Company and Solutions
Cloud Court is a LegalTech software company that delivers solutions to help litigation teams leverage and optimize testimony to save time and improve outcomes. Our products are offered as Software-as-a-Service (SaaS) solutions. These solutions are available to customers through purpose-built web applications.
Our primary security focus is to safeguard our customers’ data. To this end, Cloud Court has invested in the appropriate controls to protect and service our customers. This investment includes the implementation of dedicated Product, Infrastructure, and Security programs. Our Security team is responsible for Cloud Court’s comprehensive security program, partnering with our compliance and legal functional owners to manage the governance process. Our Chief Technology Officer oversees the implementation of security safeguards across the enterprise.
Our Security and Compliance Objectives
We have developed our security framework using best practices for the SaaS industry. Our controls governing the availability, confidentiality, and security of customer data meet or exceed the Security SOC 2 Trust Service Criteria established by the American Institute of Certified Public Accountants (AICPA).
SOC 2 Compliance
SOC 2 Type I Compliant
Cloud Court has completed a full third-party SOC 2 Type I audit. An independent auditor has evaluated our product, infrastructure, and policies, and certifies that Cloud Court complies with their stringent requirements for compliance. Cloud Court will undergo rigorous SOC 2 Type II audits on an annual basis to attest to the controls that we have in place governing the security, availability, and confidentiality of customer data and Cloud Court products. These controls map to Trust Services Criteria (TSCs) established by the American Institute of Certified Public Accountants (AICPA). Our SOC 2 Type I report is available upon request.
Request a copy of our SOC 2 Type I independent auditor’s report.
In order to protect the data that is entrusted to us, Cloud Court utilizes a defense-in-depth approach to implement layers of administrative, technical, and physical security controls throughout our organization.
Cloud Hosting Provider
Cloud Court does not host product systems or data within corporate offices. Cloud Court’s product infrastructure resides in Microsoft’s data centers located in the United States. We place reliance on Microsoft’s audited security and compliance programs for the efficacy of their physical, environmental, and infrastructure security controls. Microsoft’s compliance documentation and audit reports are publicly available. You can obtain them directly from Microsoft’s Service Trust portal.
Cloud Court Employee Access to Customer Data
Cloud Court’s internal data stores and production infrastructure may only be accessed via Microsoft Entra (formerly Azure Active Directory) login portal. Cloud Court sets app and data access to require device validation and Multi-factor Authentication (MFA). User access is strictly controlled. Cloud Court employees and customers are granted access using a role based access control model. Day-to-day access is minimized to members of the Engineering team and persistent administrative access is restricted.
Development and Release Management
One of Cloud Court’s greatest advantages is a rapidly advancing feature set, and we optimize our products through a modern continuous delivery approach to software development. Code reviews, testing, and merge approval is performed before deployment. Static code analysis runs regularly against code repositories and blocks known misconfigurations from entering the code base. Approval is controlled by designated repository owners and once approved, code is submitted to Cloud Court’s app environment where compilation, packaging and unit testing occur. Newly developed code is first deployed to a dedicated and separate QA environment for the last stage of testing before being deployed to production. Network-level segmentation prevents unauthorized access between QA and production environments. All code deployments create archives of existing production code in case failures are detected by post deployment hooks. Major feature changes are communicated through in-app messages and/or product update posts.
Background Checks and Onboarding
Cloud Court employees in the USA undergo an extensive third party background check prior to formal employment offers. In particular, employment, education, and criminal checks are performed for potential employees. Outside of the USA, employment checks are performed. Reference verification is performed at the hiring manager's discretion. Upon hire, all employees must read and acknowledge Cloud Court’s Information Security Policy, which helps to define employee security responsibilities in protecting company assets and data.
To help keep all our employees on the same page with regard to protecting data, Cloud Court documents and maintains a number of written policies and procedures. Cloud Court maintains a core Information Security Policy, which covers a variety of topics such as data handling requirements, privacy considerations, and disciplinary actions for policy violations. Policies are reviewed and approved at least annually and stored on the company intranet. Policies requiring acknowledgment by employees are incorporated into mandatory annual training.
Security Awareness Training
We consider employees to be our first line of defense, and we ensure Cloud Court employees are trained for their roles. Cloud Court employees are required to complete security awareness training within 14 days of commencing employment, and training is made available annually thereafter. In addition to awareness training, Cloud Court keeps employees aware of recent security news or initiatives with internal enablement. Cloud Court conducts phishing awareness training at least annually and provides additional role-based training for certain roles.
Cloud Court has a documented Risk Management policy, continual risk assessments, and a formal risk register. Risk mitigation and remediation activities are tracked and reviewed at a designated cadence. Further detail on the risk assessment and risk management program can be found within the SOC 2 report (available upon request).
We leverage a number of third party service providers to support the development of our product as well as internal operations. We maintain a vendor management program to ensure that appropriate security and privacy controls are in place. The program includes inventorying, tracking, and reviewing the security programs of the vendors who support Cloud Court.
Appropriate safeguards are assessed relative to the service being provided and the type of data being exchanged. Ongoing compliance with expected protections is managed as part of our contractual relationship with them. Our Security, Legal, and Compliance team members coordinate with our business stakeholders as part of the vendor management review process.
Company-issued laptops are centrally managed and are configured to, among other things, maintain full disk encryption. Endpoints are also protected by a market leading Endpoint Detection and Response (EDR) solution and we incorporate extensive automation into our detection and response capabilities, capitalizing on signaling from our robust security stack to create a highly integrated ecosystem that is continually optimized to detect anonymous behavior.
Many automated processes feed into our incident response process, including malicious activity or anomaly alerts, vendor alerts, customer requests, privacy events, and others. Our Security team reviews all security related incidents, either suspected or proven, and we coordinate with affected customers using the most appropriate means, depending on the nature of the incident.