Security at Prevail
Prevail is committed to keeping your data safe. We follow industry best practices and the well-known CIA triad security model to ensure that all three elements of data security are met: confidentiality, integrity, and availability.
Confidentiality: Data is accessible only to those granted explicit permission
Integrity: Data remains consistent and accurate from creation to destruction
Availability: Data and services remain accessible to authorized users whenever they are needed
Our team establishes procedures that follow industry best practices, so that compliance requirements are met and can be verified by third-party auditors.
Our policies build upon these foundational principles.
Prevail maintains compliance with the following security assurance frameworks:
SOC 2 Type 2
Prevail's controls are audited against the American Institute of Certified Public Accountants' (AICPA) System and Organization Controls framework, specifically the SOC 2 Trust Services Criteria, with a Type 2 report. A Type 2 report covers the design and operating effectiveness, over the audit period, of internal controls for the security, availability, processing integrity, confidentiality, and privacy of customer data.
For a copy of our SOC 2 report, please email email@example.com.
ISO 27001 Compliance
Prevail complies with the International Organization for Standardization's ISO/IEC 27001:2022 standard, which specifies the requirements for "establishing, implementing, maintaining and continually improving an information security management system within the context of the organization."
Data in Transit
The Prevail Platform encrypts all data in transit, both between user devices and Prevail's cloud services and between individual hosts within those cloud services.
Data at Rest
All data stores that house customer data, including Amazon Web Services (AWS) S3 buckets, are encrypted at rest.
The Prevail Legal platform is physically hosted in the AWS us-east-1 Region. Prevail employs best practices, including configuration auditing and log auditing, to maintain security. Prevail maintains appropriate, secure, restorable backups of all customer data.
Encryption keys are managed with AWS Key Management Service (KMS), which generates and stores key material in Hardware Security Modules (HSMs). Key material never leaves the HSMs in plaintext, so no individual, including Amazon and Vanta employees, has direct access to it; encryption and decryption are performed through the KMS APIs, which use the keys inside the HSMs.
Application secrets are encrypted and stored in AWS Secrets Manager and AWS Systems Manager Parameter Store, and access to these values is strictly limited.
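The configuration auditing mentioned above, applied to the at-rest encryption claim, looks like the following. This is an added example written for this page, not Prevail's own tooling or code: it classifies each bucket's default encryption setting offline from inputs shaped like boto3's `S3.Client.get_bucket_encryption()` response and flags buckets that do not use a customer-managed KMS key. The bucket names, account id and key ARN are constructed placeholders.

```python
"""Offline audit of S3 default-encryption settings (added example).

Each value in SAMPLE_BUCKETS mimics the shape of boto3's
S3.Client.get_bucket_encryption() response; None stands for a bucket where
that call raised ServerSideEncryptionConfigurationNotFoundError.
Bucket names, the account id and the key ARN are constructed for illustration.
"""
from typing import Dict, List, Optional

REGION = "us-east-1"
ACCOUNT_ID = "123456789012"  # constructed placeholder account
CMK_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/11111111-2222-3333-4444-555555555555"

SAMPLE_BUCKETS: Dict[str, Optional[dict]] = {
    # Customer-managed KMS key: the posture the page describes.
    "example-recordings": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [{
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": CMK_ARN,
                },
                "BucketKeyEnabled": True,
            }]
        }
    },
    # SSE-S3 (AES256): encrypted, but with S3-managed rather than KMS keys.
    "example-transcripts": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
        }
    },
    # SSE-KMS with the AWS-managed aws/s3 key (no explicit key id).
    "example-exports": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]
        }
    },
    # No default encryption configured at all.
    "example-scratch": None,
}


def classify_bucket(cfg: Optional[dict]) -> str:
    """Return the default at-rest encryption posture of one bucket."""
    if cfg is None:
        return "NONE"
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo in ("aws:kms", "aws:kms:dsse"):
            key_id = default.get("KMSMasterKeyID", "")
            # An absent key id, or the aws/s3 alias, means the AWS-managed
            # key rather than a customer-managed key the account controls.
            if not key_id or key_id.endswith("alias/aws/s3"):
                return "SSE-KMS-AWS-MANAGED"
            return "SSE-KMS-CMK"
        if algo == "AES256":
            return "SSE-S3"
    return "NONE"


def audit_buckets(buckets: Dict[str, Optional[dict]],
                  require_cmk: bool = True) -> List[str]:
    """Return, sorted, the names of buckets whose posture fails the policy.

    With require_cmk=True only SSE-KMS with a customer-managed key passes;
    otherwise any server-side encryption is accepted and only unencrypted
    buckets are reported.
    """
    allowed = {"SSE-KMS-CMK"}
    if not require_cmk:
        allowed |= {"SSE-KMS-AWS-MANAGED", "SSE-S3"}
    return sorted(name for name, cfg in buckets.items()
                  if classify_bucket(cfg) not in allowed)


if __name__ == "__main__":
    for name, cfg in SAMPLE_BUCKETS.items():
        print(f"{name:20} {classify_bucket(cfg)}")
    print("failing (CMK required):", audit_buckets(SAMPLE_BUCKETS))
```

In a live audit the same two functions would be fed the real `get_bucket_encryption()` responses for every bucket returned by `list_buckets()`, with the not-found exception mapped to `None`; keeping the classification separate from the API calls is what makes the check unit-testable and lets it run against exported configuration snapshots.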
Employee access to customer data is limited to what is directly needed to provide services to customers. For example, in a Remote Session facilitated by a Prevail Session Manager (SM), the SM can join only sessions directly assigned to them and loses access to a session once it concludes.
Managers and System Administrators have broader access to the extent their tasks require. Prevail Legal maintains a comprehensive audit trail of customer data access to detect and mitigate potential misuse: all access to customer data and to systems containing customer data is logged and attributable to an individual person.
Prevail follows the practices in NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. Users who authenticate to Prevail with an email address and password alone are at Authenticator Assurance Level 1 (AAL1).
To reach AAL2, which requires two distinct authentication factors, Prevail supports either Multi-Factor Authentication directly on the platform or federated Single Sign-On (SSO) with any OAuth 2.0 or SAML-compliant Identity Provider; with federated SSO, the assurance level achieved is the one the Identity Provider enforces. Both options are available to Individual and Enterprise Users free of charge. With SSO, Prevail never accesses or stores user authentication secrets.
Some Prevail Sessions, such as legal proceedings, are subject to US state and federal rules governing the availability of their records. Typically, any participant may obtain a recording or transcript of a session at any time; fees vary by jurisdiction.
Prevail retains this data for at least seven years unless otherwise specified.
All areas of the product are made available for assessment by our penetration testing partner, HackerOne, one of the industry's most reputable providers. HackerOne performs penetration testing against the Prevail infrastructure multiple times per year.
Prevail uses multiple services to regularly scan both the package dependencies and the source code of Prevail software.
Prevail remediates all identified issues within defined time limits that vary with the severity of the issue.
Staff with administrative access to systems containing customer data (that is, staff performing DevOps tasks) use dedicated-purpose computers with actively monitored security settings.
Prevail requires recurring security training for all employees.
All Prevail staff use Multi-Factor Authentication and Single Sign-On for any access to systems containing Confidential or Sensitive data. Prevail Legal grants new employees access only after they pass a background check, and employee access to customer data is logged. All employee access is revoked upon termination of employment.