Security at Litigaze
1. Security architecture and practices
Litigaze's security team uses industry best practices and frameworks to keep data secure. Our approach focuses on security governance, risk management and compliance. This includes encryption at rest and in transit, network security, administrative access control, system monitoring, and more.
HTTPS for secure connections
Litigaze forces HTTPS for all services using TLS (SSL), including our public website and our Litigaze App.
We regularly audit the details of our implementation:
- the certificates we serve;
- the certificate authorities we use; and
- the ciphers we support.
Encryption of sensitive data and communication
All passwords are hashed at rest using PBKDF2 with SHA-256.
We maintain separate and distinct production, staging, and development environments for Litigaze.
Litigaze does not process payments or store credit card details. All payments go through our partner, Stripe, which is a leading global payments system that is PCI DSS compliant.
2. Storage and data centers
Litigaze production services are hosted on the Amazon Web Services (AWS) platform.
The physical servers are located in AWS data centers.
As at today's date, AWS:
- has certifications for compliance with ISO/IEC 27001:2013, 27017:2015 and 27018:2014;
- is certified as a PCI DSS 3.2 Level 1 Service Provider; and
- undergoes SOC 1, SOC 2 and SOC 3 audits (with semi-annual reports).
Further details about AWS compliance programs are available from the AWS website.
All user content is stored within US regions of AWS.
3. Access controls
All user data stored in Litigaze is protected and access to such data by Authorized Personnel is based on the principle of least privilege.
Litigaze maintains a list of Authorized Personnel with access to the production environment. Litigaze also maintains a list of personnel who are permitted to access Litigaze code, as well as the development and staging environments. These lists are reviewed regularly and upon role change.
4. Vulnerability disclosure
Our security team rapidly investigates all reported security issues. If you’ve discovered a security bug or vulnerability in Litigaze, please contact us at firstname.lastname@example.org. We ask you to not publicly disclose security issues until we have fully investigated the matter.