This ILAW Security Policy (“ISP”) governs the processing of Personal Data provided by the Subscriber in connection with their use of the ILAW by ILAW software and is incorporated into the Agreement. In the event of any conflict between the Agreement and the ISP, this ISP will prevail.
1. The Subscriber’s Compliance with GDPR
The Subscriber agrees that they are a Data Controller and that ILAW is a Data Processor for the purposes of processing Personal Data. The Subscriber shall at all times comply with the GDPR in connection with the processing of Personal Data. The Subscriber shall ensure all instructions given by it to ILAW in respect of Personal Data shall at all times be in accordance with the GDPR.
2. ILAW’s Compliance with GDPR
2.1 2.1 ILAW, acting as the Data Processor, shall process Personal Data in compliance with the obligations placed under it under the GDPR. ILAW shall:
(a) have technical and organisational measures in place, having regard to the state of technological development and the cost of implementing any measures, against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by it, appropriate to the harm that might result from such unauthorised or unlawful processing or loss, destruction or damage to Personal Data and the nature of the Personal Data;
(b) take reasonable steps, having regard to the state of technological development and the cost of implementing any measures, to ensure the reliability of any of its staff who have access to Personal Data processed in connection with the Terms and Conditions;
(c) not transfer the Personal Data provided by the Subscriber to a country or territory outside the EEA without ensuring the Personal Data is afforded adequate protection within the meaning of the GDPR;
(d) promptly inform the Subscriber, if in ILAW’s opinion, any of the instructions regarding the processing of Personal Data provided by the Subscriber, breach any applicable data protection laws.
(e) use reasonable endeavours to assist Subscriber by implementing appropriate technical and organisational measures (insofar as this is possible taking into account the nature of the Processing), for the fulfilment of Subscriber’s obligation to respond to requests for exercising Data Subject rights laid down GDPR; and
(f) act only on instructions from the Subscriber or the Regulator in respect of any Personal Data processed by ILAW. The parties acknowledge and agree that the Agreement (subject to any changes to the ILAW by ILAW software agreed between the parties) and this ISP shall be the Subscriber’s complete and final instructions to ILAW in relation to the processing of Subscriber Personal Data;
2.2 The Subscriber acknowledges that, with certain exceptions, ILAW does not have access to Personal Data and will require permission from a Subscriber if asked to provide services related to the ILAW by ILAW Software. The Subscriber shall provide access to the ILAW personnel only on an as-needed basis and to terminate such access promptly after the need for such access has expired. In the performance of helpdesk support where file-sharing is used, it is the responsibility of the Subscriber to ensure that all sharing sessions are terminated.
3. Data Ownership, Deletion and Portability
3.1 The Data contained within ILAW remains the property of the Subscriber.
3.2 If a Subscriber ends their Agreement, ILAW will retain the Subscribers Data for a period of seven (7) years before having it destroyed.
3.3 During the seven (7) years following termination, a subscription can be reactivated to gain access to the Data held.
3.4 The Subscriber can request that their Data is deleted upon their termination, or at any time before the seven (7) year expiration date.
3.5 ILAW will enable The Subscriber to delete Personal Data.
3.6 ILAW will enable The Subscriber to extract Personal Data on request.
4. Data Sovereignty and Integrations
4.1 The Subscribers Data, including Personal Data, is housed in a highly available, active-active scalable solution situated in the ISO 27001 certified AWS datacentres in Dublin.
4.2 ILAW shall not engage any other Sub-Processor for carrying out any processing activities in respect of Personal Data without the Subscriber’s written authorisation and ensuring sufficient provision of compliance with GDPR including a contract.
5. Data Encryption
5.1 The Workflow by ILAW software is accessed via HTTPS using Transport Layer Security (TLS). TLS is a cryptographic protocol designed to protect information transmitted over the internet, against eavesdropping, tampering, and message forgery.
5.2 All stored Data is encrypted at rest, using AES-256, military grade encryption. This is done to protect Data in the event an ILAW server is compromised by an unauthorised party.
6. Technical and organisational measures
Taking into account the state of technical development and the nature of processing, ILAW shall implement and maintain the technical and organisational measures set out in Appendix 3 in respect to Articles 32 to 36 to protect the Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. Responsibility for Subject Access lies with the Subscriber as ILAW staff have no access to Personal Data contained in Workflow by ILAW software. Guidance can be provided on request.
7. Audits
ILAW shall, in accordance with GDPR, make available to the Subscriber such information that is in its possession or control as is necessary to demonstrate the ILAW's compliance with the obligations on each party imposed by Article 28 of the GDPR, and at the Subscriber’s expense, allow for and contribute to audits, including inspections, provided such audits or inspections are:
(a) limited in scope to matters specific to the Subscriber and agreed in advance;
(b) carried out during UK business hours and upon reasonable notice which shall be not less than 90-days’ notice unless an identifiable material issue has arisen; and
(c) conducted in a way which does not interfere with the ILAW’s day-to-day business.
8. Information Security Personnel
ILAW has a dedicated team of Information Security Specialists who continually monitor the AWS infrastructure and Workflow by ILAW software. All employees, agents, officers and contractors involved in the handling of Personal Data:
(a) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential;
(b) have received appropriate training on their responsibilities as a Data processor; and
(c) comply with the terms of this ISP.
9. Backup Policy and System Monitoring
ILAW servers are backed up multiple times daily, weekly and monthly, and are monitored 24 hours a day, 7 days a week, 365 days a year.
10. Data Breaches
ILAW shall notify the Subscriber without undue delay and in writing on becoming aware of (and in any event within 72 hours of discovering) any Data Breach in respect of any Personal Data.
ILAW will take all commercially reasonable measures to secure the Personal Data, to limit the effects of any Data Breach, and to assist Subscriber in meeting their obligations under the GDPR.
If a vulnerability is identified or Data is available publicly outside of the ILAW Services, please contact ILAW immediately via support@ilawsoftware.com
Appendix 1: Definitions
Unless otherwise defined in this policy, all terms in bold will have the meanings given them to them below:
Agreement means the agreement between the ILAW and the Subscriber for the provision of Workflow by ILAW software
AWS means Amazon Web Services based in the Dublin Region, acting as an agreed sub-processer
Data Breach has the meaning defined in the GDPR
Data Controller has the meaning defined in the GDPR
Data means all data held with the ILAW Services
Data Processor has the meaning defined in the GDPR
EEA means the European Economic Area
GDPR means the General Data Protection Regulation (EU) 2016/679
ISO 27001 certification means an ISO/IEC 27001:2013 certification or a comparable certification for the Audited Services
ILAW means ILAW Legal Ltd and its associated entities of 10 John Street, London, WC1N 2EB
Personal Data has the meaning defined in the GDPR
Regulator means the Solicitors Regulatory Authority, The Law Society of Scotland, The Law Society of Northern Ireland or The Law Society of Ireland
SSubscriber means a person or organisation who pays monthly for access to the Workflow by ILAW software
Sub-Processor means another Data Processor engaged by ILAW to carry out processing activities in respect of Personal Data on behalf of the Subscriber
Term means the period from the installation date until the end of ILAW’s provision of the Workflow by ILAW software, including, if applicable, any period during which provision of the Workflow by ILAW software may be suspended and any post-termination period during which ILAW may continue providing the Workflow by ILAW software for transitional purposes
Terms and Conditions means the supply and support terms and conditions contained in the Agreement
Appendix 2: Subject Matter and Details of the Data Processing
Subject Matter
ILAW’s provision of the Workflow by ILAW software to The Subscriber.
Duration of the Processing
The Term plus the period from the expiry of the Term until deletion of all Data by ILAW in accordance with the Security Policy
Nature and Purpose of the Processing
ILAW will process Personal Data for the purposes of providing the Workflow by ILAW software to the Subscriber in accordance with this ISP
Categories of Data
Data relating to individuals provided to ILAW via the Workflow by ILAW software, by (or at the direction of) the Subscriber or by the Subscriber’s customer
Data Subjects
Data subjects include the individuals about whom data is provided to ILAW via the Services by (or at the direction of) the Subscriber or by the Subscriber’s customer
Appendix 3: Technical Measures
Data subjects include the individuals about whom Data is provided to ILAW via the Workflow by ILAW software by (or at the direction of) the Subscriber or by the Subscriber’s customer
Local & Network Firewalls
Web Application Firewalls
Intrusion Detection & Prevention Systems
Multivendor Anti-Virus
Application White Listing
DDoS Throttling Services
Access Control Lists
Security Patch Management
ITIL Framework (release/incident/change)
Identity and Access Management
Centralised Log Management
Symmetric and Asymmetric Encryption systems
Two Factor Authentication
Secure Code reviews
Separation of Duties
Data Loss Prevention
Vulnerability Assessment
Anomaly Detection
Externally commissioned penetration testing
Externally commissioned audits
Remote Monitoring & Alerting