Security and Protecting our Clients' Data is Priority One

LawToolBox has partnered with Microsoft to build tools on a secure, enterprise-grade platform.

1. Security, Privacy and Compliance in Microsoft Azure

Each LawToolBox service is hosted on an independent resource so that no one LOB can impact the function of any other LOB or database.  Within minutes resources can be added to scale any LOB or database as circumstances require.  See, Microsoft Azure Security Overview, and Microsoft Azure Designed for Scaling.

Microsoft has already done the work to ensure that data flows help us comply with regulations, including the Personal Information Protection and Electronic Documents Act in Canada and HIPAA in the United States.  Azure datacenters are also FedRAMP-certified, which is critical in pursuing US federal government work.  The Azure platform uses some of the most rigorous security and compliance standards in the world.  Azure adheres to security controls for ISO 27001, ISO 27018, SOC 1, SOC 2, SOC3, FedRAMP, HITRUST, MTCS, IRAP, and ENS.  See, Security, Privacy, and Compliance in Microsoft Azure white paper.

2. Secure email communication platform

Customer information and our client’s data needs to be safeguarded. That’s why we invest heavily in integrating with a reputable third-party recommended by Microsoft that implements security features like user permissions and IP access management that protect sensitive information to keep email communication secure.

LawToolBox has three IP addresses that we send emails from, with these servers located in Denver, Colorado.  This approach to sending email reminders provides an enterprise-class email reminder system for our growing government-cloud and legal department customer base. See, Microsoft Documentation on SendGrid, Sendgrid Security statement, and Sendgrid for Enterprise.

3. Where is Data stored?

LawToolBox Azure servers are located on the Microsoft cloud databank on the US Central time zone. And LawToolBox uses three IP addresses to send emails from o SendGrid servers located in Denver, Colorado.  All data stored in the end-user Microsoft tenant is local to the client and is determined when the client has created their Microsoft subscription.

4. Data Backup

Another massive upgrade that we have rolled out is expanding time zones from the US, Canada, and a few other geographies to every time zone in the world.  Does your co-worker live in Asia?  When you set a time bound appointment in LawToolBox and share it to teammates in other locations the appointment will automatically show up on the right time for them.

Backups, security and redundancy are built in this platform:

lawtoolbox-azure-data-backup

5. Data stored behind Microsoft 365 Delegated Permission Firewall

The LawToolBox integration with office 365 has been designed to leverage the security features of the hardened security platform that Microsoft spends $1 billion a year protecting. 

By relying on delegated permissions LawToolBox outsources to Microsoft the enforcement of the access rights an organization has already granted a user.  We store the minimum level of information on the end-user organization, users and matters to serve as a dashboard to enhance and amplify Microsoft 365 with unique functions.  

Because the data stored within the end-user’s Microsoft tenant can only be unlocked usinfr Microsoft 365 Single-Sign-On (SSO) with a specific users Office 365 user name and password, the end-users data is safely stored behind Microsoft’s steel curtain, and LawToolBox never has access or visibility to this information.

LawToolBox does not have access to any information stored in Microsoft Office 365 groups (files, shared inbox, OneNote, or the group calendar).

LawToolBox does store the Microsoft group identifier which only allows it to generate links that when the end-user clicks on the link, and enters their own Microsoft credentials into Office365 using SSO, allows the end-user to quickly open these Microsoft products.

However, LawToolBox does not have any access or visibility to the end-users Microsoft credentials or environment.  Our matter structure within Office 365 is based on groups, and there are mechanisms/settings to hide and make matters secret within the GAL (global address list) within groups.

6. Data stored on LawToolBox Dedicated Microsoft Azure Servers

LawToolBox stores very limited user account info and some matter information. Matter information always includes basic information like matter name and litigation venue. Matter information can optionally include (if entered by client) client numbers, client name, and matter numbers. 

More specifically, LawToolBox stores the end-user’s Tenant ID, matter names, group ID, group name, user names, UPN, User Object AAD ID, OneNote ID, and any matter calendar event created through LawToolBox.  Information entered into the contact management system is also stored on our servers.

7. How is data stored/secured (encrypted at rest, replication of data, backup of data, logically separated from other LTB customers, data center physically secured)?

User tokens are encrypted and hashed and can only be unlocked by end-user client. All communications to LawToolBox Web App, APIs, and our Office 365 add-in – at rest and in transit – use standard https encryption.  LawToolBox leverages data-backup built into Microsoft Azure.  Data is also backed up to a different server location. Data is logically separated from other customers. The data center physically secured.

8. How is data transmitted (encrypted in transit, what type of encryption)?

All communications to LawToolBox Web App, APIs, and our Office 365 add-in – at rest and in transit – use standard https encryption.  We use PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10000 iterations for hashing.  For accessing LawToolBox outside of the Office 365 apps we use .Net 4.5.1 library from Asp.Net core “Microsoft.AspNetCore.Cryptography.KeyDerivation” for hashing.

9. Who has access to the data and in what capacity?

No LawToolBox employee has any level of access to information stored in Office365 groups (including files, notes, shared inbox, or the matter calendar). LawToolBox employees who provide technical or customer support do have access to basic firm and user account information, and matter names. LawToolBox employees can only see matter deadlines for LawToolBox365 accounts if the end-user shares their screen during a web conference.

Occasionally during the sales process or during customer support, clients share confidential information with LawToolBox employees. Every employee of LawToolBox, including those doing customer support, undergoes a background check before hiring, and is required to sign an employment agreement where they agree to keep any client information they are exposed to during the sales or support process confidential and private.

10. Who owns the encryption keys?

APIs. Third party integrators that tie directly into our API’s can generate their own unique OATH

authentication token.

LTB365 Add-In. Global Admins for end-users using the LawToolBox365 add-in can log directly into

their Azure portal and manage/revoke their authentication token directly from Microsoft

https://portal.azure.com

Web App. End-user client does not have access to or own encryption keys to the web-app.

11. Single Sign On with multi-factor authentication

LawToolBox365 Office for Legal with Deadlines (Office 365 add-in) uses SSO OpenID as described. As of May 2017, LawToolBox is one of the first two companies to implement this protocol, which is the latest and most secure authentication method Microsoft uses.

12. Security Assessments related to advanced threats, Denial of Service Attacks and other malicious activity.

Microsoft Azure deploys a top of the line intrusion detection system, intrusion prevention system, netflow packet analysis, private VLANs, perimeter filtering and enterprise antivirus. 

Finally, LawToolBox employs a security expert full time who was formerly a Senior Software Development Engineer for McAfee and a certified “white-glove hacker” who periodically runs “whitebox” testing to simulate intrusions and anticipate security needs.