Security Addendum

This Security Addendum is incorporated into and made a part of the written agreement between Litera and Customer that references this document (the “Agreement”), and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern. This Security Addendum sets forth the security controls and standards maintained by Litera (the “Security Program”). Litera regularly tests and evaluates its Security Program, and may review and update its Security Program as well as this Security Addendum, provided, however, that such updates shall be designed to enhance and not materially diminish the Security Program.

Litera Corporate Security Controls

Administrative Controls 

  • Dedicated Information Security Team. Litera’s Security Program is managed by a dedicated team of information security professionals, led by the Global Head of Security. 

  • Security Policy. Litera maintains a written security policy based on industry standards and in compliance with applicable data protection laws (“Data Protection Laws”), which is reviewed and updated annually and made available to all Litera personnel.

  • Background Checks. Excluding those employees who joined through acquisition, where reasonably practicable and appropriate, as part of the employment/recruitment process, Litera shall perform screening/background checks on employees (which shall vary from country to country based on local laws and regulations) who are hired after January 1, 2020, where such employees will have access to Customer’s networks, systems, or facilities.  

  • Security Awareness Training. Litera maintains a documented security awareness training program for its personnel, including new hire and ongoing training conducted annually. 

  • Code of Conduct; Confidentiality Agreements; Information Security Policy. Litera personnel are required to acknowledge and agree to several policies and agreements that require employees to maintain the confidentiality of Customer Data and follow security processes related to Customer Data, including the Litera Code of Conduct, employee confidentiality agreements and the Litera Information Security Policy. 

  • Litera Risk Management & Threat Assessment. Litera has a documented risk management process. Litera’s Information Governance Committee meets regularly to review reports and material changes in the threat environment, identify potential control deficiencies and make recommendations for new or improved controls and threat mitigation strategies.

  • External Threat Intelligence Monitoring. Litera reviews external threat intelligence feeds, including US-Cert vulnerability announcements, critical vendor security advisories and other trusted sources of vulnerability and threat information. 

  • Vendor Risk Management. Litera evaluates vendors that process Customer Data or are part of Litera’s solutions, to ensure they maintain security measures consistent with Litera’s obligations in this Security Addendum and in compliance with Data Protection Laws.

Incident Detection and Response

  • Incident Response Plan. Litera maintains a documented incident response plan, which includes incident reporting, response, roles and responsibilities, prioritization, escalation, and remediation. The plan is tested and updated periodically.

  • Security Incident Reporting. If Litera becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident”), Litera shall notify Customer without undue delay, and in any case, within 72 hours after determining a Security Incident has impacted or will impact the Customer Data.

  • Investigation. In the event of a Security Incident, Litera shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Any logs determined to be relevant to a Security Incident shall be preserved for at least one year.

  • Communication and Collaboration. Litera shall provide Customer timely information about the Security Incident to the extent known to Litera, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Litera to mitigate or contain the Security Incident, the status of Litera’s investigation, and a contact point to obtain additional information.

  • Cyber Insurance. Litera maintains a Cyber/Technology Errors & Omissions Liability insurance policy with a Policy Holder Alphabetic Category Rating of not less than "A-" and Financial Size Category Rating of not less than "VII" according to the latest edition of A.M. Best's Key Rating Guide.

  • Litera Corporate Office Physical & Environmental Controls. Litera’s technical, administrative, and physical controls for its corporate offices covered by Litera’s ISO 27001 certification include, but are not limited to: 

    • Physical access to the corporate office is controlled at ingress points; 

    • Badge access is required for all personnel and badge privileges are reviewed regularly;

    • Visitors are required to sign in; 

    • CCTV covers building ingress points; 

    • Fire detection and protection systems; and 

    • Climate control systems. 

  • Litera System Security. 

    • Malware and Vulnerability Protection. Litera laptops, desktops and production servers are protected with auto-updating anti-malware protection and vulnerability monitoring. Email, including links and attachments in emails, is scanned for malware before being delivered.

    • Disk Encryption. Litera laptop hard drives are encrypted. 

    • Patching. Security patches are reviewed and deployed automatically at least monthly. 

    • Secure Disposal. Litera follows a documented process for the secure disposal of assets which store data. 

    • Multi-factor Authentication. Remote access to Litera networks requires multi-factor authentication. 

  • Secure Software Development. 

    • Security is part of the entire software development lifecycle. 

    • Development systems are separate from production systems.

    • Customer Data is not transmitted to or stored on development systems. 

    • Application security testing is built into the software development pipeline.

    • A source code control system is utilized that authenticates and logs the person associated with all changes to the software or custom code baseline and all related configuration and build files.

    • Source code is backed up and protected.

Cloud Security Controls and Safeguards

  • Security Responsibilities. Litera provides its software either (i) on an on-premises basis, whereby the software is installed on Customer’s computers, or (ii) as a hosted service, whereby Litera utilizes infrastructure-as-a-service cloud providers and/or secure colocation facilities to provide Customers access to the Litera software (the “Cloud Environment”). With respect to Litera on-premises software, which is installed on Customer’s computers, the Customer is responsible for maintaining the security of Customer’s computers, including all patching, access controls, firewalls, physical security, backups and encryption. When Litera software is provided via a Cloud Environment, Litera is responsible for maintaining the security controls and safeguards described below. Litera maintains a comprehensive documented security program under which Litera implements and maintains physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the software and Customer Data. 

  • Litera Audits and Certifications.

    • Reports by independent third-party auditors are made available to Customer upon request. 

  • Hosting Location of Customer Data. Litera uses subservice organizations whose controls are assessed via ISO 27001 and SOC 2 audits as well as other internationally recognized compliance standards to ensure they are suitably designed and operated to comply with Litera’s security requirements. 

  • Encryption.

    • Encryption at Rest. Customer Data residing in the Cloud Environment is encrypted at rest using AES-256.

    • Encryption Key Management. All cryptographic keys are protected from unauthorized disclosure or use. 

      • Encryption keys are created in compliance with the then current industry standard strength recommendations.

      • Any key that becomes weak due to outdated algorithms or is suspected of compromise is retired and/or rotated with an updated key.

      • Certificates are utilized to encrypt keys used to encrypt data.

    • Encryption in Transit. Secure data transmission protocols using TLS 1.2 and above are used to encrypt confidential data when transmitted over public networks.

  • System and Network Security.

    • Access Controls. All Litera personnel access to the Cloud Environment is via a unique user ID with a complex password and multi-factor authentication. Access to systems and data is provided to individuals when required to perform their job functions and is consistent with the principle of least privilege.

    • Separation of Environments. Litera logically separates production environments from development and testing environments. The Cloud Environment is both logically and physically separate from Litera corporate offices and networks. 

    • Change Management. Litera maintains a documented change management program for its software.

    • Firewalls/Security Groups. Litera’s Cloud Environment uses industry standard firewall or security groups technology with deny-all default policies to permit only business-required network traffic protocols and to protect systems from untrusted networks.  

    • Personnel Access Reviews & Separation. Litera reviews the access privileges of its personnel to the Cloud Environment at least quarterly and removes access on a timely basis for all separated personnel. 

    • Hardening. The Cloud Environment is hardened using industry-standard practices to protect it from vulnerabilities, including by changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regular patching as described in this Security Addendum.

    • Patching. Security patches are reviewed and applied to systems on a regular basis in accordance with established policies and standards.

    • Monitoring & Logging. Monitoring tools and services are utilized to log specific activities and changes within the Cloud Environment. These logs are further monitored and analyzed for anomalies when necessary. The logs are securely stored to prevent tampering.

    • Endpoint Protection. The Cloud Environment leverages auto-updating threat detection tools to monitor for and provide protection from suspicious activities and malware (collectively, “Malicious Activity”) on in-scope endpoints. Litera does not monitor Customer Data for Malicious Activity.

    • Vulnerability Management. Systems in the Cloud Environment are automatically evaluated for vulnerabilities, which are then prioritized for remediation based on their potential impact to Litera software.

    • Penetration Testing. Litera engages one or more independent third parties to conduct penetration tests of selected software at least annually. Upon Customer’s written request, Litera shall provide Customer an executive summary of any such penetration test.

  • Cloud Data Center Physical & Environmental Controls. To ensure the Cloud Environment has appropriate physical and environmental controls for the data centers hosting the software, Litera regularly reviews Cloud Environment security controls audited by independent third parties under their audits and certifications. Each Cloud Environment provider has a SOC 2 Type II annual audit and ISO 27001 certification, or an industry-recognized equivalent framework. Such controls include, but are not limited to, the following:

    • Physical access to the facilities and physical systems is controlled; 

    • Physical access privileges are reviewed regularly; 

    • Visitors are required to present ID and sign in; 

    • CCTV covers all ingress points; 

    • Fire detection and protection systems; 

    • Power back-up and redundancy systems; 

    • Climate control systems; and 

    • Established NIST 800-88 compliant processes for decommissioning hardware assets. 

  • Deletion of Customer Data by Litera. Subject to applicable provisions of the Agreement, upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement, Litera promptly deletes any remaining Customer Data. 

  • Business Continuity and Disaster Recovery. Automated backup systems perform scheduled backups of production databases and systems. For the software that Litera maintains, a business continuity and disaster recovery plan is in place to ensure the resumption of time-sensitive operations and services in the event of a disastrous event that causes a significant business interruption. The business continuity and disaster recovery plans contain detailed responsibilities and specific tasks for emergency response activities and business resumption operations based upon pre-defined time frames. The plan is reviewed and tested on an annual basis to validate that documented procedures are appropriate and to ensure that personnel understand the plan and the role that they play in executing the plan.

  • Customer Audit Rights. Upon written request and at no additional cost to Customer, Litera shall provide Customer, and/or its appropriately qualified third-party representative (collectively, the “Auditor”), access to reasonably requested documentation evidencing Litera’s compliance with its obligations under this Security Addendum in the form of, as applicable and where available, (i) Litera’s ISO 27001 certification, (ii) Litera’s Security Whitepaper, (iii) Litera’s Security FAQ, (iv) Litera’s most recently completed Shared Assessments Standardized Information Gathering (SIG) Questionnaire or Cloud Security Alliance CAIQ, and (v) the most recent penetration test summary report for the relevant Software (“Audit Reports”).