LawPracticeZA Data Protection and Privacy Policies

We are committed to the security and privacy of our customers' data. This Privacy Policy explains our commitment to safeguarding our customers’ data and serves as our agreement with our customers about our data handling practices. This policy lists the types of data we collect, explains how we use and protect that data, and discloses our key procedures surrounding privacy.

This privacy policy is a binding agreement between you and LawPracticeZA. By accessing LawPracticeZA, you signify that you agree with the terms of this Privacy Policy. We may change this Privacy Policy from time to time by posting a new version here, and the new version will become effective immediately.

The privacy of our customers is important to us. Therefore:

Product-Related Information Collection

We collect certain information in connection with your use of LawPracticeZA.

Upon subscribing to our services, we collect Business Information, which includes your firm's contact details necessary for invoicing your clients, and user details, including users' email addresses.

When using LawPracticeZA, we store information relating to your clients and matters, your billing and the firm's financial information, captured by the firm's personnel, on our servers, which are housed in a secure data centre. For details on Security and Reliability of Record Keeping, access the document here.

Cookies

We use Cookies to provide access to LawPracticeZA. Cookies are not designed to retrieve personal or business data from your hard drive, your email, or any other personal information.

Most browsers are initially set to accept Cookies, but users can change the setting to refuse Cookies or to be alerted when Cookies are being sent. You will need to accept Cookies in order to access LawPracticeZA.

Business Transfers

In the event that LawPracticeZA is bought or sold, Business Information will likely be included among the transferred business assets, but such information remains subject to this Privacy Policy or a Privacy Policy substantially similar to this Privacy Policy.

We may change this Privacy Policy at any time by posting the then current policy to the Sites. Your use of the Sites constitutes acceptance of the provisions of this Privacy Policy and your continued use of LawPracticeZA after such changes are posted constitutes acceptance of each revised Privacy Policy.

Security and Reliability

Data Centre

All records are kept on our self-managed servers at the Xneelo Data Centres in Cape Town and Johannesburg, which enforce very strict security measures with respect to geotechnical audits, surveillance, access control, fire prevention, power outages, etc. More information is here: https://xneelo.co.za/legal/security/

Encrypted Data Transmission

All access to the server is possible only via HTTPS and SSH, both of which are encrypted connections using industry standards. Only our senior developers have any access to these production servers, all of whom have over 20 years' experience in security on Linux-based servers. All customer records are kept in their own distinct databases, which mitigates the risk of cross-database data leaks due to potential bugs in the software.

Redundancy & Backups

We replicate all database traffic to a backup server, with an additional 7-day rotational backup of the database. Uploaded files are also backed up on a 7-day rotational basis. The security controls on the backup servers are as stringent as those on the production servers.

In addition, a complete server backup is performed to external storage in encrypted format. Access to the keys to decrypt the information is controlled as stringently as access to the production servers.

Employee and Sub-contractor Confidentiality & Consent

All employees have consented to uphold and enforce these safeguards.

We have no interns.

Suppliers

Processes are underway to receive the information from our suppliers.

Monitoring

Access to the servers is recorded in audit logs (both locally and remotely) and we have intrusion detection and rejection software installed to help protect against brute-force password guessing attacks. We have various testing systems that run periodically to test the stability of the servers as well as to check for any database anomalies.

Third-Party Data Sharing

Data is not shared with any third party without explicit opt-in from the user, and then only the minimum data is shared for an integration to function. For example, the Gmail calendar integration shares matter names, diary dates and diary entry descriptions, and does not divulge anything to Google that isn’t necessary for each diary appointment. The integration with E4 gives their system the same access as a bookkeeper user, as it is necessary for this integration to be able to query accounting transactions and post fees. In all cases third party access is granted explicitly to each firm database; there is no third party API key with access to multiple databases.

Known weaknesses and regular assessments and updates to security

The senior development team convenes monthly to reconsider and re-assess the current security measures.

By far the greatest known security risk is with the users themselves. Obtaining a username and password from an employee at the user's workspace would allow someone access to the data.

Operating System Security Updates & Firewall

All our servers run an Ubuntu Linux-based OS and security updates are applied regularly. Only a minimal set of secured ports is open to the public. Port 80 / HTTP is used only to issue redirect responses to Port 443 / HTTPS.

Retention Policy

We keep all records while the user is still a customer of LawPracticeZA and for 6 months after termination of their account. All records can be deleted upon request.

Breaches

We use honeypot techniques and subtle data pollution techniques to try to assess if, when or how a breach has taken place. Should a breach be found to have taken place, notification will be provided as soon as reasonably possible after the discovery of the compromise is made, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the Responsible Party's information system.

Document Authored by: Edward van Kuik B.Sc. (Computer Science) UCT