Security at eCourtDate

Hardened SaaS application security for government cloud workloads

CloudFlare logo

Firewall and DDoS protection

AWS logo

Hosted in the CJIS-compliant AWS GovCloud™

Azure logo

Single Sign On with Azure and Office365

Government-grade Encryption

HTTPS is enforced in transit and AES 256-bit encryption at rest. This applies to data received by users as well as data stored or transmitted in internal systems. All requests require a secure connection.

Multi-Tenant Serverless Architecture

We use a distributed, serverless cloud-native architecture for maximum security, performance, and capability. Each agency is assigned an isolated tenant based on their optimal GovCloud region.

Role-based Access Control

Configure user access on a granular level with customizable roles and permissions. Assign Create, Read, Update, or Delete permissions based on each record type.

Multi-factor Authentication

MFA is required with app and hardware based support.

API Key Management

Create and manage secure and expirable API keys.

Disaster Recovery

Automated rollover and hourly data backups ensure 99.95% uptime.

StateRAMP Member Logo

eCourtDate is proud to be a member of the StateRAMP cybersecurity community. We are listed in the Progressing Product list here.

See Security Snapshot.

How We Secure Your Data

Securing your data is a critical responsibility, and ensuring its protection is at the core of everything we do. We combine expertise, vigilance, and automation to keep data protected. We are happy to answer any of your questions regarding our security practices.

Data Integrity

Backups occur via continuous streaming replication and frequent snapshots. We can restore to a point-in-time or reprocess integration sources based on time received. We use AWS RDS for automated data encryption and point-in-time backups.

Account

We offer integration with third-party authentication services like Office 365, Google, LinkedIn, OAuth 2.0, and LDAP. You can enforce password policies for your internal users based on granular permission policies.

Password Security

We employ the latest CJIS-compliant password security policies including authenticated, encrypted channels for password requests, failed attempt limits, and forced password changes.

Data Reset Tools

We provide a “Reset Data” tool that allows authorized administrators to permanently delete records based on type. An email alert is sent and users can access each agency directly to verify that the data is deleted. Cached data sources are immediately purged upon using the reset tool.

Continual Monitoring

Our support team continuously monitors the performance and integrity of our services, including intrusion attempts, via automated monitoring. We run OWASP Top 10 and CWE/SANS Top 25 scans automatically on all code version changes, daily PCI and SSL compliance scans, and automated DNS and firewall scans using CloudFlare.

Application Security

We employ cutting-edge, leading industry methods to protect our applications including deployment of sophisticated malicious bot detection, malicious file scanning to detect trojans, viruses, and malware, and automated vulnerability scans.

Physical Security

We host eCourtDate on AWS GovCloud (US). GovCloud data centers host sensitive data and regulated workloads and address the most stringent US government security and compliance requirements.

Data Backup Tools

We provide a “Backup Data” tool that allows authorized administrators to bulk export raw data in JSON, CSV, and SQL formats. This can be used in advance of running the “Reset Data” tool.

Third-Party Integrations

All third-party integrations are geo-restricted, IP restricted, and use modern protocols with support for secure connections (HTTPS, SSH). Any automated security alerts, including warnings such as unexpected logins, are sent to authorized users.

Network Security

We use best practices for DNS security, including DNSSEC, DKIM, DMARC, and SPF. This includes domain authentication methods for email delivery. We use CloudFlare for DDoS protection and Web Application Firewall. Our bug bounty program invites researchers and customers to conduct penetration tests at any time.

User Audit Logs

Track all user activity in real-time with read-only audit logging.

User activity is stored in encrypted audit logs which are available for the duration of the contract. Authorized users can search real-time and historical records, and logs are downloadable in CSV, JSON, and XML formats. Audit logs are “Read Only” regardless of user type or permission and available for the duration of the contract. We do not allow for any modification or deletion. Audit Logs can only be accessed through our console application which is restricted to administrator users. In addition, we log all system access using GovCloud CloudTrail for overall monitoring and security compliance. All logs are uniquely identified based on the user identifier with created, updated, and last active timestamps. All failures and error logs are part of our audit logs. In addition, any unexpected process failures are sent to administrators as an email “System Issue” notification.

Read more about Audit Logs

Audit Log Activity

Privacy Mode

All data is encrypted in transit and at rest. For customers with sensitive data such as juvenile and victims services, we offer an enhanced Privacy Mode which enables the following Personal Identifiable Information (PII) and Multi-factor Identification (MFI) protections:

Privacy Mode in eCourtDate Dashboard

PII fields are hidden by default when users interact with the application.

PII records are automatically archived after the data is inactive.

Archived data is automatically purged after a defined period (typically 90 days).

Any PII fields in data reports can redacted or masked.

We do not store any PII fields on portals or data dashboards in general.

Clients and message recipients are required to perform MFA with sessions limited to 1 hour.

Federal Information Processing Standard (FIPS 140-2/140-3) Compliant

Built to meet the rigorous security requirements of Federal Information Processing Standards (FIPS).

We use AWS's FIPS 140-2/140-3 compliant cryptographic services, ensuring that all data encryption, decryption, and key management processes adhere to federal and state standards.

Our platform is hosted in AWS GovCloud (US), a secure environment specifically designed for U.S. government workloads. This ensures that all data is processed and stored using FIPS-compliant endpoints, providing an additional layer of protection for sensitive information.

To maintain compliance, we continuously monitor our systems and perform regular audits.

View FIPS 140-2 Certificate

Federal Information Processing Standard (FIPS Compliant

Data Center Security

We use Amazon Web Services We use AWS GovCloud

AWS GovCloud (US) meets the most stringent U.S. government security and compliance requirements, offering a secure cloud environment for sensitive data and mission critical government workloads.

It is compliant with FedRAMP High, the DOJ's Criminal Justice Information Services (CJIS) security policy, U.S. International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), Department of Defense (DOD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5, FIPS 140-2, IRS-1075, and others.

Operated exclusively by U.S. citizens on U.S. soil, it ensures data protection with advanced security features like server-side encryption, AWS CloudHSM, AWS Key Management Service, identity federation, Amazon GuardDuty, and AWS CloudTrail for enhanced visibility, audit access, and monitoring.

Learn more about AWS GovCloud (US) here.

Security Assessments

CISA Security Agency Logo

Cyber Resilience Review (CRR)

CISA's CRR assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.
CSA Star Logo

CSA Star Level One

The Security Trust Assurance and Risk (STAR) registry encompasses key principles of transparency, rigorous auditing, and cloud security and privacy best practices.
Texas DIR Cyberstar Logo

CyberStar DIR

The Texas Cyberstar Certificate is recognition of an organization's commitment to cybersecurity best practices and to being a good organizational cybercitizen in Texas.
View Security Policies
Security Scorecard Logo

Public Scorecards showcase the cybersecurity health of organizations and help users learn about the cybersecurity health of technical services. Based on ten factors that reflect different cybersecurity practices and risks.

See Security Scorecard.

Software Bill of Materials

Third-party vendors that we use to operate the eCourtDate platform.

Amazon Web Services

We use Amazon Web Services as an IaaS (infrastructure-as-a-service) provider.

Microsoft Azure

We use Azure as an IaaS (infrastructure-as-a-service) provider.

GitHub

We use GitHub to manage our source version control.

CloudFlare

We use CloudFlare for our content delivery network and DDoS protection.

Postman

We use Postman to design and test our APIs.

Auth0

We use Auth0 to handle authentication for our users.

DataDog

We use Datadog to monitor our infrastructure health.

Let's Encrypt

We use Let's Encrypt to provision our SSL certificates.

Continuous Code Health

We use DeepSource and other continuous monitoring technology to ensure secure code design and dependencies.

View Report
OWASP® Top 10 PASSING

The OWASP® Top 10 is a recommendation framework and a collection of security recommendations that helps organizations to write more secure code.
CWE/SANS Top 25 PASSING

The CWE (Common Weakness Enumeration) / SANS Top 25 is a well-known list of the most common and severe errors in software that can lead to serious security vulnerabilities.