Security Overview

Last update: 1 March 2024
Zoolibrary provides software-as-a-service to legal practitioners and others with similar email, document, and workplace communication challenges. Zoolibrary allows users to achieve the benefits of email and document “filing” without the burden of actually having to “file”, saving users hours each day and avoiding numerous frustrations.
The (experienced) team at Zoolibrary is aware that achieving these benefits for its customers is only possible by building trust, and ensuring customer data and systems remain resilient against threats. The following sets out some of the measures that are in place.
Note: If you have additional questions regarding Zoolibrary’s security practices, please email us at security@zoolibrary.com.

1. Compliance

Zoolibrary is hosted on Amazon Web Services (“AWS”). AWS maintains several compliance and audit reports, including ISO 27001 and SOC 2. For more information about their certification and compliance, please visit the AWS Security website and AWS Compliance website.

2. Organisational Security

Privacy Policy

Zoolibrary adheres to a strict Privacy Policy, ensuring customer data is only used in a manner consistent with customer expectations and all applicable laws.

Information Security Policy

To protect the confidentiality, integrity and availability of information, all Zoolibrary employees are bound by a comprehensive Information Security Policy.

Security Awareness

All Zoolibrary employees complete Security Awareness Training annually.

Background Checks

Zoolibrary conducts comprehensive background checks, including criminal conviction checks, on all employees.

3. Operational Security

Penetration Testing

Zoolibrary engages independent professionals to conduct application-level penetration tests at least annually.

Identity and Access Management (IAM)

Access to Zoolibrary’s network and to applications that process customer data is managed centrally, requires multi-factor authentication, and is regularly audited.
Privileges are assigned based on a business need to perform a job role, and are revoked when that role changes or when employment is terminated.

Incident Management

In the event of a security incident, the Zoolibrary team initiates a documented incident response plan and procedures to identify, contain, and resolve the issue as quickly as possible.

Vendor Management

Zoolibrary has an established and documented process for engaging new vendors or suppliers, which involves inventorying the asset, a security risk assessment, and legal review.

4. Infrastructure and Endpoint Security

Endpoint security

All company-issued devices used by Zoolibrary employees are managed centrally and configured by Zoolibrary to comply with industry security standards, including:
Full disk encryption at rest, enabled firewalls, strong passwords, and automatic lock when idle.
Host-based agents installed for endpoint detection and response, and anti-malware.

System Monitoring, Logging, and Alerting

Zoolibrary closely monitors its infrastructure using a variety of tools to promptly alert for security events in the production environment, including critical changes and misconfigurations in the infrastructure, the presence of malware, and indicators of compromise.

Availability and Disaster Recovery

Zoolibrary’s infrastructure runs on fault-tolerant systems that are resilient to failures of individual servers or even of an entire data centre.
Zoolibrary performs daily snapshots of customer data with continuous transaction logs providing near-zero RPO. These backups are stored within Zoolibrary’s AWS environment for Zoolibrary’s own disaster recovery purposes.
Zoolibrary has personnel on-call 24/7 to respond to availability events, who are also familiar with denial of service (DoS) attacks and mitigation techniques.
Zoolibrary will promptly notify and keep customers up-to-date on availability and performance events through a public status page.

5. Application Security

Dependency Management

Zoolibrary employs reputable tooling to continuously monitor open-source software dependencies and container images for vulnerabilities.

Change Management

All changes, including configuration changes to production applications and infrastructure, are version controlled and explicitly authorised before being implemented in the production environment.

Data in Transit

All data in transit to and from Zoolibrary is protected with strong encryption protocols. Zoolibrary supports the latest recommended secure cipher suites to encrypt all traffic in transit, including TLS 1.2.

Data at Rest

All customer data is stored on AWS Relational Database Service (RDS) and AWS Simple Storage Service (S3) where data encryption at rest is enabled and enforced.

Protecting Authentication Data

To protect login credentials, Zoolibrary hashes user passwords using an implementation of the bcrypt algorithm. Bcrypt is an industry-standard technology that many other companies use for this same purpose.

Rate-limiting

Zoolibrary implements API rate limits to help insulate customers from performance issues and to protect against brute-force attacks.

Web Application Firewall (WAF)

All Internet-facing assets are fronted by AWS Web Application Firewall (WAF) to protect against common threats faced by web applications that can affect availability or compromise security.

Secret Management

All secret keys used to manage Zoolibrary’s product and application infrastructure are encrypted in AWS, where only authorised personnel have access to manage them.

Tenancy Isolation

Zoolibrary’s tenancy model uses shared database and compute resources. Each customer is allocated one or more logical tenants (called “workspaces”) within their organisation. Each workspace is geographically located according to the customer’s selection during setup, and isolation is ensured through application-level controls based on the unique tenant ID allocated to each workspace. Tenancy access checks are enforced at multiple layers within the application: during authentication and authorisation checks, and again at the document database layer.
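The layered tenant check described above, as an added illustration that is not Zoolibrary’s own code: a session is first checked for membership of the requested workspace, and the data layer then filters every read by tenant ID, so a document ID from another tenant looks the same as a missing one even if the application-level check were bypassed. Class and field names, and the sample workspaces and documents, are constructed for the example.

```python
from dataclasses import dataclass


class TenantMismatch(PermissionError):
    """Raised when a session tries to act in a workspace it is not a member of."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str
    workspace_ids: frozenset  # workspaces (tenants) this user belongs to


@dataclass(frozen=True)
class Document:
    doc_id: str
    tenant_id: str  # the workspace that owns the document
    title: str


class DocumentStore:
    """Data layer: every read is filtered by tenant_id, so there is no
    unscoped lookup that could return another tenant's document."""

    def __init__(self, docs):
        self._docs = {d.doc_id: d for d in docs}

    def get(self, tenant_id, doc_id):
        doc = self._docs.get(doc_id)
        if doc is None or doc.tenant_id != tenant_id:
            return None  # cross-tenant ids are indistinguishable from missing ones
        return doc


def authorise_workspace(principal, workspace_id):
    """Application layer: the authenticated session must belong to the workspace."""
    if workspace_id not in principal.workspace_ids:
        raise TenantMismatch(f"{principal.user_id} is not a member of {workspace_id}")
    return workspace_id


def fetch_document(store, principal, workspace_id, doc_id):
    """Both checks run on every request: membership first, then a tenant-scoped read."""
    tenant_id = authorise_workspace(principal, workspace_id)
    doc = store.get(tenant_id, doc_id)
    if doc is None:
        raise LookupError(f"{doc_id} not found in {workspace_id}")
    return doc


# Constructed sample data: two workspaces, one user who belongs to only one.
STORE = DocumentStore([
    Document("doc-1", "ws-acme", "Acme retainer"),
    Document("doc-2", "ws-globex", "Globex brief"),
])
ALICE = Principal("alice", "org-acme", frozenset({"ws-acme"}))
```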

Third-party Integration Keys

Integration keys are encrypted using AWS Key Management Service (KMS) prior to being stored at rest.

File Upload Scanning

Zoolibrary processes uploaded file attachments in an isolated environment, performing scanning using ClamAV, before a file is available for distribution via the product.

6. Product Security Features

User and Customer Data Deletion

Where data can be deleted by a customer, it is retained for a period of time to allow for undeletion or correction, after which it is permanently removed and cannot be restored. The default retention period is 28 calendar days, so that permanent deletion aligns with the time frames required by privacy legislation.

Data Portability

Zoolibrary provides customers with the ability to request access to JSON APIs that allow the extraction of all data captured within the Zoolibrary platform as needed, including the contents of any files or documents stored. All emails received and sent through the Zoolibrary platform via the Outlook 365 or Google mail connections are also retained in those source systems, providing additional avenues for data portability alongside the JSON APIs.

Ability to Rectify User or Customer Data

All data held in the Zoolibrary platform can be updated by customers excluding data intentionally made immutable (such as previous versions of documents and audit logs). Where immutable data must be updated for legal or legislative reasons, Zoolibrary’s customer support can assist with the execution of those changes as necessary.

Role-based Access Control (RBAC)

Zoolibrary uses role-based access control to restrict access to information, with support for roles scoped at the organisation, workspace and team levels. Additionally, individual content items (for example, documents, tasks, and notes) support further restrictions that control which users may view, edit, or manage permissions for each item, providing an additional level of access control.

Multi-factor Authentication (MFA)

Zoolibrary uses a leading IdPaaS (Auth0) for managing authentication to the Zoolibrary platform. This platform provides support for Social logins via Google, Microsoft, and Apple, as well as support for MFA and Passkeys. For new customers Zoolibrary recommends utilising passkeys, as these provide the strongest level of protection for credentials. Zoolibrary also supports connections to all popular enterprise user directories (based on your Zoolibrary licence level).

Audit logs

Zoolibrary utilises an event-driven architecture, ensuring that all changes over time are captured with full fidelity. Each event captured in the system is attributed with timestamps, identifying information about the user who made the changes, tenant information, user agent and IP address information. Raw event information is available upon request to assist with any forensic enquiries as necessary. An API to expose this information is planned.

Monitoring

Zoolibrary uses a variety of technologies to monitor for threats and vulnerabilities within the platform. These include package and container vulnerability scanning, intrusion and intelligent threat detection, as well as anomaly monitoring and crash reporting. Technologies used to achieve this include Honeycomb, Sentry, Dependabot, AWS Inspector, AWS GuardDuty and AWS Config. Our monitoring is designed to automatically alert our out-of-hours support team in case of issues so they can respond in a timely manner.

7. Physical Security

Remote Working

Zoolibrary employees can work from a remote location. In these circumstances, we ensure Zoolibrary’s Information Security Policy is followed, with appropriate security controls on the endpoint and the services being accessed remotely.

AWS Data Centers

Zoolibrary houses the entirety of its production infrastructure in AWS data centres. More information on their comprehensive physical security practices can be found here: https://aws.amazon.com/compliance/data-center/data-centers/