Version 1.1, October 2019
We’re committed to safeguarding our product and protecting the personal data and confidential information we keep.
The purpose of this document is to provide an overview of our privacy and security practices. Throughout this document, companies that use Legal Monster ApS (“Legal Monster” or “we”, “us”, “our”) are referred to as "you" and "your".
We make this document publicly available by publishing it on our website and on our Cloud Security Alliance page, and we share it with all of our employees (including our temporary workers and contractors), and our data processors and sub-data processors.
Reviews of this document and of our information security framework are completed at least annually and approved by our General Counsel.
We operate a compliance product primarily for use by companies who operate an online business.
Our mission is to help companies become compliant with regional and local privacy and anti-spam laws, such as the GDPR, the CCPA and the CAN-SPAM Act, without needing prior knowledge about this area.
Our services are focused on consent automation, where we provide services for companies to easily collect consents from users while at the same time having the required documentation in place.
We have mapped out the consent and anti-spam rules of specific jurisdictions. When we collect a consent from a user in one of these jurisdictions on behalf of your company, we do so in a way that complies with the local laws applicable to that user (unless your company chooses another consent collection method), and we collect and retain all the details necessary for you to have evidence of the consent.
Companies can use our services through our widgets, through our API, through our standard integrations and through our administration web user interface.
We have a Data Protection Officer (DPO) to oversee our data privacy and data protection measures and lead our compliance program to ensure that it is up to date and compliant.
If you have questions about the data processing activities that we carry out on your company’s behalf, you’re most welcome to contact our DPO at email@example.com.
We have a highly skilled security team who govern our data protection and information security, and who are responsible for securing our product and services. When appropriate, we also engage external resources and experts.
Our DPO takes on the role of Chief Information Security Officer (CISO), and leads the security team.
We have security policies and other documents that form the basis of our information security framework. These policies and documents are reviewed on an annual basis.
The policies apply to everyone who works for us, including our employees and freelancers, and our employees are educated and trained in our information security practices.
The goal of our Information Security Policy is to protect all the data we retain and process.
We align with current international regulatory and industry best-practice guidance, and we have designed our security program around established guidelines for cloud security. In particular, we make use of bodies like the Cloud Security Alliance, and we align our practices with ISO/IEC 27001 and ISO/IEC 27018.
Further details of our Information Security Policy are confidential.
In the event of a data incident, we have a documented policy and firm processes to guide our actions, as well as a Data Incident Response Team to handle the incident and a Data Incident Registry where we log forensics records, sequence of actions and decisions taken to analyze, mitigate and communicate an incident.
We comply with the GDPR and will notify you by email should we become aware of a personal data breach affecting your data (as a data processor, Article 33(2) of the GDPR requires us to notify you, the controller, without undue delay after becoming aware of a breach). The email will be sent to the email addresses of the users registered in our product or registered as contact persons for your subscription with us. Feel free to email [email protected] if you wish to receive such alerts at other email addresses as well.
We have a Business Continuity Policy in place to ensure the continuity and timely recovery of our critical business processes and services in the event of a disaster, and to ensure that our critical business processes operate at an appropriate level.
Our overall approach to business continuity is to run all of our services as Software as a Service (“SaaS”), so that, whether by decision or in the event of an incident or disaster, all of our employees can work remotely. Our continuity and recovery plans are based on a business impact analysis that we review on an annual basis.
We design our product to be highly available, fault-tolerant and fault-resilient. To achieve this, we follow industry best practices which we continuously improve on and review. Our product is hosted in a proven PaaS infrastructure, Heroku, which helps us minimize incidents, downtime and recovery time of our services.
We review our Business Continuity Policy annually and our most recent review showed no critical areas of risk.
Further details of our Business Continuity Policy are confidential.
As our customer, your use of our services is governed by a Service Subscription Agreement.
Our Service Subscription Agreement (“SSA”) sets out the rights and obligations for you and for us, including our obligation to keep your information and data confidential and thoroughly protected.
We expect those who use our product or do business with us to make decisions that reflect strong ethics and are consistent with our values. We therefore require our employees, data processors and sub-data processors, and business partners to adhere to the principles set out in our Code of Ethics.
As set out in our Code of Ethics, we’re committed to maintaining a high ethical standard, and we require that our employees and business partners comply with all the relevant anti-corruption laws of the countries that we do business in.
All of our employees need to know what they can and cannot do when handling confidential information and personal data. In addition to their obligation to follow our Code of Ethics, our employees must observe strict confidentiality with regard to our affairs. This requirement is included in all of our employment contracts.
The obligation of confidentiality includes not only our activities, but also extends to relationships with businesses and customers. It continues to apply after termination of the employment contract.
If an employee breaches their confidentiality obligations, intentionally or negligently, we consider it a material breach of their employment contract that can result in disciplinary action, including termination or immediate dismissal.
As part of our recruitment process for hiring new employees, we carry out reference checks where relevant. As a default, we do not perform any criminal or credit checks, but we may choose to do so for specific roles.
Our new employees go through a new hire program that includes education and training about how to protect and handle information. New hires learn about our commitment to information security and data privacy, our Code of Ethics, and our requirements for protecting and safeguarding information.
In addition to upholding their employment contract, our employees must read and comply with our Code of Ethics.
When employees leave us, we revoke their access to our services in a timely manner. For more information about this, please see section 7.2.
When you share personal data about your users with us, we act as a data processor and your company acts as a data controller, as those terms are defined in the EU’s General Data Protection Regulation (GDPR). Both our company and yours must comply with the GDPR.
The terms “data controller” and “data processor” are defined in Article 4 of the GDPR. Article 28 of the GDPR requires the data controller and data processor to have a “data processing agreement” (DPA) in place that documents the data processing activities being carried out.
We have created a DPA that meets the requirements outlined in the GDPR and it is incorporated into our SSA.
You can find a copy of our DPA on our website here. We recommend that you keep a copy of our DPA on file in case you need to show that you comply with Article 28 of the GDPR.
We consider any data relating to an identified or identifiable person as “personal data”; examples:
For the avoidance of doubt, Legal Monster does not process sensitive data or special categories of personal data as a data processor.
This section covers aspects related to our role as data processor, where we process, on your behalf, personal data about those of your users who have given or withdrawn consent.
The core functionality of our product does not require you to share any personal data about your users with us. The only data you need to share is an Id, for which you should choose a value that cannot identify the user to anyone but you (an opaque key from your own systems, not an email address or customer number). However, some of our more advanced features, such as double opt-in and marketing consent, require you to share e.g. the email address of the user with us, so if you need these features you will need to share that personal data about your users with us.
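One way for a customer to produce such an Id, as an added example that is not Legal Monster's code: derive the value sent to the processor with HMAC-SHA256 over the customer's own internal user key, using a secret that stays in the customer's systems. The key material, the `looks_identifying` heuristics and the sample user records below are constructed for illustration and are assumptions, not anything described on this page.

```python
"""Derive an opaque, customer-held pseudonymous Id for a user.

Added example, not Legal Monster's code. Assumption (not from the page):
the controller keeps CUSTOMER_KEY in its own secret store and derives the
Id it sends to the processor with HMAC-SHA256 over its internal user key.
"""
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed example key. In practice generate once with secrets.token_bytes(32)
# and store it on the controller side only; the processor never sees it.
CUSTOMER_KEY = bytes.fromhex("0f" * 32)

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_LONG_DIGITS_RE = re.compile(r"^\+?\d[\d\s-]{8,}$")  # phone / national-ID-like


def pseudonymous_id(internal_user_key: str, key: bytes = CUSTOMER_KEY) -> str:
    """Return a 64-hex-char Id only the key holder can link back to the user.

    A keyed MAC is used rather than a bare hash: anyone holding only the Id
    cannot confirm guesses ("is this alice@example.com?") without the key.
    """
    if len(key) < 16:
        raise ValueError("key must be at least 128 bits")
    mac = hmac.new(key, internal_user_key.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def looks_identifying(candidate: str) -> bool:
    """Heuristic guard against sending an email address or a long number as the Id."""
    return bool(_EMAIL_RE.match(candidate) or _LONG_DIGITS_RE.match(candidate))


def build_lookup(internal_keys, key: bytes = CUSTOMER_KEY) -> Dict[str, str]:
    """Controller-side table mapping each pseudonymous Id back to the internal key.

    This table lives with the controller; the processor only ever holds the Ids.
    """
    return {pseudonymous_id(k, key): k for k in internal_keys}


def resolve(pseudo_id: str, table: Dict[str, str]) -> Optional[str]:
    """Resolve an Id received back from the processor; None if unknown."""
    return table.get(pseudo_id)


if __name__ == "__main__":
    # Constructed sample of internal user keys from the controller's own database.
    users = ["user-42", "user-43", "user-9001"]
    table = build_lookup(users)
    pid = pseudonymous_id("user-42")
    print(pid, "->", resolve(pid, table))
    print("email as Id flagged:", looks_identifying("alice@example.com"))
```

Rotating `CUSTOMER_KEY` changes every Id, so treat the key like any other long-lived secret and keep the lookup table with the controller, where the GDPR places the ability to identify the data subject.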
You can find the full overview of all the personal data we collect and retain here.
If you choose to share personal data about your users with us, we ask you to limit what you share to what is needed for you to use our product. Please never share sensitive or special category personal data with us.
We limit our processing of the personal data that you have shared with us to the purpose of providing our services to you.
We believe the typical case is that our customers will be sharing personal data with us, and we have constructed our product, processes, methodologies, policies and controls accordingly.
When you use one of our widgets, we automatically capture the IP address of the user. When the user provides a consent, the IP address is kept in our product as part of the consent evidence. When the user chooses to not provide a consent, the IP address is automatically deleted within seven (7) days.
Should you choose to upload data files with existing consents to our product, our product will import the consents to your account and automatically delete the data files within seven (7) days.
We comply with Data Subject Rights (aka “the rights of the individual”) pursuant to the GDPR and similar legislation.
Should we receive a request from one of your users who would like to exercise one or more of their rights, e.g. the right to information, the right to be deleted or the right to data portability, in relation to your data, we will refer the request to you, as our customer, because you are the data controller of this data.
You may download personal data about your users or delete your users from our product. To do so, please write to [email protected], and we will assist with your request. The downloaded data will be made available in a machine-readable text format.
In our role as data processor, and in order to provide you — as our customer — with the best possible service, we use specialized service providers who assist us with delivering parts of our services, such as providing our data centers. Pursuant to the GDPR, these service providers are called sub-data processors.
Before we engage a service provider as sub-data processor, we perform a thorough security and privacy assessment of the service provider’s services, typically done as part of the contract discussions. As part of our process we conduct a Data Protection Impact Assessment (“DPIA”).
Among the aspects we assess in the DPIA, we evaluate the service provider’s privacy and security aspects and practices, we perform a risk assessment of the personal data that we will share with the service provider, and we review the service provider’s DPA. We follow this process to determine whether the service provider is competent to process personal data in line with the legislation and meets our requirements and standards.
We will only enter into a contract and share personal data with a sub-data processor provided that the above-mentioned requirements are in place.
We monitor the performance and fit of our service providers on an ongoing basis, and we review the DPIAs on an annual basis. We may find it necessary to add, replace or sunset a sub-data processor, and if we do, we will notify you via email to the persons we have registered as owners of your subscription with us. Feel free to email [email protected] if you wish to receive such notifications at other email addresses as well.
We collect capacity and use data from our sub-data processors as needed for our information capacity planning and internal SLA performance.
When we no longer require a service provider as sub-data processor, we will remove the service provider from our product and infrastructure and request the deletion of any personal data in the possession of the service provider.
Data to and from our sub-data processors is encrypted in transit. To safeguard the traffic between our users and our product, all web communication uses cipher suites with at least 128-bit keys. All of our websites use Transport Layer Security (TLS) 1.2, and we only accept data sent via web submissions over HTTPS.
We currently have no subsidiaries.
You will be able to see what sub-data processors we use to deliver the services to you here.
We do not host any data center facilities ourselves. For more details on our data centers, please see section 6.1.
We secure the emails we send with Transport Layer Security 1.2, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). TLS for email is opportunistic: if the receiving email server does not support TLS, delivery falls back to the strongest protocol that server does support. The emails we send with SendGrid to our customers are sent from the legalmonster.com domain. The emails we send with SendGrid on behalf of our customers are sent from the legalmails.com domain or from our customer's own domain; in the latter case, SPF and DKIM checks for your domain can only pass if your own DNS records authorize SendGrid to send on your behalf.
This section covers aspects related to our role as data controller, where we process personal data about:
For details on the personal data we keep, and why, how and for how long we and our data processors retain this data, please request a copy of our Data Retention Policy by emailing [email protected].
We comply with Data Subject Rights (aka “the rights of the individual”) pursuant to the GDPR and similar legislation.
As a data subject, you can exercise your Data Subject Rights by logging into our product and performing the required action yourself after authenticating. However, you may also email your data subject access request to us at firstname.lastname@example.org, and we will process it with due respect for the timeliness required by the legislation.
Your request must be about your own personal data. There may be edge cases where this is not the case, and if so we will ask you for more information to understand the background before taking actions.
Like other companies, we have experienced requests where the sender tries to trick us into providing data about another person or delete the data of another person. To avoid this, we may ask for additional information or confirmation of the sender’s identity.
When you exercise your right to be deleted, we will delete your data. As required by law, we will register evidence of the deletion or anonymization in our secure, limited-access Deletion Log, from where the data will be deleted in accordance with our Data Retention Policy.
The Deletion Log will contain the following data:
Account owners are created, managed and deleted by us, done within our business systems.
When you exercise your right to information or right to download by emailing email@example.com, we will email you a machine-readable text copy of the personal data we hold about you in our business system.
We will keep your data on file in accordance with the data retention period outlined in our policy.
Business contacts are created, managed and deleted by us. We use our own product to keep track of the consents that a business contact may have given or retracted.
When you exercise your right to information or your right to download by emailing firstname.lastname@example.org, we will email you a machine-readable text copy of your personal data held within our business systems, and of the consents you have provided to our company that we hold within our product.
When you exercise your right to be deleted by emailing email@example.com, we will delete the related data within our business systems.
We will, however, not delete or remove personal data of a person that is, or has been, involved in contractual matters, compliance matters or where legislation requires us to keep this data.
In our role as data controller, we use specialized service providers who assist us with delivering parts of our services, our data center, our business systems, and our IT and office infrastructure. Pursuant to the GDPR, these service providers are called data processors.
We conduct the same assessment lifecycle for a data processor as we do for a sub-data processor; please see section 5.1.2.
Data to and from our data processors is encrypted in transit. To safeguard the traffic between our users and our product, all web communication uses cipher suites with at least 128-bit keys. All of our websites use Transport Layer Security (TLS) 1.2, and we only accept data sent via web submissions over HTTPS.
Please see section 18.104.22.168
Please see section 22.214.171.124
Our business systems are hosted by the following service providers:
On our website, we use other service providers where we don’t share personal data, but because these service providers are technically implemented on our website, the user’s browser will automatically share the IP address of the user with the service provider. We have ensured that the service providers do not keep this data.
We follow the same assessment process for our data processors as we do for our sub-data processors (see section 5.1.2).
Access to our business systems is protected by secure multi-factor authentication. We operate on principles of least privilege first, which means that access is limited to those of our employees who have a genuine work-related need, which we monitor continuously.
We secure the emails we send with Transport Layer Security 1.2, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). TLS for email is opportunistic: if the receiving email server does not support TLS, delivery falls back to the strongest protocol that server does support.
The emails we send with Google Cloud Services and Mailchimp are sent from our domain, where the emails we send with Stripe are sent from Stripe’s domain on our behalf.
Our data centers are highly secure and use state-of-the-art electronic surveillance, intrusion detection and multi-factor access control. Trained security guards patrol the data centers around the clock, and access is authorized strictly for those who have a genuine business need, following the principle of least privilege. The environmental systems are designed to minimize the impact of disruptions to operations.
Our proven PaaS infrastructure provides us with best practice on many areas, such as availability, scalability, security, customer data segregation, protection against externally and internally generated attacks, and development process.
Operating systems, databases, and applications in our data centers have been hardened to reduce vulnerabilities and maximize their security.
Our data centers provide us with a synchronized time service so that all of our functionality has a common time reference.
Access to our data center services is protected by secure multi-factor authentication.
Temporary files are retained only for as long as they are needed, then deleted by means of automation.
We also host our staging and test environments in our data centers, but with no connection to our production environment.
We do not use production data outside of our production environment.
We consider security concepts, assessments and techniques fundamental to the development, reliability, and overall improvement of our product and services.
The physical security of our data centers is handled by our service providers. Our databases are encrypted at rest.
We operate on principles of least privilege first, which means that access is limited to those of our employees who have a genuine work-related need, which we monitor continuously.
The backend infrastructure of our data centers is frequently recreated via code to ensure a lean and clean (or “vanilla”) infrastructure that further enhances our immutable architecture.
We maintain documentation of our key management process, and provide controls to manage encryption keys throughout their lifecycle and to protect against unauthorized use. With the exception of our API keys, which are owned and managed by our technical leadership, our keys are owned and managed by our data center service providers.
We do not rely on outsourced development - all of our development is in-house.
We frequently conduct automated third party vulnerability scans and penetration tests of our products.
You’re welcome to conduct your own security scans and penetration tests of our services, provided they are non-malicious and you obtain our pre-approval. We require pre-approval solely because your scans and tests could trigger monitoring anomalies on our side that we would otherwise react to as incidents. We also openly invite security researchers to challenge our services and to identify and report any vulnerabilities to us so that we can address them. Please contact firstname.lastname@example.org to initiate either.
Heroku’s PaaS builds our backend infrastructure from code and follows infrastructure-as-code principles, which means that our infrastructure is frequently rebuilt to ensure that it is always complete, lean and clean, with the benefit that we do not need to run anti-virus or anti-malware software on the server instances in our data center.
We continuously monitor our infrastructure and product for errors so that we can detect and address these quickly.
We have a formal process for management and correction of vulnerabilities (bugs, quality issues, etc.). Vulnerabilities should be reported to email@example.com. When we have identified the vulnerability as legitimate and requiring remediation, we log it as an issue, prioritize it according to severity, assign an owner and address it according to priority. We track the vulnerabilities and we follow up frequently until we can verify that the vulnerability has been remediated.
Heroku uses automation to apply all security patches to their AWS infrastructure programmatically.
We use GitHub Dependabot to keep the code libraries we use up to date and patched for known security issues.
We send our logs to service providers where they are aggregated, reviewed, and analyzed. Our logs are confidential and unavailable outside our company.
Our logs are stored in a secure, tamper-proof manner and cannot be manipulated or changed.
We keep our logs for a limited period, after which they are deleted by means of automation. Examples of logged activities are:
We use Heroku’s PGBackups to manage our database backups. Our backup procedure includes, as a minimum, a daily full backup.
We perform backup recovery tests regularly. Our backups are stored in a secure, tamper-proof manner, and cannot be manipulated or changed.
You can access our product at https://app.legalmonster.com.
Once you have accepted, we will collect and process information about your use of our product.
Depending on your subscription with us, one or more of your employees may have been granted user access to work within our product. All of the employees will be granted the same rights.
You can log in to our business web portal using a native multi-factor login, and our password policy aligns with the recommendations of the National Institute of Standards and Technology (NIST). We currently do not support single sign-on through SAML 2.0, login with a Google Account, or similar.
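The NIST guidance referred to above is SP 800-63B, whose memorized-secret rules are: at least 8 characters, at least 64 allowed, any printable character accepted after Unicode normalization, no composition rules, and rejection of values found on a blocklist of breached, dictionary, repetitive or sequential, and context-specific words. The following is an added example of such a check; it is not Legal Monster's code, and its blocklist and context words are constructed stand-ins for a real corpus.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B, section 5.1.1.2.

Added example, not Legal Monster's code. BREACHED is a constructed stand-in
for a real breached-password corpus; the context words are an assumption.
"""
import unicodedata
from typing import List, Sequence

MIN_LEN = 8   # user-chosen memorized secrets SHALL be at least 8 characters
MAX_LEN = 64  # verifiers SHALL permit at least 64 characters

# Constructed sample; a real deployment would query a breached-password service.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1", "passw0rd"}


def normalize(pw: str) -> str:
    """Apply NFKC so visually identical inputs compare equal (800-63B recommends NFKC/NFKD)."""
    return unicodedata.normalize("NFKC", pw)


def is_repetitive_or_sequential(s: str) -> bool:
    """True for 'aaaaaaaa', '12345678', 'zyxwvuts' and similar low-entropy strings."""
    if not s:
        return False
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(candidate: str, username: str = "",
                   context_words: Sequence[str] = ("legalmonster", "legal monster")) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it is acceptable.

    Deliberately no upper/lower/digit/symbol composition rules, per 800-63B.
    """
    pw = normalize(candidate)
    low = pw.lower()
    reasons: List[str] = []
    if len(pw) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        reasons.append("longer than %d characters" % MAX_LEN)
    if low in BREACHED:
        reasons.append("found in breached-password list")
    if is_repetitive_or_sequential(low):
        reasons.append("repetitive or sequential characters")
    if username and username.lower() in low:
        reasons.append("contains the username")
    for word in context_words:
        if word in low:
            reasons.append("contains service-specific word %r" % word)
    return reasons


if __name__ == "__main__":
    for pw in ("password", "12345678", "correct horse battery staple", "LegalMonster2019"):
        print(repr(pw), "->", check_password(pw, username="alice") or "accepted")
```

Length is measured after normalization, so a ligature such as "ﬁ" counts as the two characters it expands to, which matches how the same secret will be compared at login.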
As part of your subscription, you have access to data via our API. API access requires an API key and secret, which are unique to your company.
When you establish your configuration in our product, we recommend that you use separate projects for testing purposes, so you keep your production and test data segregated.
We log all actions performed in our product. If needed, our administrators have the ability to lock or unlock access for a specific user.
To stop your use of our product, please contact our Support team at firstname.lastname@example.org, who will help you delete your account.
Before your account is deleted, you may choose to download all your data, including the data of your users, which will be provided in machine-readable form. To do so, please contact our Support team at email@example.com, who will assist you.
Please note that if you request deletion of your account this will mean that data connected to the account will also be deleted, including consent information.
You can see up-to-date information about our security and data incidents, the operational status of our product, and planned maintenance at https://status.legalmonster.com/.
On the site you can subscribe to receive notifications by email.
Aside from maintaining and keeping an overview of our office networks and telephony services, our IT team manages our internal accounts, password security, access to systems and data, and protects our IT assets - covering both hardware and software.
All our employees are granted an individual @legalmonster.com personal user account. We don’t allow any two employees to share or use the same personal user account.
Access permissions for individual services and user roles are granted from our role-based access control model (RBAC) using least privilege first principles and granted according to work-related needs. Before we grant access, the internal owner of the respective service must approve the assignment of access rights and roles. We require a segregation of duties between the person requesting access and the person who approves it.
Access rights to our services and data are reviewed at least annually by dedicated staff, and employee access is removed or downgraded when it is no longer required to carry out duties and responsibilities.
When an employee leaves, their user accounts are immediately disabled and, once they are no longer subject to other legal requirements, deleted. Any information security and legal responsibilities held by the employee remain valid after they leave our employment.
All internal user accounts are protected with a password which must meet the rules described in our Information Security Policy.
We use Google Account as our internal identity directory, where we have enforced multi-factor authentication. We only grant authorized employees with a work-related need access.
Our office is in a shared office environment with a shared secure wireless network for employees and contractors, for work-related purposes. The shared office also provides a wireless guest network dedicated to guests and to employees using their own devices. There is no connection between the secure network and the guest network.
The electrical and network cabling is managed by the shared office, and installed and maintained by locally certified personnel.
Our product treats our office networks like any other network on the Internet and grants no additional access to a device or user connecting from our office networks.
Individuals who use our devices are instructed not to carry out unauthorized downloads, store or share copyrighted or intellectual property material, or install or run unauthorized, untested, or unlicensed software without prior approval from our DPO.
All our devices are configured to automatically install software updates, security patches and firmware upgrades.
Our secure network acts as an online access point for our devices, and provides local services to employees such as printing and meeting room conferencing.
No application or file storage services are provided on our secure network, which is enforced by not having such servers in our shared office or elsewhere. We instead solely use collaborative cloud services such as Google G Suite, Close and HelpScout, that we can access securely from anywhere.
Access to our secure shared network is only granted to a user who successfully logs in with valid credentials.
Our secure wireless network uses WPA2-Enterprise with IEEE 802.1X authentication.
Our guest network acts as an isolated and segregated Internet access point, where users authenticate using a unique, randomly generated key that expires after one day.
Our guest network acts as our BYOD (bring your own device) network.
We broadly define our network equipment, stationary devices, mobile devices, software, and removable media as IT assets.
We identify, register, and assign owners for all our IT assets.
Our IT team ensures that disk encryption, screen lock timeout, virus and malware detection, and protection software is enabled on all devices that we own.
Our IT team controls the encryption keys, and ensures that virus and malware definitions are updated daily, and that a full system scan is completed regularly.
After use, our devices and other hardware are recycled. We use an IT disposal company that collects and dismantles everything, including wiping hard drives. This process is recorded with certifications.
As a general rule, we don’t use removable digital media such as USBs, DVDs, or portable hard drives to store personal or confidential information. In special situations where we cannot avoid doing so, it is done under the supervision of our IT team who ensure that the media is appropriately wiped before and after use.
Our office cannot be accessed directly from the street, and entry into our office requires a keycard or similar.
We maintain a paper-free environment and documents are not printed unless necessary.
We do not retain paper documents, and when disposed of, all paper documents containing personal data or sensitive information are shredded.
We have a clean desk policy, and data is not stored on on-premises media.
Legal Monster ApS was established in 2018 by our three founders, and is located in Copenhagen. It has company registration number 39587408.
If you have any questions or concerns about our privacy or security practices, you’re welcome to send an email to our DPO at [email protected].