LEAP Security Policy
This LEAP Security Policy (“LSP”) governs the processing of Personal Data provided by the Subscriber in connection with their use of the LEAP Services and is incorporated into the Agreement. In the event of any conflict between the Agreement and the LSP, this LSP will prevail.
- The Subscriber’s Compliance with GDPR
The Subscriber agrees that they are a Data Controller and that LEAP is a Data Processor for the purposes of processing Personal Data. The Subscriber shall at all times comply with the GDPR in connection with the processing of Personal Data. The Subscriber shall ensure all instructions given by it to LEAP in respect of Personal Data shall at all times be in accordance with the GDPR.
- LEAP’s Compliance with GDPR
2.1 LEAP, acting as the Data Processor, shall process Personal Data in compliance with the obligations placed under it under the GDPR. LEAP shall:
(a) have technical and organisational measures in place, having regard to the state of technological development and the cost of implementing any measures, against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by it, appropriate to the harm that might result from such unauthorised or unlawful processing or loss, destruction or damage to Personal Data and the nature of the Personal Data;
(b) take reasonable steps, having regard to the state of technological development and the cost of implementing any measures, to ensure the reliability of any of its staff who have access to Personal Data processed in connection with the Terms and Conditions;
(c) not transfer the Personal Data provided by the Subscriber to a country or territory outside the EEA without ensuring the Personal Data is afforded adequate protection within the meaning of the GDPR;
(d) promptly inform the Subscriber, if in LEAP’s opinion, any of the instructions regarding the processing of Personal Data provided by the Subscriber, breach any applicable data protection laws.
(e) use reasonable endeavours to assist Subscriber by implementing appropriate technical and organisational measures (insofar as this is possible taking into account the nature of the Processing), for the fulfilment of Subscriber’s obligation to respond to requests for exercising Data Subject rights laid down GDPR; and
(f) act only on instructions from the Subscriber or the Regulator in respect of any Personal Data processed by LEAP. The parties acknowledge and agree that the Agreement (subject to any changes to the LEAP Services agreed between the parties) and this LSP shall be the Subscriber’s complete and final instructions to LEAP in relation to the processing of Subscriber Personal Data;
2.2 The Subscriber acknowledges that, with certain exceptions, LEAP does not have access to Personal Data and will require permission from a Subscriber if asked to provide services related to the LEAP Software. The Subscriber shall provide access to the LEAP personnel only on an as-needed basis and to terminate such access promptly after the need for such access has expired. In the performance of helpdesk support where file-sharing is used, it is the responsibility of the Subscriber to ensure that all sharing sessions are terminated.
- Data Ownership, Deletion and Portability
3.1 The Data contained within LEAP remains the property of the Subscriber.
3.2 If a Subscriber ends their Agreement, LEAP will retain the Subscribers Data for a period of seven (7) years before having it destroyed.
3.3 During the seven (7) years following termination, a subscription can be reactivated to gain access to the Data held.
3.4 The Subscriber can request that their Data is deleted upon their termination, or at any time before the seven (7) year expiration date.
3.5 LEAP will enable The Subscriber to delete Personal Data (email@example.com).
3.6 LEAP will enable The Subscriber to extract Personal Data on request.
- Data Sovereignty and Integrations
4.1 The Subscribers Data, including Personal Data, is housed in a highly available, active-active scalable solution situated in the ISO 27001 certified AWS datacentres in Dublin.
4.2 LEAP shall not engage any other Sub-Processor for carrying out any processing activities in respect of Personal Data without the Subscriber’s written authorisation and ensuring sufficient provision of compliance with GDPR including a contract.
- Data Encryption
5.1 Each LEAP application is accessed via HTTPS using Transport Layer Security (TLS). TLS is a cryptographic protocol designed to protect information transmitted over the internet, against eavesdropping, tampering, and message forgery.
5.2 All stored Data is encrypted at rest, using AES-256, military grade encryption. This is done to protect Data in the event a LEAP server is compromised by an unauthorised party.
- Technical and organisational measures
Taking into account the state of technical development and the nature of processing, LEAP shall implement and maintain the technical and organisational measures set out in Appendix 3 in respect to Articles 32 to 36 to protect the Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. Responsibility for Subject Access lies with the Subscriber as LEAP staff have no access to Personal Data contained in LEAP Services. Guidance can be provided on request.
LEAP shall, in accordance with GDPR, make available to the Subscriber such information that is in its possession or control as is necessary to demonstrate the LEAP's compliance with the obligations on each party imposed by Article 28 of the GDPR, and at the Subscriber’s expense, allow for and contribute to audits, including inspections, provided such audits or inspections are:
(a) limited in scope to matters specific to the Subscriber and agreed in advance;
(b) carried out during UK business hours and upon reasonable notice which shall be not less than 90-days notice unless an identifiable material issue has arisen; and
(c) conducted in a way which does not interfere with the LEAP’s day-to-day business.
- Information Security Personnel
LEAP has a dedicated team of Information Security Specialists who continually monitor the AWS infrastructure and LEAP Services. All employees, agents, officers and contractors involved in the handling of Personal Data:
(a) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential;
(b) have received appropriate training on their responsibilities as a Data processor; and
(c) comply with the terms of this LSP.
- Backup Policy and System Monitoring
LEAP servers are backed up multiple times daily, weekly and monthly, and are monitored 24 hours a day, 7 days a week, 365 days a year.
- Data Breaches
LEAP shall notify the Subscriber without undue delay and in writing on becoming aware of (and in any event within 72 hours of discovering) any Data Breach in respect of any Personal Data.
LEAP will take all commercially reasonable measures to secure the Personal Data, to limit the effects of any Data Breach, and to assist Subscriber in meeting their obligations under the GDPR.
If a vulnerability is identified or Data is available publicly outside of the LEAP Services, please contact LEAP immediately via firstname.lastname@example.org.
Appendix 1: Definitions
Unless otherwise defined in this policy, all terms in bold will have the meanings given them to them below:
Agreement means the agreement between the LEAP and the Subscriber for the provision of LEAP Services
AWS means Amazon Web Services based in the Dublin Region, acting as an agreed sub-processer
Data Breach has the meaning defined in the GDPR
Data Controller has the meaning defined in the GDPR
Data means all data entered into the LEAP Services
Data Processor has the meaning defined in the GDPR
EEA means the European Economic Area
GDPR means the General Data Protection Regulation (EU) 2016/679
ISO 27001 certification means an ISO/IEC 27001:2013 certification or a comparable certification for the Audited Services
LEAP means LEAP Legal Software Ltd and its associated entities of 10 John Street, London, WC1N 2EB
LEAP Services means the LEAP Desktop, iOS, Android, Web and LawConnect applications and all other future applications or services provided by LEAP, including the content available through the software such as forms, templates and legal forms and charges updates
Personal Data has the meaning defined in the GDPR
Regulator means the Solicitors Regulatory Authority, The Law Society of Scotland, The Law Society of Northern Ireland or The Law Society of Ireland
Subscriber means a person or organisation who pays monthly for access to the LEAP Services
Sub-Processor means another Data Processor engaged by LEAP to carry out processing activities in respect of Personal Data on behalf of the Subscriber
Term means the period from the installation date until the end of LEAP’s provision of the LEAP Services, including, if applicable, any period during which provision of the LEAP Services may be suspended and any post-termination period during which LEAP may continue providing the LEAP Services for transitional purposes
Terms and Conditions means the supply and support terms and conditions contained in the Agreement
Appendix 2: Subject Matter and Details of the Data Processing
LEAP’s provision of the LEAP Services to The Subscriber.
Duration of the Processing
The Term plus the period from the expiry of the Term until deletion of all Data by LEAP in accordance with the Security Policy
Nature and Purpose of the Processing
LEAP will process Personal Data for the purposes of providing the LEAP Services to the Subscriber in accordance with this LSP
Categories of Data
Data relating to individuals provided to LEAP via the LEAP Services, by (or at the direction of) the Subscriber or by the Subscriber’s customer
Data subjects include the individuals about whom data is provided to LEAP via the Services by (or at the direction of) the Subscriber or by the Subscriber’s customer
Appendix 3: Technical Measures
Data subjects include the individuals about whom Data is provided to LEAP via the LEAP Services by (or at the direction of) the Subscriber or by the Subscriber’s customer
- Local & Network Firewalls
- Web Application Firewalls
- Intrusion Detection & Prevention Systems
- Multivendor Anti-Virus
- Application White Listing
- DDoS Throttling Services
- Access Control Lists
- Security Patch Management
- ITIL Framework (release/incident/change)
- Identity and Access Management
- Centralised Log Management
- Symmetric and Asymmetric Encryption systems
- Two Factor Authentication
- Secure Code reviews
- Separation of Duties
- Data Loss Prevention
- Vulnerability Assessment
- Anomaly Detection
- Externally commissioned penetration testing
- Externally commissioned audits
- Remote Monitoring & Alerting