Security Policies
Last updated: January 1, 2026
eCourtDate's information security program is based on the ISO 27001:2013 guidance for an Information Security Management System. It provides us a way to identify threats and vulnerabilities, and to take proactive measures to prevent these from being realized. The goal of the information security program is to preserve value for eCourtDate by ensuring the security of information and information systems.
Risk-Driven Information Security
The information eCourtDate handles is inherently valuable, and is therefore at risk from losses or failures in confidentiality, integrity, and availability. The foundation of our information security program rests on a thorough assessment of the risks present to our information systems and the data they store, process, and transmit.
These risks may be identified by internal risk management efforts, or mandated by external bodies including governmental and industry regulatory groups. Once identified, these risks are proactively treated and managed with security controls and safeguards.
eCourtDate may participate in Information Sharing and Analysis Centers (ISAC) appropriate to eCourtDate's industry, to facilitate risk and threat information sharing.
Risk Monitoring
eCourtDate remains diligent for both new risks as well as changes to the existing risk environment. Ongoing monitoring efforts include routine activities such as vulnerability scans and penetration tests, as well as monitoring appropriate external channels such as vendor publications, Information Sharing and Analysis Centers (ISAC), and threat intelligence.
Risks identified outside of the risk assessment process are dealt with in the same manner: they are given a risk score and action plans. Senior management may also designate certain accepted risks for additional ongoing monitoring. For example, as Distributed Denial of Service (DDoS) attacks rise in frequency and magnitude, the controls that mitigate them may be designated for additional oversight to ensure they remain adequate to the current risk.
Third-Party Vendors
eCourtDate routinely assesses the security posture of any third parties with which it does business, and incorporates such assessments into the annual risk assessment. Third parties with a weak security posture present additional risk to eCourtDate, and decisions about continued business with such third parties must consider that risk.
Continuous Improvement
All security efforts at eCourtDate are placed into a cycle of continuous improvement where design deficiencies are identified and corrected. Identification may come through proactive review, such as the annual risk assessment and routine vulnerability scans, or as part of lessons learned when incidents occur.
Infrastructure Security
eCourtDate is hosted on Amazon Web Services (AWS) GovCloud, an isolated U.S. region designed to host sensitive data and regulated workloads in the cloud. All data is encrypted at rest and in transit using FIPS 140-3 validated cryptographic modules.
Access Control
Access to eCourtDate systems is governed by the principle of least privilege. Role-based access controls (RBAC) ensure that users only have access to the data and functions required for their role. Multi-factor authentication (MFA) is required for all administrative access.
Audit and Logging
All system activity is logged and monitored. Audit trails are maintained for all data access, modifications, and administrative actions. Logs are retained in accordance with applicable regulatory requirements and are available for compliance review.
Training and Awareness
Security is everyone's responsibility at eCourtDate. We provide training on basic security to all employees, and ongoing education and certification is required for employees with more advanced information security roles. This policy applies to everyone who works for eCourtDate, including employees, contractors, and third parties who have access to any eCourtDate data.
Incident Response
eCourtDate maintains a documented incident response plan that is tested and updated regularly. The plan details the preparations eCourtDate has taken for security incidents, the approved responses, and guidance on creating a plan of action. In the event of a security incident, affected customers will be notified in accordance with applicable laws and contractual obligations.
Key steps
- An Incident Response (IR) team, headed by an IR Coordinator, is responsible for documenting and executing incident response procedures.
- Proactive steps are taken to prepare eCourtDate for likely incidents, rather than relying on decisions made during a crisis.
- The selected response for any incident prioritizes the following in order: data confidentiality, data integrity, and availability of data and systems.
- Incidents involving eCourtDate customer data require notification of the affected parties, and may require coordination with law enforcement or external agencies.
Incident prioritization
- P0, Critical: The highest priority. P0 incidents are likely to have a catastrophic effect on eCourtDate, and require the most attention and resources.
- P1, High: P1 incidents have a major effect on eCourtDate operations, which are disrupted until the incident is resolved.
- P2, Moderate: P2 incidents have a noticeable effect on operations, but the business can continue as long as the incident is resolved quickly.
- P3, Low: P3 incidents have no noticeable effect on operations, but elevate the potential for risk. They are addressed in accordance with sound risk management processes.
Compliance Certifications
- CJIS Compliant: Meets FBI Criminal Justice Information Services security requirements
- FIPS 140-3: Federal Information Processing Standards for cryptographic modules
- CSA STAR: Cloud Security Alliance Security, Trust, Assurance, and Risk
- GovRAMP Member: Government Risk and Authorization Management Program
- CISA CRR: Cybersecurity and Infrastructure Security Agency Cyber Resilience Review
- AWS GovCloud: Hosted in an isolated U.S. government region
For security inquiries, contact security@ecourtdate.com.
