Security at eCourtDate
Hardened SaaS application security for government cloud workloads
Firewall and DDoS protection
Hosted in the CJIS-compliant AWS GovCloud™
Single Sign On with Azure and Office365
Government-grade Encryption
HTTPS is enforced for data in transit and AES 256-bit encryption is applied to data at rest. This applies to data received from users as well as data stored or transmitted within internal systems. All requests require a secure connection.
Multi-Tenant Serverless Architecture
We use a distributed, serverless cloud-native architecture for maximum security, performance, and capability. Each agency is assigned an isolated tenant based on their optimal GovCloud region.
Role-based Access Control
Configure user access on a granular level with customizable roles and permissions. Assign Create, Read, Update, or Delete permissions based on each record type.
Multi-factor Authentication
MFA is required, with support for both app-based and hardware-based factors.
API Key Management
Create and manage secure and expirable API keys.
Disaster Recovery
Automated rollover and hourly data backups ensure 99.95% uptime.
eCourtDate is proud to be a member of the StateRAMP cybersecurity community. We are listed in the Progressing Product list here.
How We Secure Your Data
Securing your data is a critical responsibility, and ensuring its protection is at the core of everything we do. We combine expertise, vigilance, and automation to keep data protected. We are happy to answer any of your questions regarding our security practices.
Data Integrity
Backups occur via continuous streaming replication and frequent snapshots. We can restore to a point-in-time or reprocess integration sources based on time received. We use AWS RDS for automated data encryption and point-in-time backups.
Account
We offer integration with third-party authentication services like Office 365, Google, LinkedIn, OAuth 2.0, and LDAP. You can enforce password policies for your internal users based on granular permission policies.
Password Security
We employ the latest CJIS-compliant password security policies including authenticated, encrypted channels for password requests, failed attempt limits, and forced password changes.
Data Reset Tools
We provide a “Reset Data” tool that allows authorized administrators to permanently delete records based on type. An email alert is sent and users can access each agency directly to verify that the data is deleted. Cached data sources are immediately purged upon using the reset tool.
Continual Monitoring
Our support team continuously monitors the performance and integrity of our services, including intrusion attempts, via automated monitoring. We run OWASP Top 10 and CWE/SANS Top 25 scans automatically on all code version changes, daily PCI and SSL compliance scans, and automated DNS and firewall scans using CloudFlare.
Application Security
We employ cutting-edge, leading industry methods to protect our applications including deployment of sophisticated malicious bot detection, malicious file scanning to detect trojans, viruses, and malware, and automated vulnerability scans.
Physical Security
We host eCourtDate on AWS GovCloud (US). GovCloud data centers host sensitive data and regulated workloads and address the most stringent US government security and compliance requirements.
Data Backup Tools
We provide a “Backup Data” tool that allows authorized administrators to bulk export raw data in JSON, CSV, and SQL formats. This can be used in advance of running the “Reset Data” tool.
Third-Party Integrations
All third-party integrations are geo-restricted, IP-restricted, and use modern protocols with support for secure connections (HTTPS, SSH). Any automated security alerts, including warnings such as unexpected logins, are sent to authorized users.
Network Security
We use best practices for DNS security, including DNSSEC, DKIM, DMARC, and SPF. This includes domain authentication methods for email delivery. We use CloudFlare for DDoS protection and Web Application Firewall. Our bug bounty program invites researchers and customers to conduct penetration tests at any time.
User Audit Logs
User activity is stored in encrypted audit logs which are available for the duration of the contract. Authorized users can search real-time and historical records, and logs are downloadable in CSV, JSON, and XML formats. Audit logs are “Read Only” regardless of user type or permission; we do not allow any modification or deletion. Audit logs can only be accessed through our console application, which is restricted to administrator users. In addition, we log all system access using GovCloud CloudTrail for overall monitoring and security compliance. All logs are uniquely identified by the user identifier with created, updated, and last active timestamps. All failures and error logs are part of our audit logs, and any unexpected process failure is sent to administrators as an email “System Issue” notification.
Privacy Mode
All data is encrypted in transit and at rest. For customers with sensitive data such as juvenile and victims services, we offer an enhanced Privacy Mode which enables the following Personal Identifiable Information (PII) and Multi-factor Identification (MFI) protections:
PII fields are hidden by default when users interact with the application.
PII records are automatically archived after the data is inactive.
Archived data is automatically purged after a defined period (typically 90 days).
Any PII fields in data reports can be redacted or masked.
We do not store any PII fields on portals or data dashboards in general.
Clients and message recipients are required to perform MFA with sessions limited to 1 hour.
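The Privacy Mode rules above (PII hidden by default and masked in reports, inactive records archived, archived data purged after 90 days, sessions limited to 1 hour) modelled as a small policy engine. This is an added illustration, not eCourtDate's own code; the PII field names, the 30-day inactivity window, and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Field names and the 30-day inactivity window are assumed; 90 days and 1 hour come from the page.
PII_FIELDS = {"name", "dob", "ssn", "address"}
ARCHIVE_AFTER = timedelta(days=30)
PURGE_AFTER = timedelta(days=90)
SESSION_MAX = timedelta(hours=1)

@dataclass
class Record:
    data: dict
    last_active: datetime
    archived_at: Optional[datetime] = None

def mask_value(value: str) -> str:
    """Mask all but the last two characters, as a report would redact a PII field."""
    return "*" * max(len(value) - 2, 0) + value[-2:]

def view(record: Record, show_pii: bool = False) -> dict:
    """PII fields are hidden by default; a caller must opt in to see them."""
    return {k: (mask_value(str(v)) if k in PII_FIELDS and not show_pii else v)
            for k, v in record.data.items()}

def run_lifecycle(records: list, now: datetime) -> list:
    """Archive records inactive for ARCHIVE_AFTER, then drop archived ones older than PURGE_AFTER."""
    kept = []
    for r in records:
        if r.archived_at is None and now - r.last_active >= ARCHIVE_AFTER:
            r.archived_at = now
        if r.archived_at is not None and now - r.archived_at >= PURGE_AFTER:
            continue  # purged: not retained in storage
        kept.append(r)
    return kept

def session_valid(started: datetime, now: datetime, mfa_done: bool) -> bool:
    """A session requires completed MFA and expires once SESSION_MAX has elapsed."""
    return mfa_done and now - started < SESSION_MAX

def demo() -> dict:
    """Constructed sample: one active, one stale, and one long-archived record."""
    now = datetime(2024, 6, 1)
    recs = [Record({"case": "C-1", "name": "Ann Example"}, now),
            Record({"case": "C-2", "name": "Bob Example"}, now - timedelta(days=45)),
            Record({"case": "C-3", "name": "Cy Example"}, now - timedelta(days=200),
                   archived_at=now - timedelta(days=91))]
    kept = run_lifecycle(recs, now)
    return {"masked": view(recs[0])["name"],
            "kept_cases": [r.data["case"] for r in kept],
            "session_ok": session_valid(now - timedelta(minutes=59), now, True),
            "session_expired": session_valid(now - timedelta(hours=1), now, True)}
```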
Software Bill of Materials
Third-party vendors that we use to operate the eCourtDate platform.
Amazon Web Services
We use Amazon Web Services as an IaaS (infrastructure-as-a-service) provider.
Microsoft Azure
We use Azure as an IaaS (infrastructure-as-a-service) provider.
GitHub
We use GitHub to manage our source version control.
CloudFlare
We use CloudFlare for our content delivery network and DDoS protection.
Postman
We use Postman to design and test our APIs.
Auth0
We use Auth0 to handle authentication for our users.
DataDog
We use Datadog to monitor our infrastructure health.
Let's Encrypt
We use Let's Encrypt to provision our SSL certificates.
Continuous Code Health
We use DeepSource and other continuous monitoring technology to ensure secure code design and dependencies.