, and following secure practices within your organization.

For Your Organization

  • Enforce strong password policies and encourage password managers
  • Implement multi-factor authentication for all user accounts
  • Regularly review user access and remove access for departed staff promptly
  • Train staff on security best practices and phishing awareness
  • Keep client and matter information confidential; share access only when necessary
  • Use secure internet connections when accessing the system remotely
  • Report suspicious activity or security concerns immediately

Reporting Security Concerns

If you identify a potential security vulnerability or have security concerns, report them immediately to support. Include details about the issue, how you discovered it, and any evidence or reproduction steps.

We take all security reports seriously and will acknowledge receipt within 24 hours. Critical vulnerabilities are prioritized for immediate remediation.