1. Plausity is an AI platform with enterprise security
This document describes the technical and organizational security measures and controls implemented by Plausity to protect Personal Data and ensure the ongoing confidentiality, integrity and availability of Plausity's products and services. More details on the measures we implement are available upon request. Plausity reserves the right to revise these technical and organizational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for Personal Data that Plausity processes in providing its products and services.
2. How Plausity works
The Plausity AI Platform is a legal AI workspace which comprises a cloud service accessible via a web interface through a browser and/or desktop app (or, if specifically agreed in the Order Form, APIs offered by Plausity), plug-ins, add-ins to other software and any ancillary documentation and modules provided by Plausity and its Affiliates. The Plausity AI Platform is used for streamlining legal work on top of public legal information and the Subscriber's own documents. The platform is an all-in-one solution for teams to work with legal inquiries and simplify legal workflows seamlessly.
3. Sub-processors
Plausity engages carefully vetted sub-processors for specific purposes. For a list of sub-processors, please see Pre-approved Sub-processors.
4. Business continuity management
Data backup is one of the pillars of Plausity's IT continuity plan. Trained personnel manage and follow up on backup execution to ensure the integrity, confidentiality, and accuracy of the backup data. Backups are performed every 4 hours.
Another pillar is the IT and management processes and routines that would be carried out if a serious incident occurs. Plausity continually works on keeping processes and routines updated. The continuity plan is tested at intervals based on regular risk assessments.
Plausity has a high degree of digitization, and all the services and tools are digitally accessible using Google Accounts' SAML-based Federated SSO. As a result, most employees can continue to work from other locations even if Plausity's offices are closed or not accessible due to an extreme event.
5. Supplier relationship management
Plausity ensures that identified security requirements are met by external suppliers during the procurement process. A contract with a chosen supplier addresses the demands on the supplier's IT environment and information security measures. The supplier shall present and account for their technology, routines, and processes as well as IT and information security policies. Plausity regularly reviews suppliers' access rights and other aspects of the agreement with the supplier. Suppliers agree to carry out assignments in compliance with the provisions specified in applicable laws and regulations in the countries where the assignments are performed.
6. Information security management
Plausity uses an Information Security Management System (ISMS) certified under ISO/IEC 27001:2022 as the basis for all security measures, and Plausity is audited against the standard on a yearly basis. The ISO/IEC 27001 standard provides guidelines and general principles for planning, implementing, maintaining, and improving information security in an organization.
7. System access control
Measures that prevent unauthorized persons from using IT systems and processes:
- When provisioning access, Plausity adheres to the principle of least privilege and role-based permissions — meaning our employees are only authorized to access data that they reasonably must handle in order to fulfil their job responsibilities.
- Plausity utilizes multi-factor authentication for access to systems with highly confidential data, including our production environment which houses Personal Data.
8. Physical access control
Measures to prevent physical access of unauthorized persons to IT systems that handle Personal Data:
- Plausity partners with industry-leading data center and cloud infrastructure providers. Access to all data centers is strictly controlled. All data centers are equipped with 24x7x365 surveillance and biometric access control systems.
- Data centers are equipped with at least N+1 redundancy for power, networking, and cooling infrastructure.
- Plausity replicates data across separate, physically independent, and highly secure Microsoft Azure locations, ensuring high availability, and protection from local failures such as power outages and fires.
Measures to prevent physical access of unauthorized persons to physical office locations:
- Plausity ensures that only authorized persons can access physical office locations through comprehensive access management consisting of redundant key-card access points. This is done by third-party office providers.
- Plausity ensures effective and immediate onboarding and offboarding of employees, contractors, and third parties, including the security training of said personnel and the immediate return and/or destruction of sensitive documents and access cards upon termination.
9. Data access control
Measures to ensure that persons authorized to use Plausity have access only to the Personal Data pursuant to their access rights:
- Plausity enforces password complexity to match OWASP password recommendations to ensure strong passwords are used.
- Recovery of lost passwords is done by requesting a signed link to the user's email account — no passwords are sent in plain text over email, chat, phone, or any other communication method.
- Plausity ensures passwords are hashed (and salted) securely using bcrypt according to best practices, and upon the Subscriber's request, requires single sign-on (SSO) powered by SAML 2.0, for secure user authentication.
- Plausity uses best-practice tools for vulnerability scanning and malicious activity detection, and blocks suspicious behavior automatically.
- Plausity utilizes firewalls to prevent unwanted traffic from entering the network and keeps internal systems in separate subnetworks with no outside access.
10. Transmission access control
Measures to ensure that Personal Data cannot be read, copied, altered, or deleted by unauthorized persons during electronic transmission or during transport or storage on data media and that those areas can be controlled and identified where transmission of Personal Data is to be done via data transmission systems:
- Subscriber data at rest is encrypted with AES-256 or other algorithms of equivalent strength, and data in transit is encrypted with at least TLS 1.2.
- Plausity is alerted to encryption issues through periodic risk assessments and third-party penetration tests. Plausity performs third-party penetration tests on an annual basis, or as needed due to changes in the business.
- We also sign the data to ensure its integrity. An IT security and data flow diagram can be found on our Trust Center.
11. Entry control
Measures to ensure that it can be subsequently reviewed and determined if and from whom Personal Data was entered, altered, or deleted in the IT system:
- Systems are monitored for security events to ensure quick resolution.
- Logs are centrally stored and indexed. Critical logs, such as security logs, are retained for at least 12 months. Logs can be traced back to individual unique usernames with timestamps to investigate nonconformities or security events.
12. Availability control
Measures to ensure that Personal Data are protected against accidental destruction or loss:
- Plausity saves a full backup copy of production data every 4 hours to ensure rapid recovery in the event of a large-scale disaster. Incremental/point-in-time recovery is available for all primary databases. Backups are encrypted in transit and at rest using strong encryption.
- Plausity's patch management process ensures that systems are patched in time according to threat level. Monitoring, alerting, and routine vulnerability scanning occurs to ensure that all product infrastructure is patched consistently.
- When necessary, Plausity patches infrastructure in an expedited manner in response to the disclosure of critical vulnerabilities to ensure system uptime is preserved.
- Subscriber environments are logically separated at all times. The Subscriber is not able to access accounts other than those for which it has been given authorization credentials.
13. Separation control
Measures to ensure that Personal Data collected for different purposes can be processed separately:
- Plausity employs different data processing systems for different purposes. These systems are architecturally (logically and physically) separated. All systems require valid authorization to be accessed.
- To guard against the unintentional amalgamation of data, Plausity separates development, testing, staging, and production environments.
14. Risk management
Measures to ensure appropriate risk management include but are not limited to:
- Plausity conducts periodic reviews and assessments of risks, monitoring and maintaining compliance with Plausity's policies and procedures.
- Plausity ensures periodic, effective reporting of information security conditions and compliance to senior internal management.
- Plausity hosts periodic security risk management training for all employees, including but not limited to data protection, as well as an initial onboarding training for new employees to review and ensure compliance with up-to-date security risk management procedures and policies.
- Plausity maintains a central IT policy covering guidelines for Internet usage.
15. Operations security
Measures to ensure that appropriate operations security safeguards against malicious code are in place include but are not limited to:
- Plausity has different systems and methods to protect the IT infrastructure against malicious code, including various antivirus scanners, spam filters, security updates, and training.
- Plausity uses active monitoring to ensure that antivirus scanners and spam filters are active and updated.
- Plausity actively installs the latest security updates on systems and applications to minimize the risk for exploitation of vulnerabilities.
Measures to ensure that appropriate operations security safeguards for email are in place include but are not limited to:
- Plausity utilizes Google's world-class email security to protect all inbound and outbound emails from malware.
- Plausity leverages Google's email spam filtering services to guard against spam, virus, and phishing attacks.
- Employees of Plausity immediately notify staff of email identified as infected or harmful and ensure that the email sender is blocked and quarantined. The verification and assessment of whether an email is malicious is not automated or rule-based, but rather relies on the competency of each Plausity employee, who is educated on a periodic basis to identify harmful emails.
16. Security regarding personnel
Measures to ensure that Plausity's personnel comply with applicable laws and regulations, and that personnel abide by the relevant terms and conditions of supplier and customer agreements:
- Plausity's personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Plausity conducts reasonably appropriate background checks in relation to the employee's role to the extent legally permissible.
- Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Plausity's confidentiality and privacy policies. Personnel are provided with security training. Plausity's personnel will not process customer data without authorization.
17. Retention of personal data
During the term of the DPA, the Personal Data processed by Plausity will be subject to the retention requirements instructed from time to time by the Subscriber. After the termination or expiration of the DPA, Clause 11 of the DPA shall apply.