LEAP Information Security Policy

The LEAP Information Security Policy sets out the obligations between LEAP and our customers in respect of the provision of LEAP Services.

1. The Subscriber’s Compliance with GDPR

The Subscriber agrees that they are a Data Controller and that LEAP is a Data Processor for the purposes of processing Personal Data. The Subscriber shall at all times comply with the GDPR in connection with the processing of Personal Data. The Subscriber shall ensure all instructions given by it to LEAP in respect of Personal Data shall at all times be in accordance with the GDPR.

2. LEAP’s Compliance with GDPR

2.1 LEAP, acting as the Data Processor, shall process Personal Data in compliance with the obligations placed on it under the GDPR. LEAP shall:

(a) act only on instructions from the Subscriber or the Regulator in respect of any Personal Data processed by LEAP;

(b) have technical and organisational measures in place, having regard to the state of technological development and the cost of implementing any measures, against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by it, appropriate to the harm that might result from such unauthorised or unlawful processing or loss, destruction or damage to Personal Data and the nature of the Personal Data;

(c) take reasonable steps, having regard to the state of technological development and the cost of implementing any measures, to ensure the reliability of any of its staff who have access to Personal Data processed in connection with the Terms and Conditions; and

(d) not transfer the Personal Data provided by the Subscriber to a country or territory outside the EEA without ensuring the Personal Data is afforded adequate protection within the meaning of the GDPR.

2.2 The Subscriber acknowledges that, with certain exceptions, LEAP does not have access to Personal Data and will require permission from a User if asked to provide services related to the LEAP Software. The Subscriber shall provide access to LEAP personnel only on an as-needed basis and shall terminate such access promptly after the need for such access has expired. In the performance of Helpdesk support where file-sharing is used, it is the responsibility of Users to ensure that all sharing sessions are terminated.

3. Data Ownership, Deletion and Portability

3.1 The data contained within LEAP remains the property of the Subscriber.

3.2 If a Subscriber ends their agreement, LEAP will retain the Subscriber's data for a period of seven (7) years before having it destroyed.

3.3 During the seven (7) years following termination, a subscription can be reactivated to gain access to the data held.

3.4 The Subscriber can request that their data be deleted upon their termination, or at any time before the seven (7) year expiration date.

3.5 LEAP will enable the Subscriber to delete Personal Data.

3.6 LEAP will enable the Subscriber to extract Personal Data on request.

4. Data Sovereignty and Integrations

4.1 The Subscriber's data, including Personal Data, is housed in a highly available, active-active scalable solution situated in the ISO 27001 certified AWS datacentres in Dublin.

4.2 Personal Data may be shared with Trusted Third Party applications to provide their services.

4.3 No Personal Data is shared with other applications or integrations, other than those provided as part of the Service, without the written consent of the Subscriber.

5. Data Encryption

5.1 Each LEAP application is accessed via HTTPS using Transport Layer Security (TLS). TLS is a cryptographic protocol designed to protect information transmitted over the internet against eavesdropping, tampering, and message forgery.

5.2 All stored data is encrypted at rest using AES-256, military grade encryption. This is done to protect data in the event that a LEAP server is compromised by an unauthorised party.

6. Security

Taking into account the state of technical development and the nature of processing, LEAP shall implement and maintain the technical and organisational measures set out in Appendix 3 to protect the data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.

7. Audits

LEAP shall, in accordance with the GDPR, make available to the Subscriber such information that is in its possession or control as is necessary to demonstrate LEAP's compliance with the obligations on each party imposed by Article 28 of the GDPR, and allow for and contribute to audits by LEAP's Third Party Auditor (subject to a maximum of one audit request in any 36 month period).

8. Information Security Personnel

LEAP has a dedicated team of Information Security Specialists who continually monitor the AWS infrastructure and LEAP Services. Each team member with direct access to the infrastructure must go through an extensive vetting process, including police background checks.

9. Backup Policy and System Monitoring

LEAP servers are backed up multiple times daily, weekly and monthly, and are monitored 24 hours a day, 7 days a week, 365 days a year.

10. Data Breaches

LEAP shall notify the Subscriber without undue delay and in writing on becoming aware of any Data Breach in respect of any Personal Data.

If a vulnerability is identified or data is available publicly outside of the LEAP Software, please contact LEAP immediately via secure@leap.com.au.

Appendix 1: Definitions

Unless otherwise defined in this policy, all terms in bold will have the meanings given to them below:

AWS means Amazon Web Services based in the Dublin Region

Data Breach has the meaning defined in the GDPR

Data Controller has the meaning defined in the GDPR

Data means all data entered into the Services

Data Processor has the meaning defined in the GDPR

EEA means the European Economic Area

GDPR means the General Data Protection Regulation (EU) 2016/679

ISO 27001 certification means an ISO/IEC 27001:2013 certification or a comparable certification for the Audited Services.

LEAP means LEAP Legal Software Ltd and its associated entities of 10 John Street, London, WC1N 2EB

LEAP Services means the LEAP Desktop, iOS, Android, Web and LawConnect applications and all other future applications or services provided by LEAP

LEAP’s Third Party Auditor means a LEAP-appointed, qualified and independent third party auditor, whose then-current identity LEAP will disclose to Subscriber

Personal Data has the meaning defined in the GDPR

Regulator means the Solicitors Regulatory Authority, The Law Society of Scotland, The Law Society of Northern Scotland or The Law Society of Scotland

Subscriber means a person or organisation who pays monthly for access to the LEAP Software and Services

Term means the period from the installation date until the end of LEAP’s provision of the Services, including, if applicable, any period during which provision of the LEAP Services may be suspended and any post-termination period during which LEAP may continue providing the Services for transitional purposes

Trusted Third Parties means Infotrack, Perfect Portal, Zaliet and Advocate

Appendix 2: Subject Matter and Details of the Data Processing

Subject Matter
LEAP’s provision of the Services to the Subscriber.

Duration of the Processing
The Term plus the period from the expiry of the Term until deletion of all Data by LEAP in accordance with the Security Policy.

Nature and Purpose of the Processing
LEAP will process Personal Data for the purposes of providing the Services to the Subscriber in accordance with the Security Policy.

Categories of Data
Data relating to individuals provided to LEAP via the Services, by (or at the direction of) the Subscriber or by the Subscriber’s customer.

Data Subjects
Data subjects include the individuals about whom data is provided to LEAP via the Services by (or at the direction of) the Subscriber or by the Subscriber’s customer.

Appendix 3: Security Measures

LEAP utilises multiple layers of security controls (software, physical and process based) to protect data. This includes, but is not limited to:

  • Local & Network Firewalls
  • Web Application Firewalls
  • Intrusion Detection & Prevention Systems
  • Multivendor Anti-Virus
  • Application White Listing
  • DDoS Throttling Services
  • Access Control Lists
  • Security Patch Management
  • ITIL Framework (release/incident/change)
  • Identity and Access Management
  • Centralised Log Management
  • Symmetric and Asymmetric Encryption systems
  • Two Factor Authentication
  • Secure Code reviews
  • Separation of Duties
  • Data Loss Prevention
  • Vulnerability Assessment
  • Anomaly Detection
  • Externally commissioned penetration testing
  • Externally commissioned audits
  • Remote Monitoring & Alerting
