This ILAW Security Policy (“ISP”) governs the processing of Personal Data provided by the Subscriber in connection with their use of the ILAW by ILAW software and is incorporated into the Agreement. In the event of any conflict between the Agreement and the ISP, this ISP will prevail.

1. The Subscriber’s Compliance with GDPR

The Subscriber agrees that they are a Data Controller and that ILAW is a Data Processor for the purposes of processing Personal Data. The Subscriber shall at all times comply with the GDPR in connection with the processing of Personal Data. The Subscriber shall ensure all instructions given by it to ILAW in respect of Personal Data shall at all times be in accordance with the GDPR.

2. ILAW’s Compliance with GDPR

2.1 ILAW, acting as the Data Processor, shall process Personal Data in compliance with the obligations placed on it under the GDPR. ILAW shall:

(a) have technical and organisational measures in place, having regard to the state of technological development and the cost of implementing any measures, against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by it, appropriate to the harm that might result from such unauthorised or unlawful processing or loss, destruction or damage to Personal Data and the nature of the Personal Data;

(b) take reasonable steps, having regard to the state of technological development and the cost of implementing any measures, to ensure the reliability of any of its staff who have access to Personal Data processed in connection with the Terms and Conditions;

(c) not transfer the Personal Data provided by the Subscriber to a country or territory outside the EEA without ensuring the Personal Data is afforded adequate protection within the meaning of the GDPR;

(d) promptly inform the Subscriber if, in ILAW’s opinion, any of the instructions regarding the processing of Personal Data provided by the Subscriber breach any applicable data protection laws;

(e) use reasonable endeavours to assist the Subscriber by implementing appropriate technical and organisational measures (insofar as this is possible, taking into account the nature of the processing) for the fulfilment of the Subscriber’s obligation to respond to requests for exercising Data Subject rights laid down in the GDPR; and

(f) act only on instructions from the Subscriber or the Regulator in respect of any Personal Data processed by ILAW. The parties acknowledge and agree that the Agreement (subject to any changes to the ILAW by ILAW software agreed between the parties) and this ISP shall be the Subscriber’s complete and final instructions to ILAW in relation to the processing of Subscriber Personal Data.

2.2 The Subscriber acknowledges that, with certain exceptions, ILAW does not have access to Personal Data and will require permission from a Subscriber if asked to provide services related to the ILAW by ILAW software. The Subscriber shall provide access to ILAW personnel only on an as-needed basis and shall terminate such access promptly after the need for such access has expired. In the performance of helpdesk support where file-sharing is used, it is the responsibility of the Subscriber to ensure that all sharing sessions are terminated.

3. Data Ownership, Deletion and Portability

3.1 The Data contained within ILAW remains the property of the Subscriber.

3.2 If a Subscriber ends their Agreement, ILAW will retain the Subscriber’s Data for a period of seven (7) years before having it destroyed.

3.3 During the seven (7) years following termination, a subscription can be reactivated to gain access to the Data held.

3.4 The Subscriber can request that their Data is deleted upon their termination, or at any time before the seven (7) year expiration date.

3.5 ILAW will enable the Subscriber to delete Personal Data.

3.6 ILAW will enable the Subscriber to extract Personal Data on request.

4. Data Sovereignty and Integrations

4.1 The Subscriber’s Data, including Personal Data, is housed in a highly available, active-active scalable solution situated in the ISO 27001 certified AWS datacentres in Dublin.

4.2 ILAW shall not engage any other Sub-Processor for carrying out any processing activities in respect of Personal Data without the Subscriber’s written authorisation, and without ensuring, by way of a contract, that the Sub-Processor provides sufficient guarantees of compliance with the GDPR.

5. Data Encryption

5.1 The Workflow by ILAW software is accessed via HTTPS using Transport Layer Security (TLS). TLS is a cryptographic protocol designed to protect information transmitted over the internet against eavesdropping, tampering, and message forgery.

5.2 All stored Data is encrypted at rest, using AES-256, military grade encryption. This is done to protect Data in the event an ILAW server is compromised by an unauthorised party.

6. Technical and organisational measures

Taking into account the state of technical development and the nature of processing, ILAW shall implement and maintain the technical and organisational measures set out in Appendix 3 in respect of Articles 32 to 36 to protect the Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. Responsibility for Subject Access lies with the Subscriber, as ILAW staff have no access to Personal Data contained in the Workflow by ILAW software. Guidance can be provided on request.

7. Audits

ILAW shall, in accordance with the GDPR, make available to the Subscriber such information in its possession or control as is necessary to demonstrate ILAW’s compliance with the obligations imposed on each party by Article 28 of the GDPR, and, at the Subscriber’s expense, allow for and contribute to audits, including inspections, provided such audits or inspections are:

(a) limited in scope to matters specific to the Subscriber and agreed in advance;

(b) carried out during UK business hours and upon reasonable notice, which shall be not less than 90 days’ notice unless an identifiable material issue has arisen; and

(c) conducted in a way which does not interfere with ILAW’s day-to-day business.

8. Information Security Personnel

ILAW has a dedicated team of Information Security Specialists who continually monitor the AWS infrastructure and Workflow by ILAW software. All employees, agents, officers and contractors involved in the handling of Personal Data:

(a) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential;

(b) have received appropriate training on their responsibilities as a Data Processor; and

(c) comply with the terms of this ISP.

9. Backup Policy and System Monitoring

ILAW servers are backed up multiple times daily, weekly and monthly, and are monitored 24 hours a day, 7 days a week, 365 days a year.

10. Data Breaches

ILAW shall notify the Subscriber without undue delay and in writing on becoming aware of (and in any event within 72 hours of discovering) any Data Breach in respect of any Personal Data.

ILAW will take all commercially reasonable measures to secure the Personal Data, to limit the effects of any Data Breach, and to assist the Subscriber in meeting their obligations under the GDPR.

If a vulnerability is identified, or Data is available publicly outside of the ILAW Services, please contact ILAW immediately via support@ilawsoftware.com.

Appendix 1: Definitions

Unless otherwise defined in this policy, all terms in bold will have the meanings given to them below:

Agreement means the agreement between ILAW and the Subscriber for the provision of the Workflow by ILAW software

AWS means Amazon Web Services based in the Dublin Region, acting as an agreed Sub-Processor

Data Breach has the meaning defined in the GDPR

Data Controller has the meaning defined in the GDPR

Data means all data held within the ILAW Services

Data Processor has the meaning defined in the GDPR

EEA means the European Economic Area

GDPR means the General Data Protection Regulation (EU) 2016/679

ISO 27001 certification means an ISO/IEC 27001:2013 certification or a comparable certification for the Audited Services

ILAW means ILAW Legal Ltd and its associated entities of 10 John Street, London, WC1N 2EB

Personal Data has the meaning defined in the GDPR

Regulator means the Solicitors Regulatory Authority, The Law Society of Scotland, The Law Society of Northern Ireland or The Law Society of Ireland

Subscriber means a person or organisation who pays monthly for access to the Workflow by ILAW software

Sub-Processor means another Data Processor engaged by ILAW to carry out processing activities in respect of Personal Data on behalf of the Subscriber

Term means the period from the installation date until the end of ILAW’s provision of the Workflow by ILAW software, including, if applicable, any period during which provision of the Workflow by ILAW software may be suspended and any post-termination period during which ILAW may continue providing the Workflow by ILAW software for transitional purposes

Terms and Conditions means the supply and support terms and conditions contained in the Agreement

Appendix 2: Subject Matter and Details of the Data Processing

Subject Matter

ILAW’s provision of the Workflow by ILAW software to the Subscriber.

Duration of the Processing

The Term plus the period from the expiry of the Term until deletion of all Data by ILAW in accordance with this ISP.

Nature and Purpose of the Processing

ILAW will process Personal Data for the purposes of providing the Workflow by ILAW software to the Subscriber in accordance with this ISP

Categories of Data

Data relating to individuals provided to ILAW via the Workflow by ILAW software, by (or at the direction of) the Subscriber or by the Subscriber’s customer

Data Subjects

Data subjects include the individuals about whom data is provided to ILAW via the Services by (or at the direction of) the Subscriber or by the Subscriber’s customer

Appendix 3: Technical Measures

Local & Network Firewalls

Web Application Firewalls

Intrusion Detection & Prevention Systems

Multivendor Anti-Virus

Application White Listing

DDoS Throttling Services

Access Control Lists

Security Patch Management

ITIL Framework (release/incident/change)

Identity and Access Management

Centralised Log Management

Symmetric and Asymmetric Encryption systems

Two Factor Authentication

Secure Code reviews

Separation of Duties

Data Loss Prevention

Vulnerability Assessment

Anomaly Detection

Externally commissioned penetration testing

Externally commissioned audits

Remote Monitoring & Alerting