LegalTech information security checklist

Ensuring that legal software meets information security standards is critical to any procurement decision. This checklist will help you move through the Q&A stage as quickly as possible.


How do you ensure your legal and company information is kept securely, and that appropriate measures are taken to protect against data loss? This 8-point information security checklist will help you get some immediate comfort from your cloud-based legal matter software provider before making a purchasing or 'try before you buy' decision.

1. Where is the data stored? e.g. onshore / offshore?

Some organizations have policies to keep data - particularly data about their clients - onshore, or in the same jurisdiction as their head office. Knowing where your data is stored lets you assess adherence to data sovereignty and privacy regulation. Most providers now build on cloud platforms such as Amazon S3 or Google Cloud, which let the provider choose the region in which data is stored, so ask for the specific region(s) rather than the platform name alone. Ask the same question about backups and replicas, which are sometimes copied to a different region from the live data.

2. Who is your data host? e.g. AWS, Microsoft Azure

A reputable data host satisfies a very wide range of information security requirements, particularly around architecture, physical infrastructure, network firewalls and redundancy. Bear in mind that the host secures the underlying infrastructure only; how the provider configures and operates its own systems on that infrastructure (access controls, storage permissions, patching) remains the provider's responsibility, which is why the remaining questions matter.

3. Do you undertake regular independent application penetration testing?

Whilst a good data host is important, the application itself should also be built to ensure high levels of security. The best way to test this is with regular, independent penetration testing by a reputable firm specialising in this work. Penetration testing lets the provider find and fix potential problems before they are exploited by a malicious attacker, and repeating it verifies that earlier remediation efforts were effective. It should be performed at least once or twice a year, and ideally after any major change to the application. Ask to see a summary of the most recent report (or a letter of attestation from the testing firm) and the status of any findings, rather than taking "yes" at face value.


4. Is our data encrypted?

Encryption at rest and in transit should be standard in the application. Encryption at rest protects your data if the underlying storage is stolen or exposed - disks, database backups, snapshots - by keeping it encrypted while stored. Note that it does not protect against an attacker who compromises the running application, because the application must hold the keys to operate, so it is worth asking who manages those keys and how access to them is controlled. Encryption in transit (normally TLS) protects your data if communications are intercepted while data moves across the internet or a network; this should apply to the connection between your browser and the application and to connections between the provider's own components.

5. Will your staff have access to our data?

It's sometimes necessary for your legal matter management software provider to have access to your data, to provide you with the service you require. However, you should understand how this access is gained, whether it is restricted to the staff and the situations that need it (for example, support access granted only for a specific case and for a limited time), whether an audit history is kept of access to the data, and the policies and processes which govern that access.

6. What is the information security training schedule for staff?

It's useful to understand whether your legal matter management software provider has built a culture of protecting client data. Staff should have a regular and thorough training schedule, so they are reminded of policies and processes and kept up to date on developments in information security and cybersecurity best practice. Security awareness training matters because it helps employees understand the potential risks and threats, including phishing, and how to prevent breaches.

7. Do you have a data breach policy?

Even the largest companies get breached. Ensuring that your legal matter management software provider has given careful consideration to what it will do in such an event means that, in the unlikely but unfortunate circumstance in which it occurs, protection of your data and communication of the risks and the steps being taken are the #1 priority. Ask how quickly you will be notified, since you may have your own regulatory notification obligations that start running from when you become aware of a breach.

8. Do you have a disaster recovery policy?

Losing data is one thing; losing access to an entire matter management system is the next step up, and can be crippling if you have come to rely on technical tools to conduct business. If your matter management system goes down, be sure that your provider has a cloud-based disaster recovery solution in place to minimize downtime and data loss in case of a system failure, and that they are able to bring it back to full operation as quickly as possible. Two concrete figures to ask for are the recovery time objective (how long an outage may last) and the recovery point objective (how much recent data could be lost), together with when restoration from backup was last actually tested.

This checklist covers LegalTech information security questions only. A more comprehensive look at IT questions can be seen in this blog post - 10 questions to ask before you go to your CIO.

If you are getting started on building a legal technology roadmap for your in-house legal department, download the white paper and template to help you get started.

The best legal matter management software with world-class security

Xakia takes your security seriously. Xakia is certified as compliant with ISO/IEC 27001:2013. To learn more about our security, get in touch with the friendly team today or get a demo to see our legal matter management software in action.
