
SOC 2

We work with an independent auditor to maintain a SOC 2 report that objectively certifies the controls we use to ensure the continuous security of our customers’ data. Blue J achieved SOC 2 Type 1 compliance in July 2022. We plan to obtain a SOC 2 Type 2 report upon completion of the requisite monitoring period. Blue J can provide its SOC 2 report upon receipt of a signed Non-Disclosure Agreement (NDA).

Product Description

The Blue J platform is a cloud-native research platform that includes the following user-friendly tools:

  • Outcome Prediction & Scenario Planning
  • Statute Analysis
  • Factor-Based Retrieval & Analysis of Case Law
  • Diagramming

Our AI-powered approach to case research and analysis works from the values a user selects for the factors considered relevant to case decisions. This does not require PII input.

The diagramming tool assists users with tax entity and relationship planning. The user is in control of this data, and while the tool does not require them to enter sensitive data, client information and relationships are likely to be defined by the user in the diagram. This and all other data are stored and managed with the strictest of security practices, as documented on this page.

PII collection for our users is limited to the data necessary to manage Authentication and Authorization for the purposes of using the Blue J platform (email address and name).

 

Corporate Security

Blue J has established an Information Security Program that maintains a set of policies, each reviewed annually. Policies pertinent to security include:

  • Acceptable Use Policy
  • Asset Management Policy
  • Backup Policy
  • Business Continuity/Disaster Recovery Plans
  • Code of Conduct
  • Data Classification, Deletion, and Protection Policies
  • Encryption and Password Policies
  • Incident Response Plan
  • Physical Security Policy
  • Responsible Disclosure Policy
  • Risk Assessment Policy
  • Software Development Life Cycle Policy
  • System Access Management Policy
  • Vendor Management Policy
  • Vulnerability Management Policy

At Blue J, security compliance is overseen by our CTO, Brett Janssen.

 

Employee Training

During onboarding, new employees must complete Security Awareness training provided by a trusted vendor. This training must also be completed annually by all existing employees to ensure that security remains a top priority within the organization.

The Blue J Information Security Program policies must be read and accepted by employees during onboarding, and acceptance is renewed annually or whenever the policies change.

Development team staff also complete additional training, such as OWASP Top 10 security vulnerability training, which is likewise renewed annually.

 

Background checks

All Blue J employees are screened prior to employment using standard background checks provided by a trusted vendor. These checks include:

  • Verification of identity
  • National criminal records check
  • County criminal records check
  • Sex offender registry check (U.S. only)

 

Business Continuity and Disaster Recovery

Blue J’s Business Continuity and Disaster Recovery approach includes plans that are maintained and reviewed annually to ensure the business can react appropriately to large-scale, unplanned events. Our plans are tested and exercised annually, allowing us to continually refine our process in the absence of genuine events.

Regular backups and an Infrastructure as Code implementation of our hosting environments allow our operations team to react quickly and effectively in the event of a large-scale outage or disaster.

 

Security Incident Response

Blue J’s Information Security Program includes policies that are maintained and reviewed annually to ensure the business can react appropriately to unplanned or malicious events. This covers identifying, responding to, communicating and documenting the information related to a security incident. In the event of a data breach, Blue J will promptly report to the required parties to comply with all applicable regulatory requirements. Incident Response plans are tested and exercised annually, allowing us to continually refine our process in the absence of genuine events.

 

High Availability

Blue J achieves high availability by using multiple load balancers, servers and datastores for redundancy. In addition to redundancy, we have engineered our platform to self-heal so that most issues are recovered from quickly and automatically.

 

Continuous Security Control Monitoring

Blue J uses Drata’s automation platform to continuously monitor 100+ security controls across the organization. Automated alerts and evidence collection allow Blue J to confidently prove its security and compliance posture on any day of the year, while fostering a security-first mindset and a culture of compliance across the organization.

This includes monitoring of individual employee workstations to ensure that full-drive encryption, screen lock, a trusted password manager and malware protection are enabled at all times.

 

Employee Access

The System Access Control Policy defines how access to the Blue J network and its resources is managed. This includes adoption of the “Principle of Least Privilege”, which limits each employee’s access to the level required to perform their job function.

2FA (Two-Factor Authentication) is enforced for employee accounts, and an annual review of access levels is conducted to ensure that employees maintain an appropriate level of authorization.

 

Risk Management

Blue J performs annual, corporation-wide risk assessments across each of the Engineering, Human Resources (HR), Information Security, Finance, Sales and Legal departments. The assessment team uses a customized version of the Consensus Assessments Initiative Questionnaire (CAIQ) published by the Cloud Security Alliance (CSA). The questionnaire assists the team in both identifying and quantifying risks. Any identified risks are catalogued and subsequently actioned in a manner suited to the individual risk’s severity.

 

Application Security

Penetration Testing

An independent, third-party vendor provides Blue J with annual penetration testing. Mitigation and remediation of any vulnerabilities found during testing are prioritized within our Software Development Life Cycle.

 

Vulnerability Scanning

An independent, third-party vendor provides Blue J with quarterly vulnerability scanning. Mitigation and remediation of any vulnerabilities found during scanning are prioritized within our Software Development Life Cycle.

 

Physical Access Control

The Blue J Platform is hosted entirely in the cloud within AWS, in the us-east-1 (North Virginia) region. Blue J relies upon the security controls adopted by AWS to ensure the security of the physical computing environments hosting cloud-based resources.

 

Virtual Access Control

Access to cloud-hosted resources is controlled by AWS IAM, and authorization is granted on a “Principle of Least Privilege” basis, with annual reviews of authorization levels. We use BastionZero for secure remote access to server resources, which allows Secure Shell (SSH) access to be disabled and commonly attacked ports to remain closed.

 

Audit Logging

Blue J has implemented comprehensive logging of operations conducted within the application as well as within the infrastructure hosting the application. Application Performance Management (APM) with alerting provides a further layer of security and oversight.

 

Intrusion Detection and Prevention

Blue J benefits from the vendor-provided security controls enabled within the AWS cloud infrastructure. In addition, Blue J continually monitors our workloads for malicious activity via AI-enhanced threat detection software.

 

Software Development Life Cycle

Our Software Development Life Cycle policy defines the standard process we use to build our product at Blue J, which is consistent, repeatable and maintains information security at every stage. This includes the adoption of best practices such as:

  • A version control system tracks all code changes
  • Code changes are made via pull requests that require independent review and approval
  • Unit and integration tests run with every build
  • Manual testing complements automated testing to ensure quality
  • Code artifacts are promoted through a series of separate development and testing environments before reaching production servers
  • A CI/CD pipeline provides repeatable, predictable deployment of code changes
  • Infrastructure as Code manages changes to the hosting infrastructure and follows the same SDLC process

 

Email Security

The Blue J platform includes email notifications to support user collaboration across Workspaces. We have SPF and DKIM records set, and Domain-based Message Authentication, Reporting and Conformance (DMARC) set up for monitoring reports, to help prevent phishing scams that impersonate our domains. It is still strongly recommended that customers whitelist both the bluejlegal.com and bluej.com domains to ensure consistent user access to both notification emails and our products themselves.
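As an added example (not code from Blue J or from this page), a small parser that reads SPF and DMARC TXT records and tells a monitoring-only DMARC policy (p=none, reports only) from an enforcing one (quarantine/reject); the sample records and the example.com report mailbox are constructed, not Blue J’s real DNS data.

```python
"""Parse SPF and DMARC TXT records and tell a monitoring-only DMARC policy
(p=none) from an enforcing one (quarantine/reject). Added example; the
records below are constructed samples, not Blue J's real DNS data."""

# Constructed samples; the SPF one mirrors mail sent via Google Workspace
# and Mailgun, two of the vendors listed on this page.
SAMPLE_SPF = "v=spf1 include:_spf.google.com include:mailgun.org ~all"
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per check.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs (RFC 7489)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Classify a DMARC record: policy, enforcement, reporting and alignment."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    policy = tags.get("p", "").lower()
    return {
        "policy": policy,
        "enforcing": policy in ("quarantine", "reject"),   # p=none only reports
        "reporting": "rua" in tags,                         # aggregate reports on
        "strict_alignment": tags.get("adkim") == "s" and tags.get("aspf") == "s",
    }

def assess_spf(record: str) -> dict:
    """Return the 'all' qualifier and the DNS-lookup count of an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_MECHANISMS or name.startswith("redirect="):
            lookups += 1
        if name == "all":
            all_qualifier = qualifier   # "-" hard fail, "~" soft fail, "?" neutral
    return {"all": all_qualifier, "dns_lookups": lookups, "within_limit": lookups <= 10}
```

A DMARC record at p=none, as described for monitoring, collects reports but does not ask receivers to reject spoofed mail; moving to p=quarantine or p=reject is what makes the policy enforcing.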

 

Data Security

Backups

Automated full backups of all production databases occur daily, with incremental backups taken throughout the day at 5-minute intervals. Database backups are encrypted to the same standards as live production data.

 

Encryption

Data at rest is encrypted using the industry-standard AES-256 algorithm. Cryptographic keys are protected using AWS KMS (Key Management Service).

Data in transit is encrypted using HTTPS with Transport Layer Security (TLS) 1.2 as the minimum supported version.

 

Data Retention and Removal

Customer data is retained and protected by Blue J indefinitely unless a formal request for removal is received. Customers can submit a request for data removal by contacting their dedicated Customer Success Manager or our Data Protection Officer at security@bluejlegal.com.

 

Data Residency

All data is stored and processed in the United States, in the AWS us-east-1 (North Virginia) region. We do not currently offer the ability to store data in any other jurisdiction, and we do not currently offer an on-premises solution.

 

Vendors / Sub-Processors

Blue J depends on carefully selected vendors and sub-processors to build our product and provide our services. The following partners and their respective security practices have been reviewed in accordance with our Vendor Management Policy.

Name               Description
AWS                Infrastructure hosting
Auth0              Identity and access management
Catalyst           Customer support
BastionZero        Remote infrastructure access
Calendly           Appointment booking
Confluence         Documentation, collaboration and communication
Customer.io        Customer interactions
CircleCI           CI/CD pipeline
Datadog            Monitoring and alerting
Drata              Security and compliance management
Figma              Collaborative UX design
GitHub             Source code repository and dependency scanning (Dependabot)
Google             Email service and productivity provider
LinearB            Engineering workflow optimization tools
Mailgun            Customer interactions
Mixpanel           Product analytics
Notion             Documentation, collaboration and communication
PagerDuty          Alerting
Salesforce         Customer relationship management
Salesloft          Customer relationship management
Twilio – Segment   Segment: cloud-based customer data platform (CDP) tool
Sentry             Error alerting and monitoring
Slack              Collaboration and communication
Socratic           Task management
Sumo Logic         Logging

 

Disclosure of Vulnerabilities

If you believe you have discovered a bug or have another concern about Blue J’s security, please contact our security team at security@bluejlegal.com.