The Security, Privacy and Compliance Team facilitates the Security, Privacy, and Compliance programs ("Program") across DocJuris. This team reports to the CTO, who reports to the CEO (collectively, the "Security Team"). All employees, including management, are responsible for overseeing the Program.
Governance of the Program is performed by the Security and Privacy Steering Committee, composed of executives and engineering leaders. All new and existing employees are trained on the Program. Further, the Program is reviewed quarterly by the Security Team.
The Security Team conducts periodic risk assessments for the organization using a methodology based on the ISO 27005:2018 guidelines for information security risk management. Top risks are selected and risk treatment plans are prepared. The risk assessment, top risk selection, and risk treatment plans are reviewed by the Security and Privacy Steering Committee, which also monitors progress on the risk treatment plans.
Overview. DocJuris requires authentication for access to all application pages on the DocJuris Service, except for those intended to be public.
Secure Communication of Credentials. DocJuris currently uses 256-bit encryption to transmit authentication credentials to the DocJuris Service.
Password Management. We have processes designed to enforce minimum password requirements for the DocJuris Service. We currently enforce the following requirements and security standards for end user passwords on the DocJuris Service:
- Passwords are hashed using PBKDF2 with HMAC-SHA256 with a 128-bit salt.
- Password requirements are: minimum 8 characters, with at least 6 unique characters.
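The two requirements above can be expressed as the following sketch, an added example that is not DocJuris code. It applies the stated password rules and stores a PBKDF2-HMAC-SHA256 hash with a 128-bit salt; the iteration count, the record format, and the function names are assumptions, since the page does not state them.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16        # 128-bit salt, as stated on the page
ITERATIONS = 600_000   # assumption: the page does not state an iteration count
MIN_LENGTH = 8         # page: minimum 8 characters
MIN_UNIQUE = 6         # page: at least 6 unique characters


def policy_violations(password: str) -> list[str]:
    """Return the page's password rules that this password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(set(password)) < MIN_UNIQUE:
        problems.append("too_few_unique_characters")
    return problems


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash with a fresh random 128-bit salt."""
    if policy_violations(password):
        raise ValueError("password does not meet policy")
    salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store the parameters with the hash so the work factor can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters; compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)
```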
Single Sign-On. For an additional fee, DocJuris enables you to implement Single Sign-On (SSO) through Azure AD or SAML. This allows your team to log in to DocJuris using their existing corporate credentials.
2. Session Management
Overview. Each time a user signs into the DocJuris Service, the system assigns them a new, unique session identifier, currently consisting of 64 bytes of random data designed for protection against brute forcing.
Session Timeout. All sessions are designed to have a hard timeout (currently set to 7 days). Single Sign-On sessions are configured with an inactivity timeout as well (currently, 4 hours).
Sign Out. When signing out of the DocJuris Service, the system is designed to delete the session cookie from the client and to invalidate the session identifier on DocJuris servers.
Network and Transmission Controls
DocJuris monitors and updates its communication technologies periodically with the goal of providing network security.
By default, all communications from your end users and your visitors with the DocJuris Service are encrypted using industry-standard communication encryption technology. All calls from client to app are over SSL (sha256). Please see https://app.docjuris.com for certificate details.
2. Network Security
DocJuris regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
DocJuris’ protection against data exfiltration involves a combination of physical/environmental security, logical or network security, and software level security and auditing. Since we are hosted completely within Microsoft’s cloud services environment (Azure), the physical security of the customer’s data is backed by an industry leader in cloud computing. The network access to those services follows industry best practices and is limited to a select number of DocJuris engineering staff. Staff must use an encrypted connection to the production environment to make configuration changes or software updates. Finally, DocJuris itself uses standard encryption technologies for customer and staff access via a web browser.
3. Infrastructure Security
DocJuris uses Microsoft’s Azure Cloud SQL Database for storing data and uses its transparent data encryption on data, backups, and log files. DocJuris stores uploaded contracts inside Microsoft’s Azure Blob Storage, which, by default, automatically encrypts data through 256-bit AES encryption.
DocJuris stores an audit log of all the changes that are made (and who made them) to all major data entities (e.g., playbooks and contracts). Further, audit trails include user ID and date/time for login/logoff, data read/write, data export/download and administrative activities.
Data Confidentiality and Job Controls
1. Internal Access to Data
Access to your visitor and account data stored on the DocJuris Service is restricted within DocJuris to employees and contractors who have a need to know this information to perform their job function, for example, to provide customer support, to maintain infrastructure, or for product enhancements (for instance, to understand how an engineering change affects a group of customers).
2. Internal Security Protocols
DocJuris utilizes a variety of security protocols including, without limitation, the following.
- DocJuris currently requires the use of single sign-on, strong passwords and/or 2-factor authentication for all employees to access production servers for the DocJuris Service (e.g., email, chat, and source code).
- Workstations have anti-malware protection installed. Such protection is locked down and closely monitored.
- DocJuris also deploys data leakage controls that prevent the movement of data via removable media (e.g. USB, CDs), internet data sharing sites (e.g. web email, internet chat, file sharing), and the corporate email system.
3. Job Controls
DocJuris has implemented several employee job controls to help protect the information stored on the DocJuris Service:
- All DocJuris employees are required to sign confidentiality agreements prior to accessing our production systems.
- All DocJuris employees are required to receive security and privacy training at time of hire, as well as quarterly security and/or privacy awareness training.
- Employee access to production systems that contain your data is logged and audited.
- DocJuris employees are subject to disciplinary action, including but not limited to termination, if they are found to have abused their access to customer data.
- DocJuris employees are subject to a background check prior to employment, where permitted by law.
Security in Engineering
1. Product Security Overview
DocJuris' software security practices are measured using industry-standard security models (currently, the Building Security In Maturity Model (BSIMM)). The DocJuris software development lifecycle (SDLC) for the DocJuris Service includes many activities intended to foster security:
- Defining security requirements
- Design (threat modeling and analysis, security design review)
- Development controls (static analysis, manual peer code review)
- Testing (dynamic analysis, 3rd party security vulnerability assessments)
- We currently use unit, integration, and end-to-end tests, where applicable, to catch regressions
- Deployment controls (such as change management and canary release process).
DocJuris designs, reviews and tests the software for the DocJuris Service using applicable OWASP standards.
2. Code Assessments and Change and Release Management
The software we develop for the DocJuris Service is continually monitored and tested using processes designed to proactively identify and remediate vulnerabilities. We regularly conduct:
- Automated source code analysis designed to find common defects
- Peer review of all code prior to being pushed to production
- Manual source code analysis on security-sensitive areas of code
- When requested, third-party application security assessments and penetration tests performed annually
Further, we do not roll our own authentication/authorization system; we leverage the subsystem provided by ASP.NET Core, which follows industry standards. We leverage an ORM (Microsoft Entity Framework Core) and do not construct/write any manual SQL statements.
1. Disaster Recovery
The infrastructure for the DocJuris Service is designed to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:
- State of the art cloud providers: We use Microsoft Azure, which is trusted by thousands of businesses to store and serve their data and services.
- Data replication: To help ensure availability in the event of a disaster, we replicate data across multiple data centers.
- Backups: Databases are fully backed up once per week, differential backups are created nightly, and log backups are performed every 5 minutes.
- Continuity plan: We have an office located in Houston, Texas to assist in business continuity should our cloud service providers experience regional issues anywhere in the world.
2. Availability Monitoring
We monitor availability in real time 24/7 using Azure App Insights. Via Azure, we pass through availability terms (e.g., https://azure.microsoft.com/en-us/support/legal/sla/app-service/v1_0/).
1. Data Segregation
DocJuris' systems for the DocJuris Service are designed to logically separate your data from that of other customers. DocJuris' application logic is designed to enforce this segmentation by permitting each end user access only to accounts that the user has been granted access to. Further, controls are in place to prevent data movement to the corporate network, to file mounts, to unauthorized cloud storage, or to any source external to the production environment.
2. User Roles
The DocJuris Service is designed for use cases ranging from single account holders to large teams. User roles specify different levels of permissions that you can use to manage the users on your DocJuris Service account. You can invite users to your account without giving all team members the same levels of permissions. These user permission levels are especially useful when there are multiple people working on the same project or experiment.
DocJuris' datacenters are co-located in some of the most respected datacenter facility providers in the world. DocJuris leverages all of the capabilities of these providers including physical security and environmental controls to secure our infrastructure from physical threat or impact. Each site is staffed 24/7/365 with on-site physical security to protect against unauthorized entry. Security controls provided by our datacenter facilities include, but are not limited to:
- 24/7 Physical security guard services
- Physical entry restrictions to the property and the facility
- Physical entry restrictions to our co-located datacenter within the facility
- Full CCTV coverage externally and internally for the facility
- Biometric readers with two-factor authentication
- Facilities are unmarked so as not to draw attention from the outside
- Battery and generator backup
- Generator fuel carrier redundancy
- Secure loading zones for delivery of equipment
Incident Response Plan
DocJuris has an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis. In summary, DocJuris' procedure requires a thorough investigation resulting in notification to impacted clients within 48 hours of discovery.
If you have additional questions about implementing any of these security measures, please contact us at email@example.com. Our security measures are constantly evolving to keep up with the changing security landscape, so we may update this page from time to time to reflect these technical and organizational changes.