The Draftable team has talked to hundreds of law firms and legal teams about their security and compliance requirements for adopting new legal tech, ranging from the world’s largest law firms to in-house legal teams at public companies with global operations.
We’ve found that while these firms vary in size and industry, they all share the same concerns and obligations around security, and ask very similar questions when assessing Draftable on its security and compliance measures.
Our Chief Technology Officer, Samuel Leslie, has rounded up 10 of the most common security questions we get from law firms, how we answer them, and why they’re important.
While this is a non-exhaustive list, it’s a great starting point for legal teams to evaluate legal tech vendors’ security and compliance measures, and ensure their client data remains secure and confidential.
Draftable’s answer: Draftable is and remains independently audited as ISO 27001 compliant. The certificate of compliance is available for download here, along with supporting policies and documentation.
Why it’s important: Information security standards, such as ISO 27001, are benchmarks of a vendor's commitment to maintaining a high security standard. By asking this question, law firms can verify the tech provider meets international and industry-specific regulations, reducing the risk of data breaches and legal liabilities to counterparties and third parties.
Draftable’s answer: Yes, we are generally covered by professional indemnity and cybersecurity insurance policies that cover potential liabilities and damages arising from cyber incidents affecting our customers.
Why it’s important: Insurance coverage, such as professional indemnity and cybersecurity policies, is an important risk allocation measure that law firms should seek from vendors, as it can provide financial support and assistance following events such as data breaches or certain other security incidents. This provides an additional form of risk protection for legal service providers, which among other things may allow for continuity of service and security.
Draftable’s answer: We encrypt all data both at rest and in transit using modern cryptography. We document approved cryptographic primitives in our Cryptography Policy, which can be accessed here.
Why it’s important: Encryption of data at rest and in transit protects it from unauthorised access. This is particularly important for law firms whose communications and stored information often contain highly confidential client details. Your legal tech vendor should be implementing modern cryptography for all data they handle, and documenting their usage of cryptography as part of their information security policies.
Draftable’s answer: Yes. We conduct regular penetration and vulnerability testing performed by third-party auditors, as well as our internal security team, to ensure our systems and software are secure. We provide executive summaries of third-party penetration tests here.
Why it’s important: Regular penetration and vulnerability testing is crucial for identifying and mitigating potential security flaws before they can be exploited by malicious entities. Law firms must confirm their vendors are proactive in detecting and addressing security vulnerabilities to protect sensitive client information.
Draftable’s answer: We perform a range of security testing and reviews, including (but not limited to):
Why it’s important: Understanding the extent and frequency of security testing and reviews helps law firms gauge how rigorously a vendor tests their systems against security breaches. Comprehensive testing is an indicator of cybersecurity maturity and provides additional assurance around a vendor’s ability to protect customer data.
Draftable’s answer: We perform regular vulnerability scanning via Continuous Integration (CI) automation and Cloud Security Posture Management (CSPM) platforms. We conduct manual scans quarterly and after any significant changes to our infrastructure or applications. You can find out more about our continuous monitoring here.
Why it’s important: The frequency of vulnerability scanning shows a vendor's commitment to continuous security assessment. Law firms need vendors who perform these scans frequently (ideally, as part of regular automated scans) to promptly discover and mitigate vulnerabilities.
Draftable’s answer: Yes, we perform reviews of all source code added to our products during software development and utilise security scanning tools during our development lifecycle to detect and remediate security issues before software deployment.
Why it’s important: Code reviews and security scanning help identify and rectify security flaws within the application code itself. These practices ensure that the software provided to law firms is secure from both known and emerging threats.
Draftable’s answer: We have comprehensive security and business continuity policies covering data protection, information security, system security, incident response, disaster recovery, and more. You can view them all here.
Why it’s important: Access to a vendor’s security and business policies allows law firms to understand how their data will be handled and protected. This transparency helps firms assess the vendor's preparedness to manage data securely and respond to security incidents.
Draftable’s answer: We utilise compliance and security platforms to continually monitor our information security and to alert on information security events. Internal audits of specific activities (such as user account reviews) are performed quarterly.
Why it’s important: Regular internal audits are essential for maintaining ongoing compliance and for identifying internal security weaknesses. Law firms should choose vendors who conduct these audits to ensure continuous improvement and adherence to security protocols.
Draftable’s answer: Yes. We publish all our security and compliance policies, practices, and documentation at our Trust Center.
Why it’s important: Having a consolidated document or repository of all security-related information simplifies the due diligence process for law firms. This enables a quick and comprehensive assessment of the vendor's security posture and practices.
Draftable takes security seriously. As an ISO 27001-certified company, we specialise in document comparison for large organisations with specific obligations around security and privacy. We'll work with your IT or Development teams to ensure a seamless deployment.
Get in touch to discuss your security questions and requirements, and to learn more about our API options (including self-hosted deployment).
You can also read more about Draftable’s security practices.