Zoolibrary provides software-as-a-service to legal practitioners and others with similar email, document, and workplace communication challenges. Zoolibrary allows users to achieve the benefits of email and document “filing” without the burden of actually having to “file”, saving users hours each day and avoiding numerous frustrations.
The (experienced) team at Zoolibrary is aware that achieving these benefits for its customers is only possible by building trust, and ensuring customer data and systems remain resilient against threats. The following sets out some of the measures that are in place.
Note: If you have additional questions regarding Zoolibrary’s security practices, please email us at security@zoolibrary.com.
Zoolibrary has certified its operational and security controls against SOC 2 Type I with an independent AICPA-accredited auditor.
You can request a copy of the report by emailing security@zoolibrary.com; or, for more information about Zoolibrary’s continuously monitored internal control environment, visit our Trust Centre.
Zoolibrary completes an annual CASA Tier 2 security assessment, independently verified by an authorised lab, in order to provide pre-built integrations with Google’s Gmail.
Zoolibrary is hosted on Amazon Web Services (AWS). AWS maintains several compliance and audit reports, including ISO 27001 and SOC 2. For more information about AWS certification and compliance, please visit the AWS Security website and AWS Compliance website.
Zoolibrary adheres to a strict Privacy Policy, ensuring customer data is only used in a manner consistent with customer expectations and all applicable laws.
To protect the confidentiality, integrity and availability of information, all Zoolibrary employees are bound by a comprehensive Information Security Policy.
All Zoolibrary employees complete Security Awareness Training annually.
Zoolibrary conducts comprehensive background checks, including criminal conviction checks, on all employees and contractors.
Zoolibrary maintains an established Vulnerability Management Policy that supports identifying technical vulnerabilities through a range of capabilities, including:
Engaging independent professionals to conduct application-level penetration tests at least annually;
Third-party vulnerability scanning assessments, aligned with CASA requirements;
Static code analysis with coverage across both Zoolibrary’s product and infrastructure; and
Dynamic security analysis and testing.
Access to Zoolibrary’s network and to the applications that process customer data is managed centrally, requires multi-factor authentication, and is regularly audited.
Privileges are assigned based on a business need to perform a job role, and are revoked when that role changes or when employment is terminated.
In the event of a security incident, the Zoolibrary team initiates a documented incident response plan and procedures to identify, contain, and resolve the issue as quickly as possible.
Zoolibrary has an established and documented process for engaging new vendors or suppliers, which involves an inventory of the asset, a security risk assessment, and legal review.
All company devices issued to Zoolibrary employees are managed centrally and configured by Zoolibrary to comply with industry standards for security, including:
Full disk encryption at rest, enabled firewalls, strong passwords, and automatic lock when idle.
Host-based agents installed for endpoint detection and response, and anti-malware.
Zoolibrary’s production environment uses a serverless compute architecture to manage its container workloads with hardened images, enhancing security through isolation and minimising components.
Zoolibrary closely monitors its infrastructure using a variety of tools to promptly alert for security events in the production environment, including critical changes and misconfigurations in the infrastructure, the presence of malware, and indicators of compromise.
Zoolibrary’s infrastructure runs on systems that are fault tolerant and resilient to the failure of individual servers or even an entire data centre.
Zoolibrary performs daily snapshots of customer data, with continuous transaction logs providing a near-zero recovery point objective (RPO). These backups are stored within Zoolibrary’s AWS environment and tested periodically for Zoolibrary’s own disaster recovery purposes.
Zoolibrary has personnel on-call 24/7 to respond to availability events, who are also familiar with denial of service (DoS) attacks and mitigation techniques.
Zoolibrary will promptly notify and keep customers up-to-date on availability and performance events through a public status page.
Zoolibrary employs reputable tooling to continuously monitor open-source software dependencies and container images for vulnerabilities.
All changes, including configuration changes to production applications and infrastructure, are version controlled and explicitly authorised before being implemented in the production environment.
Zoolibrary maintains separate development, testing and production environments, and does not use production data within development and testing environments.
All data transmitted to and from Zoolibrary is protected by strong encryption protocols. Zoolibrary supports the latest recommended secure cipher suites to encrypt all traffic in transit, including TLS 1.2.
All customer data is stored on AWS Relational Database Service (RDS) and AWS Simple Storage Service (S3) where data encryption at rest is enabled and enforced.
To protect login credentials, Zoolibrary hashes user passwords using an implementation of the bcrypt algorithm. Bcrypt is an industry-standard technology that many other companies use for this same purpose.
Zoolibrary implements API rate limits to help insulate customers from performance issues and to protect against brute-force attacks.
All Internet-facing assets are fronted by AWS Web Application Firewall (WAF) to protect against common threats faced by web applications that can affect availability or compromise security.
All secret keys used to manage Zoolibrary’s product and application infrastructure are encrypted in AWS, where only authorised personnel have access to manage them.
Zoolibrary’s tenancy model uses shared database and compute resources. Each customer is allocated one or more logical tenants (called “workspaces”) within their organisation. Each workspace is geographically located according to the region the customer selects during setup, and isolation is ensured through application-level controls keyed on the unique tenant Id allocated to that workspace. Tenancy access checks are enforced at multiple layers within the application: during authentication and authorisation checks, and again at the document database layer.
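The layered check described above, as an added illustration that is not Zoolibrary's own code: the service layer refuses any request for a workspace the caller's session is not scoped to, and the repository independently filters every lookup by tenant Id, so a document belonging to another tenant comes back empty even if the first check were bypassed. The `Session`, `DocumentRepository` and `DocumentService` names, and the sample tenants and documents, are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Document:
    doc_id: str
    tenant_id: str  # the workspace that owns this document
    title: str


@dataclass
class Session:
    user_id: str
    tenant_ids: Set[str]  # workspaces this authenticated session is scoped to


class DocumentRepository:
    """Data layer: every query is scoped by tenant_id, never by doc_id alone."""

    def __init__(self, docs):
        # One shared store for all tenants, mirroring a shared database.
        self._docs: Dict[str, Document] = {d.doc_id: d for d in docs}

    def find(self, tenant_id: str, doc_id: str) -> Optional[Document]:
        doc = self._docs.get(doc_id)
        # Second layer of defence: a doc_id that exists but belongs to a
        # different tenant is treated exactly like a missing document.
        if doc is None or doc.tenant_id != tenant_id:
            return None
        return doc


class DocumentService:
    """Application layer: authorisation check before the data layer is touched."""

    def __init__(self, repo: DocumentRepository):
        self._repo = repo

    def get_document(self, session: Session, tenant_id: str, doc_id: str) -> Optional[Document]:
        # First layer of defence: the session must be a member of the workspace.
        if tenant_id not in session.tenant_ids:
            raise PermissionError(
                f"user {session.user_id} is not scoped to tenant {tenant_id}"
            )
        return self._repo.find(tenant_id, doc_id)


# Constructed sample data: two workspaces sharing one document store.
REPO = DocumentRepository([
    Document("doc-1", "tenant-acme", "Acme brief"),
    Document("doc-2", "tenant-globex", "Globex contract"),
])
SERVICE = DocumentService(REPO)
ALICE = Session("alice", {"tenant-acme"})  # member of tenant-acme only


def cross_tenant_lookup_is_rejected() -> bool:
    """True when Alice's request for Globex's document is blocked at layer one."""
    try:
        SERVICE.get_document(ALICE, "tenant-globex", "doc-2")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(SERVICE.get_document(ALICE, "tenant-acme", "doc-1").title)  # Acme brief
    print(cross_tenant_lookup_is_rejected())                            # True
    # Even a direct repository call with the wrong tenant returns nothing.
    print(REPO.find("tenant-acme", "doc-2"))                            # None
```

The point of the second check is that the tenant Id comes from the authenticated context, not from the request, so a caller who guesses another workspace's document identifier still gets an empty result.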
Integration keys are encrypted using AWS Key Management Service (KMS) prior to being stored at rest.
Zoolibrary processes file attachments in an isolated environment, performing scanning to detect the potential presence of malware, before a file is available for distribution via the product.
Where data can be deleted by a customer, it is retained for a period of time to allow for undeletion or correction, after which it is permanently removed and cannot be restored. The default retention period is 28 calendar days, so that permanent deletion aligns with the time frames required by privacy legislation.
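A soft-delete lifecycle that implements the retention behaviour described above, added here as an example rather than taken from Zoolibrary's platform: a deleted record disappears from normal reads immediately, can be restored inside the window, and is physically purged once the window has elapsed. The `RecordStore` class, the `RETENTION` constant (set to the page's 28-day default) and the sample timestamps are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RETENTION = timedelta(days=28)  # default retention period stated on the page


@dataclass
class Record:
    record_id: str
    body: str
    deleted_at: Optional[datetime] = None  # None while the record is live


class RecordStore:
    """In-memory store with soft delete, time-limited undelete and hard purge."""

    def __init__(self):
        self._records: Dict[str, Record] = {}

    def put(self, record: Record) -> None:
        self._records[record.record_id] = record

    def get(self, record_id: str) -> Optional[Record]:
        # Normal reads never surface soft-deleted records.
        r = self._records.get(record_id)
        return None if r is None or r.deleted_at is not None else r

    def soft_delete(self, record_id: str, now: datetime) -> bool:
        r = self._records.get(record_id)
        if r is None or r.deleted_at is not None:
            return False
        r.deleted_at = now  # start the retention clock
        return True

    def undelete(self, record_id: str, now: datetime) -> bool:
        r = self._records.get(record_id)
        if r is None or r.deleted_at is None:
            return False
        if now - r.deleted_at >= RETENTION:
            return False  # window closed; the purge job owns it from here
        r.deleted_at = None
        return True

    def purge_expired(self, now: datetime) -> List[str]:
        """Permanently remove everything whose retention window has passed."""
        expired = [
            rid for rid, r in self._records.items()
            if r.deleted_at is not None and now - r.deleted_at >= RETENTION
        ]
        for rid in expired:
            del self._records[rid]  # irreversible
        return expired


def demo_retention_lifecycle() -> List[bool]:
    """Walk one record through delete, restore, delete again and purge.

    Returns the outcome of each step so the sequence can be checked.
    """
    store = RecordStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
    store.put(Record("note-1", "draft advice"))
    return [
        store.soft_delete("note-1", t0),                        # True: deleted
        store.get("note-1") is None,                            # True: hidden from reads
        store.undelete("note-1", t0 + timedelta(days=27)),      # True: inside window
        store.get("note-1") is not None,                        # True: visible again
        store.soft_delete("note-1", t0),                        # True: deleted again
        store.purge_expired(t0 + timedelta(days=27)) == [],     # True: not yet purgeable
        store.purge_expired(t0 + timedelta(days=28)) == ["note-1"],  # True: purged on day 28
        store.undelete("note-1", t0 + timedelta(days=29)),      # False: gone for good
    ]


if __name__ == "__main__":
    print(demo_retention_lifecycle())
```

The purge is the only irreversible operation, and it runs against a timestamp rather than a flag, which keeps the permanent-deletion guarantee auditable: the time a record left the system is always `deleted_at + RETENTION` or later.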
Zoolibrary provides customers with the ability to request access to JSON APIs for extracting all data captured within the Zoolibrary platform as needed, including the contents of any stored files or documents. All emails received and sent through the Zoolibrary platform via the Outlook 365 or Google mail connections are also retained in those source systems, providing an additional avenue for data portability alongside the JSON APIs.
All data held in the Zoolibrary platform can be updated by customers excluding data intentionally made immutable (such as previous versions of documents and audit logs). Where immutable data must be updated for legal or legislative reasons, Zoolibrary’s customer support can assist with the execution of those changes as necessary.
Zoolibrary utilises role-based access control to restrict access to information, with support for roles scoped at the organisation, workspace and team levels. Additionally, individual content items (for example, documents, tasks, and notes) support further restrictions that control which users may view, edit or manage permissions for each item, providing an additional level of access control.
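A small permission resolver, added as an example and not Zoolibrary's own implementation, showing how scope-level roles and per-item restrictions can combine. The role names, the rule that an item's explicit restriction list replaces the scope-derived permissions (so an unlisted organisation admin loses access to a restricted item), and the sample users and items are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Hypothetical roles and the permissions they carry.
ROLE_PERMS: Dict[str, Set[str]] = {
    "viewer": {"view"},
    "editor": {"view", "edit"},
    "admin": {"view", "edit", "manage_permissions"},
}


@dataclass
class User:
    user_id: str
    # (scope level, scope id) -> role, e.g. ("workspace", "ws-1") -> "editor"
    roles: Dict[Tuple[str, str], str] = field(default_factory=dict)


@dataclass
class Item:
    item_id: str
    org_id: str
    workspace_id: str
    team_id: str
    # Optional per-item restriction: user_id -> permissions granted on this item.
    restricted_to: Dict[str, Set[str]] = field(default_factory=dict)


def scoped_permissions(user: User, item: Item) -> Set[str]:
    """Union of permissions from the user's roles at each scope the item sits in."""
    perms: Set[str] = set()
    for level, scope_id in (
        ("organisation", item.org_id),
        ("workspace", item.workspace_id),
        ("team", item.team_id),
    ):
        role = user.roles.get((level, scope_id))
        if role is not None:
            perms |= ROLE_PERMS[role]
    return perms


def effective_permissions(user: User, item: Item) -> Set[str]:
    """Apply the item-level restriction, if any, on top of scope-derived roles."""
    if item.restricted_to:
        # Assumption: a restriction list narrows access to exactly the listed
        # users with exactly the listed permissions.
        return set(item.restricted_to.get(user.user_id, set()))
    return scoped_permissions(user, item)


def can(user: User, item: Item, action: str) -> bool:
    return action in effective_permissions(user, item)


# Constructed sample principals and content.
ORG_ADMIN = User("dana", {("organisation", "org-1"): "admin"})
TEAM_VIEWER = User("sam", {("team", "team-lit"): "viewer"})
OPEN_DOC = Item("doc-open", "org-1", "ws-1", "team-lit")
RESTRICTED_DOC = Item(
    "doc-private", "org-1", "ws-1", "team-lit",
    restricted_to={"sam": {"view", "edit"}},  # only Sam, and only these two
)

if __name__ == "__main__":
    print(sorted(effective_permissions(ORG_ADMIN, OPEN_DOC)))        # all three
    print(can(TEAM_VIEWER, OPEN_DOC, "edit"))                        # False
    print(can(ORG_ADMIN, RESTRICTED_DOC, "view"))                    # False
    print(sorted(effective_permissions(TEAM_VIEWER, RESTRICTED_DOC)))  # ['edit', 'view']
```

Keeping the resolver as a single function that every read and write path calls is what makes the item-level restriction meaningful; a second code path that checks only the scope roles would silently reopen restricted items.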
Zoolibrary uses a leading IdPaaS (Auth0) for managing authentication to the Zoolibrary platform. This platform provides support for social logins via Google, Microsoft, and Apple, as well as support for MFA and passkeys. For new customers, Zoolibrary recommends utilising passkeys, as these provide the strongest level of protection for credentials. Zoolibrary also supports connections to all popular enterprise user directories (depending on your Zoolibrary licence level).
Zoolibrary mandates Multi-factor Authentication (MFA) for all users of the platform.
Zoolibrary utilises an event-driven architecture, ensuring that all changes over time are captured with full fidelity. Each event captured in the system is attributed with timestamps, identifying information about the user who made the changes, tenant information, user agent and IP address information. Raw event information is available upon request to assist with any forensic enquiries as necessary. An API to expose this information is planned.
Zoolibrary utilises a variety of technologies to monitor for threats and vulnerabilities within the platform. These include package and container vulnerability scanning, intrusion and intelligent threat detection, anomaly monitoring, and crash reporting. Technologies used to achieve this include Honeycomb, Sentry, Dependabot, Amazon Inspector, Amazon GuardDuty and AWS Config. Our monitoring is designed to automatically alert our out-of-hours support team in case of issues so they can respond in a timely manner.
Zoolibrary employees can work from a remote location. In these circumstances, we ensure Zoolibrary’s Information Security Policy is followed, with appropriate security controls on the endpoint and the services being accessed remotely.
Zoolibrary houses the entirety of its production infrastructure in AWS data centres; more information on their comprehensive physical security practices can be found here: https://aws.amazon.com/compliance/data-center/data-centers/