Application security is extremely important to us, and we have implemented industry-standard measures.
General Approach
Juristic performs application and network level penetration testing periodically and provides the results to our customers on request. Best practices for safe and secure coding are established through mandatory peer review (by the CTO or at least two developers) within feature branches.
Juristic uses ESLint and Prettier. No code is pushed live before a thorough review in one or more staging environments. Juristic uses well-known frameworks (React, AdonisJS and NodeJS) so that security is built into the overall design, for example in file processing, CORS handling and protection against SQL injection. Access control takes a "default deny" approach, so developers only have access to data that is relevant to their designated tasks. Error handling and logging are handled automatically for all developers. All configurations are reviewed periodically and updated where necessary.
All requests to the backend are validated to ensure strict separation both between users and between organisations, and all relevant identification parameters are encrypted or encoded when used in the front end. We enforce TLS version 1.3 for transport encryption, combined with SHA-256 hashing and a 256-bit aes-xts-plain64 encryption key. Juristic supports SSO with two-factor authentication for our Enterprise customers. If you would like to understand how this works, or if you have specific needs, please reach out.
Exposed server endpoints are regularly tested for vulnerabilities using several types of scanning software as well as manual testing. Request-handling code paths include frequent user re-authorization checks, payload size restrictions, rate limiting where appropriate, and other request verification techniques. All requests are logged and made searchable for operations staff.
We use a wide range of security and privacy enhancing measures to ensure that your data is safe, including:
- Pseudonymisation
- IP Restrictions
- Access Control and Minimisation, including strict Role-Based Access Control (RBAC)
- Content Security Policies
- X-Frame-Options
- Web Application Firewall (WAF) enabled
- Browser Integrity Check, including DDoS protection
- Input validation
- Enforced security measures for the end user
Network Diagrams
Juristic has produced network diagrams showing how information assets are used to fulfil the agreement between the customer and Juristic.
The employee in charge of operating the individual components in these diagrams is the CTO or the system owner. The network diagrams are shared with customers on request. By default, the network diagrams are static pictures of what the infrastructure looks like and how the data "moves". The customer will be notified without undue delay if Juristic intends to change any aspect of the infrastructure in a way that may affect the customer. The architecture is reviewed periodically to ensure that it meets current best standards.
Data Center
All procedures related to data centers and networks, such as power, cabling, network equipment, segmentation, connectivity, monitoring and rack cabinets, are handled by 3DS Outscale. These are not and cannot be monitored by us, but follow Outscale's standard procedures. 3DS Outscale holds ISO 27001 certification, among others. Please refer to 3DS Outscale for further information: https://en.outscale.com/certificate/.
Risk Assessment
All the measures above are implemented to maintain a high security and privacy threshold, especially given the potential nature of, and the risk associated with, Client and Case Data ([reference](/en/article/sub-processors-4clm6r/)).
We have made no tradeoffs between security and usability; rather, we have implemented industry-standard security and privacy enhancing measures. All vendors and sub-processors have been selected based on a risk assessment in which the following parameters were included and evaluated:
- What kind of data is processed by the vendor or sub-processor?
- Is the vendor or sub-processor an EU provider and do they comply with EU regulation?
- If the vendor or sub-processor is not an EU provider, or if the vendor or sub-processor is owned by a third-country entity, do they provide adequate safeguards?