last modified on Apr. 25, 2023

Security

Policies and practices

Lawbrokr is committed to ensuring the confidentiality, integrity, and availability of our users' data. We continuously review and improve our security practices to ensure they remain effective in mitigating potential security threats.

Hiring and training

To ensure secure hiring and training of employees, Lawbrokr has implemented the following security measures:

- Non-disclosure agreements: Lawbrokr requires all new employees to sign a non-disclosure agreement (NDA) to protect sensitive information and data.

- Security training: We provide security training to all new employees to ensure that they are aware of the company's security policies and procedures. The training covers topics such as password security, phishing, and social engineering.

- Account management: Lawbrokr monitors access rights to ensure that they are aligned with the company's policies and procedures. We promptly disable access for employees who are no longer employed by the company.
Network security

Lawbrokr utilizes Google Cloud Platform (GCP), a leading cloud service provider known for its robust and secure infrastructure designed to support global applications efficiently and safely. For more complete information on Google Cloud's security, please see the white paper document provided by Google here.

Below is an overview of the security policies and measures implemented in our Google Cloud Platform setup:

Network security: Google Cloud Platform secures data transmissions using encrypted communication channels. Industry-standard protocols, such as SSL/TLS, are used to safeguard connections. Google Cloud includes comprehensive distributed denial-of-service (DDoS) protection to defend against attacks targeting network and application layers.

Application security: Our infrastructure on GCP applies the principle of least privilege so that users and services hold only the minimal access rights they need, which reduces the impact of any single compromised account or credential. We utilize Google Cloud's Artifact Repository for safe container management and Google Compute Engine, both of which provide isolated and secure environments for application deployment. Google Cloud SQL adds another layer of security for our data, which includes encryption at rest and in transit, following best practices for data protection.

Compliance and certifications: Google Cloud Platform complies with major industry-standard regulations, including GDPR, SOC 2, HIPAA, and ISO 27001, among others. The platform undergoes regular third-party audits to verify its compliance with rigorous global security standards, ensuring a secure and compliant environment for our operations.

Access control and identity management: We implement strict access controls and identity management protocols on GCP to ensure that only authorized personnel have access to specific resources. This is facilitated through the use of Google’s identity and access management (IAM) services, which provide fine-grained access control and visibility into access events.

Monitoring and logging: Continuous monitoring and logging mechanisms are employed to detect and respond to security incidents promptly. Google Cloud’s operations suite offers powerful logging capabilities that help maintain visibility and control over our infrastructure's security posture.

Encryption

In line with our commitment to secure data handling, encryption is enabled by default on all supported Google Cloud services. All data in transit, as well as data at rest, is encrypted to protect against unauthorized access, ensuring that sensitive information remains protected across all stages of data processing and storage. For data at rest, we utilize 256-bit AES encryption, a robust standard used by Google Cloud to secure data stored on our systems. For data in transit, we implement Transport Layer Security (TLS) 1.2, and where supported, TLS 1.3 to enhance security and performance. Encryption controls are reviewed periodically and adjusted in response to emerging threats and best practices.

Payment processing

Lawbrokr is not involved in processing or storing payment card information belonging to our customers. To ensure secure credit card processing, we rely on the services of Stripe, an external payment processing company. Stripe is a certified PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.

Monitoring and logging

Lawbrokr monitors and logs all activities on its systems to detect and respond to any suspicious activity. We also regularly review logs to identify potential security breaches.

Secure software development

Lawbrokr employs a secure software development practice to ensure the confidentiality, integrity, and availability of data in software applications.

- Threat modeling: Threat modeling is utilized to identify potential security threats to a software application and determine the best ways to mitigate them. The threat modeling process is conducted at the start of the software development lifecycle and continuously reviewed throughout the development process.

- Secure coding practices: Lawbrokr adheres to coding standards and guidelines, uses secure coding techniques, and avoids common programming errors that could lead to security vulnerabilities. Secure coding practices are integrated into the software development lifecycle and continuously reviewed throughout the development process.

- Code review: Code reviews are conducted through a combination of manual and automated processes. Code reviews are conducted regularly throughout the software development lifecycle to ensure that any potential security vulnerabilities are identified and addressed promptly.

- Testing and validation: Testing and validation are conducted at different stages of the software development lifecycle, including unit testing, integration testing, and acceptance testing. Automated testing tools and techniques help to identify potential security vulnerabilities and reduce the likelihood of security breaches.

Data backup

Lawbrokr maintains regular backups of all data stored on its systems to ensure data can be restored in the event of data loss.

Incident response

Lawbrokr has a documented incident response plan in place and ensures that all employees are trained on the plan. The plan includes roles and responsibilities, communication procedures, and escalation protocols.

Disaster recovery

Lawbrokr has a disaster recovery plan in place to ensure that critical business operations can continue in the event of a natural or man-made disaster.

Contact information

If you have any questions or comments about this notice, please do not hesitate to contact us at:

Phone: 1-888-550-7647
Website: www.lawbrokr.com
Email: info@lawbrokr.com
Postal Address: Lawbrokr, Inc., 1 King Street W, Suite 4800-64, Toronto, Ontario, M5H 1A1