Security

Last Updated: March 13, 2025

At Asbestos Deposition Summary, we prioritize the security of your sensitive legal data. Our comprehensive security program is designed with legal industry requirements in mind, incorporating best practices for protecting confidential information and maintaining attorney-client privilege.

1. Security Program Overview

Our security program follows a defense-in-depth approach with multiple layers of protection:

  • Designated Security Officer responsible for our security program
  • Regular third-party security assessments and penetration testing
  • Continuous security monitoring and threat detection
  • Comprehensive incident response plan
  • Annual security training for all employees
  • Security reviews integrated into our development lifecycle

2. Data Encryption

We implement industry-standard encryption to protect your data:

  • In Transit: All data transmitted to and from our servers is encrypted using TLS 1.3 with secure cipher suites
  • At Rest: All stored data is encrypted using AES-256 encryption
  • Database Encryption: Our databases employ transparent data encryption
  • Secure Key Management: Encryption keys are stored in a separate secure key management service with strict access controls

3. Infrastructure Security

Our infrastructure is built with security as a priority:

  • Cloud Security: We use enterprise-grade cloud services with SOC 2 and ISO 27001 certifications
  • Network Segmentation: Our infrastructure is segmented to limit the impact of potential breaches
  • Firewalls and WAF: Advanced firewall protection and a web application firewall to block attacks
  • DDoS Protection: Integrated DDoS mitigation to ensure service availability
  • Regular Patching: Automated systems ensure all software is kept up to date with security patches
  • Infrastructure as Code: All infrastructure changes follow secure code review processes

4. Access Controls

We maintain strict controls over who can access your data:

  • Principle of Least Privilege: Staff only have access to the specific data and systems necessary for their job functions
  • Multi-Factor Authentication: Required for all staff access to systems containing customer data
  • Role-Based Access Control: Access permissions are determined by job responsibilities
  • Access Auditing: All access to sensitive data is logged and reviewed
  • Regular Access Reviews: Quarterly reviews of all access permissions
  • Employee Offboarding: Strict procedures ensure immediate access revocation when staff leave

5. Application Security

Our application development follows secure coding practices:

  • Secure SDLC: Security is integrated into all phases of software development
  • Code Reviews: All code undergoes security-focused peer review
  • Automated Testing: Static and dynamic application security testing
  • Dependency Scanning: Regular monitoring for vulnerabilities in third-party components
  • Input Validation: Strict validation of all user inputs to prevent injection attacks
  • Output Encoding: Proper encoding to prevent XSS and other client-side attacks

6. Monitoring and Incident Response

We employ continuous monitoring and have a robust incident response plan:

  • 24/7 Monitoring: Continuous monitoring of our systems for suspicious activity
  • Intrusion Detection: Advanced systems to detect potential security breaches
  • Logging and Alerting: Comprehensive logging with real-time alerts for security events
  • Incident Response Team: Dedicated team with defined procedures for handling security incidents
  • Regular Drills: Simulated security incidents to test our response capabilities
  • Customer Notification: Prompt notification processes for any incidents affecting customer data

7. Physical Security

Our data centers and offices maintain strict physical security:

  • Secured Data Centers: All data is stored in facilities with 24/7 security personnel, biometric access controls, and video surveillance
  • Environmental Controls: Systems to protect against fire, flood, and other environmental threats
  • Redundant Power: Backup power systems to ensure continuous operation
  • Office Security: Visitor management, access cards, and monitoring systems protect our physical premises

8. Compliance and Certifications

We maintain compliance with relevant standards and regulations:

  • SOC 2 Type II: Annual audits verify our security, availability, and confidentiality controls
  • HIPAA Compliance: Our systems are designed to protect health information in accordance with HIPAA requirements
  • GDPR Compliance: Our procedures support compliance with EU data protection regulations
  • Bar Association Guidelines: Our security controls align with legal industry ethics guidelines
  • Regular Assessments: Independent third-party security assessments

9. Vendor Management

We thoroughly vet and monitor our third-party service providers:

  • Security Assessments: All vendors undergo security review before engagement
  • Contractual Requirements: Security and confidentiality obligations in all vendor contracts
  • Regular Reviews: Ongoing monitoring of vendor security practices
  • Data Processing Agreements: Formal agreements governing data handling by third parties

10. Security Recommendations for Users

To maximize the security of your account and data, we recommend:

  • Enable multi-factor authentication for your account
  • Use strong, unique passwords for your Asbestos Deposition Summary account
  • Regularly review authorized users with access to your organization's account
  • Access our service only from trusted networks and devices
  • Keep your web browser and operating system updated
  • Be vigilant against phishing attempts and suspicious emails
  • Contact us immediately if you suspect any unauthorized access

11. Bug Bounty Program

We maintain a bug bounty program to encourage responsible disclosure of potential security vulnerabilities. If you discover a security issue, please report it to [email protected]. We commit to:

  • Acknowledge receipt of your report within 24 hours
  • Provide updates on our investigation and remediation
  • Not pursue legal action against security researchers following responsible disclosure practices
  • Recognize contributors who help improve our security (with permission)

12. Contact Information

For security-related inquiries or to report security concerns, please contact our Security Team at [email protected].

For information about our latest security measures or compliance certifications, please contact us at the same email address.