########################################## Security and Reliability of Record Keeping ########################################## *********** Data Centre *********** All records are kept on our self-managed servers at the underground Xneelo Data Centre in Cape Town and Johannesburg who enforce very strict security measures with respect to geotechnical audits, surveillance, access control, fire prevention, power outages, etc. More information is here: https://xneelo.co.za/legal/security/ ******** Security ******** All access to the server is possible only via HTTPS and SSH both of which are encrypted connections using industry standards. Only our senior developers would have any access to these production servers. All of whom have over 20 years experience in security on Linux-based servers. All customer records are kept in their distinct databases and thus mitigates against the risk of cross-database data leaks due to potential bugs in the software. ******************** Redundancy & Backups ******************** We replicate all database traffic to a backup server, with an additional 7-day rotational backup of the database. Uploaded files are also backed up on a 7-day rotational basis. Access to the backup servers are the same as the production servers. ********** Monitoring ********** Audit logs of access to the servers are logged (both locally and remotely) and we have fail2ban software installed to help against brute-force password guessing attacks. We have various testing systems that run periodically to test the stability of the servers as well as any database anomalies. Third-Party Data Sharing Data is not shared with any third party without explicit opt-in from the user, and then only the minimum data is shared for an integration to function. For example, the Gmail calendar integration shares matter names, diary dates and diary entry descriptions, and does not divulge anything to Google that isn’t necessary for each diary appointment. The integration with E4 gives their system the same access as a bookkeeper user as it is is necessary for this integration to be able to query accounting transactions and post fees. In all cases third party access is granted explicitly to each firm database, there is no third party API key with access to multiple databases. ********** Weaknesses ********** By far the greatest know security risk is with the users themselves. Obtaining a username and password from an employee at the users workspace would allow someone access to the data. ******************************************** Operating System Security Updates & Firewall ******************************************** All our servers run Ubuntu Linux-based OS and security updates are applied regularly. Only a minimal set of secured ports are open to the public. Port 80 / HTTP is used only to issue redirect responses to Port 443 / HTTPS. **************** Retention Policy **************** We keep all records while the user is still a customer of LawPracticeZA and for 6 months after termination of their account. All records can be deleted upon request. Document Authored by: Edward van Kuik B.Sc. (Computer Science) UCT Updated: 2018-10-10 Updated: 2020-11-11