Trust Center

Compliance

GDPR
ISO 27001:2022
SOC 2

Controls

Infrastructure security
Logical infrastructure segmentation
The infrastructure is segmented into logically isolated zones to separate workloads and limit lateral movement. Segmentation is enforced through clearly defined network boundaries and access rules.
Network access control
All inbound and outbound traffic is explicitly managed using access control policies. Only approved protocols and endpoints are permitted, and default-deny principles are applied wherever applicable.
Perimeter protection
Web-facing services are protected by traffic inspection and filtering mechanisms capable of identifying and blocking common threats and malicious patterns.
Encrypted communication
All communication between system components and external endpoints is encrypted using current, secure protocols. Encryption in transit is enforced by default.
Privileged access restriction
Access to infrastructure management functions is restricted to a limited number of authorized individuals and is granted based on necessity and role. All elevated access is logged and subject to oversight.
Remote access security
Remote administrative access is protected by network restrictions, strong authentication, and session control. Direct access to infrastructure components is not allowed from untrusted networks.
Secrets and credential protection
Sensitive credentials, keys, and tokens are managed securely and are never embedded in code or exposed through public interfaces. Access to secrets is tightly controlled and monitored.
System identity management
Non-human system components authenticate and interact using managed identities or isolated credentials. Identity boundaries are enforced between systems and services.
Infrastructure change management
Changes to infrastructure are planned, documented, reviewed, and deployed through controlled processes. All changes are logged, traceable, and subject to approval workflows.
Patch and configuration maintenance
Infrastructure components are regularly updated and configured according to security baselines. Deviations from expected configurations are monitored and remediated.
Monitoring and detection
The infrastructure is continuously monitored for anomalies, unauthorized changes, and indicators of compromise. Security alerts are evaluated and acted upon in accordance with defined procedures.
Log collection and retention
Infrastructure events, access records, and changes are logged. Logs are stored securely and retained for a period that supports auditability and forensic analysis.
Infrastructure time consistency
System clocks across infrastructure components are synchronized to a trusted time source to ensure consistency in event logging and coordination.
System hardening
Infrastructure systems are deployed with only the necessary services enabled. Default credentials and unnecessary components are removed prior to deployment.
Service provisioning security
Infrastructure services are provisioned through controlled methods that enforce consistency, security configuration, and alignment with organizational standards.
Isolation of sensitive workloads
Isolation of sensitive workloads
Workloads that handle sensitive or regulated data are logically and physically isolated from non-sensitive services. This ensures independent control and risk containment.
Capacity and resource planning
Infrastructure capacity is continuously monitored and adjusted to maintain availability and performance. Scaling is planned to avoid resource exhaustion or service degradation.
Resilience and fault tolerance
Infrastructure is designed to tolerate component failures and to support recovery without loss of integrity or availability. Redundancy is built into critical systems.
Denial-of-service mitigation
Mechanisms are in place to detect and mitigate denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, helping ensure service continuity under adverse conditions.
Decommissioning and disposal of resources
Infrastructure components are securely decommissioned when no longer needed. Data is removed, access revoked, and configurations sanitized according to security policies.
Organizational Security
Defined security responsibilities
Roles and responsibilities related to information security are clearly assigned across the organization. Personnel are informed of their obligations and are expected to act accordingly to protect organizational systems and data.
Onboarding and offboarding procedures
Procedures are in place to manage access and responsibilities when personnel join, change roles, or leave the organization. This includes timely provisioning and revocation of access to systems and assets.
Confidentiality obligations
All personnel and relevant third parties are subject to confidentiality requirements. These are formalized through agreements and reinforced through training and awareness.
Security training and awareness
Employees and contractors receive regular security training relevant to their role. Training covers both general awareness and specific operational procedures.
Competence and capability
The organization ensures that individuals working with or around sensitive systems or data possess appropriate knowledge and experience. Ongoing development is supported through training and evaluation.
Acceptable use and conduct
Clear rules are established for acceptable use of organizational systems and assets. Personnel are required to follow these rules as a condition of employment or engagement.
Asset accountability
Responsibilities for organizational assets are defined, and ownership is assigned. Personnel are required to return any assets in their possession when their engagement ends.
Security during role transitions
Information security responsibilities are maintained and communicated during internal transfers or changes in job role. Any required adjustments to access or duties are handled through formal processes.
Information handling requirements
Personnel are instructed in the appropriate classification, storage, and handling of information according to its sensitivity, and are expected to comply with documented procedures.
Security policy communication
The organization's security objectives, expectations, and key requirements are communicated to personnel and relevant stakeholders through documented policies and briefings.
Screening and due diligence
Where appropriate and permitted by law, background screening is conducted on individuals in roles with elevated access or security responsibilities.
Incident response awareness
All personnel are made aware of how to recognize and report potential security incidents. Clear reporting lines and procedures are documented and communicated.
Operational discipline
The organization ensures that personnel operate within controlled and documented procedures, including change management, review of deviations, and process validation.
Use of external personnel or service providers
Security requirements are extended to third-party individuals and providers. Roles, responsibilities, and expectations are formalized in agreements and subject to oversight.
Workspace and information protection
Rules for protecting workspaces—such as clear desk and clear screen practices—are defined and communicated. These practices are reinforced through physical and digital controls.
Governance of organizational change
Security implications are assessed and addressed during organizational changes, such as restructuring, outsourcing, or technology transitions.
Physical access control
Where relevant, access to organizational facilities or restricted areas is limited to authorized individuals and subject to physical controls and monitoring.
Security considerations for equipment
Equipment used for processing or storing information is sited and protected to reduce the risk of unauthorized access, environmental damage, or interference.
Continuity of organizational responsibilities
Processes are in place to ensure that information security duties continue to be fulfilled during absences, transitions, or changes in organizational structure.
Product Security
Controlled access to development assets
Access to source code, development environments, build pipelines and third-party libraries is restricted based on role and business need. Write access is limited to authorized personnel, and all changes are tracked.
Secure software development practices
A structured approach to software development is followed, incorporating secure design principles, threat modeling, and code quality controls throughout the development lifecycle.
Coding standards and security guidelines
Developers follow defined secure coding guidelines that are reviewed and updated regularly. These standards aim to prevent common vulnerabilities and ensure consistent implementation across the codebase.
Automated and manual security testing
Security testing is integrated into the development workflow and includes both automated and manual methods. Findings are triaged, remediated, and verified before deployment to production environments.
Environment separation and control
Development, testing and production environments are logically separated to prevent unauthorized access, data leakage or cross-environment interference. Each environment is subject to appropriate access restrictions and configuration standards.
Protection of test data
Test data is managed in accordance with organizational data handling requirements. Use of real user data in non-production environments is avoided or subject to strict masking and access control measures.
Change management and peer review
All changes to product code are subject to peer review and must follow documented change management processes. Reviews are intended to identify both functional and security-related issues before merging or deployment.
Dependency and third-party risk management
Software dependencies and open-source libraries are regularly reviewed for vulnerabilities. Patching and updates follow defined procedures to ensure timely mitigation of risks introduced by external components.
Secure deployment pipeline
Build and deployment pipelines are configured with access control, audit logging and integrity validation. Credentials and secrets used during deployment are securely managed and rotated as needed.
Incident response integration
The product development lifecycle incorporates defined steps for responding to vulnerabilities discovered post-deployment, including procedures for triage, patching, communication and verification.
Internal Security Procedures
Information security governance framework
The organization maintains a structured and documented framework for managing information security, with defined roles, responsibilities, and escalation paths across operational and strategic levels.
Regulatory and contractual compliance
Relevant legal, regulatory, and contractual obligations related to information security are identified, reviewed regularly, and integrated into internal processes and procedures.
Leadership involvement and oversight
Management actively supports and governs the information security program, ensuring it is resourced appropriately and aligned with the organization's strategic objectives.
Security policy management
Information security policies and supporting guidelines are formally documented, reviewed at regular intervals, and communicated to relevant stakeholders.
Risk management integration
Security risks are identified, assessed, and treated as part of a structured risk management process. Risk decisions are documented and reviewed periodically or when significant changes occur.
Incident management readiness
The organization maintains procedures to detect, assess, report, and respond to security incidents. These processes include clearly defined roles, communication paths, and post-incident evaluation.
Business continuity and ICT resilience
Security requirements are integrated into business continuity and disaster recovery planning. Critical systems and data are protected to ensure continued operation during disruptions.
Backup and restoration processes
Backup procedures for systems and data are in place, tested periodically, and designed to support recovery objectives and minimize data loss.
Configuration and change control
Technical configurations are documented and maintained in a controlled state. Changes to systems or processes are reviewed, approved, and implemented in a structured manner.
Monitoring and internal review
Processes and controls are subject to internal monitoring and regular evaluation. This includes planned internal audits, management reviews, and independent assessments where appropriate.
Corrective and preventive actions
When deviations or weaknesses are identified, corrective actions are implemented to address root causes and reduce the likelihood of recurrence. Effectiveness of these actions is reviewed.
Awareness and reporting mechanisms
All personnel are encouraged to report observed or suspected information security events through designated channels. Reporting mechanisms are accessible and responses are timely.
Supplier and third-party oversight
Security requirements for external service providers are established, documented, and monitored. Relationships are reviewed to ensure ongoing alignment with organizational security expectations.
Documentation control and retention
Documents relevant to information security operations and governance are version-controlled, access-restricted, and retained in accordance with defined policies.
Security in operational procedures
Operational tasks are guided by documented procedures that integrate appropriate security considerations. These procedures are available to authorized personnel and reviewed regularly.
Continuous improvement
Security processes and systems are continuously evaluated and enhanced based on internal reviews, incident learnings, external developments, and organizational change.
Data and Privacy
Acceptable use and handling of information
The organization defines and communicates rules for acceptable use of systems and information assets. All personnel are expected to handle data in a manner that aligns with defined policies and ethical standards.
Data classification and handling
Information is classified according to its sensitivity, criticality, and regulatory relevance. This classification guides how information is stored, accessed, shared and retained across the organization.
Labelling and contextual awareness
Where appropriate, information and related assets are labelled to reflect their classification and handling requirements, helping ensure that data is treated consistently and securely throughout its lifecycle.
Record integrity and retention
Organizational records are protected from unauthorized access, modification, or destruction. Retention practices are aligned with operational, legal and contractual obligations.
Minimization and purpose limitation
Personal and sensitive data is collected and retained only to the extent necessary for clearly defined and legitimate purposes. Data is reviewed regularly to ensure continued relevance and justification.
Information security for use of cloud services
Processes for the acquisition, use, management, and exit from cloud services are established in accordance with the organization's information security requirements.
Data leakage prevention controls
Technical and procedural safeguards are implemented to reduce the risk of accidental or unauthorized exposure of sensitive information, including controls over data transmission, storage and export.
Individual privacy rights
Processes are in place to address data subject rights, including access, rectification, and deletion requests, in accordance with applicable privacy laws and organizational commitments.
PII protection and compliance
The organization identifies applicable legal, regulatory and contractual obligations related to the protection of personal data and ensures they are implemented in policy and practice.
Third-party data handling
Any transfer or processing of personal or sensitive data by external parties is subject to formal agreements and oversight to ensure compliance with security and privacy expectations.
Access control based on data sensitivity
Access to information is restricted based on the classification of the data and the role of the user. Access permissions are reviewed regularly and updated as needed.
Encryption and secure storage
Sensitive data is encrypted both in transit and at rest. Storage locations are protected by technical controls that prevent unauthorized access or tampering.
Awareness and accountability
Personnel receive training on their responsibilities in handling personal and sensitive data, including the importance of privacy, confidentiality, and legal compliance.
Resources

Compliance Certificates
ISO/IEC 27001:2022 – Certificate

FAQ

What data encryption standards do you use?
We use AES-256 for data at rest and TLS 1.3 for all data in transit. Encryption keys are managed internally and rotated on a regular schedule. No customer data is ever stored unencrypted.
Are you GDPR compliant?
Yes. JURIDEX is fully compliant with the General Data Protection Regulation (GDPR). We act as a data processor and have a Data Processing Agreement (DPA) available for all customers. Data residency options are available for EU-based firms.
What cloud infrastructure do you use?
JURIDEX is hosted on enterprise-grade cloud infrastructure with ISO 27001 certified data centres. We support single-tenant deployments for customers requiring dedicated infrastructure.
Who has access to our data?
Only authorised JURIDEX personnel with a verified business need can access customer data. Access is governed by role-based controls, requires approval, and is fully logged and auditable.
Do the AI models in use retain or learn from customer data?
No. Your data is never used to train, update, or fine-tune any AI model. All processing is done in isolated environments and data is not shared between customers or used for model improvement.
Where is our data stored and processed?
By default, data is stored and processed within the European Union. We offer data residency options to ensure compliance with local regulatory requirements. Specific regional configurations are available upon request.
Do you conduct penetration testing on a regular basis?
Yes. We conduct annual penetration tests carried out by independent third-party security firms. An executive summary of the most recent test is available upon request through the Resources section.
Are your environments segregated, and is customer data ever used outside of production?
Yes. Development, staging, and production environments are fully segregated. Customer data is never used in non-production environments. All test environments use synthetic or anonymised data only.
What authentication methods are supported?
JURIDEX supports SSO via SAML 2.0, multi-factor authentication (MFA), and standard username/password with enforced complexity requirements. Enterprise customers can enforce SSO as the only authentication method.
How are encryption keys managed?
Encryption keys are managed using a dedicated key management service (KMS) with automatic rotation. Keys are never stored alongside encrypted data and access is strictly controlled and audited.
How do you handle security incidents?
Our security team operates a 24/7 incident response programme. In the event of a confirmed breach, affected customers are notified within 72 hours in accordance with GDPR Article 33. We maintain a formal Incident Response Plan which is available upon request.

Subprocessors

Subprocessor Purpose Processing activity
Microsoft Azure
Hosting, infrastructure and AI models
Processes personal data included in Subscriber Content
OpenAI
Provision of AI models
Processes personal data included in Subscriber Content
Auth0
Logins
Processes personal data included in Subscriber Content