Security at Prevail


Prevail is committed to keeping your data safe. By following industry best practices and adhering to a well-known security model known as the C.I.A. triad, we ensure all three elements of data security are met: confidentiality, integrity, and availability.

Confidentiality: Data is only accessible by those granted explicit permission

Integrity: Data is consistent and accurate from conception to destruction

Availability: Users have the right to access their data and can do so at all times

Oversight

Our team works diligently to establish procedures that ensure adherence to industry best practices, so that compliance requirements are met and can be confirmed by third-party auditors.

Our policies build upon these foundational principles:

  • Access should be restricted to only those with a legitimate need and provided in accordance with the principle of least privilege.
  • Security measures should include multiple layers and adhere to defense-in-depth and zero-trust principles during implementation.
  • Consistency in applying security controls should be maintained to ensure uniform implementation throughout all business processes.
  • An iterative approach should be adopted when implementing controls. This approach ensures continuous development across all areas, enhancing effectiveness, auditability, and usability.

Compliance

    Prevail maintains compliance with the following security assurance frameworks:

    SOC 2 Type 2

    Prevail complies with all controls in the American Institute of Certified Public Accountants' System and Organization Controls, specifically the SOC 2—Trust Services Criteria, Type 2. This report addresses internal controls for security, confidentiality, processing integrity, privacy, and availability of customer data.

    For a copy of our SOC 2 report, please email security@prevail.ai.

    ISO 27001 Compliance

    Prevail complies with the International Organization for Standardization's ISO 27001:2022 standard for "establishing, implementing, maintaining and continually improving an information security management system within the context of the organization."

    Data Protection

    Data in Transit

    The Prevail Platform follows industry best practices to secure data, including encrypting all traffic between user equipment and cloud services, and between individual hosts within cloud services.

    Data at Rest

    All data stores that house customer data, including Amazon Web Services (AWS) S3 buckets, are encrypted at rest.

    The Prevail Legal platform is physically hosted in the AWS us-east-1 Region.  Prevail employs best practices, including configuration auditing and log auditing, to maintain security.  Prevail maintains appropriate, secure, restorable backups of all customer data.

    Encryption

    Encryption keys are managed via AWS Key Management Service (KMS), which stores key material in Hardware Security Modules (HSMs), preventing direct access by individuals, including Amazon and Vanta employees. Amazon’s KMS APIs use the keys stored in HSMs for encryption and decryption.

    Application secrets are encrypted and securely stored using AWS Secrets Manager and Parameter Store features, and access to these values is strictly limited.

    Employee Access

    Employee access to customer data is limited to what is directly needed to provide services for customers. For example, in a Remote Session facilitated by a Prevail Session Manager (SM), the SM will not have access to the Remote Session after it concludes, and can only join directly assigned sessions.

    Managers and System Administrators have broader access to the extent required by their tasks.  Prevail Legal maintains a comprehensive audit trail concerning customer data access to preempt and mitigate potential misuse.  All access to customer data and to systems containing customer data is logged and attributable to individual people.

    User Access

    Prevail follows the best practices outlined in NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. Users authenticating with Prevail servers via an email address and password have Authenticator Assurance Level 1.

    To reach Assurance Level 2, Prevail supports either direct Multi-Factor Authentication, or federated Single Sign On with any OAuth2 or SAML-compliant Identity Provider.  This feature is available to both Individual and Enterprise Users free of charge.  With SSO authentication, Prevail does not access or store any user authentication secrets.

    Data Availability

    Some Prevail Sessions, such as legal proceedings, are subject to US state and federal rules determining availability.  Typically, any participant may obtain a recording or transcript of a session at any time, with fees varying by jurisdiction.

    Prevail maintains storage of this data for at least seven years unless otherwise specified.

    Platform Security

    Penetration testing

    All areas of the product are made available for assessment by our preferred testing partner, HackerOne. One of the industry's most reputable penetration testing providers, HackerOne performs penetration testing on the Prevail infrastructure multiple times per year.

    Vulnerability Scanning

    Prevail uses multiple services to scan both the package dependencies and the source code of Prevail software on a regular basis.

    Prevail remediates all identified issues within defined time limits, which vary based on the severity of the issue.

    Company Security

    Endpoint Protection

    Staff with administrative access to systems containing customer data, i.e., staff performing Developer Operations tasks, use dedicated-purpose computers with actively monitored security settings.

    Education

    Prevail requires recurring security training for all employees.

    Access Management

    All Prevail staff use Multi-Factor Authentication and Single Sign On for any access to systems that contain Confidential or Sensitive data. Prevail Legal grants new employees access only after they pass a background check, and employee access to customer data is logged. All employee access is revoked upon termination of employment.

    See also our Privacy Policy and Terms of Service.