External security policy

ART. 1 - Definitions

In this security policy, the following terms, whether singular or plural, shall have the meanings outlined below:

GDPR (General Data Protection Regulation)
Regulation 2016/679 of the European Parliament and Council of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

Application Programming Interface ('API')
An interface that allows the Platform to exchange data with software, a program, or a component provided by a third-party service provider;

End User
A user within the Client's organization who, based on a usage right, has their own account on the Platform;

Data Protection Impact Assessment (DPIA)
The process carried out in accordance with Article 35.7 of the GDPR by the Data Controller whenever a data processing is likely to result in high risks to the rights and freedoms of natural persons, in which the processing of personal data is described, the necessity and proportionality of the processing is assessed, and the associated risks to the rights and freedoms of individuals are managed;

Data
Client data and personal data that are necessary for the operation of the Platform;

Data Breach
Any security incident that compromises the confidentiality, integrity, or availability of personal data and may lead to the destruction, loss, alteration, unauthorized disclosure, or unauthorized access to transmitted, stored, or otherwise processed data;

Hash, Hashing, Hashed
A cryptographic technique in which an arbitrary amount of data is converted into a unique string via an algorithm;

Client
The office, legal entity, or sole proprietorship, as stated in the special conditions, with whom LawCloud enters into an agreement;

Client Data
All content, materials, and data entered, managed, and stored by the Client and its authorized End Users in the Platform, as well as all content, materials, and data derived from them (secondary data);

Personal Data
Any information relating to an identified or identifiable natural person (“Data Subject”), as defined in Article 4(1) of the GDPR;

Profiling
Any form of automated processing of personal data in which certain personal aspects of a natural person are evaluated, including the analysis or prediction of aspects related to their professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;

Pseudonymization
Any processing of personal data in such a way that the personal data can no longer be attributed to a data subject without the use of additional data, provided that such additional data is kept separately and technical and organizational measures are taken to ensure that the personal data cannot be attributed to an identified or identifiable natural person;

Salt, Salting, Salted
A cryptographic technique in which random data is used as additional input for a one-way function that hashes data, a password, or passphrase in order to protect stored passwords;

Subprocessor
Any subcontractor of LawCloud that processes certain personal data on behalf of LawCloud;

Processor
A natural or legal person, a public authority, agency, or another body that processes personal data on behalf of the Data Controller;

Processing
An operation or set of operations performed on personal data or a set of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, updating or altering, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction of data;

Processing Controller
A natural or legal person, a public authority, agency, or another body that, alone or jointly with others, determines the purposes and means of the processing of personal data; when the purposes and means of processing are determined by Union or Member State law, the controller or the criteria for its designation may be specified therein.

ART. 2 - Objectives and Roles

2.1. In this security policy (hereinafter the "Policy"), we, LawCloud BV, with its registered office at Amerikalei 122, 2000 Antwerp, and registered in the Crossroads Bank for Enterprises under number 0680.741.644 (hereinafter "we" or "LawCloud"), explain to the Client the appropriate technical and organizational measures we take to ensure the security of the SaaS LawCloud management package (hereinafter the "Platform") that we provide to the Client in accordance with the signed general and specific terms and conditions.

2.2. The Client acknowledges and accepts that information security is a shared responsibility between us, as the provider of the Platform, and the Client, along with its authorized End Users. LawCloud acts solely as the Processor of the Personal Data that the Client and its authorized End Users enter, manage, and store in the Platform. The Client will, at its own responsibility, take the necessary security measures to avoid cyber incidents of any kind, including, but not limited to, any loss, destruction, or unavailability of Data.

2.3. LawCloud hereby grants the Client explicit permission to use this Policy if necessary to carry out a Data Protection Impact Assessment (hereinafter "DPIA") for the processing activities carried out via the Platform. LawCloud will assist the Client as the Processor in the execution of the DPIA by providing the necessary information to the Client.

ART. 3 - Processing Activities

3.1. General Description
The Platform is a "web-based" application hosted "in the cloud." The Client is provided with the ability to access the Platform via the provided accounts from any location with a suitable internet connection. The purpose of using the Platform is to facilitate and digitalize the daily activities of the Client as a lawyer/law firm. Processing activities such as entering, managing, storing, and retaining Data are an essential part of this. Using the Platform, the Client and its End Users can create, manage, and track cases entirely online.

The Personal Data that can be Processed through the Platform is outlined in Article 4 of this Policy. The list provided in this Article 4 is merely indicative, with the understanding that Personal Data obtained by the Client and/or their authorized End Users through derived data are not included. Any Processing of Data is done at the initiative and under the responsibility of the Client, in accordance with the terms of the data processing agreement between the Client and LawCloud.

3.2 Third-Party Services
LawCloud utilizes services from trusted third parties that are offered alongside the Platform, including:

Name of third-party service provider — Type of service provided

  • Amazon Web Services (AWS) — Application environment hosting
  • OVH — Hosting of the migration environment
  • Microsoft Azure Hosting — PDF conversion
  • MariaDB skySQL Hosting — Database cluster
  • skySQL Hosting
  • Team.blue (TransIP) — Domain hosting


The general terms and conditions of these service providers can be consulted here:


3.3 APIs
LawCloud hereby expressly agrees to allow the Client to integrate third-party software and services into the Platform via connections (whether or not via APIs) provided by LawCloud. However, LawCloud provides no guarantees, nor can it or its affiliated companies and/or representatives be held liable and/or responsible for any adverse consequences of any kind, including as a result of Processing activities and/or cyber incidents arising from the use of such software and/or APIs. It is also the sole responsibility of the Client, as the Data Controller, to ensure that any Processing (if applicable) complies with the relevant legislation.

ART. 4 - Categories of Personal Data that may be Processed on the Platform

4.1. The Client, as the Data Controller, will determine which categories of Personal Data will be processed by the Platform, how long the Personal Data will be retained, and when it will be deleted.

4.2. The following Personal Data may be processed on the Platform by the Client, including but not limited to:

Functional data category — Types of Personal Data

  • Personal Identification Data — Name, title
  • Contact Information — Address, phone/cell number
  • Financial transactions — Amounts recorded in a file, amounts to be paid, amounts paid, payment overview, account numbers
  • Professional Activities — Professional activities of a person included in a file
  • Contracts and Settlements — Legal agreements and settlements
  • Personal Details — Age, gender, date of birth, place of birth, marital status, nationality
  • Family Composition — Marital status, identification data of family members
  • Judicial Data — Judicial data concerning allegations, convictions and penalties, legal measures, administrative sanctions, legal proceedings
  • National Identification Number — National Identification Number
  • Results of Legally Required Investigations — Results of customer due diligence investigation, results of UBO check (Ultimate Beneficial Owner)
  • Image Recordings — Camera footage, photographic images, video recordings, digital photos
  • Sound Recordings — Tape recordings, phone recordings
  • Special Categories of Personal Data — Personal data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health data, data related to someone's sexual behavior or sexual orientation
  • Other — Client data entered by the Client or an End User

ART. 5 - Security Measures on the Platform

5.1. Security Measures Taken by LawCloud
As the Data Processor of Personal Data on the Platform, LawCloud has implemented appropriate technical and organizational security measures in accordance with Article 32 of the GDPR.

LawCloud has taken the following organizational security measures:

  • Every person who processes Personal Data on the Platform for LawCloud is subject to a contractual confidentiality obligation, and persons who are not subject to such confidentiality obligations are not allowed to process Personal Data.
  • Assignment of specific access rights for LawCloud employees on a "need to know" basis.
  • Management of the software and hardware used for the Platform in a register.
  • Management of changes in the software and hardware used for the Platform.
  • Closing of necessary agreements with Sub-processors of the Platform.
  • Regular training and education of LawCloud employees in data protection and security procedures for the Platform.
  • Annual security audit by a certified LawCloud partner.
  • Appointment of a Chief Technology Officer responsible for the implementation of the security measures taken.

LawCloud has taken the following technical security measures:

  • Use of basic infrastructure and software components for the protection of the information systems used on the Platform, such as firewalls, anti-malware protection, and virus scans.
  • Access control and authentication with complex passwords.
  • Regular full backups of the software used for the Platform.
  • Encryption of data transmitted over the internet.
  • Passwords are always stored with Salt and Hashing.
  • Prevention of unauthorized access to Data via the LawCloud access-rights system.
  • Offering multi-factor authentication to End Users and the ability for the Client to enforce it at the office level.
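The "Salt and Hashing" measure above (see the definitions of Hash and Salt in Art. 1), illustrated with an added Python example that is not LawCloud's own code; the PBKDF2 work factor, salt length and record format are assumptions chosen for illustration. It shows why a fresh random salt per password matters and how verification recomputes the hash and compares it in constant time.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example (not LawCloud's actual configuration).
SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor: slows offline guessing if records ever leak
SALT_BYTES = 16        # 128-bit random salt, unique per stored password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: scheme$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn per password, so two End Users with the same
    password get different records and one precomputed table cannot crack both.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then compare
    in constant time so timing differences do not reveal how many bytes matched."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    except ValueError:  # malformed record: wrong field count, bad hex or bad int
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "wrong password"))                # False
    # Same password, different salt: different record on disk.
    print(hash_password("same") != hash_password("same"))           # True
```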


5.2. Security of the Used Servers
Data security is a priority for LawCloud. All LawCloud employees are aware of the most common techniques used to attack web applications so they can secure the Platform optimally. In addition to the security measures provided by the service providers for the servers used for the Platform, LawCloud takes the following additional security measures for the servers:

  • LawCloud employees follow the “best security practices” of OWASP (https://www.owasp.org) and AWS.
  • All servers are continuously monitored for anomalies by an automated monitoring system. Detected deviations are reported via SMS so that the team can intervene immediately.
  • All servers are regularly updated with prioritized treatment of security updates.
  • News about discovered vulnerabilities in the software we use for the Platform is systematically followed up to ensure appropriate action is taken immediately.
  • All servers are isolated from the internet and can only be accessed via a VPN connection, with additional private key authentication.
  • The Platform is only accessible via the AWS load balancer.
  • HTTP traffic is always encrypted with SSL/TLS (HTTPS).
  • SSL/TLS termination occurs on the AWS load balancers.
  • All application file storage is encrypted and only accessible via the internal LawCloud network.
  • Communication with the database servers is only possible over the internal network.
  • Data flow to and from the used databases is encrypted with SSL/TLS.
  • Only application servers have direct but limited access to the database servers.
  • At-rest database storage is encrypted.


5.3. Best Practices by the Client
In addition to the security measures taken by LawCloud in 5.1 and 5.2, the Client can take additional organizational and technical security measures as best practices when using the Platform, including:

  • Adopting an access policy based on the "need to know" principle.
  • Implementing a password policy requiring strong passwords for End Users.
  • Enabling multi-factor authentication provided by LawCloud for End Users.
  • Training End Users in the fundamental principles of cybersecurity.
  • Implementing anti-malware software, firewalls, and virus scanners.
  • Using a cloud access security broker.

ART. 6 - Location of Personal Data Processed on the Platform

All Personal Data stored on the Platform is kept on servers located within the European Union.

ART. 7 - Responsible Disclosure

LawCloud places great importance on the security of its Platform. Despite the security measures taken by LawCloud on the Platform, vulnerabilities may still exist. If the Client discovers a vulnerability in the Platform, LawCloud requests that it be reported so that the security measures can be adjusted or additional measures can be implemented.

7.1. Reporting a Vulnerability
If the Client discovers a vulnerability, LawCloud requests that the Client report it as soon as possible after discovery.
The Client can report the findings by creating a ticket in the help center and selecting the subject ‘Bug or Issue.’ LawCloud asks for sufficient information to reproduce the vulnerability and resolve it as quickly as possible. The Client may attach any relevant documents or images to support the description of the vulnerability.

7.2. Client's Obligations
Upon discovering a vulnerability, the Client shall refrain from the following actions:

  • Disclosing the vulnerability publicly until LawCloud has had the opportunity to correct it.
  • Misusing the vulnerability to unnecessarily copy, delete, modify, view, or download more data than required to demonstrate the vulnerability.
  • Introducing malware into the Platform.
  • Making changes to the Platform.
  • Repeatedly accessing the Platform or sharing access with third parties.
  • Using automated scanning tools.
  • Engaging in brute-force access attempts to the Platform.
  • Performing attacks on physical security, denial-of-service attacks, social engineering, spam, or third-party applications.
  • Performing any action that may impact the proper functioning of the Platform, including but not limited to availability and performance, and the confidentiality and integrity of data within the Platform.

The Client shall immediately delete any data obtained through the vulnerability after reporting it to LawCloud.

7.3. LawCloud's Obligations
LawCloud will indemnify the Client, subject to any legal exceptions and under the same terms outlined for its liability in Article 15 of the General Terms and Conditions of the Agreement, against any form of liability arising from the discovery of the vulnerability in the Platform.
LawCloud will treat the vulnerability report from the Client confidentially and will not disclose any Personal Data of the Client and/or End User without their consent, unless required to comply with a legal obligation on LawCloud.

ART. 8 - Version Control and Changes

LawCloud may amend this Policy at any time and will communicate the new version on its own initiative to the Client, provided that its confidential nature is guaranteed at all times. LawCloud may amend, remove, and add new security measures included in the Policy.