Trust Center

Compliance

GDPR
ISO 27001:2022
SOC 2 (reviewing)

Resources

Certificates

Controls

Microsoft Azure • Hosting, infrastructure and AI models
Processes personal data included in DPA
Auth0 • Logins
Processes personal data included in DPA

ISO 27001:2022

SOC 2 (Letter of intent)

Infrastructure security

Logical infrastructure segmentation

The infrastructure is segmented into logically isolated zones to separate workloads and limit lateral movement. Segmentation is enforced through clearly defined network boundaries and access rules.

Network access control

All inbound and outbound traffic is explicitly managed using access control policies. Only approved protocols and endpoints are permitted, and default-deny principles are applied wherever applicable.

Perimeter protection

Web-facing services are protected by traffic inspection and filtering mechanisms capable of identifying and blocking common threats and malicious patterns.

Encrypted communication

All communication between system components and external endpoints is encrypted using current, secure protocols. Encryption in transit is enforced by default.

Privileged access restriction

Access to infrastructure management functions is restricted to a limited number of authorized individuals and is granted based on necessity and role. All elevated access is logged and subject to oversight.

Remote access security

Remote administrative access is protected by network restrictions, strong authentication, and session control. Direct access to infrastructure components is not allowed from untrusted networks.

Secrets and credential protection

Sensitive credentials, keys, and tokens are managed securely and are never embedded in code or exposed through public interfaces. Access to secrets is tightly controlled and monitored.

System identity management

Non-human system components authenticate and interact using managed identities or isolated credentials. Identity boundaries are enforced between systems and services.

Infrastructure change management

Changes to infrastructure are planned, documented, reviewed, and deployed through controlled processes. All changes are logged, traceable, and subject to approval workflows.

Patch and configuration maintenance

Infrastructure components are regularly updated and configured according to security baselines. Deviations from expected configurations are monitored and remediated.

Monitoring and detection

The infrastructure is continuously monitored for anomalies, unauthorized changes, and indicators of compromise. Security alerts are evaluated and acted upon in accordance with defined procedures.

Log collection and retention

Infrastructure events, access records, and changes are logged. Logs are stored securely and retained for a period that supports auditability and forensic analysis.

Infrastructure time consistency

System clocks across infrastructure components are synchronized to a trusted time source to ensure consistency in event logging and coordination.

System hardening

Infrastructure systems are deployed with only the necessary services enabled. Default credentials and unnecessary components are removed prior to deployment.

Service provisioning security

Infrastructure services are provisioned through controlled methods that enforce consistency, security configuration, and alignment with organizational standards.

Isolation of sensitive workloads

Workloads that handle sensitive or regulated data are logically and physically isolated from non-sensitive services. This ensures independent control and risk containment.

Capacity and resource planning

Infrastructure capacity is continuously monitored and adjusted to maintain availability and performance. Scaling is planned to avoid resource exhaustion or service degradation.

Resilience and fault tolerance

Infrastructure is designed to tolerate component failures and to support recovery without loss of integrity or availability. Redundancy is built into critical systems.

Denial-of-service mitigation

Mechanisms are in place to detect and mitigate denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, helping ensure service continuity under adverse conditions.

Decommissioning and disposal of resources

Infrastructure components are securely decommissioned when no longer needed. Data is removed, access revoked, and configurations sanitized according to security policies.

Organizational Security

Defined security responsibilities

Roles and responsibilities related to information security are clearly assigned across the organization. Personnel are informed of their obligations and are expected to act accordingly to protect organizational systems and data.

Onboarding and offboarding procedures

Procedures are in place to manage access and responsibilities when personnel join, change roles, or leave the organization. This includes timely provisioning and revocation of access to systems and assets.

Confidentiality obligations

All personnel and relevant third parties are subject to confidentiality requirements. These are formalized through agreements and reinforced through training and awareness.

Security training and awareness

Employees and contractors receive regular security training relevant to their role. Training covers both general awareness and specific operational procedures.

Competence and capability

The organization ensures that individuals working with or around sensitive systems or data possess appropriate knowledge and experience. Ongoing development is supported through training and evaluation.

Acceptable use and conduct

Clear rules are established for acceptable use of organizational systems and assets. Personnel are required to follow these rules as a condition of employment or engagement.

Asset accountability

Responsibilities for organizational assets are defined, and ownership is assigned. Personnel are required to return any assets in their possession when their engagement ends.

Security during role transitions

Information security responsibilities are maintained and communicated during internal transfers or changes in job role. Any required adjustments to access or duties are handled through formal processes.

Information handling requirements

Personnel are instructed in the appropriate classification, storage, and handling of information according to its sensitivity, and are expected to comply with documented procedures.

Security policy communication

The organization's security objectives, expectations, and key requirements are communicated to personnel and relevant stakeholders through documented policies and briefings.

Screening and due diligence

Where appropriate and permitted by law, background screening is conducted on individuals in roles with elevated access or security responsibilities.

Incident response awareness

All personnel are made aware of how to recognize and report potential security incidents. Clear reporting lines and procedures are documented and communicated.

Operational discipline

The organization ensures that personnel operate within controlled and documented procedures, including change management, review of deviations, and process validation.

Use of external personnel or service providers

Security requirements are extended to third-party individuals and providers. Roles, responsibilities, and expectations are formalized in agreements and subject to oversight.

Workspace and information protection

Rules for protecting workspaces—such as clear desk and clear screen practices—are defined and communicated. These practices are reinforced through physical and digital controls.

Governance of organizational change

Security implications are assessed and addressed during organizational changes, such as restructuring, outsourcing, or technology transitions.

Physical access control

Where relevant, access to organizational facilities or restricted areas is limited to authorized individuals and subject to physical controls and monitoring.

Security considerations for equipment

Equipment used for processing or storing information is sited and protected to reduce the risk of unauthorized access, environmental damage, or interference.

Continuity of organizational responsibilities

Processes are in place to ensure that information security duties continue to be fulfilled during absences, transitions, or changes in organizational structure.

Product Security

Controlled access to development assets

Access to source code, development environments, build pipelines and third-party libraries is restricted based on role and business need. Write access is limited to authorized personnel, and all changes are tracked.

Secure software development practices

A structured approach to software development is followed, incorporating secure design principles, threat modeling, and code quality controls throughout the development lifecycle.

Coding standards and security guidelines

Developers follow defined secure coding guidelines that are reviewed and updated regularly. These standards aim to prevent common vulnerabilities and ensure consistent implementation across the codebase.

Automated and manual security testing

Security testing is integrated into the development workflow and includes both automated and manual methods. Findings are triaged, remediated, and verified before deployment to production environments.

Environment separation and control

Development, testing and production environments are logically separated to prevent unauthorized access, data leakage or cross-environment interference. Each environment is subject to appropriate access restrictions and configuration standards.

Protection of test data

Test data is managed in accordance with organizational data handling requirements. Use of real user data in non-production environments is avoided or subject to strict masking and access control measures.

Change management and peer review

All changes to product code are subject to peer review and must follow documented change management processes. Reviews are intended to identify both functional and security-related issues before merging or deployment.

Dependency and third-party risk management

Software dependencies and open-source libraries are regularly reviewed for vulnerabilities. Patching and updates follow defined procedures to ensure timely mitigation of risks introduced by external components.

Secure deployment pipeline

Build and deployment pipelines are configured with access control, audit logging and integrity validation. Credentials and secrets used during deployment are securely managed and rotated as needed.

Incident response integration

The product development lifecycle incorporates defined steps for responding to vulnerabilities discovered post-deployment, including procedures for triage, patching, communication and verification.

Internal Security Procedures

Information security governance framework

The organization maintains a structured and documented framework for managing information security, with defined roles, responsibilities, and escalation paths across operational and strategic levels.

Regulatory and contractual compliance

Relevant legal, regulatory, and contractual obligations related to information security are identified, reviewed regularly, and integrated into internal processes and procedures.

Leadership involvement and oversight

Management actively supports and governs the information security program, ensuring it is resourced appropriately and aligned with the organization’s strategic objectives.

Security policy management

Information security policies and supporting guidelines are formally documented, reviewed at regular intervals, and communicated to relevant stakeholders.

Risk management integration

Security risks are identified, assessed, and treated as part of a structured risk management process. Risk decisions are documented and reviewed periodically or when significant changes occur.

Incident management readiness

The organization maintains procedures to detect, assess, report, and respond to security incidents. These processes include clearly defined roles, communication paths, and post-incident evaluation.

Business continuity and ICT resilience

Security requirements are integrated into business continuity and disaster recovery planning. Critical systems and data are protected to ensure continued operation during disruptions.

Backup and restoration processes

Backup procedures for systems and data are in place, tested periodically, and designed to support recovery objectives and minimize data loss.

Configuration and change control

Technical configurations are documented and maintained in a controlled state. Changes to systems or processes are reviewed, approved, and implemented in a structured manner.

Monitoring and internal review

Processes and controls are subject to internal monitoring and regular evaluation. This includes planned internal audits, management reviews, and independent assessments where appropriate.

Corrective and preventive actions

When deviations or weaknesses are identified, corrective actions are implemented to address root causes and reduce the likelihood of recurrence. Effectiveness of these actions is reviewed.

Awareness and reporting mechanisms

All personnel are encouraged to report observed or suspected information security events through designated channels. Reporting mechanisms are accessible and responses are timely.

Supplier and third-party oversight

Security requirements for external service providers are established, documented, and monitored. Relationships are reviewed to ensure ongoing alignment with organizational security expectations.

Documentation control and retention

Documents relevant to information security operations and governance are version-controlled, access-restricted, and retained in accordance with defined policies.

Security in operational procedures

Operational tasks are guided by documented procedures that integrate appropriate security considerations. These procedures are available to authorized personnel and reviewed regularly.

Continuous improvement

Security processes and systems are continuously evaluated and enhanced based on internal reviews, incident learnings, external developments, and organizational change.

Data and Privacy

Acceptable use and handling of information

The organization defines and communicates rules for acceptable use of systems and information assets. All personnel are expected to handle data in a manner that aligns with defined policies and ethical standards.

Data classification and handling

Information is classified according to its sensitivity, criticality, and regulatory relevance. This classification guides how information is stored, accessed, shared and retained across the organization.

Labelling and contextual awareness

Where appropriate, information and related assets are labelled to reflect their classification and handling requirements, helping ensure that data is treated consistently and securely throughout its lifecycle.

Record integrity and retention

Organizational records are protected from unauthorized access, modification, or destruction. Retention practices are aligned with operational, legal and contractual obligations.

Minimization and purpose limitation

Personal and sensitive data is collected and retained only to the extent necessary for clearly defined and legitimate purposes. Data is reviewed regularly to ensure continued relevance and justification.

Information security for use of cloud services

Processes for the acquisition, use, and management of cloud services, and for exit from them, shall be established in accordance with the organization’s information security requirements.

Data leakage prevention controls

Technical and procedural safeguards are implemented to reduce the risk of accidental or unauthorized exposure of sensitive information, including controls over data transmission, storage and export.

Individual privacy rights

Processes are in place to address data subject rights, including access, rectification, and deletion requests, in accordance with applicable privacy laws and organizational commitments.

PII protection and compliance

The organization identifies applicable legal, regulatory and contractual obligations related to the protection of personal data and ensures they are implemented in policy and practice.

Third-party data handling

Any transfer or processing of personal or sensitive data by external parties is subject to formal agreements and oversight to ensure compliance with security and privacy expectations.

Access control based on data sensitivity

Access to information is restricted based on the classification of the data and the role of the user. Access permissions are reviewed regularly and updated as needed.

Encryption and secure storage

Sensitive data is encrypted both in transit and at rest. Storage locations are protected by technical controls that prevent unauthorized access or tampering.

Awareness and accountability

Personnel receive training on their responsibilities in handling personal and sensitive data, including the importance of privacy, confidentiality, and legal compliance.

Microsoft Azure • Hosting, infrastructure and AI models
Processes personal data included in Subscriber Content
OpenAI • Provision of AI models
Processes personal data included in Subscriber Content
Auth0 • Logins
Processes personal data included in Subscriber Content

FAQ

Yes. Juridex is fully compliant with the GDPR. We support all data subject rights, including access, correction, erasure, and portability, and implement privacy-by-design across our platform.

All customer data is stored and processed within the EU by default. For customers with specific residency requirements, we offer region-specific data hosting options.

No. Any models integrated into the Juridex platform do not store, learn from, or retain customer input or output. Processing is ephemeral and stateless.

Yes. Our platform supports detailed access controls, allowing you to assign user roles and immediately revoke access as needed.

Yes. We work with independent security firms to perform annual penetration tests, as well as after major infrastructure or application changes.

Encryption keys are managed securely via our cloud provider’s native key management systems, including automatic key rotation and limited administrative access.

Yes. Development, staging, and production environments are strictly separated. Customer data is never used in test environments.