Information Security Program at Blue J
Security and Trust are fundamental to the services we provide and Blue J is committed to ensuring that our product and processes employ enterprise-grade best practices to keep your data safe.
- Achieved SOC 2 Type 1 compliance
- Information Security Program in place
- Employee Security Awareness training performed annually
- Employee background checks completed
- Business Continuity, Disaster Recovery and Incident Response policies reviewed and tested annually
- Highly Available, redundant infrastructure
- Security Controls continuously monitored by independent 3rd Party
- Multi-Factor Authentication protects employee accounts
- Risk Assessments performed annually
We work with an independent auditor to maintain a SOC 2 report which objectively certifies our controls and the continuous security of our customers’ data. Blue J achieved SOC 2 Type 1 compliance in July 2022. We plan to obtain a SOC 2 Type 2 report upon completion of the requisite monitoring period. Blue J can provide its SOC 2 report upon receipt of a signed Non-Disclosure Agreement (NDA).
The Blue J platform is a cloud native research platform that includes the following user-friendly tools:
- Outcome Prediction & Scenario Planning
- Statute Analysis
- Factor-Based Retrieval & Analysis of Case Law
The modern AI-powered approach to case research and analysis relies on the user selecting values for the factors considered relevant to case decisions. It does not require PII as input.
The diagramming tool assists users with tax entity and relationship planning. The user is in control of this data: while the tool does not require them to enter sensitive data, client information and relationships are likely to be defined by the user in the diagram. This data, like all customer data, is stored and managed under the security practices documented on this page.
PII collection for our users is limited to the data necessary to manage Authentication and Authorization for the purposes of using the Blue J platform (email address and name).
Blue J has established an Information Security Program that maintains a set of policies that are reviewed annually. Policies pertinent to security include:
- Acceptable Use Policy
- Asset Management Policy
- Backup Policy
- Business Continuity/Disaster Recovery Plans
- Code of Conduct
- Data Classification, Deletion, and Protection Policies
- Encryption and Password Policies
- Incident Response Plan
- Physical Security Policy
- Responsible Disclosure Policy
- Risk Assessment Policy
- Software Development Life Cycle Policy
- System Access Management Policy
- Vendor Management Policy
- Vulnerability Management Policy
At Blue J security compliance is overseen by our CTO, Brett Janssen.
During onboarding, new employees must complete Security Awareness training provided by a trusted vendor. Additionally, this training must be completed annually by all existing employees to ensure that security remains a top priority within the organization.
The Blue J Information Security Program policies must be read and accepted by employees during onboarding, and acceptance is renewed annually or whenever the policies change.
Development team staff also complete additional training, such as OWASP Top 10 security vulnerability training, which is likewise renewed annually.
All Blue J employees are screened prior to employment using standard background checks provided by a trusted vendor, which include:
- Verification of identity
- National Criminal records check
- County Criminal records check
- Sex offender registry check (U.S. Only)
Business Continuity and Disaster Recovery
Blue J’s Business Continuity and Disaster Recovery approach includes plans that are maintained and reviewed annually to ensure the business can react appropriately to large scale, unplanned events. Our plans are tested and executed annually allowing us to continually refine our process in the absence of genuine events.
Regular backups and an Infrastructure as Code implementation of hosting environments allow our operations team to react quickly and effectively in the event of large scale outages or disaster.
Security Incident Response
Blue J’s Information Security Program includes policies that are maintained and reviewed annually to ensure the business can react appropriately to unplanned or malicious events. This includes identifying, responding to, communicating and documenting the information related to a security incident. In the event of a data breach, Blue J will promptly report to required parties to comply with all applicable regulatory requirements. Incident Response plans are tested and executed annually allowing us to continually refine our process in the absence of genuine events.
Blue J achieves high availability by using multiple load balancers, servers and datastores for redundancy. In addition to redundancy we have engineered our platform to self-heal so that most issues can be recovered from quickly and automatically.
Continuous Security Control Monitoring
Blue J uses Drata’s automation platform to continuously monitor 100+ security controls across the organization. Automated alerts and evidence collection allow Blue J to confidently demonstrate its security and compliance posture on any day of the year, while fostering a security-first mindset and a culture of compliance across the organization.
This includes monitoring of individual employee workstations to ensure that full drive encryption, screen lock, a trusted password manager and malware protection are enabled at all times.
The System Access Control Policy defines how access to the Blue J network and its resources is managed. This includes adoption of the “Principle of Least Privilege”, which limits each employee’s access to the level required to perform their job function.
2FA (Two Factor Authentication) is enforced for employee accounts and an annual review of access levels is conducted to ensure that employees maintain an appropriate level of authorization.
Blue J performs annual, whole corporation risk assessments across each of the Engineering, Human Resources (HR), Information Security, Finance, Sales, and Legal departments. The assessment team uses a customized version of the Consensus Assessments Initiative Questionnaire (CAIQ) published by the Cloud Security Alliance (CSA). The questionnaire assists the team in both identifying and quantifying risks. Any identified risks are both catalogued and subsequently actioned in a manner suited to the individual risk’s severity.
An independent, third party vendor provides Blue J with annual penetration testing. Mitigation and remediation of any vulnerabilities found during testing are prioritized within our Software Development Life Cycle.
An independent, third party vendor provides Blue J with quarterly vulnerability scanning. Mitigation and remediation of any vulnerabilities found during scanning are prioritized within our Software Development Life Cycle.
Physical Access Control
The Blue J Platform is entirely hosted in the cloud within AWS, in the us-east-1 North Virginia region. Blue J relies upon the security controls adopted by AWS to ensure the security of physical computing environments hosting cloud based resources.
Virtual Access Control
Access to cloud hosted resources is controlled by AWS IAM, and authorization is granted on a “Principle of Least Privilege” basis with annual reviews of authorization levels. We use BastionZero for secure remote access to server resources, which allows Secure Shell (SSH) access to be disabled and commonly attacked ports to remain closed.
Blue J has implemented comprehensive logging of operations conducted within the application as well as within the infrastructure hosting the application. Application Performance Management (APM) with alerting provides another layer of security and oversight.
Intrusion Detection and Prevention
Blue J benefits from the vendor provided security controls enabled within the AWS cloud infrastructure. In addition, Blue J continually monitors our workloads for malicious activity via AI enhanced threat detection software.
Software Development Life Cycle
Our Software Development Life Cycle policy defines the standard for the process we use to build our product at Blue J, which is consistent, repeatable and maintains information security at every stage. This includes the adoption of best practices which include:
- Version control system tracks code changes
- Code changes via pull request require independent review/approval
- Unit and integration tests run with the build
- Manual testing complements automated testing to ensure quality
- Code artifacts promoted through a series of separate development and testing environments prior to reaching Production servers
- CI/CD pipeline provides repeatable, predictable deployment of code changes
- Infrastructure as Code manages changes to the hosting system infrastructure which also follows the same SDLC process
The Blue J platform sends email notifications to support user collaboration across Workspaces. We publish SPF and DKIM records and have Domain-based Message Authentication, Reporting and Conformance (DMARC) configured with reporting enabled, which helps prevent our domains from being used in phishing scams. We still strongly recommend that customers add both the bluejlegal.com and bluej.com domains to their allow list to ensure consistent delivery of notification emails and access to our products.
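The value of SPF and DMARC depends on how the records are written: an SPF record ending in `+all` or a DMARC policy of `p=none` authenticates nothing. The following added example (not Blue J’s own code or DNS data) shows how a customer or administrator can sanity-check such records offline. The record strings are constructed for a hypothetical domain; in practice they would be fetched from DNS as TXT records.

```python
"""Parse SPF and DMARC TXT records and flag weak settings.

Added example with constructed sample records; it does not describe any
real domain's DNS. Only the record syntax from RFC 7208 (SPF) and
RFC 7489 (DMARC) is assumed.
"""
import re

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 caps these at 10).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into (qualifier, term) pairs.

    Returns the terms, the qualifier of the terminating 'all' mechanism
    ('+', '-', '~', '?' or None if absent) and the number of lookup terms.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    mechanisms, all_qualifier, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC record into a tag -> value dict; 'v=DMARC1' must come first."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record: must start with v=DMARC1")
    return tags


def assess(spf_record: str, dmarc_record: str) -> list:
    """Return a list of findings; an empty list means no weaknesses were spotted."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] is None:
        findings.append("SPF: no terminating 'all' mechanism; unlisted senders get a neutral result")
    elif spf["all"] == "+":
        findings.append("SPF: '+all' passes every sender, so the record provides no protection")
    elif spf["all"] == "?":
        findings.append("SPF: '?all' is neutral; use '~all' or '-all'")
    if spf["lookups"] > 10:
        findings.append(f"SPF: {spf['lookups']} lookup terms exceed the RFC 7208 limit of 10 (permerror)")

    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy tag p={policy!r}")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so aggregate reports will never be received")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail stream")
    return findings


# Constructed sample records for a hypothetical domain (not real DNS data).
GOOD_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    for label, spf, dmarc in (("good", GOOD_SPF, GOOD_DMARC), ("weak", WEAK_SPF, WEAK_DMARC)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

The "good" pair yields no findings; the "weak" pair reports the `+all`, the `p=none` policy and the missing `rua` address, which is exactly the monitoring gap that a DMARC deployment with reporting enabled is meant to close.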
Automated full backups of all production databases occur daily, with incremental backups happening throughout the day at 5 minute intervals. Database backups are encrypted to the same standards as live production data.
Data at rest is encrypted using the industry standard AES-256 algorithm. Cryptographic keys are protected using AWS KMS (Key Management Service).
Data in transit is encrypted using HTTPS with Transport Layer Security (TLS) 1.2 as the minimum supported version.
Data Retention and Removal
Customer data is retained and protected by Blue J indefinitely unless a formal request for removal is received. Customers can submit a request for data removal by contacting their dedicated Customer Success Manager or our Data Protection Officer at firstname.lastname@example.org.
All data is stored and processed in the United States in the AWS us-east-1 North Virginia region. We do not currently offer the ability to store data in any other jurisdiction, and we do not currently offer an on-premises solution.
Vendors / Sub-Processors
Blue J depends on carefully selected vendors and sub-processors to build our product and provide our services. The following list of partners and their respective security practices have been reviewed in accordance with our Vendor Management Policy.
| Vendor | Purpose |
| --- | --- |
| Auth0 | Identity and access management |
| BastionZero | Remote infrastructure access |
| Confluence | Documentation, collaboration and communication |
| Datadog | Monitoring and alerting |
| Drata | Security and compliance management |
| Figma | Collaborative UX design |
| GitHub | Source code repository and dependency scanning (Dependabot) |
| | Email service and productivity provider |
| LinearB | Engineering workflow optimization tools |
| Notion | Documentation, collaboration and communication |
| Salesforce | Customer relationship management |
| Salesloft | Customer relationship management |
| Twilio – Segment | Cloud-based customer data platform (CDP) |
| Sentry | Alerting and monitoring |
| Slack | Collaboration and communication |
Disclosure of Vulnerabilities
If you believe you have discovered a bug or have another concern with Blue J’s security, please contact our security team at email@example.com.