
Introduction

Practice League applications are cloud-hosted in state-of-the-art Microsoft Azure data centers that offer bank-grade security covering data center security, network security, host security, software security, application security, customer data security and personnel security.
Practice League has invested substantial time and money to ensure that your information is secure and private. Our security platform and processes rely on multiple levels of security, consisting of security systems and equipment combined with security procedures, practices and auditing processes, to ensure unparalleled security for all the services we provide. The platform addresses security at the following levels.

Data Security & Privacy highlights

1) All data is stored in a highly secure and certified data center on fast, fully redundant servers.
2) All systems are monitored 24x7x365 to ensure optimum performance and maximum security.
3) All data is transmitted with 256-bit SSL encryption.
4) All key data and documents are encrypted while stored.
5) The application provides a local data backup in Excel at any time you wish.
At the service level, we use multiple layers of security (physical and logical) to protect your data.

Physical Layer – Facility

Customer data is stored in SOC 2 / SSAE 16 certified Microsoft Azure datacenters that are geographically distributed while taking regional data location considerations into account. Our datacenters are built from the ground up to protect services and data from harm by natural disaster or unauthorized access. Datacenter access is restricted 24 hours a day by job function—with only customer application and services access given to essential personnel. Physical access control uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance, and two-factor authentication. The datacenters are monitored using motion sensors, video surveillance, and security breach alarms. In case of a natural disaster, security also includes automated fire prevention and extinguishing systems and seismically braced racks where necessary.
Our partnership with Microsoft Azure datacenters is the result of a comprehensive due diligence process. Security and stability are two of the most important variables in that process. Our due diligence also incorporates a measure of the proactiveness the datacenter demonstrates towards security. This is measured by evaluating past practices, certifications, assessment reports, audit reports, policies, customer case studies, and the amount of time the datacenter dedicates to security research and study.

Physical Layer – Network

Perimeter protection is implemented through controlled devices at the network edge and at points throughout the network. The overarching principle of our network security is to allow only the connections and communications necessary for systems to operate, blocking all other ports, protocols and connections. Access Control Lists (ACLs), implemented as tiered ACLs on routers, IPsec policies on hosts, firewall rules and host-based firewall rules, restrict network communication by protocol and port number. Edge router security provides the ability to detect intrusions and signs of vulnerability at the network layer. Networks within the datacenters are further segmented to provide physical separation of critical back-end servers and storage devices from the public-facing interfaces.

Logical Layer

The logical layer of security involves many controls and processes implemented to secure the host machines, the applications running on those hosts, and the administrators who perform work on those hosts and applications.

Automated Operations

Most operations performed on hosts and applications by administrators are automated so that human intervention is kept to a minimum, reducing the chance of an inconsistent configuration or of malicious activity.

Admin Access to Data

Administrator access to your data is strictly controlled. Core tenets of this process are role-based access and granting personnel the least privilege necessary to perform specific operations on the service. These tenets are followed whether the access is physical (i.e., to the datacenter or the servers) or logical.

Data Security & Privacy highlights

1) Personnel-level controls to ensure appropriate background checks and strict account management, so that only those essential to a task may perform it
2) Multiple resources with a maker-checker process
3) Role-based access control
4) Access for a limited amount of time
5) Just-in-time accounts with high-entropy passwords
6) Access to take specific actions based on the role
7) Auditing and review of all access
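The list above describes just-in-time, role-based, time-limited access with maker-checker approval and an audit trail. The following is an added example (not PracticeLeague's own code) that evaluates a privileged action against such a grant; the role names, actions and people are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample role model: each role maps to the specific actions it may take.
ROLE_ACTIONS = {
    "db-reader": {"db:read"},
    "db-operator": {"db:read", "db:restore"},
    "host-admin": {"host:restart", "host:patch"},
}


@dataclass
class AccessGrant:
    """A just-in-time grant: one role, for one user, for a limited time."""
    user: str
    role: str
    requested_by: str            # maker: the person who raised the request
    approved_by: Optional[str]   # checker: a second person who approved it
    granted_at: datetime
    ttl: timedelta

    def expires_at(self) -> datetime:
        return self.granted_at + self.ttl


@dataclass
class AccessAuditor:
    """Evaluates each privileged action against a grant and records the decision."""
    log: list = field(default_factory=list)

    def authorize(self, grant: AccessGrant, action: str, now: datetime) -> bool:
        reason = "allowed"
        if grant.approved_by is None:
            reason = "no checker approval"
        elif grant.approved_by == grant.requested_by:
            reason = "maker and checker must be different people"
        elif now >= grant.expires_at():
            reason = "grant expired"
        elif action not in ROLE_ACTIONS.get(grant.role, set()):
            reason = f"action not permitted for role {grant.role}"
        allowed = reason == "allowed"
        # Every decision, allowed or denied, is written to the audit trail.
        self.log.append({"time": now.isoformat(), "user": grant.user,
                         "action": action, "allowed": allowed, "reason": reason})
        return allowed


def demo() -> list:
    """Runs four checks on constructed grants and returns the audit entries."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    auditor = AccessAuditor()
    good = AccessGrant("alice", "db-operator", "alice", "bob", t0, timedelta(hours=2))
    auditor.authorize(good, "db:restore", t0 + timedelta(minutes=30))  # allowed
    auditor.authorize(good, "host:patch", t0 + timedelta(minutes=30))  # outside role
    auditor.authorize(good, "db:read", t0 + timedelta(hours=3))        # expired
    self_ok = AccessGrant("carol", "host-admin", "carol", "carol", t0, timedelta(hours=1))
    auditor.authorize(self_ok, "host:patch", t0)                        # self-approved
    return auditor.log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```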

Application Security

Each application is broken down into components such as the user interface, core API and backend database. Each layer of abstraction performs its own security checks in addition to the checks performed by the layer above it. All sensitive data is stored in encrypted form. Our engineering and development practices ensure the highest level of security for all application software.
Any third-party products or components go through comprehensive training and testing procedures in which all elements of such products are broken down and knowledge of their architecture and implementation is transferred to our team.
Other advanced security features offered by the product include the following.

Authentication Options

Apart from the standard PracticeLeague sign-in, clients can choose to implement Active Directory authentication, Office 365 authentication, or Single Sign-On (SSO) using Active Directory Federation Services and Security Assertion Markup Language (SAML).

Secure Credential Storage

PracticeLeague follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.

API Security & Authentication

PracticeLeague API is SSL-only and you must be a verified user to make API requests. You can authorize against the API using either basic authentication with your username and password, or with a username and API token. OAuth authentication is also supported.

Access Privileges & Roles

Access to data within PracticeLeague is governed by access rights and can be configured to define granular access privileges. PracticeLeague provides completely customizable user access control, which enables you to create roles and privileges as required by your firm or legal department.

Data Security & Privacy highlights

1) Highly configurable user-privilege settings
2) Safe and customizable client and user access
3) Temporary and restricted access for external users

IP Restrictions


Data Encryption

PracticeLeague has several cryptography and encryption features. Your content is encrypted at rest and in transit using strong encryption protocols and technologies, including Transport Layer Security/Secure Sockets Layer (TLS/SSL), Internet Protocol Security (IPsec), and the Advanced Encryption Standard (AES).

Encryption in Transit

All information travelling between your browser and Practice League is protected with 256-bit Secure Sockets Layer (SSL) encryption.

Encryption at Rest

We offer encryption at rest for stored documents and full daily backups. The encryption and keys are managed by Microsoft Storage. Transparent Data Encryption (TDE) encrypts an entire database in a way that is completely transparent to the applications accessing it. TDE encrypts the data stored in both the database's data file (.mdf) and log file (.ldf) using either Advanced Encryption Standard (AES) or Triple DES (3DES) encryption. In addition, any backups of the database are encrypted. This protects the data while it is at rest and also protects against losing sensitive information if a backup were lost or stolen.

Encryption of documents

All stored documents are encrypted using AES, and documents can be accessed only through the application. Further, during the contract management life cycle, users can share documents with others under additional security controls including on-the-fly passwords, custom watermarks, link expiration, and read-only documents or sections.

Field Level Encryption

We offer field-level encryption for key fields, including user credentials, database credentials and query strings.

API Security & Authentication

PracticeLeague uses Azure Key Vault for storing and accessing secrets, encryption keys and certificates. Encryption keys are safeguarded by Azure in the vault using industry-standard algorithms, key lengths, and hardware security modules (HSMs).
Azure Key Vault further enables complete key lifecycle management, including monitoring, rotation, rekeying and auditing. Key Vault itself integrates with storage accounts and with event and log analytics, and also manages SSL certificates issued by public CAs, including enrolment and renewal.
The PracticeLeague application securely accesses the information it needs through URIs, which allow it to retrieve a specific version of a secret or key. Authentication to the Key Vault is performed using the application's Managed Identity.
Customers can import their own keys into Azure Key Vault and manage them there. When the PracticeLeague application needs to perform cryptographic operations with a customer's keys, Key Vault performs these operations on the application's behalf; the application never sees the customer's keys.

Secure Development Practices

PracticeLeague's development practices are built on the Security Development Lifecycle (SDL) model, which helps developers build more secure software and address security compliance requirements. Through design requirements, attack surface analysis, and threat modeling, the SDL helps us predict, identify, and mitigate vulnerabilities and threats from before a service is launched and throughout its production lifecycle.

.Net Framework Security Controls

PracticeLeague utilizes .NET Framework security controls to limit exposure to the OWASP Top 10 security flaws. These include built-in controls that reduce our exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), among others.

Security Training

At least annually, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and security controls.

Quality Assurance

Our QA department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Separate Environments

Testing and staging environments are separated physically and logically from the Production environment. No actual Service Data is used in the development or test environments.

Privacy Policy

When you entrust your data to PracticeLeague, you remain the sole owner of the data you store in PracticeLeague. We maintain your privacy and operate our online services according to the following key principles:
1) We use your data only to provide you with the online services, including purposes compatible with providing those services.
2) If you ever choose to leave the service, you can take your data with you.
3) The application provides a local data backup in Excel at any time you wish.
In addition, we provide privacy controls that allow you to configure exactly who has access to what within your organization's data. Please refer to the Practice League Privacy Policy for more information.

System Hardening, Application of Updates, Bug Fixes and Security Patches

Our security team hardens the OS and makes sure all applications are patched and updated from time to time to address any bugs or exploitable flaws. All servers are registered for automatic updates to ensure that they always have the latest security patches installed and that any new vulnerabilities are rectified as soon as possible. The largest number of intrusions result from exploitation of known vulnerabilities, configuration errors, or virus attacks for which countermeasures are already available.
We fully understand the need for strong patch and update management processes. As operating systems and server software grow more complex, each new release brings its own security holes, and information and updates about new security threats are released on an almost daily basis. We have built consistent, repeatable processes and a reliable auditing and reporting framework to ensure that all our systems are always up to date.

Pre-Upgrade Testing Processes

Software upgrades are released frequently. While the development team follows its own testing procedures before releasing any upgrade, our system administration team documents an impact analysis for each software upgrade, and any upgrade perceived to carry high risk is first beta-tested in our labs before live deployment.

Audit/Logs for security events

Auditing provides information about use of the system, which can be critical in diagnosing potential or real security issues. The PracticeLeague auditing feature provides the chronological list of all the security events including the following:

Login History

You can review a list of successful and failed login attempts to your organization.

Record Creation and Modification Fields

All the major objects include fields to store the name of the user who created the record and who last modified the record.

Setup Audit Trail​

Administrators can also view the logs of modifications made to the organization's settings and configuration.
The details logged for each event may vary widely; however, the minimum information captured in the event log includes the following:
1) Timestamp
2) Event, status, and/or error codes
3) Application name
4) User account associated with the event
5) IP address
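The login history and the minimum event fields listed above are enough to detect password-guessing against the sign-in. The following added example (not part of the PracticeLeague product) parses constructed audit records carrying exactly those fields and flags source IPs with a burst of failed logins, plus any success from that IP shortly afterwards; the pipe-delimited record layout, event names and addresses are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample records: timestamp | event | status | application | user | source IP
SAMPLE_LOG = """\
2024-03-01T09:00:01Z|LOGIN|FAILED|PracticeLeague|alice|203.0.113.10
2024-03-01T09:00:07Z|LOGIN|FAILED|PracticeLeague|bob|203.0.113.10
2024-03-01T09:00:12Z|LOGIN|FAILED|PracticeLeague|carol|203.0.113.10
2024-03-01T09:00:20Z|LOGIN|FAILED|PracticeLeague|dave|203.0.113.10
2024-03-01T09:00:25Z|LOGIN|FAILED|PracticeLeague|erin|203.0.113.10
2024-03-01T09:00:31Z|LOGIN|SUCCESS|PracticeLeague|erin|203.0.113.10
2024-03-01T09:05:00Z|LOGIN|SUCCESS|PracticeLeague|alice|198.51.100.7
2024-03-01T09:06:00Z|SETUP_CHANGE|OK|PracticeLeague|alice|198.51.100.7
2024-03-01T09:10:00Z|LOGIN|FAILED|PracticeLeague|frank|198.51.100.9
"""


def parse(text: str) -> list:
    """Turn the pipe-delimited records into dicts with an aware UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, status, app, user, ip = line.split("|")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "event": event, "status": status,
                       "app": app, "user": user, "ip": ip})
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)) -> dict:
    """Map each source IP to its burst when >= threshold failed logins fall inside window."""
    recent = defaultdict(deque)   # ip -> (time, user) of failed logins still inside the window
    bursts = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event"] != "LOGIN" or e["status"] != "FAILED":
            continue
        q = recent[e["ip"]]
        q.append((e["time"], e["user"]))
        while q and e["time"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            bursts[e["ip"]] = {"failed": len(q), "users": sorted({u for _, u in q}),
                               "first": q[0][0], "last": q[-1][0]}
    return bursts


def success_after_burst(events, bursts, grace=timedelta(minutes=5)) -> list:
    """Successful logins from a bursting IP soon after its burst: a likely guessed password."""
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        b = bursts.get(e["ip"])
        if (b and e["event"] == "LOGIN" and e["status"] == "SUCCESS"
                and b["last"] <= e["time"] <= b["last"] + grace):
            hits.append((e["ip"], e["user"], e["time"].isoformat()))
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    found = failed_login_bursts(evts)
    print(found)
    print(success_after_burst(evts, found))
```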

Data Deletion/Purging

Customer data privacy is one of our key commitments for the cloud. At PracticeLeague contract termination or expiration, we provide 60 days for your administrators to confirm all data migration has been completed. After completion of 60 days your data will be destroyed to make it commercially unrecoverable. Further, we provide guidelines to your administrators to personally destroy your data if that is preferred.

Data Backup, Protection

We understand that data is the lifeblood of a company, and we have therefore implemented solid solutions that allow you to protect your data in the unfortunate event of software malfunction, system failure, or loss of data due to hacking, viruses and the like. All data is backed up daily and can be restored quickly in case of a disaster, with no major interruption.
Client data is automatically backed up multiple times a day, and a full backup of everything, including the operating system, documents, client data, user data, Practice League software and the complete database, is taken every day. All backup files are stored at our primary datacenter and replicated to other geographically redundant datacenters to protect against disaster scenarios. All critical elements of the data are stored in encrypted form within the database, and database backups are encrypted with Transparent Data Encryption (TDE).

Business Continuity and Disaster Recovery Program/RPO/RTO

PracticeLeague’s Business Continuity and Disaster Recovery Program ensures resiliency, recoverability and contingency from significant business disruption, such as local or regional events like a natural disaster, fire, power outage, acts of malice, and technical or infrastructure disruption. Business Continuity and Disaster Recovery focuses on ensuring PracticeLeague’s critical business functions and technologies will continue to operate despite a significant disruption that might otherwise have caused an interruption, or will be recovered to an operational state within a reasonably short period.
Practice League is hosted on Microsoft Azure Platform and incorporates a very robust security/redundancy policy covering all aspects of physical and logical security of data, business continuity, security, confidentiality and disaster recovery offered by the platform. Please refer to Microsoft Azure Trust Center for more details: https://www.microsoft.com/enus/trustcenter/cloudservices/azure.

For clients on the Microsoft Azure cloud platform, an additional level of redundancy and recoverability is offered through the Recovery feature.

At the Azure data center, our servers are assigned to a secondary location that holds a real-time replica of their data and dedicated redundant capacity. The primary and secondary sites are located in two geographically separate data centers. In the event of a disaster, this allows PracticeLeague to restore the services to their original state.

In addition to our standard data backup practices, replication of the data to a secondary location reduces the chance of data loss. Because of the real-time replication, we are able to maintain a targeted Recovery Point Objective (RPO) of 4 hours from the point of impact. RPO is defined as the amount of data loss one is potentially prepared and willing to accept in the worst case.
Microsoft Azure's quick server provisioning, combined with the ready data snapshot available in the Azure secondary location, enables us to restore the original state quickly. For clients with this Enhanced Feature we offer a targeted Recovery Time Objective (RTO) of 8 hours after a disaster is declared. RTO is defined as the time available to recover disrupted systems and resources (systems recovery time).

Security Configuration Management

Secure configuration management is the technical implementation and maintenance of security policy on systems, applications and network devices. PracticeLeague has implemented several distinct disciplines, including configuration management planning, configuration identification, configuration control, configuration status reporting, and configuration assessment and remediation.

Security Incident Event Management and Incident response

Our Security Incident Event Management system gathers extensive logs from important network devices and host systems. In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Periodic Security Scans

Frequent checks are run using enterprise grade security software to determine if any servers have any known vulnerabilities. The servers are scanned against the most comprehensive and up-to-date databases of known vulnerabilities. This enables us to proactively protect our servers from attacks and ensure business continuity by identifying security holes or vulnerabilities before an attack occurs.

Security Audit Process

In a vast deployment of globally distributed servers, audit processes are required to ensure process replication and discipline. Are all servers being patched regularly? Are the backup scripts running all the time? Are offsite backups being rotated as desired? Are appropriate reference checks being performed on all personnel? Is the security equipment sending out timely alerts? These and many similar questions are regularly verified in an out-of-band process involving investigation, surveys, ethical hacking attempts, interviews and so on. Our audit mechanisms alert us to a weakness in our security processes before it is discovered by external users.

Personnel Security

The weakest link in the security chain is always the system administrators, engineers and development staff, essentially anyone with privileged access to the system. Our Complete Security Approach attempts to minimize the security risk brought on by the "human factor". Information is divulged only on a need-to-know basis, and authorization expires when the requirement does. Further, our team never asks for or stores any of your information. Personnel are coached specifically in security measures and in the criticality of observing them.
Every employee with administrator privileges on any of our servers goes through a comprehensive background check, including address, education and employment verification. All new hires are screened through the hiring process and are required to sign non-disclosure and confidentiality agreements.
Preventing breaches also involves automatically deleting unnecessary accounts when an employee leaves, changes groups, or does not use the account before it expires. Wherever possible, human intervention is replaced by an automated, tool-based process, including routine functions such as deployment, debugging, diagnostic collection, and restarting services.