Contract management security is absolutely critical. That’s why we employ the latest industry security practices, technology, processes, and policies to ensure the protection of all your contract information.
Contract Logix Security Highlights
SOC 2 Type II compliant
FISMA and HIPAA compliant
Logical separation of all customer data
Data is encrypted at rest (AES 256) and in transit (TLS 1.2)
Azure Key Vault (HSM encryption key management)
Data retention, archival and restore
Vulnerability and penetration testing including NIST 800-171
Password policy management, role-based security, and multi-factor authentication
Continuous security and monitoring with 3rd party qualified security assessor
Employee background checks, security, and regulatory training
Every customer has their own secure and logically separated data structure to ensure their data is never co-mingled with that of another customer. The Contract Logix distributed model helps to ensure enterprise-class security and scalability, while improving data-level performance and encryption efficiencies.
All data, documents, and assets within the Contract Logix platform are automatically encrypted at rest using AES 256-bit encryption.
All data and documents are encrypted in transit. All TLS/HTTPS configurations are kept up to date using the latest security standards and models so that data remains secure during transfer between our customers and services. We use TLS 1.2 (Transport Layer Security) as the preferred and primary transmission protocol. This ensures that if the data is intercepted, it is nearly impossible to decipher by anyone with unauthorized access.
In adherence to industry best practices, data encryption keys are stored and managed securely in Microsoft’s Azure Key Vault. Applications have no direct access to the keys used. Microsoft’s Azure Key Vault uses FIPS 140-2 Level 2 validated Hardware Security Model (HSM). For more information, please see Microsoft’s Azure Key Vault page.
Your administrator creates role-based and feature-based permissions for your organization’s users, giving your IT or business group full control over what information can be accessed by whom. Multiple user types, coupled with the ability to add & remove roles, enable your organization to leverage the granular controls required. Contract Logix furthers this approach within our platform by designating a “System Owner” from your organization. The System Owner can invite other users and grant access using easy, in-application tools.
All users of our products must be validated by email to use the application. Once verified, users will be required to provide a secure, policy-driven password before they can access the platform. Password complexity is configurable by your administrator using application settings.
In addition, administrators can enable Single Sign-On (SSO) using SAML2.0 for supporting Identity Provider (idP) services including Azure Active Directory, Okta, and Ping Identity to ensure easy application access for users already authenticated by their corporate system.
Every Contract Logix employees is thoroughly background checked and participates in routine privacy and security awareness training as well as regulatory training such as HIPAA compliance. Background checks include personal credit report, 7-year county criminal check, misc. court records search, federal criminal check, domestic terror watchlist, social security number trace, national criminal database check, sex offender list check, and employment history verification.
Contract Logix provides application and service-level controls required to support your data deletion and archiving policies. It allows you to set your requirements or policies around how your data should be deleted and archived. Further, only users with the appropriate role-based permissions can restore your data directly within the application. Contract Logix maintains your data using industry best practices. This includes providing industry-leading, real-time back-up file access for your administrator or privileged users. All back-ups utilize AES-256 bit encryption.
Contract Logix’ Secure Software Development Life Cycle (S-SDLC) integrates our development process with a “security-first” approach. Contract Logix has been third-party verified to be in compliance with the NIST 800-171 Cyber Security Framework (CSF). We use a third-party enterprise application security platform to continuously monitor the live production environment and identify any vulnerabilities in the application. These systems assess the technical vulnerabilities, including the Open Web Application Security Project’s (OWASP) Top 10 list.
Third-party penetration testing is performed prior to every major software release with all critical and high-level issues resolved prior to the software being approved for release. Penetration testing is performed annually, or as required by major release schedules. In addition, continual source code reviews are performed by our qualified personnel.
The Contract Logix platform allows your IT administrator to set mandatory employee password policies and define lockouts after failed logins. Mandatory password requirements greatly reduce the exploitation of default user credentials and/or roles. Account lockouts prevent “brute force attacks” by locking out the user after multiple failed logins. Your administrator also has the ability to monitor user access logs.
Multi-Factor Authentication (MFA) is also supported by the platform. Administrators can enable MFA to further authenticate users logging in to the system via username and password authentication.
Contract Logix is SOC 2 Type II, HIPAA, and FISMA compliant based on successful completion of third-party audits.
In addition, Contract Logix provides Microsoft Azure-based cloud products that are supported by a comprehensive network of technology that protects your data with industry-leading security standards that meet your organization’s toughest security requirements. Microsoft’s Azure data centers meet and exceed the SOC-2 Type certification requirements both from a physical security and environmental controls perspective. Microsoft’s Azure SOC-2 Type 2 Report can be provided separately upon request.
Microsoft Azure deploys Intrusion Detection Systems (IDS) on the network at critical points. Contract Logix leverages this technology to detect and alert in case of unauthorized attempts to access your critical contract data. Leveraging firewalls, data access is isolated and policed to ensure only the platform’s data access layer can access the data.
For more information, please see Microsoft Azure’s page.
To protect against hardware failure and data loss, Contract Logix continuously replicates all files, including data, documents, and indexes/logs across multiple storage clusters/environments. Real-time traffic management with fail-over capabilities & geolocated data centers further ensures no data loss or service outages. Contract Logix continuously monitors the status of the platform and will automatically fail-over in the event of an outage.