Security Policy
Overview
As an industry pioneer in legal tech and the foremost provider of legal solutions, we consider information security, legal compliance, and data privacy paramount in our organization.
We prioritize implementing data privacy by design and default principles throughout the development of our legal tech platform.
Our Security Certifications
ISO 27001 Certification
Miramis Technologies uses an Information Security Management System (ISMS) certified under ISO/IEC 27001 as the basis for all information security measures.
The ISO/IEC 27001 standard provides guidelines and general principles for planning, implementing, maintaining, and improving information security in an organization.
SOC 2 Type 2 Certified
In addition to our ISO certification, Miramis Technologies is SOC 2 Type 2 certified.
This certification demonstrates that we manage our data in accordance with the five trust service principles: security, availability, processing integrity, confidentiality, and privacy.
GDPR Compliance
Miramis Technologies' use and processing of data are compliant with the EU General Data Protection Regulation (“GDPR”). For additional information, please refer to our Privacy Policy.
Annual Penetration Testing
To ensure the robustness of our security measures, Miramis Technologies conducts annual penetration testing.
This rigorous testing, performed by an independent third party, is designed to identify and rectify any vulnerabilities in our systems. The results are used to continuously enhance our security posture.
How We Partner With Sub-Processors And Subcontractors
We carefully vet suppliers during the procurement process and only use suppliers for specific and necessary purposes to enhance Miramis Technologies for our end-users.
We expect the same technical and security measures from our suppliers as we uphold for ourselves. We require ISO 27001 certification and GDPR compliance for our most critical sub-processors.
All contracts with chosen suppliers address our demands on the supplier's IT environment and information security measures. Each supplier is obligated to account for their technology, routines, and processes as well as their IT and information security policies.
Our suppliers sign non-disclosure agreements and other relevant regulatory agreements before their service is put into use, and we regularly monitor suppliers' access rights and other aspects of our agreement with them.
How We Ensure Business Continuity
Testing
We perform automated and manual QA assessments for every Miramis Technologies release.
Our automated testing infrastructure covers 100% of the critical user flows and is triggered for release candidates to manage defects in production code.
Data Backup
Trained personnel manage and follow up on backup execution to ensure the backup data's integrity, confidentiality, and accuracy.
Disaster Recovery
We carry out rigorous IT and management processes when a serious incident occurs and continuously update our processes and routines.
AWS best practices play a central role in our disaster recovery routines. The continuity plan is tested at intervals based on regular risk assessments.
High Degree of Digitization
All services and tools are digitally accessible using at least MFA, and critical systems are secured by SSO. Most employees can continue working from alternative locations if offices are inaccessible due to an extreme event.
How We Prevent Unauthorized Access
Access Control To Systems
We adhere to the principle of least privilege using role-based permissions and multi-factor authentication for systems containing highly confidential data.
Authorized users only have access to data relevant to their access rights. We conduct routine vulnerability scanning and malicious activity detection, and we block suspicious behavior automatically. Firewalls prevent unwanted traffic from entering the network.
Data Encryption
Customer data at rest is encrypted with AES-256, and data in transit is encrypted with TLS 1.2.
We are alerted to encryption issues through periodic risk assessments and annual third-party penetration tests.
How We Manage Risk
We conduct periodic reviews and assessments of risks, monitor compliance with internal policies and procedures, and maintain an up-to-date risk mapping signed off by senior management.
How We Secure Operations
We safeguard operations against malicious code through active monitoring, updated antivirus and spam filters, timely installation of security patches, and mandatory annual security training for all employees.
How We Uphold Security With Our Staff
We require employees to conduct themselves in accordance with confidentiality, business ethics, and professional standards.
All personnel sign confidentiality agreements and acknowledge compliance with our confidentiality and privacy policies.