The Security, Privacy and Compliance Team facilitates the Security, Privacy and Compliance programs across DocJuris. This team reports to the CTO, who reports to the CEO.
Governance of these programs is performed by the Security and Privacy Steering Committee, comprised of executives and engineering leaders.
The Security Team conducts periodic risk assessments for the organization using a methodology based on the ISO 27005:2018 guidelines for information security risk management. Top risks are selected and risk treatment plans are prepared. The risk assessment, top risk selection, and risk treatment plans are reviewed by the Security and Privacy Steering Committee, which also monitors progress on the risk treatment plans.
Overview. DocJuris requires authentication for access to all application pages on the DocJuris Service, except for those intended to be public.
Secure Communication of Credentials. DocJuris currently uses 256 bit encryption to transmit authentication credentials to the DocJuris Service.
Password Management. We have processes designed to enforce minimum password requirements for the DocJuris Service. We currently enforce the following requirements and security standards for end user passwords on the DocJuris Service:
- Passwords are hashed using PBKDF2 with HMAC-SHA256 with a 128-bit salt.
- Password requirements are: minimum 8 characters, with at least 6 unique characters
Single Sign-On. DocJuris lets you implement Single Sign-On (SSO) through Azure AD. This allows your team to log in to DocJuris using their existing corporate credentials. SSO is an account-level feature that will apply across all projects and experiments. Single Sign-On is available on select packages only, so please consult your order form for eligibility.
2. Session Management
Overview. Each time a user signs into the DocJuris Service, the system assigns them a new, unique session identifier, currently consisting of 64 bytes of random data designed for protection against brute forcing.
Session Timeout. All sessions are designed to have a hard timeout (currently set to 7 days). Single Sign-On sessions are configured with an inactivity timeout as well (currently, 4 hours).
Sign Out. When signing out of the DocJuris Service, the system is designed to delete the session cookie from the client and to invalidate the session identifier on DocJuris servers.
Network and Transmission Controls
DocJuris monitors and updates its communication technologies periodically with the goal of providing network security.
By default all communications from your end users and your visitors with the DocJuris Service are encrypted using industry-standard communication encryption technology. All calls from client to app are over SSL (sha256). Please see https://app.docjuris.com for certificate details.
2. Network Security
DocJuris regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis. The network access to those services follow industry best practices and is limited to a select number of DocJuris engineering staff. Staff must use an encrypted connection to the production environment to make configuration changes or software updates. Finally, DocJuris itself uses standard encryption technologies for customer and staff access via a web browser.
DocJuris’ protection against data exfiltration involves a combination of physical/environmental security, logical or network security, and software level security and auditing. Since we are hosted completely within Microsoft’s cloud services environment (Azure), the physical security of the customer’s data is backed by an industry leader in cloud computing. The network access to those services follow industry best practices and is limited to a select number of DocJuris engineering staff. Staff must use an encrypted connection to the production environment to make configuration changes or software updates. Finally, DocJuris itself uses standard encryption technologies for customer and staff access via a web browser.
3. Infrastructure Security
DocJuris uses Microsoft’s Azure Cloud SQL Database for storing data and uses its transparent data encryption on both data, backups, and log files; and, DocJuris stores uploaded contracts inside Microsoft’s Azure Blob Storage which, by default, automatically encrypts data through 256-bit AES encryption.
DocJuris store an audit log of all the changes that are made (and who made them) to all major data entities (like playbooks and contracts). We can provide an export of this log upon request. Our product roadmap plans for functionality allowing client administrators to review these data inside the application.
Data Confidentiality and Job Controls
1. Internal Access to Data
Access to your visitor and account data stored on the DocJuris Service is restricted within DocJuris to employees and contractors who have a need to know this information to perform their job function, for example, to provide customer support, to maintain infrastructure, or for product enhancements (for instance, to understand how an engineering change affects a group of customers).
DocJuris currently requires the use of single sign-on, strong passwords and/or 2-factor authentication for all employees to access production servers for the DocJuris Service.
2. Job Controls
DocJuris has implemented several employee job controls to help protect the information stored on the DocJuris Service:
- All DocJuris employees are required to sign confidentiality agreements prior to accessing our production systems.
- All DocJuris employees are required to receive security and privacy training at time of hire, as well as quarterly security and/or privacy awareness training.
- Employee access to production systems that contain your data is logged and audited
- DocJuris employees are subject to disciplinary action, including but not limited to termination, if they are found to have abused their access to customer data
- Starting on May 18, 2017, new DocJuris employees are subject to background check prior to employment, where permitted by law
Security in Engineering
1. Product Security Overview
DocJuris's software security practices are measured using industry-standard security models (currently, the Building Security In Maturity Model (BSIMM)). The DocJuris software development lifecycle (SDLC) for the DocJuris Service includes many activities intended to foster security:
- Defining security requirements
- Design (threat modeling and analysis, security design review)
- Development controls (static analysis, manual peer code review)
- Testing (dynamic analysis, 3rd party security vulnerability assessments)
- We currently use unit, integration, and end-to-end tests, where applicable, to catch regressions
- Deployment controls (such as change management and canary release process).
DocJuris designs, reviews and tests the software for the DocJuris Service using applicable OWASP standards.
2. Code Assessments
The software we develop for the DocJuris Service is continually monitored and tested using processed designed to proactively identify and remediate vulnerabilities. We regularly conduct:
- Automated source code analysis designed to find common defects
- Peer review of all code prior to being pushed to production
- Manual source code analysis on security-sensitive areas of code
- When requested, third-party application security assessments and penetration tests performed annually
Further, we do not roll our own authentication/authorization system and leverage ASP.NET Core provided subsystem, which follows industry standard. We leverage an ORM (Microsoft Entity Framework Core) and do not construct/write any manual SQL statements.
1. Disaster Recovery
The infrastructure for the DocJuris Service is designed to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:
- State of the art cloud providers: We use Microsoft Azure, which is trusted by thousands of businesses to store and serve their data and services.
- Data replication: To help ensure availability in the event of a disaster, we replicate data across multiple data centers.
- Backups: databases are fully backed up once per week and differential backups are created nightly, and log backups are performed every 5 minutes.
- Continuity plan: We have an office located in Houston, Texas to assist in business continuity should regional issues at our cloud service providers in anywhere in the world experiece a problem.
2. Incident Response
DocJuris has an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis.
3. Availability Monitoring
We monitor availability in real-time 24/7 using Azure App Insights. Via Azure, we pass through availability terms (e.g., https://azure.microsoft.com/en-us/support/legal/sla/app-service/v1_0/)
1. Data Segregation
2. User Roles
The DocJuris Service is designed for use cases ranging from single account holders to large teams. User roles specify different levels of permissions that you can use to manage the users on your DocJuris Service account. You can invite users to your account without giving all team members the same levels of permissions. These user permission levels are especially useful when there are multiple people working on the same project or experiment.
DocJuris uses industry-leading cloud platforms (currently Microsoft Azure) to host its production systems for the DocJuris Service. Access to these data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures for these data centers include: on-premises security guards, closed circuit video monitoring, and additional intrusion protection measures. We rely on their third party attestations of their physical security. Within our headquarters, we employ a number of industry-standard physical security controls.
If you have additional questions about implementing any of these security measures, please contact us at firstname.lastname@example.org. Our security measures are constantly evolving to keep up with the changing security landscape, so we may update this page from time to time to reflect these technical and organizational changes.