Introduction

In the digital world, security is crucial, and we recognise that security is of paramount importance to public sector agencies. This post outlines key security measures for the overall Contract Foundry solution, focusing on the Contract Foundry’s website management, our web host WPEngine, and our document automation tool provider, Gavel.

But first, let’s talk about data minimisation

Before we get to security measures, it’s worth noting that we’ve built the Contract Foundry in a way that minimises our collection of personal information and any need for you to enter commercially sensitive information.

So far as personal information is concerned, to create an account, we only collect your name and email address.

When it comes to using the Contract Foundry’s three main offerings, you can:

  • dip into the knowledge base without disclosing any additional personal information to us;
  • dip into the clause library without disclosing any additional personal information to us; and
  • use the contract builders without having to enter any personal or confidential information if you wish.

To give an example of the third point, the MSA builder and the GMC builder have each been built in a way that enables you to bypass questions which, if answered, could entail the entry of personal or commercially sensitive information. You can answer those questions if you’d like to (and you can even enter dummy data if you wish), but you can also bypass them completely and focus on building the structure of your contract (with any optional terms, statement of work templates, etc.), and then enter the personal and commercially sensitive information in your own environment once you’ve downloaded the draft contract.

Security measures

Right, let’s get back to those security measures.

Contract Foundry website management

The Contract Foundry website runs on a content management system. We employ several security measures to keep it safe:

  • SSL/TLS certificates: These certificates allow our website and services to operate using HTTPS, a secure protocol for information exchange. Any data submitted to our site is encrypted in transit.
  • Two-factor authentication: Access to the website’s backend/administrative area requires two-factor authentication. This measure provides an additional layer of security to prevent unauthorised access.
  • Payment security: We use Stripe for processing payments. Credit card details are collected and securely stored by Stripe, ensuring that we do not handle or store this information.
  • Endpoint firewall and malware scanners: Our website uses an endpoint firewall and a malware scanner. These controls are updated with new firewall rules, malware signatures, and malicious IP addresses.
  • Data retention: We do not retain a local copy of the documents you generate. The data entered to produce a document is stored temporarily and is deleted every week, or sooner upon request.
  • Hosting: Our website is hosted by WPEngine, a leading hosting provider with robust security controls, on the Amazon Web Services platform in Sydney, Australia.

WPEngine: web hosting security measures

WPEngine, our web hosting provider, has implemented numerous security measures:

  • Continuous monitoring and threat detection: WPEngine uses continuous monitoring and proactive threat detection systems to maintain site security.
  • Automated updates: WPEngine deploys automated updates to WordPress, maintaining site security with the latest patches.
  • Compliance standards: WPEngine is SOC 2 compliant and ISO 27001:2013 certified. These certifications attest to the provider’s adherence to recognised standards in the information security field.
  • Insight and control: WPEngine offers activity logs and dashboards for site management, allowing website administrators to better understand and manage their site’s security.
  • Security team support: WPEngine maintains a dedicated security team that monitors security feeds and provides proactive security alerts to users.
  • Firewall: WPEngine uses a proprietary firewall to automatically classify and route good, bad and malicious traffic. A number of checks allow its system to determine which traffic should be allowed, such as real human traffic or search engine crawlers, and which traffic should not, such as malicious activity or scraping bots. WPEngine also automatically prevents certain files, file types and directories from being publicly accessible.
  • Penetration testing: WPEngine contracts with a third-party vendor to perform penetration testing.
  • Encryption: All data on WPEngine servers is encrypted at rest and in transit, and site backups are also encrypted.
  • Security baselines to harden and secure IT systems: WPEngine’s security firms establish baselines and ensure WPEngine is adhering to them.
  • Two-factor authentication: We have two-factor authentication enabled for access to the WPEngine administration portal.

Gavel: Security measures for document automation

Gavel is the third-party service we use for our contract builders. It provides several security measures:

  • Continuous monitoring: Gavel constantly monitors for potential vulnerabilities and regularly updates its code and systems configuration to protect user data. It also maintains high standards for code quality, mandatory code reviews, and internal security consultations.
  • Isolated databases: Each Gavel customer is set up on their own subdomain and isolated database.
  • Regular security tests: Gavel works annually with a leading cybersecurity firm that tests the software to ensure its platform is secure.
  • Data collection, transfer, and storage: All data collected and transmitted is encrypted in transit and at rest using industry best practices, including Transport Layer Security (TLS). User data is encrypted at rest with AES-256 encryption in AWS data centers. AWS data centers are managed in accordance with SOC 1-3, PCI DSS Level 1, and ISO 9001/ISO 27001.
  • Internal security protocols: Gavel enforces physical, technical, and administrative protocols, including but not limited to two-factor authentication, background checks, regular employee security training, and secure access policies.
  • Two-factor authentication: We at the Contract Foundry have enabled two-factor authentication for access to the Gavel administration area.