While the digitalization of legal documents is undoubtedly a boon in terms of efficiency, many professionals have their reservations about its security.
The question is, after all, a sensible one: is it, in fact, safe to store sensitive documents such as company contracts in the Cloud? Here are a few questions worth considering if you want to ensure that your contract data are safe and sound in the Cloud.
What is the Cloud?
Nowadays, countless digital services are accessible through what is known as "the Cloud". Quite simply, this refers to any service that is available online and accessible via an Internet connection. The Cloud is the opposite of local software, which users install on their own computers.
Legal tech tools, along with a number of business tools such as CRMs, are often hosted in the Cloud. This operating model is also referred to as "SaaS", which stands for "Software as a Service".
The benefits and risks of the Cloud
The popularity of Cloud-based software has grown in leaps and bounds, which is unsurprising given its many advantages. Most notably:
- it requires no complex installation procedures, as all the installation is already done on the service provider's end: companies that wish to subscribe usually only need to create an account to get started;
- the Cloud provides access to data from any device and any location, which greatly facilitates remote working (be it working from home or employees spread over multiple locations);
- document sharing and collaboration are easier than ever before: those endless email chains where crucial details can get lost in the noise are a thing of the past!
Finally, these tools are generally very simple to use, with user-friendly interfaces that require no advanced technical skills. The aim is for as many collaborators as possible to be able to use them in their day-to-day work without running into any difficulties.
That said, like any technology, the Cloud is not without its risks. The most common concern raised by companies is the security of their data: if they are not stored on my personal computer, how can I be sure that they are well protected?
First of all, one key feature of databases in the Cloud is that they are configurable: companies have no obligation to grant all their employees the same access rights. As such, data protection is largely a matter of the choices you make! It is also worth noting that SaaS technologies are bound by increasingly stringent security standards.
At any rate, before selecting a Cloud-based software solution to store and manage your contracts, it is worth asking yourself a few important questions.
Five questions to consider to keep your contract data safe in the Cloud
#1 - Is the infrastructure secure?
The infrastructure in this case refers to the framework or "skeleton" of an information system: this includes the server, the network, the software used, and, of course, the databases. Solid data security is founded on the security of your SaaS software's infrastructure. With this in mind, you can ask your partner:
- if there is an intrusion prevention system in operation on their network;
- if they have implemented anti-flooding measures to keep the network from being overwhelmed by traffic;
- if the architecture itself is multitier - in other words, executed by multiple components, thus isolating the data and reducing the risk of leaks.
All of the above are key elements when it comes to determining a Cloud-based service's resistance to a possible attack. They also help give you an idea of the risks of data leaks or loss.
#2 - How are backups made?
Backups are crucial when it comes to protecting your data. Backing up simply involves creating regular copies of your contract data so that you have an emergency copy in the event of data being mishandled, altered or lost entirely.
With this in mind, before committing to any legal tech solution, it is important to find out what its data backup and recovery policy is. The idea is to be able to retrieve your data in their original state, before they were lost or corrupted. We generally advise checking two factors:
- RTO, or recovery time objective (how long it takes to return to normal service after a data-related incident)
- RPO, or recovery point objective (the specifics of the backup cycle or frequency).
#3 - Are the data encrypted?
Encryption is the process of converting data from a readable format into an encrypted format, using a key. Encrypting the data must be complemented by protection at the protocol level, which prevents malicious individuals from reading the data as they flow between your computers and the SaaS software itself. For example, at DiliTrust, this security is provided by the TLS 1.2 (Transport Layer Security) protocol.
As for the encryption of the data themselves, it allows for your contract data to remain unreadable and totally unusable, even in the event of a leak. At DiliTrust, we ensure that all data are encrypted at every stage of their circulation, protecting them by using keys that are specific to each document. The encryption key management service is hosted on a separate infrastructure, offering an additional layer of security.
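The per-document key scheme described above can be sketched as follows. This is an added example, not DiliTrust's implementation: it assumes the third-party Python `cryptography` package, and the names `KeyService`, `StoredDoc`, `encrypt_document`, `decrypt_document` and `leak_is_unreadable` are hypothetical.

```python
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

class KeyService:
    """Stand-in for a key-management service hosted on separate infrastructure.
    Only this object ever holds the master key (hypothetical class)."""

    def __init__(self):
        self._master = AESGCM(AESGCM.generate_key(bit_length=256))

    def wrap(self, doc_id: str, doc_key: bytes) -> bytes:
        nonce = os.urandom(12)  # the document ID is bound in as associated data
        return nonce + self._master.encrypt(nonce, doc_key, doc_id.encode())

    def unwrap(self, doc_id: str, wrapped: bytes) -> bytes:
        return self._master.decrypt(wrapped[:12], wrapped[12:], doc_id.encode())

@dataclass
class StoredDoc:
    """Everything the document store keeps: no plaintext and no usable key."""
    doc_id: str
    wrapped_key: bytes
    ciphertext: bytes

def encrypt_document(kms: KeyService, doc_id: str, contract: bytes) -> StoredDoc:
    doc_key = AESGCM.generate_key(bit_length=256)  # fresh key, used for this document only
    nonce = os.urandom(12)
    body = nonce + AESGCM(doc_key).encrypt(nonce, contract, doc_id.encode())
    return StoredDoc(doc_id, kms.wrap(doc_id, doc_key), body)

def decrypt_document(kms: KeyService, doc: StoredDoc) -> bytes:
    doc_key = kms.unwrap(doc.doc_id, doc.wrapped_key)  # needs the key service
    body = doc.ciphertext
    return AESGCM(doc_key).decrypt(body[:12], body[12:], doc.doc_id.encode())

def leak_is_unreadable(doc: StoredDoc) -> bool:
    """True if a party holding only the stored record (no master key) cannot read it."""
    try:
        decrypt_document(KeyService(), doc)  # a different, attacker-side key service
    except InvalidTag:
        return True
    return False

if __name__ == "__main__":
    kms = KeyService()
    doc = encrypt_document(kms, "contract-001", b"constructed sample contract text")
    print(decrypt_document(kms, doc), leak_is_unreadable(doc))
```

Because each document has its own key and that key is stored only in wrapped form, a copy of the document store is unusable without the key service, and a wrapped key moved onto another document's record fails authentication.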
#4 - How will I manage access rights?
The security built into your contract management tool alone is not enough to protect your data. Without perfectly watertight management of access rights to your documents, the latter remain vulnerable to attack.
For optimal protection of your contract database, the key principle is to compartmentalize access rights so that no employee has access to documents they do not need. It is always preferable to start off a little too strict about access rights and then gradually extend them on a case-by-case basis to suit your changing needs!
Like most Cloud-based software, DiliTrust allows for highly refined management of access permissions, both by team and by user. These rights can be applied at all stages of the contract lifecycle, from initial generation to ongoing monitoring.
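The compartmentalized, start-strict model described in this section can be expressed as a default-deny check plus a periodic access review. This is an added example, not DiliTrust's permission model: the `Grant` structure, the stage, team and folder names, and the register of documented needs are all hypothetical.

```python
from dataclasses import dataclass

ALL_STAGES = frozenset({"generation", "negotiation", "signature", "monitoring"})

@dataclass(frozen=True)
class Grant:
    subject: str       # "team:<name>" or "user:<name>"
    folder: str        # contract folder the grant covers
    stages: frozenset  # lifecycle stages the grant covers
    action: str        # "read" or "edit" (edit implies read)

def is_allowed(user, teams, folder, stage, action, grants):
    """Default deny: allow only if a grant names this user or one of their teams."""
    subjects = {f"user:{user}"} | {f"team:{t}" for t in teams}
    return any(
        g.subject in subjects and g.folder == folder and stage in g.stages
        and (g.action == action or (g.action == "edit" and action == "read"))
        for g in grants
    )

def unjustified(grants, needs):
    """Access review: grants with no entry in the register of documented needs."""
    return [g for g in grants if (g.subject, g.folder) not in needs]

# Constructed sample policy, starting strict.
GRANTS = [
    Grant("team:legal", "supplier-contracts", ALL_STAGES, "edit"),
    Grant("team:procurement", "supplier-contracts",
          frozenset({"signature", "monitoring"}), "read"),
    # Case-by-case extension for one user rather than a whole team.
    Grant("user:dana", "hr-contracts", frozenset({"monitoring"}), "read"),
    # Left over from an old project: the review below should surface it.
    Grant("team:sales", "hr-contracts", frozenset({"signature"}), "read"),
]
NEEDS = {
    ("team:legal", "supplier-contracts"),
    ("team:procurement", "supplier-contracts"),
    ("user:dana", "hr-contracts"),
}

if __name__ == "__main__":
    print(is_allowed("dana", ["procurement"], "supplier-contracts",
                     "generation", "read", GRANTS))
    print(unjustified(GRANTS, NEEDS))
```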
#5 - How does my software partner organize their operations?
Finally, we also recommend looking into how your software partner operates: how do they organize their day-to-day functions to ensure the security of the tool? More specifically, this question boils down to:
- how frequently audits are performed;
- whether the appropriate certifications have been obtained;
- the company's operational practices.
The more regular and comprehensive a publisher's audits, and the more up-to-date they are in terms of penetration testing, the greater the guarantee is that their software solutions will be secure. Of course, this does not mean you should not be carrying out your own audits!