Data Privacy & Security

“At Contract Logix we understand that our products are storing data about agreements that are the bedrock upon which our customers’ businesses are built. Because of that we have no choice but to maintain the highest standards of data privacy and security in our people, processes, and technology. We take it very seriously, and continually test to ensure your information is safe.”

– Timothy Donaghy, Chief Technology Officer, Contract Logix

Highest Data Security Standards for Your Contracts.

Our customers must be absolutely guaranteed that they are the ONLY ones who can access and view their contract information. We take every precaution possible to make sure that’s the case, including:

Physical separation of customer data.

Data is encrypted at rest (AES 256) and in-transit (TLS 1.2).

Azure Key Vault (HSM encryption key management).

Data retention, archival and restore.

Employee background checks.

Vulnerability and penetration testing.

Password policy management.

Final Encryption at Rest Certification
Final Encryption in Transit Certification

Physical Separation of Customer Data

Customer data is critical to Contract Logix. Every customer has their own secure, physically separated data to ensure data is never co-mingled between customers. Our distributed model helps to ensure enterprise-class security and scalability, while improving data-level performance and encryption efficiencies.

Data Encryption at Rest

Contract Logix was designed with data privacy in mind and takes no chances with customer-owned data. Customer data is encrypted at rest using AES 256-bit encryption.

Data Encryption In-Transit

To ensure customer data remains secure during transfer between our customers and the Contract Logix services, Contract Logix uses TLS 1.2 (Transport Layer Security) encryption.

Azure Key Vault Encryption Key Management

As part of industry best practices, data encryption keys are stored and managed securely in Microsoft’s Azure Key Vault. Applications have no direct access to the keys used, which increases security and control over keys. Microsoft Azure Key Vault uses FIPS 140-2 Level 2 validated Hardware Security Modules (HSMs). For more information, please see Microsoft’s Azure Key Vault page.

Contract Logix Employee Access

Contract Logix employees and trusted vendors cannot access customer data without expressly granted permission from our customers – even to perform certain business or support functions. This ensures that only the customer has access to their sensitive contract data. Every Contract Logix employee is thoroughly background checked and participates in routine privacy and security awareness training. Data is also encrypted at rest using AES 256-bit encryption to prevent unauthorized access. For more information, please see our privacy policy.

Data Retention, Archival & Restoration

Contract Logix provides the application and service-level controls customers need to support their data retention and archive policies. Customers can set their requirements or policies around how their data should be retained and archived. Further, only users with the appropriate role-based permissions can restore data directly in the application.

Contract Logix maintains customer data using industry best practices. This includes providing customers with industry-leading, real-time back-ups. All back-ups are encrypted using AES 256-bit encryption at rest for security purposes.

Data destruction policies ensure all customer data is destroyed and sanitized according to the retention needs of each customer throughout all phases of implementation or the contract terms.

Vulnerability and Penetration Testing

Contract Logix’ Secure Software Development Life Cycle (S-SDLC) integrates our development process with a “security-first” approach. From the outset of a new project, consideration for security protocols, design/product reviews, and security awareness training is required. Additionally, Contract Logix uses a third-party enterprise application security platform (Qualys and Microsoft App Insights) to continuously monitor the live production sites and to identify any vulnerabilities in the application. These systems assess the technical vulnerabilities, including the Open Web Application Security Project’s (OWASP) Top 10 list.

Third-party penetration testing is performed prior to every major release. Penetration testing is performed not less than two times annually, or as required by major release schedules.

Password Policy Management

Contract Logix allows customer IT administrators to set mandatory employee password policies and to leverage account lockouts after failed logins. Mandatory password requirements greatly reduce the exploitation of default user credentials and/or roles. Account lockouts prevent brute force attacks by immediately locking the account after multiple failed login attempts. Once set up, customer administrators can monitor user access and review the associated logs.
