
Information Security Practices

Version 1.2, November 2020

1. Purpose

We’re committed to safeguarding our product and protecting the personal data and confidential information we keep.

The purpose of this document is to provide insight into our privacy and security practices. In this document we refer to Legal Monster ApS as “Legal Monster”, “we”, “us” or “our”, and to the companies who use our services as “you” and “your”.

We make this document publicly available by publishing it on our website and on our Cloud Security Alliance page, and we share it with all of our staff members (including our temporary workers and contractors), and our processors and sub-processors.

Review of this document and of our information security framework is completed at least annually and requires approval from our General Counsel, our CISO and our DPO.

2. Our business and services

We operate a compliance product primarily for use by companies who operate an online business.

Our mission is to help companies become compliant with regional and local privacy-related legislation and practices without needing prior knowledge of this area.

Our services are focused on consent automation, where we provide services for companies to easily collect consents from users while at the same time having the required evidence of the consent in place.

We have mapped out the relevant legislation and practices in multiple jurisdictions, and when we collect a consent on your behalf from a user in one of these jurisdictions, we by default do so in a way that is compliant with the user’s jurisdiction.

Companies can use our services through our widgets, through our API, through our standard integrations and through our administration web user interface.

3. Our privacy and security organization

3.1 Our DPO

We have a Data Protection Officer (“DPO”) to oversee our data privacy and data protection measures and lead our compliance program to ensure that it is up to date and compliant.

If you have questions about the data processing activities that we carry out on your company’s behalf, you’re most welcome to contact our DPO at privacy@legalmonster.com.

3.2 Our security team

We have a highly skilled security team who govern our data protection and information security, and who are responsible for securing our product and services. When appropriate, we also engage external resources and experts.

Our CTO takes on the role of Chief Information Security Officer and leads our security team.

4. Information security framework

We have security policies and other documents that form the basis of our information security framework. These policies and documents are reviewed on an annual basis.

The policies apply to everyone who works for us, including our staff members and freelancers, and everyone who works for us is educated and trained in our information security practices.

4.1 Information Security Policy

The goal of our Information Security Policy is to protect all the data we retain and process.

We align with current international regulatory and industry best-practice guidance, and we’ve designed our security program around best-of-breed guidelines for cloud security. In particular, we draw on guidance from bodies such as the Cloud Security Alliance and the Vendor Security Alliance, and we align our practices with ISO 27001, ISO 27002, ISO 27018 and ISO 27701.

Please find our Cloud Security Alliance “Consensus Assessments Initiative Questionnaire v3.1” document here.

Please find our Vendor Security Alliance “VSA Questionnaire 2019 FULL Final” document here, and our “VSA CORE FINAL 2019“ document here.

Further details of our Information Security Policy are confidential.

4.2 Data Incident Policy

In the event of a data incident, we have a documented policy and firm processes to guide our actions, as well as a Data Incident Response Team to handle the incident and a Data Incident Registry where we log forensics records, sequence of actions and decisions taken to analyze, mitigate and communicate an incident.

Our Data Incident Policy outlines how we will document, investigate and report on potential data incidents. You can request a copy of the policy by emailing [email protected].

We comply with the GDPR and will notify you by email should we become aware of a data breach that affects you and requires notification. An email will be sent to the email addresses registered in our product or as contact persons for your subscription with us. Feel free to email [email protected] if you wish to receive such alerts to other email addresses.

4.3 Business Continuity Policy

Our Business Continuity Policy helps us to ensure the continuity and timely recovery of our critical business processes and services in the event of a disaster, and to ensure that our critical business processes operate at an appropriate level.

Our continuity and recovery plans are based on a business impact analysis that we review on an annual basis.

We design our product to be highly available, fault-tolerant and fault-resilient. To achieve this, we follow industry best practices which we continuously improve on and review. Our product is hosted in a proven PaaS infrastructure, Heroku, which helps us minimize incidents, downtime and recovery time of our services.

As a principle, all our processors and sub-processors are Software as a Service providers. This gives us several advantages in the event of an incident or disaster, such as letting our teams work from anywhere and letting us replace a (sub-)processor that is causing issues much faster.

We review our Business Continuity Policy annually and our most recent review showed no critical areas of risk.

Further details of our Business Continuity Policy are confidential.

4.4 Contractual obligations

As our customer, your use of our services is governed by a Service Subscription Agreement and a Data Processing Agreement.

Our Service Subscription Agreement sets out the rights and obligations for you and for us, including our obligation to keep your information and data confidential and thoroughly protected.

Our Data Processing Agreement is described in section 5.1.

4.5 Code of Ethics and anti-bribery

We expect those who use our product or do business with us to make decisions that reflect strong ethics and are consistent with our values. We therefore require our staff members, sub-processors and processors, and business partners to adhere to the principles set out in our Code of Ethics.

As set out in our Code of Ethics, we’re committed to maintaining a high ethical standard, and we require that our staff members and business partners comply with all the relevant anti-corruption laws of the countries that we do business in.

4.6 Human resources

All of our staff members need to know what they can and cannot do when handling confidential information and personal data. In addition to their obligation to follow our Code of Ethics, our staff members must observe strict confidentiality with regard to our affairs. This requirement is included in all of our employment contracts and in our Employee Handbook.

The obligation of confidentiality includes not only our activities, but also extends to relationships with businesses and customers. It continues to apply after termination of the employment contract.

If a staff member breaches their confidentiality obligations, intentionally or negligently, we consider it a material breach of their employment contract that can result in disciplinary action, including termination or immediate dismissal.

4.6.1 Hiring

As part of our recruitment process for hiring new staff members, we carry out reference checks where relevant. As a default, we do not perform any criminal or credit checks, but we may choose to do so for specific roles.

4.6.2 Training

Our new staff members go through a new hire program that includes education and training about how to protect and handle information. New hires learn about our commitment to information security and data privacy, our Code of Ethics, and our requirements for protecting and safeguarding information.

4.6.3 Confidentiality

In addition to upholding their employment contract, our staff members must read and comply with our Code of Ethics.

4.6.4 Leaving

When staff members leave us, we revoke their access to our services in a timely manner. For more information about this, please see section 7.2.

5. Privacy

5.1 Data Processing Agreement

We use the terms “data controller”, “processor” and “sub-processor” below. “Controller” and “processor” are defined in Article 4 of the EU’s General Data Protection Regulation (“GDPR”); Article 28 of the GDPR requires the controller and the processor, and likewise the processor and any sub-processor (which the GDPR calls “another processor”), to have a contract, commonly known as a “data processing agreement” (“DPA”), in place that documents the data processing activities being carried out.

Our DPA meets the requirements outlined in the GDPR and is part of our Service Subscription Agreement. You can find a copy of our DPA on our website here. We recommend that you keep a copy of our DPA on file in case you need to show that you comply with Article 28 of the GDPR. If you need a signed copy of our DPA, you can request this on our website or send us an email at [email protected] and include the following information:

  • The official name of your company
  • Your company’s address (number, street, city, postal code and country)
  • Your company registration number
  • The name, title and email of the person who will be signing the DPA on behalf of your company.

5.2 Personal data

We consider any data relating to an identified or identifiable person as “personal data”; examples:

  • Basic identity information such as name, address, email address and ID numbers, and other HR-related data that identifies the individual
  • Financial information that identifies the individual
  • Voice, transcript text and video data that identifies the individual
  • Web data such as location, IP address, cookie data and other technologies serving similar purposes, and device identifiers

We do not process sensitive data or special categories of data.

When we build products, Privacy by Design is part of our development process: we ensure that we have a legitimate purpose before we process specific personal data, we limit our processing of data, and we retain data securely and only for as long as that purpose requires.

For details on the personal data we keep, and why and how we and our processors and sub-processors retain and delete this data, please see Sections 5.4 and 5.5.

5.3 Processors and Sub-processors

We use specialized companies to assist us with delivering our services to you, such as providing our data centers. Pursuant to the GDPR, these companies are, depending on our own role, called “processors” or “sub-processors”.

Before we engage a processor or a sub-processor, we perform a thorough security and privacy risk assessment of the company’s services. The risk assessment aligns with the Data Protection Impact Assessment (“DPIA”) process and is a requirement of the GDPR. As part of this process, we evaluate the company’s privacy and security practices, we carry out risk assessment of the personal data that we would be sharing with the company, and we review the company’s DPA. We follow this process to determine whether the company is competent to process personal data in line with the legislation and meets our requirements and standards. We will only share personal data of your users with a company provided that these requirements are in place.

We monitor the performance and applicability of our processors and sub-processors on an ongoing basis, and we review the DPIAs on an annual basis. We may find it necessary to add or replace a company as a processor or sub-processor, and if we do, we will notify you through the email we have registered as the owner of your account. Feel free to email [email protected] if you wish to receive such notifications at other email addresses as well.

When we stop using a company as a processor or sub-processor, we will remove the company from our product and infrastructure, and we will request the deletion of all personal data about you and your users retained by the company.

Data to and from our processors and sub-processors is encrypted in transit, and to safeguard the traffic between our users and our product, all web communication uses at least 128-bit encryption. All of our websites use TLS 1.2, and we only accept data sent via web submissions over HTTPS.

Access to our processors and sub-processors is protected by secure multi-factor authentication. We operate on principles of least privilege first, which means that access is limited to those of our employees who have a genuine work-related need, which we monitor continuously.

We secure the emails we send through our product with TLS 1.2, SPF and DKIM. If the receiving email server does not support TLS 1.2, we fall back to the most secure protocol that server does support. Note that this is opportunistic encryption: a receiving server that offers no TLS at all receives the message unencrypted.

The emails we send to you and your users are sent from the legalmails.com domain, from the legalmonster.com domain or from your own domain, except for the emails we send from Stripe that are sent from Stripe’s domain on our behalf.

5.4 Protecting the personal data about your users

When you share personal data about your users with us, your company acts as data controller and we act as processor.

We process this data solely on your behalf, and we use the data solely for the purpose of providing our services to you. We kindly ask you to limit the data shared to what is needed for you to use our product. Please never share sensitive and special category personal data with us.

Please note that our basic functionality does not require you to share such personal data with us; the only data you need to share is an identifier that, on its own, we cannot link to a person. However, some of our more advanced functionalities, such as double opt-in or marketing consent, require you to share personal data about your users, e.g. the user’s email address.

When one of your users provides or retracts consent for specific purposes through one of the integrations we make available to you, we capture evidence of the consent. You can see the data we include in the consent evidence here. If you do not request us to delete a consent evidence, we will retain it for as long as you retain your account with us.

Should you use our consent widgets, we will automatically capture the IP address of the user as part of the consent evidence.

Should you choose to upload files with existing consents to our product, our product will import the consents to your account and immediately delete the uploaded files.

If we need to send an email to your user as part of the consent process, e.g. as part of a double opt-in or as a request to provide re-consent of a new document version, we will delete this email from our product within thirty-one (31) days.

5.4.1 Data Subject Rights

We comply with Data Subject Rights (aka “the rights of the individual”) pursuant to the GDPR and similar legislation.

Should we receive a request from one of your users to exercise one or more of their rights, e.g. their right to information or their right to be deleted, we will defer the request to you.

To help you in responding to such requests, we provide you with the option to download or delete any consent evidence that your users have provided. To initiate this, please write to [email protected] and we will be happy to assist. We will provide downloaded data in a machine-readable format.

Please note that once one of your users has been deleted, it may take up to ninety (90) days before the data is deleted from all parts of our systems, including our sub-processors, our technical logs and our backups.

5.4.2 Our sub-processors

You can see the list of the sub-processors we use to process personal data about your users here.

5.5 Protecting your personal data

Individuals who use our product are referred to as “employees”. When you as an employee share personal data about yourself, we act as a data controller.

We process your personal data for the purpose of providing the various functionalities of our product to you, enabling you to e.g. sign-up for an account, sign-in to the account, consent to cookies, give access to others to your account, configure your account, review consent evidence, receive newsletters, receive transactional emails, and receive invoices.

Employees in your account are created, managed and deleted by you within our product. If you do not delete an employee, or have one of your colleagues do it, or ask us to delete it on your behalf, we will retain the employee for as long as you retain your account with us.

In our Privacy Policy, we set out what types of information we process as a data controller related to our website and product, including information about our cookies, and how we process personal data.

5.5.1 Data Subject Rights

We comply with Data Subject Rights (aka “the rights of the individual”) pursuant to the GDPR and similar legislation.

Should you choose to exercise one or more of your rights, e.g. your right to information or your right to be deleted, you can log into our product and perform the required action yourself. Alternatively, you can email your request to us at privacy@legalmonster.com, where we will process it with due respect for the timeliness required by the law. Should you contact us by email, your request must be about your own personal data. Like other companies, we have experienced requests where the email sender tries to trick us to provide or delete personal data of another person. To avoid this we reserve the right to ask for confirmation of your identity.

When you exercise your right to be deleted, we will delete your personal data unless you are, or have been, involved in contractual matters, compliance matters or similar with us. The reason is that other legislation requires us to keep your personal data in such situations.

When we delete your personal data, we will confirm the deletion to you by email, and we will register evidence of the deletion in our secure and limited access Deletion Log, and retain it for three (3) years after which it is automatically deleted.

Please note that once data has been deleted, it may take up to ninety (90) days before the data is deleted from all parts of our systems, including our processors, our technical logs and our backups.

Should you request us not to sell or resell your data, we will duly register and confirm your request, however please note that we would not sell or resell your data in any case.

5.5.2 Our processors

You can see the list of the processors we use to process personal data about you here.

6. Our Product

6.1 Data Centers

We host our data centers with our processors and sub-processors; see Sections 5.4.2 and 5.5.2. We do not host any data center facilities ourselves.

Our data centers are highly secure and use state-of-the-art electronic surveillance, intrusion detection and multi-factor access control. Trained security guards patrol the data centers around the clock, and access is authorized strictly for those who have a genuine business need, following the principle of least privilege. The environmental systems are designed to minimize the impact of disruptions to operations.

Our proven PaaS infrastructure provides us with best practice in many areas, such as availability, scalability, security, customer data segregation, data input controls, protection against externally and internally generated attacks, and development process.

Operating systems, databases, and applications in our data centers have been hardened to reduce vulnerabilities and maximize their security.

Our data centers provide us with a synchronized time service so that all of our functionalities share a common time reference.

Access to our data center services is protected by secure multi-factor authentication.

Temporary files are retained only for as long as they are needed, then deleted by means of automation.

We host our production environment, our staging environment and our test environment in our data centers, where we keep our production environment, and the data therein, strictly separate from the staging and test environments.

Our product provides a sandbox environment to customers for testing.

6.2 Security

We consider security concepts, assessments and techniques fundamental to the development, reliability, and overall improvement of our product and services.

The physical security of our data centers is handled by our processors and sub-processors, and our databases are encrypted at rest with AES-256 block-level storage encryption.

We operate on principles of least privilege first, which means that access is limited to those of our employees who have a genuine work-related need. We monitor and review this continuously.

The backend infrastructure of our data centers is frequently recreated via code to ensure a lean and clean infrastructure that further enhances our immutable architecture.

We run an agile, dual-track software development lifecycle (SDLC) process. We pass all software changes through a formalized code review process prior to releasing them into isolated environments. We test all changes to mobile code (code delivered to and executed in the user’s browser), which we limit to JavaScript, on all commonly used browsers. Upon successful testing and quality assurance, and after removing any debugging and test code, the changes are promoted into production. We train new staff in our SDLC using peer training.

We maintain documentation of our key management process, and provide controls to manage encryption keys throughout their lifecycle and to protect against unauthorized use. With the exception of our API keys, that are owned and managed by our technical leadership, our keys are owned and managed by our processors and sub-processors.

We do not rely on outsourced development - all of our development is in-house.

We do not supply custom-built software to customers, we strictly limit our scope to our generic products.

We frequently conduct automated third party vulnerability scans and penetration tests of our products. You can request a copy of the most recent vulnerability scan and penetration test by emailing [email protected].

You are welcome to conduct your own security scans and penetration tests of our services, as long as these are of a non-malicious nature and you ask us for pre-approval. We need the pre-approval solely because your scans and tests could trigger monitoring anomalies on our side that we would like to react to appropriately. We also openly engage security researchers to challenge our services and to identify and report any vulnerabilities to us so that we can address them. Please contact privacy@legalmonster.com to initiate either.

6.3 Malicious code management

Heroku’s PaaS builds our backend infrastructure from code and follows infrastructure-as-code principles, which means that our infrastructure is frequently rebuilt to ensure that it is always complete, lean and clean. This is why we do not run anti-virus or anti-malware software on the server instances in our data center: frequent rebuilds from a known-good definition limit how long anything foreign can persist on an instance, although they do not by themselves prevent an instance from being compromised between rebuilds.

We maintain a bill of materials of third party libraries and code used in our product.

We continuously monitor our infrastructure and product for errors so that we can detect and address these quickly.

6.4 Software patch management

We have a formal process for management and correction of vulnerabilities (bugs, quality issues, etc.). Vulnerabilities should be reported to hello@legalmonster.com. When we have identified the vulnerability as legitimate and requiring remediation, we log it as an issue, prioritize it according to severity, assign an owner and address it according to priority. We track the vulnerabilities and we follow up frequently until we can verify that the vulnerability has been remediated.

Heroku uses automation to apply all security patches to their AWS infrastructure programmatically.

We use GitHub Dependabot to keep our code libraries updated with all security patches.

6.5 Logging

We send our logs to our processors and sub-processors where they are aggregated, reviewed, and analyzed.

Our logs are confidential and unavailable outside our company.

Our logs are stored in a secure, tamper-proof manner and cannot be manipulated or changed.

We retain our logs for a maximum of ninety (90) days, after which the logs are automatically deleted.

Examples of activities we log are:

  • Application exceptions
  • Stack traces
  • Traffic statistics
  • Backend changes and deployments
  • Malicious activity and exceptions

6.6 Data backup

We use Heroku’s PGBackups to manage our database backups.

Our backup procedure includes, as a minimum, a daily full backup.

We perform backup recovery tests regularly.

Our backups are stored in a secure, tamper-proof manner, and cannot be manipulated or changed.

We retain our backups for a maximum of ninety (90) days, after which a backup is deleted.

6.7 Access

You can access our product at https://app.legalmonster.com.

Before you use our product, you need to accept our Terms of Service and Privacy Policy.

Once you have accepted, we will collect and process information about your use of our product.

Depending on your subscription with us, one or more of your employees may have been granted user access to work within our product. All of the employees will be granted the same rights.

You can log in to our business web portal using a native multi-factor authentication login, where our password policy aligns with the recommendations of the National Institute of Standards and Technology (NIST). We use bcrypt to hash the passwords.

As part of your subscription, you may have access to data via our API. API access requires an API key and secret, which are unique to your company.

When you establish your configuration in our product, we recommend that you use separate projects for testing purposes, so you keep your production and test data segregated.

We log all user actions performed in our product. If needed, our administrators have the ability to deactivate a specific user.

One of our staff members may need to access your account to assist you with setting it up, maintaining it, investigating support issues, etc. When this is needed, it will be captured in the audit trail of your account including the reason for access. You can request a copy of your account’s audit trail by emailing [email protected].

6.8 Stop use of our product

To stop your use of our product, please contact our Support team at hello@legalmonster.com, who will assist you in deleting your account.

When you request deletion of your account, all the data connected to the account will be deleted at the same time, including the consent evidence provided by your users. To avoid losing this data, you may choose to download your data in machine-readable form. To do so, please contact our Support team at hello@legalmonster.com, who will assist you.

Please note that once an account has been deleted, it may take up to ninety (90) days before the data is deleted from all parts of our systems, including our technical logs and backups.

6.9 Product status and maintenance

You can see up-to-date information about our security and data incidents, as well as the operational status of our product and planned maintenance, at https://status.legalmonster.com/, and you can subscribe to receive notifications about incidents by email.

7. Our IT

Our IT team manages our internal accounts, password security, access to systems and data, and IT assets - covering both hardware and software.

7.1 Provisioning of access

All our staff members are granted an individual @legalmonster.com personal user account. We don’t allow any two staff members to share or use the same personal user account.

Access permissions for individual services and user roles are granted from our role-based access control model using least privilege first principles and granted according to work-related needs. Before we grant access, the internal owner of the respective service must approve the assignment of access rights and roles. We require a segregation of duties between the person requesting access and the person approving.

7.2 Review and removal of access

Access rights to our services and data are reviewed at least annually, and staff member access is removed or downgraded when it is no longer required to carry out duties and responsibilities.

When a staff member leaves, their user accounts are immediately disabled and, once they are no longer subject to other legal requirements, deleted. Any information security and legal responsibilities held by the staff member remain valid after they leave our employment.

7.3 Passwords

All internal user accounts are protected with a password which must meet the rules described in our password policy that aligns with the recommendations of the National Institute of Standards and Technology (NIST).

We use Google as our internal identity directory, where we enforce multi-factor authentication. We grant access only to authorized staff members with a work-related need.
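As an illustration of what a password policy aligned with NIST SP 800-63B actually checks (the product login in section 6.7 and the internal accounts in section 7.3 above), the following Python is an added example written for this page; it is not Legal Monster’s code. The blocklist is a constructed stand-in for a real breached-password list, the function and constant names are this example’s own, and the bcrypt hashing step that section 6.7 describes is left out because bcrypt is not part of the Python standard library.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B, section 5.1.1.2.

Added example for this page (not Legal Monster's code). The blocklist below is
a constructed stand-in for a real list of breached and commonly used passwords.
"""
import unicodedata

MIN_LENGTH = 8    # NIST: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # NIST: allow at least 64; capping bounds the hashing cost

# Constructed sample; a real deployment loads a large breached-password list.
BLOCKLIST = {
    "password", "password1", "123456789", "qwertyuiop", "letmein1",
    "iloveyou", "welcome1",
}


def normalize(password: str) -> str:
    """Apply Unicode NFKC so the same visible string always yields the same
    code points. NIST recommends normalizing before verification and before
    the secret is hashed."""
    return unicodedata.normalize("NFKC", password)


def is_repetitive_or_sequential(p: str) -> bool:
    """True for one repeated character ('aaaaaaaa') or a straight run of
    consecutive code points in either direction ('abcdefgh', '87654321')."""
    if len(set(p)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(p, p[1:])}
    return steps in ({1}, {-1})


def check_password(password: str, context_words=(), blocklist=BLOCKLIST) -> list:
    """Return the list of reasons the password is rejected; empty means accepted.

    context_words: user-specific strings (username, email local part, service
    name) that must not appear inside the password.
    """
    p = normalize(password)
    reasons = []
    if len(p) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(p) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    low = p.lower()
    if low in blocklist:
        reasons.append("appears in the blocklist of common or breached passwords")
    for word in context_words:
        word = normalize(word).lower()
        if len(word) >= 4 and word in low:
            reasons.append(f"contains context-specific word {word!r}")
    if is_repetitive_or_sequential(p):
        reasons.append("repetitive or sequential characters")
    # Deliberately absent: composition rules (digit/symbol/upper-case quotas)
    # and periodic forced rotation, both of which NIST advises against.
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password1", "abcdefgh"):
        verdict = check_password(candidate, context_words=["legalmonster"])
        print(repr(candidate), "->", "accepted" if not verdict else "; ".join(verdict))
```

The check accepts a long passphrase with no digits or symbols and rejects a short, blocklisted or sequential one; the absence of composition rules is the point, since NIST treats length and a breached-password blocklist as more effective than character-class quotas. Once a password passes, the normalized string is what should be handed to bcrypt.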

7.4 Office networks

We rely on the principle of “working from anywhere”, where our staff are free to work from wherever they are located.

Our office networks therefore do not provide any protection or security specific to our product, and our product considers our office networks as any Internet connected network.

To enable this, no application or file storage services are provided by our office networks, and we instead make use of our processors and sub-processors, that can all be accessed securely from anywhere.

7.5 Assets

We broadly define our network equipment, stationary devices, mobile devices, software, and removable media as IT assets.

We identify, register, and assign owners for all our IT assets.

7.5.1 Devices

All our devices are configured to automatically install software updates, security patches and firmware upgrades.

Our IT team ensures that disk encryption, screen lock timeout, and virus and malware detection and protection software are enabled on all devices that we use to access our technical environment.

Our staff members are instructed not to carry out unauthorized downloads, store or share personal data, copyrighted or intellectual property material, or install or run unauthorized, untested, or unlicensed software without prior approval from our DPO.

At the end of their life, our devices and other hardware are recycled. Our IT team collects and dismantles everything, including wiping hard drives.

7.5.2 Removable media

As a general rule, we don’t use removable digital media such as USB drives, DVDs, or portable hard drives to store personal or confidential information. In special situations where we cannot avoid doing so, we require it to be done under the supervision of our IT team, who ensure that the media is appropriately wiped before and after use.

7.6 Physical security

Our office cannot be accessed directly from the street, and entry into our office requires a keycard or similar.

7.7 Paper documents

We maintain a paper-free environment and documents are not printed unless necessary. We do not unnecessarily retain paper documents.

When disposed of, all paper documents containing personal data are shredded.

We have a clean desk policy, and data is not stored on on-premises media.

8. Company information

Legal Monster ApS was established in 2018 by our three founders, and is located in Copenhagen. Our company registration number is 39587408.

9. Contact us

If you have any questions or concerns about our privacy or security practices, you’re welcome to send an email to our DPO at [email protected].