Security enhanced

Discover the security features in place to protect your account

General notes (non CISO)

Below are general notes for readers who are not IT security professionals
 

Is Legiscope secure?

The short answer is yes: we implement numerous security measures to protect the platform and your account.

Is my account data backed up?

Yes. We take two backups of all your data every day, in addition to the general backup measures already in place.

Is my data protected?

Yes, we implement important security measures to ensure the confidentiality, integrity, availability and resilience of your data.

Where is my data located?

We have two data centers: one located in France and the other in Ireland.

Why is data located in two data centers?

To ensure the best possible protection of your data, we planned for the possibility that a data center may be destroyed (e.g. earthquake, nuclear accident, ...). To avoid losses, it is standard practice to duplicate data in a second site that is geographically distant from the first.

Does Legiscope comply with GDPR?

Yes, of course! Legiscope is used by many lawyers, DPOs and IT security experts who would immediately point out the slightest non-compliance to us. You can count on us, as well as on our users, to make sure we remain fully compliant.

Can I have more information about security?

Yes, you can read the ITSEC section below, written for CISOs, for the technical details.

Can I export my data?

Sure! You can export all your data easily; read our general FAQ for details on how to do that.

 

ITSEC notes (for CISO)

Below are precise security answers for IT security professionals,
so you get an idea of the real maturity of the solution in terms of ITSec.
 

Authentication

What authentication means do you use for your internal staff (developers, administrators, DBAs, etc.)?

Without going into too much detail, internal access to the platform is protected by hardware MFA, AND IP address restrictions, AND a strong password policy (above the CNIL requirements), AND of course restricted permissions.

If I create an account on Legiscope, what will be the authentication requirements for my users?

Users must create a password that complies with the requirements of the CNIL (the French data protection authority).

Do you have a mechanism to block brute force attacks?

Yes

Are the passwords hashed?

Yes, hashed and salted.
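The two answers above (brute-force blocking, salted hashing) describe the mechanisms but not how they fit together. The following is an added illustration and not Legiscope's own code: a salted, memory-hard password hash (scrypt from the Python standard library) with constant-time verification, plus a per-user failed-login throttle. The scrypt cost parameters, the lockout threshold and the lockout window are assumptions for the example, not the platform's settings.

```python
"""Salted password hashing plus a failed-login throttle (added example)."""
import hashlib
import hmac
import secrets
import time

# Assumed cost parameters: 2**14 * 8 * 128 bytes = 16 MiB per hash, tens of ms.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32
MAX_FAILURES = 5            # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window


def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$salt_hex$hash_hex'.

    A fresh 128-bit random salt per user means two users with the same
    password get different records and precomputed tables are useless.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    algo, n, r, p, salt_hex, hash_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


class LoginThrottle:
    """Lock a user after MAX_FAILURES failures inside LOCKOUT_SECONDS.

    State is in memory for the demo; a real deployment shares it across
    instances (e.g. a datastore) and throttles per source IP as well.
    """

    def __init__(self, now=time.time):
        self._failures = {}   # user -> list of failure timestamps
        self._now = now       # injectable clock so the behaviour is testable

    def _recent_failures(self, user: str) -> list:
        cutoff = self._now() - LOCKOUT_SECONDS
        recent = [t for t in self._failures.get(user, []) if t > cutoff]
        self._failures[user] = recent
        return recent

    def is_locked(self, user: str) -> bool:
        return len(self._recent_failures(user)) >= MAX_FAILURES

    def attempt(self, user: str, password: str, record: str) -> str:
        """Return 'locked', 'ok' or 'bad'.

        A locked user is rejected before the hash is computed, so an attacker
        cannot burn server CPU on scrypt while locked out.
        """
        if self.is_locked(user):
            return "locked"
        if verify_password(password, record):
            self._failures.pop(user, None)
            return "ok"
        self._failures.setdefault(user, []).append(self._now())
        return "bad"


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    throttle = LoginThrottle()
    for guess in ["password", "123456", "letmein", "qwerty", "admin", "correct horse battery staple"]:
        print(guess, "->", throttle.attempt("alice", guess, rec))
```

Note that the sixth attempt above is rejected with "locked" even though the password is right; the legitimate user has to wait for the window to expire (or go through an out-of-band reset), which is the intended trade-off of a lockout-based brute-force control.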

Is there a password policy implemented?

Yes, of course, based on the CNIL requirements.

Can the platform's password policy be adapted for our account?

No

Is there an authorization model for users of our Legiscope account?

Yes. When you create an account, the admin has an extended authorization model for granting access rights to each user and building fine-grained permissions. For example, you can restrict a user, or a group of users, to read-only access to the records of processing of a specific organization.

Can I change the permissions model for our Legiscope users?

You can define very specific and detailed access permissions for each user or group in your account, depending on your needs.

Logs

Internally, do you log the actions performed by Legiscope administrators?

Yes, we keep extensive logs for security purposes, fraud prevention, and the detection of internal and external attacks.

Is there centralized log management (infrastructure & application)?

Yes

Vulns

Do you authorize security audits and intrusion tests on the platform?

Yes; it is an obligation imposed by Article 28 of the GDPR. If this matters to you, CONTACT US FIRST, because audits are subject to a specific contract.

Is there a commitment to perform remediation of detected vulnerabilities?

In fact this is also a legal obligation imposed by the GDPR (Articles 28 and 32), so you do not need a specific commitment: the law already imposes it. If a vulnerability is discovered in our software, we take measures to patch it as quickly as we can.

What would be the deadlines for patching a vulnerability?

We commonly perform multiple deployments per day as part of normal operations. If a vulnerability is discovered, our infrastructure is already set up to push a fix quickly.

General security

Do you have a firewall to protect Legiscope.com?

Yes

An IDS?

Yes

A WAF ?

Yes

Protection against DDoS?

Yes

Protection against XSS, and more generally against the OWASP Top 10?

Yes, we have extensive tooling for that.

SQL injection protection mechanisms?

Yes

Developments

Do you apply a security approach in your developments?

Yes, we have taken a very strong security approach since day one to ensure the best possible security for the platform.

Could you give us a real example of your investment in terms of IT security?

Our CEO dismissed the entire development team during the first version of Legiscope in 2017 because the application had not been built with enough security. The source code developed by that team over eight months was abandoned as a result, and the platform was redeveloped from scratch.

An example of a security feature you implemented?

When you upload a file to Legiscope.com, the file name is systematically checked and rewritten to remove any risk of attacks carried through file names. More generally, we analyzed a variety of possible attack vectors and implemented countermeasures accordingly.
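The answer above names the technique (check and rewrite the uploaded file name) without showing it. Below is an added example of what such a sanitizer typically does; it is not Legiscope's implementation. The allowed-extension list, the length limit and the upload directory are assumptions for the illustration. The attacks it neutralizes are the usual file-name ones: path traversal through "../" or "..\", embedded NUL bytes, hidden or dot files, double extensions, and reserved Windows device names; the second function shows the stronger pattern of never using the user-supplied name for the on-disk path at all.

```python
"""Sanitize an uploaded file name before it touches the file system (added example)."""
import os
import re
import secrets
import unicodedata

ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "png", "jpg", "csv"}  # assumption
MAX_STEM_LEN = 64                                                   # assumption
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")
# Reserved device names on Windows; "CON.pdf" is not a regular file there.
_RESERVED = {"con", "prn", "aux", "nul",
             *(f"com{i}" for i in range(1, 10)), *(f"lpt{i}" for i in range(1, 10))}


def sanitize_filename(name: str) -> str:
    """Return a safe file name, or raise ValueError if nothing safe remains."""
    # 1. Keep only the last path component, whatever separator the client used.
    name = name.replace("\\", "/").split("/")[-1]
    # 2. Normalize Unicode so look-alike/compatibility characters are canonical.
    name = unicodedata.normalize("NFKC", name)
    # 3. Drop NUL and other control characters (defeats "x.php\x00.jpg" tricks).
    name = "".join(ch for ch in name if ch.isprintable() and ch != "\x00")
    # 4. Replace anything outside a conservative allow-list with '_'.
    name = _UNSAFE.sub("_", name)
    # 5. No leading dots: no hidden files and no "..", and nothing empty.
    name = name.lstrip(".")
    if not name:
        raise ValueError("empty file name after sanitization")
    # 6. Exactly one extension, checked against the allow-list.
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        raise ValueError("missing extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext}")
    stem = stem.replace(".", "_")          # "shell.php.jpg" -> "shell_php.jpg"
    if stem.lower() in _RESERVED:
        stem += "_file"
    return f"{stem[:MAX_STEM_LEN]}.{ext}"


def storage_path(upload_dir: str, original_name: str):
    """Store under a random name; keep the sanitized original only as metadata.

    Returns (path on disk, display name). Because the on-disk name is never
    derived from user input, a bug in the sanitizer cannot escape upload_dir.
    """
    display = sanitize_filename(original_name)
    ext = display.rsplit(".", 1)[1]
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    # Defensive invariant: the file must live directly inside upload_dir.
    if os.path.dirname(os.path.abspath(path)) != os.path.abspath(upload_dir):
        raise RuntimeError("storage path escaped the upload directory")
    return path, display


if __name__ == "__main__":
    for sample in ["../../etc/passwd", "..\\..\\Q1 report.PDF", "shell.php\x00.jpg",
                   ".htaccess", "CON.pdf", "notes.csv"]:
        try:
            print(repr(sample), "->", sanitize_filename(sample))
        except ValueError as err:
            print(repr(sample), "-> rejected:", err)
```

The extension allow-list is deliberately an allow-list rather than a deny-list; a deny-list of "dangerous" extensions is always incomplete. The sanitized name is what you show back to the user and write to the database; the random name is what you pass to the file system.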

Architecture

Is the Legiscope application secure?

We have spent a considerable amount of time on IT security. For example, we have a specific security policy for each function in our application. Yes, you read that correctly: we built a specific security policy for each and every function in the application.

Do you have a separation between production and dev environments?

Yes. Without going into details, we have several development environments that are totally separate and compartmentalized.

Do you have DevOps processes?

Yes, we have a CI/CD pipeline that validates the application and performs its automated deployment. In practice we have very high test coverage. In 2022 we ran an external audit for a full month; at the end of it, only 2 bugs had been found.

Do you have DevSecOps processes?

Yes. A large number of security tests run during each deployment to check the security of the platform, and then continuously afterwards.

Data

Is there a mechanism to ensure the integrity of the logs?

Yes, it is an essential element.
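Neither this answer nor the earlier one on administrator logging says how integrity is enforced. As an added illustration of one standard mechanism (not Legiscope's own), the block below keeps an application log as a hash chain: each entry carries the hash of the previous one and is sealed with an HMAC, so editing, reordering or deleting an entry is detectable by anyone holding the key. The key is a constant here for the sake of the example; in a real deployment it comes from a KMS or HSM, and the latest hash is periodically exported to a separate system so that truncating the tail of the log is also detectable.

```python
"""Tamper-evident hash-chained log sealed with HMAC-SHA256 (added example)."""
import hashlib
import hmac
import json

SEAL_KEY = b"demo-only-seal-key"   # assumption: load from a KMS/HSM in production
GENESIS = "0" * 64                 # hash "of" the entry before the first one


def _seal(seq: int, prev: str, event: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) keyed-hashed with the seal key."""
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hmac.new(SEAL_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()


def append_entry(chain: list, event: dict) -> dict:
    """Append an event; its hash commits to the whole history before it."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "event": event, "hash": _seal(seq, prev, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, anchor: str = None) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry.

    Detects modified events (HMAC mismatch), deleted or reordered entries
    (seq/prev mismatch) and, when `anchor` is the last hash recorded
    out-of-band, truncation of the tail (reported as index len(chain)).
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev:
            return i
        if not hmac.compare_digest(_seal(e["seq"], e["prev"], e["event"]), e["hash"]):
            return i
        prev = e["hash"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return len(chain)
    return -1


if __name__ == "__main__":
    # Constructed sample events; not real log data.
    log = []
    for action in ("login", "export_records", "delete_user"):
        append_entry(log, {"admin": "alice", "action": action})
    print("intact:", verify_chain(log))
    log[1]["event"]["action"] = "read_records"          # an insider edits history
    print("first tampered entry:", verify_chain(log))
```

Keyed hashing (HMAC) rather than a plain hash chain is what stops an attacker with write access to the log store from simply recomputing the chain after editing it; without the key, consistent re-sealing is impossible. The anchor check covers the one thing a chain alone cannot: silently dropping the newest entries.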

What means do you apply for data protection?

End-to-end encryption of data in transit, encryption at rest of all data (database, files, ...), extended backups, and authentication and authorization controls.

Do you use anonymized data in your dev environments?

Yes. The environments are completely separate. We generate fake data ourselves for all tests (which is kind of fun!). Production data always stays in production.

Physical protections

What are the geographical locations of all datacenters hosting account data?

France and Ireland

Are Legiscope personnel located within the European Union and clearly identified?

Yes

Question you forgot to ask

Is Legiscope profitable? Is there a risk that the company will disappear?

Legiscope is fully profitable. We have an extensive customer base, which allows us to ensure the continued development of the platform.

Are you dependent on a specific client?

No. We have deliberately adopted a pricing policy that allows us to operate in total independence from any specific customer.