LawPracticeZA Data Protection and Privacy Policies
The privacy of our customers is important to us. Therefore:
- We do not sell or rent personally identifiable information
- We do not spam, and our policies forbid use of our Services for spam
Product-Related Information Collection
We collect certain information in connection with your use of LawPracticeZA.
Upon subscribing to our services, we collect Business Information, which includes your firm's contact details necessary for invoicing your clients, and user details including users' email addresses.
When using LawPracticeZA, we store information relating to your clients and matters, your billing and the firm's financial information, captured by the firm's personnel, on our servers, which are housed in a secure data centre. For details on Security and Reliability of Record Keeping, access the document here.
Security and Reliability
All records are kept on our self-managed servers at the Xneelo Data Centres in Cape Town and Johannesburg, which enforce very strict security measures with respect to geotechnical audits, surveillance, access control, fire prevention, power outages, etc. More information is here: https://xneelo.co.za/legal/security/
Encrypted Data Transmission
All access to the server is possible only via HTTPS and SSH, both of which are encrypted connections using industry standards. Only our senior developers, all of whom have over 20 years' experience in security on Linux-based servers, have any access to these production servers. Each customer's records are kept in a separate database, which mitigates the risk of cross-database data leaks due to potential bugs in the software.
Redundancy & Backups
We replicate all database traffic to a backup server, with an additional 7-day rotational backup of the database. Uploaded files are also backed up on a 7-day rotational basis. The security controls to the backup servers are as stringent as to the production servers.
In addition, a complete server backup is performed to external storage in encrypted format. Access controls on the keys needed to decrypt this information are as stringent as those on the production servers.
Employee and Sub-contractor Confidentiality & Consent
All employees have consented to uphold and enforce these safeguards.
We have no interns.
Processes are underway to receive the information from our suppliers.
Audit logs of access to the servers are kept (both locally and remotely), and we have intrusion detection and rejection software installed to help against brute-force password guessing attacks. We have various testing systems that run periodically to test the stability of the servers as well as to check for any database anomalies.
Third-Party Data Sharing
Data is not shared with any third party without explicit opt-in from the user, and then only the minimum data is shared for an integration to function. For example, the Gmail calendar integration shares matter names, diary dates and diary entry descriptions, and does not divulge anything to Google that isn't necessary for each diary appointment. The integration with E4 gives their system the same access as a bookkeeper user, as this is necessary for the integration to be able to query accounting transactions and post fees. In all cases third-party access is granted explicitly to each firm's database; there is no third-party API key with access to multiple databases.
Known weaknesses and regular assessments and updates to security
The senior development team convenes monthly to reconsider and re-assess the current security measures.
By far the greatest known security risk is with the users themselves. Obtaining a username and password from an employee at the user's workspace would allow someone access to the data.
Operating System Security Updates & Firewall
All our servers run an Ubuntu Linux-based OS, and security updates are applied regularly. Only a minimal set of secured ports is open to the public. Port 80 / HTTP is used only to issue redirect responses to Port 443 / HTTPS.
We keep all records while the user is still a customer of LawPracticeZA and for 6 months after termination of their account. All records can be deleted upon request.
We use honeypot techniques and subtle data pollution techniques to try to assess if, when or how a breach has taken place. Should a breach be found to have taken place, notification will be provided as soon as reasonably possible after the discovery of the compromise is made, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the Responsible Party's information system.
Document Authored by: Edward van Kuik B.Sc. (Computer Science) UCT
- Updated: 2018-10-10
- Updated: 2020-11-11
- Updated: 2021-06-29