Security

The cyber security landscape is changing every day and Filevine is well positioned to aid law firms and other professionals with best in class compliance, privacy and security programs to protect your data. We can help your business protect your customer's data from some of the most potentially damaging hacks today such as ransomware. 

We Take Security at Filevine Seriously

At Filevine, information security, privacy, and compliance are core values. We employ industry-leading security measures and regularly undergo audits to safeguard your sensitive legal data and meet the highest standards.

Curious about the specifics? Hear directly from our Chief Information Security Officer, Dean Sapp, as he explains the types of audits and frameworks Filevine completes to protect your information.

Continuous Security Efforts

Filevine is continuously working to improve our security posture. We conduct risk assessments, audits, privacy impact analysis, penetration testing, vulnerability scans, and many other security best practices. We have established an Information Security Committee with cross-functional executive representation that meets regularly. The Committee provides governance, risk, and compliance (GRC) oversight as part of our enterprise risk management program.

Audits

Filevine's dedicated compliance team conducts audits year-round to assess our company's security program effectiveness and to vet trusted partners. Audits include HIPAA, CJIS and ISO 27001 security controls in addition to NIST 800-53 controls. 

Penetration Testing

Filevine utilizes industry-recognized security experts to annually test the Filevine platform to ensure our websites, web applications, APIs, and related services are safe and secure.

Privacy Assessments

Filevine endeavors to comply with state, federal, and international privacy requirements. Filevine has appointed a Data Privacy/Data Protection Officer (DPO) to lead privacy efforts. Filevine has also established a Privacy Program including privacy by design initiatives.

Vulnerability Assessments

Filevine utilizes best-in-class enterprise grade vulnerability management tools to continuously detect code defects, missing patches, misconfiguration, and other system vulnerabilities.

Security Training

Filevine provides ongoing security awareness training to its workforce to keep pace with evolving cyber threats. We have implemented a best-in-class security awareness training platform, awareness programs, and monthly phishing campaigns for our employees.

Certifications

Filevine's Security Team members hold numerous industry-recognized security certifications for cloud, network, and wireless security, penetration testing, auditing, privacy, security program development, project management, compliance, and other related disciplines.

Backups

Filevine’s AWS infrastructure automatically backs up client data. These backups are redundant and performed in multiple availability zones and data centers in multiple AWS regions at least every 15 minutes. To provide an added layer of security, backup data is encrypted using AES 256 (which is FIPS 140-2 compliant) to protect it at rest.

Disaster Recovery / Business Continuity

A fire, flood or ransomware event can damage files or servers and may lead to lost productivity and billables. Regardless of what happens to your physical office, with an internet connection, you should be able to access your Filevine files and operate your practice remotely.

Incident Response

Filevine’s Security Team performs Incident Response (IR) and Security Operations Center (SOC) functions to identify and quickly respond to security incidents often preventing them from becoming serious security threats.

Our Team Certifications

Compliance

Filevine adheres to many compliance frameworks against which our systems are audited regularly.

CJIS compliance efforts:

Filevine performs regular audits and adheres to the CJIS security policy 5.9

HIPAA compliance efforts:

Filevine performs regular audits and adheres to the CJIS security policy 5.9

Download our HIPAA Opinion Letter 

SOC 2 Type II + HIPAA compliance efforts:

Filevine has retained external AICPA certified auditors to conduct our SOC 2 Type II audit including the DC 200 Description Criteria and the TSP 100 Trust Services Critieria for Security, Availability, Process Integrity, Confidentiality and Privacy.

Shared Assessments compliance efforts:

Filevine routinely completes Sig Lite Shared Assessments. If you require a Sig Lite to be completed, please request one from the Filevine Security Team.

Read more about Shared Assessments 

GDPR compliance efforts:

Filevine endeavors to comply with state, federal and international privacy requirements. Filevine has appointed a Data Privacy/Data Protection Officer (DPO) to lead privacy efforts.

CCPA/CPRA compliance efforts:

Filevine's Privacy Policy provides information on how we protect and manage customer data entrusted to us including specific requirements to meet CCPA compliance obligations.

Filevine privacy policy 

CIS 18 compliance efforts:

The CIS 18 security controls are designed to reduce the likelihood of a security breach. Filevine has aligned its security program with the CIS 18 security controls to reduce residual risk to the business.

CIS 18 information 

PCI compliance efforts:

Credit card payments are processed by Stripe, a PCI Data Security Standard (PCI DSS) Level 1 service provider. This is the most stringent level of certification available in the payments industry to ensure companies that process, store or transmit credit card information maintain a secure environment. See the Stripe security page to learn more.

Stripe security page 

Guidance We Follow

ABA compliance efforts:

Filevine performs regular audits and adheres to the CJIS security policy 5.9

Download our ABA 

ACC compliance efforts:

Filevine also enables safe and secure communication in alignment with the ACC's guidance on "Model Information Protection and Security Controls for Outside Counsel Processing Company confidential Information".

Download ACC guidance 

Where We’re Going

Filevine is continuously improving its security posture so we can meet rigorous compliance requirements in the future.

StateRAMP compliance efforts:

Filevine performs regular audits and adheres to the CJIS security policy 5.9

ISO/IEC 27001 compliance efforts:

Filevine in on the path towards implementing ISO/IEC 27001. The ISO 27001 standard is widely known, providing requirements for a robust information security management system (ISMS). Filevine is using our own platform as our ISMS and it is an effective platform for managing our written information security program (WISP).

ISO 27001 compliance information 

Why Filevine?

Third-Party Vendor Risk Management (3PVRM)

Filevine performs third-party vendor risk assessments whenever Filevine contracts with a third party. This process includes input from business stakeholders from the Legal, Finance, and Information Security teams. Vendor and supplier risk is managed with a best-in-class third-party risk management platform as well as using industry-standard security questionnaires, audit report reviews, and in-depth technical interviews.

Multiple Cloud Partners

Filevine products and services are built on best-in-class cloud environments leveraging the security and stability of AWS (security and compliance), GCP (security and compliance), and Microsoft Azure (security and compliance).

Data Encryption

Filevine encrypts customer data in transit and at rest. Filevine uses the AWS Key Management Service (KMS) to create and manage cryptographic keys for Filevine. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated as FIPS 140-2 compliant. More information here.

Two Factor Authentication (2FA)

Filevine administrative accounts utilize 2FA to provide an additional level of authentication, dramatically reducing the risk of hacking and data theft. 2FA is a combination of something you know, such as a password, and something you have, such as a soft token, hard token, or some other one-time password (OTP) technology such as Google authenticator.

Role-Based Access Control (RBAC)

RBAC allows Filevine administrators and firm administrators to easily manage access to their confidential information. Access is granted or restricted based on predefined job roles inside the organization. If an individual changes roles, their access changes as well. This makes it easier to authenticate, authorize, and audit access to systems and case data.

WAF and DDoS Protection

Filevine uses web application firewalls (WAF) and distributed denial of service (DDoS) protection to keep the platform safe and available.

Learn more about these services here AWS WAF and here AWS Shield

FAQ

Does Filevine have an Information Security Program?

Filevine has built an industry leading information security program that adheres to security frameworks such as the NIST CSF, CJIS and the CIS 18. Our program is documented in our written information security policies (WISP), procedures and operational security practices. We do not share copies of these documents but we do allow customers to review them under NDA.

Please provide your Software License Agreement / Support Agreement.

Visit our Terms and Conditions

Is the software cloud-based or on-premises?

Filevine is a cloud-based SaaS platform. Individuals are able to access the software in its entirety on any computer or smart device at almost any location, provided they have an internet connection using Chromium based browsers such as Edge and Google Chrome.

If cloud-based, do you manage the data center or a 3rd party?

Cloud-Based: Filevine contracts its own instances within SSAE 18 certified, private AWS, Microsoft Azure, and Google cloud platform. We do not operate or manage our own data centers.

Talk to one of our awesome reps and learn what we can do together

Get a Demo