Lupl was built from the ground up with input from a group of leading legal departments and law firms. Those legal departments and law firms shared with us their security and privacy requirements, and we factored these into the development of Lupl from Day One. We continue to work with this group to ensure that Lupl meets their stringent security and privacy requirements.
Lupl is now SOC 2 Type 1 certified!
We protect your data.
Keeping your data protected and secure is our highest priority. That’s why Lupl was built from the ground up with privacy and security by design principles. This overview introduces the ways we protect data. Want to see something more detailed? This overview is supported by a range of other privacy and security materials and whitepapers, available from our team upon request. Just contact privacy@lupl.com.
Over 50 years of industry experience.
Our team of security experts has over 50 years of collective expertise in IT security and privacy. They’ve headed up the IT security and privacy operations of leading international law firms, IT companies and other organizations. They’ve seen a lot of things in their time and they know what good, legal sector-compliant security and privacy looks like when they see it. They bring this perspective to everything we are doing at Lupl.
Trusted cloud infrastructure.
All our services run in a secure, hyperscale, enterprise-grade cloud environment. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our services are built on Microsoft Azure because we regard them as the best and most secure in the business. They provide industry best practice security measures to protect our infrastructure and meet the requirements of the laws, regulations and security certifications that are applicable to our operations. You can read more about their practices here. The cloud infrastructure is updated regularly with the very latest security patches and industry best practice measures.
Sophisticated physical security.
The data centers we use are protected by state-of-the-art physical security controls, including perimeter defenses, access request and approval controls, round-the-clock interior and exterior surveillance and monitoring, multi-factor authentication, biometric controls, staff training, and background checks and screening.
Data location transparency.
Lupl provides full data location transparency, so you always know where your data is going to be stored. Our data center is geo-located within the European Union. Data transfers are managed strictly in accordance with applicable regulatory requirements including GDPR, as described in our Privacy Policy.
Did you know...?
Lupl’s privacy and security approach is embedded in the features of the app itself. Here’s one example: any time you’re about to do something on Lupl that someone outside of your organization will see, you get a clear, in-context reminder, so you never need to worry about accidentally sharing something with the wrong person.
Your data is encrypted at rest.
Data at rest is encrypted using cryptographic modules that comply with the FIPS 140-2 standard. “At rest” data is data that is not actively moving from device to device or network to network, such as data stored in a database, network file storage, hard drive, laptop or flash drive, or archived in some other way. Encryption keys and secrets are stored in a secure key vault with strictly controlled access, and never on local file systems or in project code held in remote repositories.
Network-level security monitoring and protection.
Our network security architecture consists of multiple security zones. We monitor and protect our network to make sure no unauthorized access takes place, using measures including:
- A virtual private cloud (VPC), a bastion host or VPN with network access control lists (ACLs) and no public IP addresses.
- A firewall that monitors and controls incoming and outgoing network traffic.
Data retention and removal.
With Lupl, you retain complete control over your data. We comply with all applicable regulatory requirements to enable users to request the deletion of their personal data from our systems. Read more about these practices and how users can exercise their rights at https://www.lupl.com/privacy-policy.
Business continuity and disaster recovery.
The systems we use to provide Lupl have multiple layers of redundancy. This includes everything from power supplies to surveillance and monitoring systems. The systems are designed to stay functional even if multiple servers fail. And our cloud infrastructure stores and secures multiple copies of critical assets and data so that it is protected from planned and unplanned events, including network and power outages and even massive natural disasters. All our backups are encrypted.
Did you know...?
Lupl’s cloud infrastructure, provided to us by Microsoft, holds dozens of international security certifications. This helps us to provide our users with a high degree of confidence that, when using Lupl, they are benefiting from the highest level of cloud security available in the industry.
Lupl’s security is tested by independent third parties.
Our systems and processes are subject to independent third-party review and assessment. We share any key findings from these assessments with our enterprise users upon request.
Regular penetration testing.
Our systems are subject to regular penetration testing. We also intend to put in place a bounty program in due course.
Built via a secure development process.
The security practices of Lupl are baked into our development approach. Here is an overview:
ASP.NET Core Security Features
ASP.NET Core enables developers to easily configure and manage security for their apps. The framework assists in managing authentication, authorization, data protection, HTTPS enforcement, app secrets, anti-request-forgery protection, and CORS management. ASP.NET Core contains features that help to secure your apps and prevent security breaches. Many common web application vulnerabilities, such as cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF) and open redirects, are mitigated through basic development patterns, strong documentation, and best practices.
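As an added illustration (not Lupl's own code) of how the ASP.NET Core features listed above fit together, and of the key-vault principle from the encryption-at-rest section: a minimal .NET 6+ Program.cs that loads secrets from Azure Key Vault rather than from configuration files or the repository, restricts CORS to a single origin, enforces HTTPS with HSTS, and validates anti-forgery tokens on every state-changing request. It assumes the Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets packages and the web SDK's implicit usings; the vault name and front-end origin are placeholders.

```csharp
using Azure.Identity;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// App secrets: outside development, pull connection strings and keys from
// Azure Key Vault (placeholder vault name) via the app's managed identity, so
// nothing sensitive lives in appsettings.json or in source control. Locally,
// the dotnet user-secrets store fills the same configuration keys.
if (!builder.Environment.IsDevelopment())
{
    builder.Configuration.AddAzureKeyVault(
        new Uri("https://<your-vault-name>.vault.azure.net/"),
        new DefaultAzureCredential());
}

// CORS: allow only an explicitly listed origin and the methods it needs,
// never a wildcard origin.
builder.Services.AddCors(options =>
    options.AddPolicy("TrustedOrigin", policy =>
        policy.WithOrigins("https://app.example.com") // assumed front-end origin
              .WithMethods("GET", "POST")
              .AllowAnyHeader()));

// HSTS: browsers keep using HTTPS for a year, including subdomains.
builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365);
    options.IncludeSubDomains = true;
});

// CSRF: require a valid anti-forgery token on every non-GET/HEAD/OPTIONS/TRACE
// request globally, instead of relying on each action to opt in.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseHsts();            // emit the Strict-Transport-Security header
}
app.UseHttpsRedirection();    // redirect plain-HTTP requests to HTTPS
app.UseStaticFiles();
app.UseRouting();
app.UseCors("TrustedOrigin"); // must sit after UseRouting and before UseAuthorization
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

app.Run();
```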
Continuous Integration/Continuous Delivery
Continuous integration and continuous delivery (CI/CD) are methodologies that establish a consistent and automated way to build, package, test, and deliver software. The Security Development Lifecycle (SDL) requirements of the project are built into the CI/CD pipeline so that they are applied automatically and security is not overlooked during feature development and release. We develop in line with established security best practices and frameworks (OWASP Top 10, SANS Top 25), and we apply the following practices to ensure the highest level of security in our software:
- We review our code for security vulnerabilities.
- We regularly update our dependencies and make sure none of them has known vulnerabilities.
- We use Static Application Security Testing (SAST) to detect security vulnerabilities in our codebase.
Our people.
Our employees and contractors are subject to legally binding confidentiality agreements before gaining access to Lupl’s systems and data. Everybody undergoes regular training around privacy and security practices, and we have a range of policies and protocols in place to ensure that this remains front-of-mind for our people. Individuals with access to critical infrastructure (e.g., our physical data centers) undergo background checks. We apply Just-In-Time privileged access management (JIT PAM) to prevent over-provisioning of administrative privileges.
Our users.
Multi-factor authentication (MFA) enhances security in a multi-device and cloud-centric world. Lupl provides built-in multi-factor authentication through our IdP via SMS text message, email, or push notifications to a dedicated app. We also support third-party multi-factor authentication solutions. If you use our federated identity solution, you control the MFA factors and prompt frequency through your own IdP.
Privacy by design.
As with our security by design approach, we developed Lupl with privacy as a fundamental design consideration, in accordance with all applicable laws and regulations. Privacy by design means that privacy was a driver of the system's design from the very beginning. The data you store with us is and always will be “your data.” With this principle as our guide, we maintain the privacy of users and operate our services according to the following key principles:
- We use your data only to provide you with the Lupl services, including purposes compatible with providing those services, as described in our Privacy Policy at https://www.lupl.com/privacy-policy.
- We do not mine your data for targeted advertising purposes.
- If you ever choose to leave the service, you can take your data with you.
- We tell you where your data resides, who has access, and under what circumstances.
- Our access to your data is strictly limited, non-destructive, logged and audited.
Law enforcement access.
In the unlikely event that we receive a request to hand over your data to law enforcement, we will first seek to redirect the request to you, unless legally prohibited from doing so. We refuse to comply with any such request unless a valid court order compels us to hand information over, in which case we will strictly limit this to what is required by the court order.
A growing range of compliance offerings.
We recognize that being compliant isn’t enough. We are striving to constantly demonstrate compliance to provide our users with the maximum peace of mind when using Lupl. Here’s where we are now…but stay tuned for updates.
Dozens of international cloud security certifications
Our cloud infrastructure, provided by Microsoft, holds dozens of international security certifications, including ISO/IEC 27001 and ISO/IEC 27018.
SOC 2 and ISO 27001
Our company is working towards SOC 2 and ISO/IEC 27001 certifications.
Applicable regulations, including GDPR
We comply with all laws and regulations that apply to us, including the General Data Protection Regulation (GDPR).