Data Security and Protection

EffortlessLegal takes privacy and data protection issues seriously.  

We lock up your data by complying with:

•  U.S. Commerce Department’s National Institute of Standards and Technology (NIST) cybersecurity frameworks

•  European Union’s General Data Protection Regulation (GDPR)

•  GLBA, HIPAA, SOX, and various state laws and regulations


Our apps are secure by design — from the ground up.  And we keep things that way, throughout the development, implementation, updating, and maintenance cycles.

Like most quality online systems, all of your data with all of our applications is encrypted both “in transit" and “at rest."  

In other words, all transmissions to and from our apps, and all items stored in our apps, are all encrypted using at least 256-bit SSL certificates, providing strong “bank-grade" security.

As an additional security measure, our systems are regularly checked and certified by security experts who specialize in high-risk industries like banking and financial services.  Please contact us if you would like a copy of the latest report.

For more information about encryption and cybersecurity, please see our articles on these subjects:

Online Security for the Modern Lawyer

Prioritizing Cybersecurity to Protect Client Information from Data Breaches

Data Encryption & Online Security: What Lawyers Need To Know


Cybersecurity, data protection, and privacy are integral parts of our software design, engineering, development, updating, and maintenance functions.

For example, as to all of our applications, we comply with the NIST’s Framework for Improving Critical Infrastructure Cybersecurity and Special Publication 800-171.  This in turn means our apps meet the standards imposed under the federal Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and related regulations.  

We also comply with various USA state laws relating to data protection and privacy, as well as the European Union’s GDPR.

More specifically, as to all of our applications, we provide at least the following features and maintain at least the following processes and procedures:

•  Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and

•  Establish and enforce security configuration settings for information technology products employed in organizational systems; and

•  Track, review, approve or disapprove, and audit changes to systems; and

•  Analyze the security impact of changes prior to implementation; and

•  Establish, implement, and enforce physical and logical access restrictions associated with changes to systems; and

•  Employ the principle of least functionality by configuring systems to provide only essential capabilities; and

•  Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services; and

•  Apply deny-by-exception (blacklisting) policies to prevent unauthorized access, or deny-all, permit-by-exception (whitelisting) policies to allow only authorized access; and

•  Control and monitor software that EffortlessLegal makes available for local installation by its customers and its customers’ users (“Subscribers"); and

•  Limit information system access to authorized Subscribers, internal users, and related processes, with additional limitations on access to more sensitive data (Role Based Access Controls); and

•  Limit unsuccessful logon attempts; and

•  Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity; and

•  Automatically terminate user sessions after defined conditions; and

•  Limit the transmission and storage of Subscriber data to only necessary processes; and

•  Encrypt all data in transit and at rest; and

•  Establish capabilities and systems to allow current and former Subscribers to obtain confirmation regarding whether or not data concerning them is being processed or used by EffortlessLegal, and if so where and for what purpose; and

•  Establish capabilities and systems to allow Subscribers to obtain a copy of their data, free of charge, in a commonly used and machine readable electronic format; and

•  Establish capabilities and systems to allow Subscribers to easily delete and permanently erase their data; and

•  Establish capabilities and systems to allow Subscribers to easily change, correct, and update their data; and

•  Ensure that all internal users are properly trained (Awareness and Training); and

•  Create, retain, and maintain information system audit records (Audit and Accountability Controls); and

•  Establish, maintain, and enforce baseline configurations and inventories of systems (Configuration Management Controls); and

•  Identify and authenticate internal users, processes, or devices, as a prerequisite to allowing access to systems (Identification and Authentication Controls); and

•  Provide multi-factor authentication options for all Subscribers; and

•  Establish capabilities and systems to allow Subscribers to easily delete and permanently erase their data; and

•  Enforce a minimum password complexity and change of characters when new passwords are created; and

•  Obscure feedback of authentication information; and

•  Store and transmit only cryptographically-protected passwords; and

•  Establish, implement, and maintain incident-handling capabilities and systems  that include preparation, detection, analysis, containment, recovery, and Subscriber response activities (Incident Response Processes); and

•  Establish, implement, and maintain capabilities and systems to track, document, and report incidents to affected Subscribers, designated officials, and/or authorities both internal and external to the organization; and

•  Establish, implement, and maintain appropriate maintenance and updating on all information systems (Maintenance Processes); and

•  Protect, secure and ensure the proper destruction of all media containing Subscriber data (Media Protection Controls); and

•  Screen internal users prior to authorizing access (Personnel Security Controls); and

•  Ensure that all systems containing Subscriber data and/or sensitive systems information are protected during and after personnel actions such as terminations and transfers; and

•  Limit and secure physical access to systems (Physical Protection Controls); and

•  Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of Subscriber data and/or sensitive systems information (Risk Assessment Processes); and

•  Regularly scan for vulnerabilities in organizational systems and applications; and

•  Remediate vulnerabilities immediately; and

•  Periodically assess security controls and implement action plans (Security Assessment Processes); and

•  Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems (System and Communications Protection Controls); and

•  Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems; and

•  Separate Subscriber and internal user functionality from system management functionality; and

•  Prevent unauthorized and unintended information transfer via shared system resources; and

•  Identify, report, and correct information flaws in a timely manner (System and Information Integrity Requirement).

Privacy and Confidentiality

Effortless Legal keeps the information, documents, and other data that any Subscriber provides to Effortless Legal (“Subscriber Information”) strictly private and confidential.

Effortless Legal does not and shall not review or examine any of Subscriber Information without express permission from Subscriber.

Effortless Legal does not and shall not transfer, sell, share, or otherwise reveal any Subscriber Information with or to any person or entity, for any purpose whatsoever, except as necessary to perform the Services for Subscriber, and except to comply with any applicable law(s), court order(s), or subpoena(s).

For additional information and details, please see our Terms of Service.