InterActive LegalSuite™ (Online Version) Security Overview
Updated July 19, 2023
Security Documentation – FAQ
This document summarizes the security features of the online version of InterActive LegalSuite™ published by ILS Management, LLC and addresses some Frequently Asked Questions regarding security and access to data. Please contact your Sales Representative if you have any additional questions regarding security or data access and storage.
For purposes of this document, “customer data” refers to all data relating to a firm’s account, including names and contact information for registered users, as well as all data relating to firm clients and other information entered by the firm in connection with the firm’s use of ILS.
Data storage and encryption in transit and at rest
- All customer data is stored and encrypted on AWS (Amazon Web Services) servers. Read more about AWS security here: https://aws.amazon.com/security/.
- ILS uses TLS 1.3 and SHA-256 to encrypt data sent between the user’s browser and ILS servers, to provide security for customer data as it is sent across the Internet.
Protection from Unauthorized Access
- ILS utilizes Cloudflare for added security to protect customer data against malicious bot attacks and mitigate DDoS attacks. Cloudflare’s WAF (Web Application Firewall) helps to keep ILS secure from OWASP Top 10 vulnerabilities.
- Access to ILS is secured by complex password requirements and optional MFA (Multi-Factor Authentication), to significantly mitigate risk of unauthorized access due to weak user credentials.
- To further reduce the possibility of brute-force attacks, password attempts are limited to 5 attempts per 15 minutes.
- MFA is optional, but highly recommended to secure client data. Please see the ILS MFA Policy for more information.
- All customer data is segregated by firm. ILS users outside of the firm will not have access to other firm data or even know that another firm exists on the system.
- ILS has partnered with ScienceSoft for an independent third-party Penetration Test. This test evaluates the measures in place to protect against the potential risks of a cyberattack. Results of the latest Penetration Test can be found here: ScienceSoft Penetration Test Results.
- Customer data is stored in the ILS database (on the AWS servers referenced above) until the later of such time as a user deletes it or the firm’s ILS subscription expires without renewal (at which time data will be deleted after 90 days). Please refer to the Data Retention Policy for further details.
Frequently Asked Security Questions
How does ILS limit control of access to customer data on a need-to-know basis?
- Only users of the same firm can access data from that firm. Once a user is removed from a firm, they immediately lose access to all data in the firm. You are responsible for notifying ILS of any changes to the users able to access the firm’s account. Please notify ILS Customer Service immediately if a user leaves your firm or the user should be removed from your account for any reason. All changes will be processed by the end of the next business day.
- A limited number of ILS employees and contractors have access to the backend database where client data is stored. Access is used only to perform maintenance and updates, and is restricted to those employees and contractors necessary to perform those functions. All client data is encrypted in the database and cannot be read directly from the database.
Does ILS log and monitor access to customer data?
- Nearly all actions performed by ILS subscribers and staff are logged in the ILS database for auditing. Should an incident arise within the site, ILS is able to tell what action led to the incident and who performed it.
- ILS collects and stores certain information regarding use of ILS for purposes of improving the platform and verifying compliance with the ILS End User License Agreement.
- Access to the database, where logs and encrypted client data are stored, is limited to only two members of the ILS team. This access is monitored by AWS and is necessary for maintenance and updates to the ILS system.
Does ILS store data outside of the United States?
- No. All data used by ILS is stored securely in AWS Data Centers located in the contiguous United States.