Security Controls

In order to protect the data that is entrusted to us, Cloud Court utilizes a defense-in-depth approach to implement layers of administrative, technical, and physical security controls throughout our organization.

​

Cloud Hosting Provider

Cloud Court does not host product systems or data within corporate offices. Cloud Court’s product infrastructure resides in Microsoft’s data centers located in the United States. We place reliance on Microsoft’s audited security and compliance programs for the efficacy of their physical, environmental, and infrastructure security controls. Microsoft’s compliance documentation and audit reports are publicly available. You can obtain them directly from Microsoft’s Service Trust portal.

​

Cloud Court Employee Access to Customer Data

Cloud Court’s internal data stores and production infrastructure may only be accessed via Microsoft Entra (formerly Azure Active Directory) login portal. Cloud Court sets app and data access to require device validation and Multi-factor Authentication (MFA). User access is strictly controlled. Cloud Court employees and customers are granted access using a role based access control model. Day-to-day access is minimized to members of the Engineering team and persistent administrative access is restricted.

​

Development and Release Management

One of Cloud Court’s greatest advantages is a rapidly advancing feature set, and we optimize our products through a modern continuous delivery approach to software development. Code reviews, testing, and merge approval is performed before deployment. Static code analysis runs regularly against code repositories and blocks known misconfigurations from entering the code base. Approval is controlled by designated repository owners and once approved, code is submitted to Cloud Court’s app environment where compilation, packaging and unit testing occur. Newly developed code is first deployed to a dedicated and separate QA environment for the last stage of testing before being deployed to production. Network-level segmentation prevents unauthorized access between QA and production environments. All code deployments create archives of existing production code in case failures are detected by post deployment hooks. Major feature changes are communicated through in-app messages and/or product update posts.

​

Background Checks and Onboarding

Cloud Court employees in the USA undergo an extensive third party background check prior to formal employment offers. In particular, employment, education, and criminal checks are performed for potential employees. Outside of the USA, employment checks are performed. Reference verification is performed at the hiring manager's discretion. Upon hire, all employees must read and acknowledge Cloud Court’s Information Security Policy, which helps to define employee security responsibilities in protecting company assets and data.

 

Policy Management

To help keep all our employees on the same page with regard to protecting data, Cloud Court documents and maintains a number of written policies and procedures. Cloud Court maintains a core Information Security Policy, which covers a variety of topics such as data handling requirements, privacy considerations, and disciplinary actions for policy violations. Policies are reviewed and approved at least annually and stored on the company intranet. Policies requiring acknowledgment by employees are incorporated into mandatory annual training.

​

Security Awareness Training

We consider employees to be our first line of defense, and we ensure Cloud Court employees are trained for their roles. Cloud Court employees are required to complete security awareness training within 14 days of commencing employment, and training is made available annually thereafter. In addition to awareness training, Cloud Court keeps employees aware of recent security news or initiatives with internal enablement. Cloud Court conducts phishing awareness training at least annually and provides additional role-based training for certain roles.

​

Risk Management

Cloud Court has a documented Risk Management policy, continual risk assessments, and a formal risk register. Risk mitigation and remediation activities are tracked and reviewed at a designated cadence. Further detail on the risk assessment and risk management program can be found within the SOC 2 report (available upon request).

​

Vendor Management

We leverage a number of third party service providers to support the development of our product as well as internal operations. We maintain a vendor management program to ensure that appropriate security and privacy controls are in place. The program includes inventorying, tracking, and reviewing the security programs of the vendors who support Cloud Court. 

Appropriate safeguards are assessed relative to the service being provided and the type of data being exchanged. Ongoing compliance with expected protections is managed as part of our contractual relationship with them. Our Security, Legal, and Compliance team members coordinate with our business stakeholders as part of the vendor management review process.

​

Endpoint Protection

Company-issued laptops are centrally managed and are configured to, among other things, maintain full disk encryption. Endpoints are also protected by a market leading Endpoint Detection and Response (EDR) solution and we incorporate extensive automation into our detection and response capabilities, capitalizing on signaling from our robust security stack to create a highly integrated ecosystem that is continually optimized to detect anonymous behavior.

​

Incident Management

Many automated processes feed into our incident response process, including malicious activity or anomaly alerts, vendor alerts, customer requests, privacy events, and others. Our Security team reviews all security related incidents, either suspected or proven, and we coordinate with affected customers using the most appropriate means, depending on the nature of the incident.

​