Security

1. Security architecture and practices

Litigaze's security team uses industry best practices and frameworks to keep data secure. Our approach focuses on security governance, risk management and compliance. This includes encryption at rest and in transit, network security, administrative access control, system monitoring, and more.

HTTPS for secure connections

Litigaze forces HTTPS for all services using TLS (SSL), including our public website and our Litigaze App.

We regularly audit the details of our implementation:

  • the certificates we serve;
  • the certificate authorities we use; and
  • the ciphers we support.

Encryption of sensitive data and communication

All passwords are hashed at rest using PBKDF2 with SHA-256.

Production environment

We maintain separate and distinct production, staging, and development environments for Litigaze.

Payments

Litigaze does not process payments or store credit card details. All payments go through our partner, Stripe, which is a leading global payments system that is PCI DSS compliant.

2. Storage and data centers

Litigaze production services are hosted on the Amazon Web Services (AWS) platform.

The physical servers are located in AWS data centers.

As at today's date, AWS:

  • has certifications for compliance with ISO/IEC 27001:2013, 27017:2015 and 27018:2014;
  • is certified as a PCI DSS 3.2 Level 1 Service Provider; and
  • undergoes SOC 1, SOC 2 and SOC 3 audits (with semi-annual reports).

Further details about AWS compliance programs are available from the AWS website.

All user content is stored within US regions of AWS.

3. Access controls

All user data stored in Litigaze is protected and access to such data by Authorized Personnel is based on the principle of least privilege.

Only Authorized Personnel have direct access to Litigaze's production systems. Those who do have direct access to production systems are only permitted to view user data stored in Litigaze in the aggregate, for troubleshooting purposes or as otherwise permitted in our Privacy Policy.

Litigaze maintains a list of Authorized Personnel with access to the production environment. Litigaze also maintains a list of personnel who are permitted to access Litigaze code, as well as the development and staging environments. These lists are reviewed regularly and upon role change.

4. Vulnerability disclosure

Our security team rapidly investigates all reported security issues. If you've discovered a security bug or vulnerability in Litigaze, please contact us at [email protected]. We ask you not to publicly disclose security issues until we have fully investigated the matter.