Continuous Security Efforts
Filevine is continuously working to improve our security posture. We conduct risk assessments, audits, privacy impact analysis, penetration testing, vulnerability scans, and many other security best practices. We have established an Information Security Committee with cross-functional executive representation that meets regularly. The Committee provides governance, risk, and compliance (GRC) oversight as part of our enterprise risk management program.
Filevine's dedicated compliance team conducts audits year-round to assess our company's security program effectiveness and to vet trusted partners. Audits include HIPAA, CJIS and ISO 27001 security controls in addition to NIST 800-53 controls.
Filevine utilizes industry-recognized security experts to annually test the Filevine platform to ensure our websites, web applications, APIs, and related services are safe and secure.
Filevine endeavors to comply with state, federal, and international privacy requirements. Filevine has appointed a Data Privacy/Data Protection Officer (DPO) to lead privacy efforts. Filevine has also established a Privacy Program including privacy by design initiatives.
Filevine utilizes best-in-class enterprise grade vulnerability management tools to continuously detect code defects, missing patches, misconfiguration, and other system vulnerabilities.
Filevine provides ongoing security awareness training to its workforce to keep pace with evolving cyber threats. We have implemented a best-in-class security awareness training platform, awareness programs, and monthly phishing campaigns for our employees.
Filevine's Security Team members hold numerous industry-recognized security certifications for cloud, network, and wireless security, penetration testing, auditing, privacy, security program development, project management, compliance, and other related disciplines.
Filevine’s AWS infrastructure automatically backs up client data. These backups are redundant and performed in multiple availability zones and data centers in multiple AWS regions at least every 15 minutes. To provide an added layer of security, backup data is encrypted using AES 256 (which is FIPS 140-2 compliant) to protect it at rest.
Disaster Recovery / Business Continuity
A fire, flood or ransomware event can damage files or servers and may lead to lost productivity and billables. Regardless of what happens to your physical office, with an internet connection, you should be able to access your Filevine files and operate your practice remotely.
Filevine’s Security Team performs Incident Response (IR) and Security Operations Center (SOC) functions to identify and quickly respond to security incidents often preventing them from becoming serious security threats.
Our Team Certifications
Filevine adheres to many compliance frameworks against which our systems are audited regularly.
HIPAA compliance efforts:
Filevine endeavors to comply with the HIPAA Security Rule and subsequent HITECH Act legislation. We have been independently audited and assessed by multiple third-party experts. Our latest SOC 2 Type II audit included security control testing for the HIPAA Administrative, Physical and Techincal Safeguards.
CJIS compliance efforts:
Filevine performs regular audits and adheres to the CJIS Security Policy 5.9.2. We have trained and certified CJIS TACs to ensure our security program meets our customers CJIS requirements. To receive a copy of our CJIS compliance package, please send a request to the Filevine CJIS Security Team.
SOC 2 Type II + HIPAA compliance efforts:
Filevine has retained external AICPA certified auditors to conduct our annual SOC 2 Type II audit including the DC 200 Description Criteria and the TSP 100 Trust Services Critieria for Security, Availability, Process Integrity, Confidentiality and Privacy. With an NDA in place, audit reports can be requested by contacting the Security Team.
Shared Assessments compliance efforts:
Filevine routinely completes Sig Lite Shared Assessments and other customer specific security questionnaires. If you require a Sig Lite to be completed, please request one from the Filevine Security Team.
GDPR compliance efforts:
Filevine endeavors to comply with state, federal and international privacy requirements. Filevine has appointed a Data Privacy/Data Protection Officer (DPO) to lead privacy efforts and to assist with data protection agreements and related requests.
CCPA/CPRA compliance efforts:
CIS 18 compliance efforts:
The CIS 18 security controls are designed to reduce the likelihood of a security breach. Filevine has aligned its security program with the CIS 18 security controls to reduce residual risk to the business. We use automated observability tools to ensure these controls are being measured and improved.
PCI compliance efforts:
Credit card payments are processed by Stripe, a PCI Data Security Standard (PCI DSS) Level 1 service provider. This is the most stringent level of certification available in the payments industry to ensure companies that process, store or transmit credit card information maintain a secure environment. Filevine has completed an SAQ-A for compliance with the use of the Stripe service. See the Stripe security page to learn more about their compliance posture.
Guidance We Follow
ABA compliance efforts:
As cyber threats proliferate, data security has become a growing concern for legal professionals. ABA Model Rule 1.6 charges all lawyers with the responsibility to, “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Filevine helps lawyers comply with ABA Formal Opinion 477R which governs the obligations lawyers have to protect client communications.
ACC compliance efforts:
Filevine also enables safe and secure communication in alignment with the ACC's guidance on "Model Information Protection and Security Controls for Outside Counsel Processing Company confidential Information".
Where We’re Going
Filevine is continuously improving its security posture so we can meet rigorous compliance requirements in the future.
StateRAMP compliance efforts:
Filevine is looking to broaden its authorized list of state and county customers leveraging the Filevine CJIS platform in an effort to qualify to be an authorized vendor in the StateRAMP Marketplace. More details about StateRAMP can be found at the link below.
ISO/IEC 27001 compliance efforts:
Filevine has completed our first ISO/IEC 27001 audit and we will soon have the formal certification. The ISO 27001 standard is widely known, providing requirements for a robust information security management system (ISMS). Filevine is using our own platform as our ISMS and it is an effective platform for managing our written information security program (WISP).
Third-Party Vendor Risk Management (3PVRM)
Filevine performs third-party vendor risk assessments whenever Filevine contracts with a third party. This process includes input from business stakeholders from the Legal, Finance, and Information Security teams. Vendor and supplier risk is managed with a best-in-class third-party risk management platform as well as using industry-standard security questionnaires, audit report reviews, and in-depth technical interviews.
Multiple Cloud Partners
Filevine encrypts customer data in transit and at rest. Filevine uses the AWS Key Management Service (KMS) to create and manage cryptographic keys for Filevine. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated as FIPS 140-2 compliant. More information here.
Two Factor Authentication (2FA)
Filevine administrative accounts utilize 2FA to provide an additional level of authentication, dramatically reducing the risk of hacking and data theft. 2FA is a combination of something you know, such as a password, and something you have, such as a soft token, hard token, or some other one-time password (OTP) technology such as Google authenticator.
Role-Based Access Control (RBAC)
RBAC allows Filevine administrators and firm administrators to easily manage access to their confidential information. Access is granted or restricted based on predefined job roles inside the organization. If an individual changes roles, their access changes as well. This makes it easier to authenticate, authorize, and audit access to systems and case data.
Filevine has built an industry leading information security program that adheres to security frameworks such as the NIST CSF, CJIS and the CIS 18. Our program is documented in our written information security policies (WISP), procedures and operational security practices. We do not share copies of these documents but we do allow customers to review them under NDA.
Filevine is a cloud-based SaaS platform. Individuals are able to access the software in its entirety on any computer or smart device at almost any location, provided they have an internet connection using Chromium based browsers such as Edge and Google Chrome.
Cloud-Based: Filevine contracts its own instances within SSAE 18 certified, private AWS, Microsoft Azure, and Google cloud platform. We do not operate or manage our own data centers.
Yes and no. Filevine does not offer a separate Mobile App at this time. However, Filevine is mobile-friendly; users are able to access the software in its entirety on any computer or smart device at almost any location using Chromium-based browsers such as Edge and Google Chrome. Mobile application development is underway, and a release candidate announcement should be forthcoming.
Yes, Filevine utilizes an industry-recognized web application Firewall (WAF) to block common attacks identified in the OWASP Top Ten. These may include actions such as injection attacks, broken authentication, sensitive data exposure, insecure deserialization, cross-site scripting (XSS), and others. If these attacks rise to the level of a security incident, the Incident Response team follows our standard process to quickly respond and thoroughly investigate the event, through resolution.
Incident Response (IR) Team
Filevine has a trained and experienced team of IR handlers with multiple security certifications and years of experience managing incidents. This team is very familiar with industry-recognized tactics, techniques, and procedures (TTPs) to ensure security incidents are resolved in a timely and efficient manner. The team reviews countless security alerts, events of interest (EoI)s, significant events, and other incident types as it prioritizes, escalates, and resolves malicious attacks.
Enterprise Logging & Security Incident & Event Management (SIEM)
Filevine utilizes multiple, best-in-class solutions to support enterprise logging and IR efforts. Filevine has deployed enterprise logging and SIEM technologies to increase visibility, aggregate, organize, and time-synchronize network and system events to allow our teams to respond to alerts and potential threats in a timely manner. We maintain in-house security operation center (SOC) staff to triage security alerts and we have aligned our security program with the MITRE ATT&CK framework best practices for detection and response.
Filevine maintains a Business Continuity plan and a Data Security Incident Response Plan, among other policies and procedures. Our Business Continuity plan is designed to address the most common business disruptions and to reduce the risks of a significant outage or regional event interrupting Filevine services. This plan is reviewed annually and addresses risks with employees, offices, product support and other relevant business considerations.
Filevine leverages highly available services that are redundant across multiple data centers and multiple cloud service providers to ensure very high availability for the platform.
Filevine shall use reasonable efforts consistent with prevailing industry standards to maintain the Products and Services in a manner that minimizes errors and interruptions in the Products and Services and shall perform the Services in a professional and workmanlike manner. Services may be temporarily unavailable for scheduled maintenance windows or for unscheduled emergency maintenance by Filevine, or because of other causes beyond Filevine’s reasonable control, but Filevine will use reasonable efforts to provide advance notice of any scheduled service disruption. However, Filevine does not warrant that the Products or Services will be uninterrupted or error-free, will meet Subscriber’s requirements, will be compatible or work with any software, system, or other services, will be secure, accurate, complete, or free of harmful code, nor does it make any warranty as to the results that may be obtained or achieved from the use of the Products or Services.
Minimum computer requirements are needed to support Filevine including a Pentium 4 or greater processor, 4 GB of RAM and 100 MBs of hard disk space as well as a modern web browser. For the best results, a Chromium based browser such as Edge or Google Chrome is recommended with support for TLS 1.2 and preferably TLS 1.3. Meeting these requirements, users should be able to access Filevine on almost any modern computer or smart device.
Filevine's team of data security and compliance experts work with Third-Party, AICPA certified auditing firms and have completed our SOC 2 Type I & II reports for Filevine. In addition to SOC 2, Filevine is also complying with Criminal Justice Information System (CJIS) v5.9 security requirements meeting FBI security obligations. Furthermore, Filevine has adopted the CIS 18 Critical controls and has successfully completed internal and external HIPAA Security Rule audits. Filevine is also working on ADA/WCAG Compliance efforts, GDPR, and CCPA privacy efforts. Additional focus on FedRAMP, StateRAMP, ISO 27001, ISO 9001, and other security goals are in process.
When you create a Filevine user account or update your account’s passwords, Filevine requires a complex password of at least eight (8) characters and at least one (1) non-alpha character. All passwords are salted and one-way hashed in storage. Filevine administrative accounts used to administer the platform have even stronger password requirements to ensure access to the platform is secure. Filevine also supports and encourages the use of strong passphrases for clients utilizing the platform.
Yes, Filevine supports the use of SSO services such as Microsoft Azure Active Directory, Google Authentication, etc. Filevine also supports the use of Okta, Ping, and other Identity and Access Management (IAM) tools to enable SSO.
Yes, Filevine supports the use of two-factor authentication (2FA) services such as Microsoft Azure Active Directory, Google Authentication, etc. Filevine also supports the use of Okta, Ping, and other Identity and Access Management (IAM) tools to enable 2FA.
Filevine uses FIPS 140-2, FIPS 197 and FIPS 199. This includes AES 256 encryption for data at rest and support for TLS 1.2/1.3 encryption for data in transit.
Yes, Filevine uses a layered approach of disparate enterprise grade security tools to both detect and prevent potentially malicious files and activities from impacting our systems.