The Draftable team has talked to hundreds of law firms and legal teams about their security and compliance requirements for adopting new legal tech, ranging from the world’s largest law firms to in-house legal teams at public companies with global operations.
We’ve found that while these firms vary in size and industry, they all share the same concerns and obligations around security - and ask very similar questions when assessing Draftable on its security and compliance measures.
Our Chief Technology Officer, Samuel Leslie, has rounded up 10 of the most common security questions we get from law firms, how we answer them, and why they’re important.
While this is a non-exhaustive list, it’s a great starting point for legal teams to evaluate legal tech vendors’ security and compliance measures, and ensure their client data remains secure and confidential.
1. What information security standards are you compliant with?
Draftable’s answer: Draftable is independently audited and certified as ISO 27001 compliant, and that certification is maintained on an ongoing basis. The certificate of compliance is available for download here, along with supporting policies and documentation.
Why it’s important: Information security standards, such as ISO 27001, are benchmarks of a vendor's commitment to maintaining a high security standard. By asking this question, law firms can verify the tech provider meets international and industry-specific regulations, reducing the risk of data breaches and legal liabilities to counterparties and third parties.
2. Are you covered under professional indemnity and cybersecurity insurance policies?
Draftable’s answer: Yes, we are generally covered by professional indemnity and cybersecurity insurance policies that cover potential liabilities and damages arising from cyber incidents affecting our customers.
Why it’s important: Insurance coverage, such as professional indemnity and cybersecurity policies, is an important risk allocation measure to seek from vendors, in that it can provide financial support and assistance in the event of an incident (such as losses arising from data breaches or certain other security incidents). This provides an additional form of risk protection for legal service providers, which among other things may allow for continuity of service and security.
3. Do you encrypt data at rest and in transit?
Draftable’s answer: We encrypt all data both at rest and in transit using modern cryptography. We document approved cryptographic primitives in our Cryptography Policy, which can be accessed here.
Why it’s important: Encryption of data at rest and in transit protects it from unauthorised access. This is particularly important for law firms whose communications and stored information often contain highly confidential client details. Your legal tech vendor should be implementing modern cryptography for all data they handle, and documenting their usage of cryptography as part of their information security policies.
4. Do you carry out regular penetration and vulnerability testing?
Draftable’s answer: Yes. We conduct regular penetration and vulnerability testing performed by third-party auditors, as well as our internal security team, to ensure our systems and software are secure. We provide executive summaries of third-party penetration tests here.
Why it’s important: Regular penetration and vulnerability testing is crucial for identifying and mitigating potential security flaws before they can be exploited by malicious entities. Law firms must confirm their vendors are proactive in detecting and addressing security vulnerabilities to protect sensitive client information.
5. What kind of security testing and security reviews do you perform?
Draftable’s answer: We perform a range of security testing and reviews, including (but not limited to):
- Security design reviews of software developed internally.
- Threat modelling during the design phase of development.
- Security code reviews of software developed internally.
- Vulnerability scanning of software dependencies.
- Insecure configuration scanning of cloud infrastructure.
- Red-team style penetration tests of externally exposed systems.
Why it’s important: Understanding the extent and frequency of security testing and reviews helps law firms gauge how rigorously a vendor tests their systems against security breaches. Comprehensive testing is an indicator of cybersecurity maturity and provides additional assurance around a vendor’s ability to protect customer data.
6. How often do you perform vulnerability scanning?
Draftable’s answer: We perform regular vulnerability scanning via Continuous Integration (CI) automation and Cloud Security Posture Management (CSPM) platforms. We conduct manual scans quarterly and after any significant changes to our infrastructure or applications. You can find out more about our continuous monitoring here.
Why it’s important: The frequency of vulnerability scanning shows a vendor's commitment to continuous security assessment. Law firms need vendors who perform these scans frequently (ideally, as part of regular automated scans) to promptly discover and mitigate vulnerabilities.
7. Do you perform source code review and security scanning?
Draftable’s answer: Yes, we perform reviews of all source code added to our products during software development and utilise security scanning tools during our development lifecycle to detect and remediate security issues before software deployment.
Why it’s important: Code reviews and security scanning help identify and rectify security flaws within the application code itself. These practices ensure that the software provided to law firms is secure from both known and emerging threats.
8. What security and business policies do you have, and can you provide them?
Draftable’s answer: We have comprehensive security and business continuity policies covering data protection, information security, system security, incident response, disaster recovery, and more. You can view them all here.
Why it’s important: Access to a vendor’s security and business policies allows law firms to understand how their data will be handled and protected. This transparency helps firms assess the vendor's preparedness to manage data securely and respond to security incidents.
9. How often do you perform internal information security and privacy audits?
Draftable’s answer: We utilise compliance and security platforms to continually monitor our information security and provide alerting of information security events. Internal audits for specific activities (such as user account reviews) are performed quarterly.
Why it’s important: Regular internal audits are essential for maintaining ongoing compliance and for identifying internal security weaknesses. Law firms should choose vendors who conduct these audits to ensure continuous improvement and adherence to security protocols.
10. I am looking for a copy of all your security and compliance information in one place. Do you have that?
Draftable’s answer: Yes. We publish all our security and compliance policies, practices, and documentation at our Trust Center.
Why it’s important: Having a consolidated document or repository of all security-related information simplifies the due diligence process for law firms. This enables a quick and comprehensive assessment of the vendor's security posture and practices.
Draftable takes security seriously. As an ISO 27001-certified company, we specialise in document comparison for large organisations with specific obligations around security and privacy. We'll work with your IT or Development teams to ensure a seamless deployment.
Get in touch to discuss your security questions and requirements and to learn more about our API (including self-hosted) options.
You can also read more about Draftable’s security practices.