Trust Center

The detailed security posture procurement and IT teams need: compliance, hosting, controls, incident response, subprocessors, and answers to common security questionnaires. Documentation is available on request.

Compliance and standards

A compliance program aligned to government standards

Security controls and assessments are reviewed at least annually. Where a standard can be verified at the source, the link goes straight to the registry or program listing.

CJIS Security Policy

Designed to meet the FBI Criminal Justice Information Services security requirements, including encryption, access control, audit logging, and personnel security.

FIPS 140-2/140-3

Operates on AWS FIPS 140-2/140-3 validated cryptographic modules for all encryption, decryption, and key management.

CSA STAR Level One

Listed in the Cloud Security Alliance Security, Trust, Assurance, and Risk (STAR) registry.

Verify

CISA Cyber Resilience Review (CRR)

Assessment aligned with CISA best practices for organizational resilience and gap analysis.

GovRAMP Member

Member of the GovRAMP cybersecurity community, listed on the Progressing Product list.

Verify

ISO 27001-aligned

Information security management system built on ISO 27001:2013 guidance (aligned, not certified).

HIPAA

Can be configured to support HIPAA-compliant workflows for agencies handling protected health information, with Business Associate Agreements (BAAs) available on request.

Annual penetration testing

Independent third-party penetration tests and vulnerability assessments conducted annually. Reports available under NDA.

Independently verifiable

Certifications and assessments

Hosting foundation

Built on AWS GovCloud (US)

eCourtDate runs exclusively in AWS GovCloud (US), operated by U.S. citizens on U.S. soil and built for the most stringent government workloads. The platform inherits the authorizations the foundation holds.

A note on FedRAMP: AWS GovCloud is FedRAMP High authorized, and eCourtDate is hosted there. eCourtDate itself does not hold a separate FedRAMP authorization. It is a GovRAMP member listed on the Progressing Product list as it pursues additional formal authorizations.

Inherited from the GovCloud foundation

  • FedRAMP High authorized (inherited from the AWS GovCloud foundation)
  • DOJ CJIS Security Policy
  • ITAR and Export Administration Regulations (EAR)
  • DOD Cloud Computing SRG Impact Levels 2, 4, and 5
  • FIPS 140-2 validated endpoints
  • IRS-1075 for federal tax information

Security controls

Controls across the platform

Infrastructure and Hosting

  • Hosted exclusively on AWS GovCloud (US), an isolated U.S. region for sensitive government workloads
  • All data resides within the United States with geo-restricted access
  • Distributed, serverless architecture with automatic scaling and self-healing
  • Multi-region failover with quarterly disaster recovery testing
  • 24/7 infrastructure monitoring with U.S.-based engineering response

Data Integrity and Backup

  • Continuous streaming replication across availability zones
  • Hourly encrypted snapshots with AES 256-bit encryption
  • 30-day snapshot retention with 7-day replication logs
  • Point-in-time recovery via AWS RDS
  • RTO 4 hours, RPO 1 hour, 99.95% uptime SLA
  • Bulk data export in JSON, CSV, and SQL formats

Authentication and SSO

  • SAML 2.0, OAuth 2.0, LDAP, and Active Directory integration
  • Azure AD, Google Workspace, Office 365, and Okta SSO
  • SCIM directory sync for automated provisioning and deprovisioning
  • Multi-factor authentication: TOTP, FIDO2/WebAuthn, and SMS
  • Session management with configurable timeouts and concurrent session limits

Password Security

  • CJIS-compliant password policies enforced by default
  • 20-character minimum length with complexity requirements
  • 90-day expiration with 10-password history enforcement
  • Account lockout after a configurable failed-attempt threshold
  • All credentials transmitted over encrypted channels only

Privacy Mode

  • PII fields hidden by default with explicit access grants
  • Auto-archiving of inactive records after configurable periods
  • Auto-purging of archived data after 90 days (configurable)
  • Redacted reports for leadership and public records requests
  • MFA required for PII access with 1-hour session limits

Network Security

  • DNSSEC, DKIM, DMARC, and SPF enforced on all domains
  • Cloudflare WAF with custom rules for justice-specific attack patterns
  • DDoS mitigation with automatic traffic filtering
  • Daily PCI and SSL vulnerability scans
  • IP allowlisting and geo-restriction on integrations and API access

Application Security

  • OWASP Top 10 vulnerability scanning on every deployment
  • CWE/SANS Top 25 static analysis integrated into CI/CD
  • Bot detection and malicious file scanning on all uploads
  • Automated dependency vulnerability scanning
  • Annual independent penetration testing, reports available under NDA

Employee and Organizational Security

  • All employees are U.S.-based and background-checked
  • CJIS Security Awareness Training and fingerprinting for staff handling CJI
  • Annual security awareness training and phishing simulations
  • Least-privilege access with quarterly access reviews
  • Subcontractor security and privacy agreements required
  • Confidentiality and NDA requirements for all personnel

Incident response

Prepared before an incident, not during one

A dedicated incident response team, led by a designated IR Coordinator, follows documented procedures for detection, containment, eradication, and recovery.

When customer data is affected, eCourtDate notifies affected parties within 24 hours of confirmed impact, including the nature of the incident, the data affected, and the remediation steps taken.

eCourtDate has not experienced any data breaches or data-loss events to date.

Incident prioritization

  • P0Critical. Catastrophic impact. Immediate response with maximum resources.
  • P1High. Major operational disruption until resolved.
  • P2Moderate. Noticeable impact, operations continue, prompt resolution.
  • P3Low. Minimal impact, handled through standard processes.

Backup, recovery, and availability

Durable by design

Backup strategy

Continuous streaming replication and hourly AES 256-bit encrypted snapshots in AWS GovCloud. Point-in-time recovery with 30-day snapshot retention and 7-day replication logs.

Disaster recovery

Multi-region failover within AWS GovCloud, tested quarterly. Recovery time objective (RTO) of 4 hours and recovery point objective (RPO) of 1 hour for critical systems.

Uptime and SLA

A 99.95% uptime guarantee with defined response times by severity, proactive automated alerting, and monthly uptime reporting on request.

Data ownership and lifecycle

Your data stays yours

Agencies own their data. At any time, authorized administrators can bulk-export raw data in JSON, CSV, and SQL using the Backup Data tool.

On contract termination, after export is confirmed, eCourtDate performs certified secure deletion of all agency data, including backups, within 30 days. A certificate of data destruction is provided on request.

A Reset Data tool also lets authorized administrators permanently delete records by type during the contract, with cached sources purged immediately and an email alert sent to administrators.

Monitoring, patching, and maintenance

Watched continuously, patched promptly

24/7 monitoring

Infrastructure and application health watched around the clock with Datadog, AWS CloudTrail, Amazon GuardDuty, and Cloudflare analytics, with automated alerting on anomalies.

Vulnerability management

Continuous OWASP Top 10 and CWE/SANS Top 25 scanning, daily PCI and SSL scans, DNS and firewall assessments, and annual third-party penetration testing.

SIEM integration

Log forwarding to your agency SIEM on request. System access, user activity, and security event logs integrate with your security operations center.

Patching cadence

Critical patches applied within 24 to 48 hours, high-severity within 7 days, routine updates monthly. All patches tested in staging before production.

Source code is continuously scanned for security and quality, with OWASP Top 10 and CWE/SANS Top 25 checks on every change. An active bug bounty program invites security researchers and customers to report vulnerabilities through responsible disclosure.

Subprocessors

The vendors behind the platform

Primary data storage is in AWS GovCloud (US). The third-party services that support the platform are listed below, and each undergoes a security assessment.

  • Amazon Web Services

    Infrastructure-as-a-service: compute, storage, and database in AWS GovCloud (US).

  • Microsoft Azure

    Identity-provider integration for single sign-on.

  • Cloudflare

    Content delivery network, Web Application Firewall, and DDoS protection.

  • Auth0

    Authentication and identity federation for user accounts.

  • Datadog

    Infrastructure and application health monitoring.

  • GitHub

    Source version control and CI/CD pipelines.

  • Postman

    API design and automated API testing.

  • Let's Encrypt

    SSL/TLS certificate provisioning.

Documentation

Evidence for your security review

Whatever your procurement process requires, the security team can provide it. Request access through your account manager or the contact form.

Penetration test report

Results of the most recent independent third-party penetration test and vulnerability assessment.

Available under NDA

CAIQ / SIG questionnaire

Pre-completed Consensus Assessments Initiative Questionnaire and Standardized Information Gathering responses for your security review.

Available on request

Data Processing Agreement

DPA covering data handling, and a certificate of secure data destruction issued on contract termination.

Available on request

GovRAMP listing

Public listing on the GovRAMP Progressing Product list, with CSA STAR registry and CISA CRR references.

Publicly verifiable

Security FAQ

Answers to common questionnaires

The questions that come up most in government security reviews, grouped by topic.

General and Compliance

What security standards and assessments does eCourtDate follow?
eCourtDate follows the CJIS Security Policy, operates on AWS FIPS 140-2/140-3 validated infrastructure, and has completed the CSA STAR Level One self-assessment and the CISA Cyber Resilience Review (CRR). eCourtDate is a GovRAMP member listed on the Progressing Product list, and its information security management system is aligned with ISO 27001:2013. Independent third-party security assessments and penetration tests are conducted annually.
Is eCourtDate CJIS compliant?
Yes. eCourtDate is designed to meet the FBI Criminal Justice Information Services (CJIS) Security Policy. This includes CJIS-compliant encryption, access controls, audit logging, personnel security (background checks and fingerprinting), and security awareness training for staff handling CJI. eCourtDate is hosted in CJIS-compliant AWS GovCloud (US).
Is eCourtDate HIPAA compliant?
eCourtDate can be configured to support HIPAA-compliant workflows for agencies handling protected health information (PHI). This includes encryption of PHI in transit and at rest, access controls, audit logging, and Business Associate Agreements (BAAs) on request.
Is eCourtDate FedRAMP authorized?
eCourtDate itself does not hold a FedRAMP authorization. eCourtDate is hosted exclusively in AWS GovCloud (US), which holds FedRAMP High authorization, and is a GovRAMP member listed on the Progressing Product list as it works toward additional formal authorizations.
How often is eCourtDate security posture reviewed?
The security posture is reviewed continuously through automated monitoring and formally through annual risk assessments, penetration tests, and compliance audits. Vulnerability scans run daily, and security policies are reviewed and updated at least annually.
Can you provide penetration test or vulnerability assessment reports?
Yes. Annual penetration test results and vulnerability assessment reports are available under a non-disclosure agreement (NDA). Contact your account manager or the security team to request documentation.
Has eCourtDate experienced any data breaches?
eCourtDate has not experienced any data breaches or data-loss events. eCourtDate maintains a proactive security posture with continuous monitoring, automated threat detection, and rapid incident response.

Hosting and Infrastructure

Where is eCourtDate hosted?
eCourtDate is hosted exclusively in AWS GovCloud (US), a secure cloud environment operated by U.S. citizens on U.S. soil. AWS GovCloud independently meets FedRAMP High, CJIS, ITAR, and DOD SRG requirements, providing a compliant foundation for the platform.
Is data stored exclusively in the United States?
Yes. All customer data is stored, processed, and transmitted exclusively within the United States in AWS GovCloud (US) regions. No data leaves U.S. borders.
What is your tenancy model?
eCourtDate uses a multi-tenant, serverless architecture where each agency is assigned an isolated tenant within its optimal GovCloud region. Data is logically segregated at the database level with enforced tenant isolation.
What is your technology platform stack?
eCourtDate is built on a cloud-native, serverless architecture using AWS GovCloud services including Lambda, RDS, S3, CloudFront, and API Gateway. All infrastructure is managed as code with automated provisioning and configuration.
Do you use third-party storage vendors?
Primary data storage uses AWS GovCloud services exclusively. The Software Bill of Materials includes Amazon Web Services, Microsoft Azure (for SSO and identity), GitHub, Cloudflare, Auth0, Datadog, Postman, and Let’s Encrypt. All third-party vendors undergo security assessments.

Data Protection and Encryption

How is data encrypted in transit and at rest?
All data in transit is encrypted using TLS 1.2+ (HTTPS enforced). All data at rest is encrypted using AES 256-bit through AWS FIPS 140-2/140-3 validated cryptographic modules. This applies to databases, backups, file storage, and internal system communications.
What encryption standards do you use?
eCourtDate operates on AWS FIPS 140-2/140-3 validated cryptographic infrastructure: AES 256-bit for data at rest, TLS 1.2+ for data in transit, AWS CloudHSM and KMS for key management, and DNSSEC, DKIM, DMARC, and SPF for email and DNS security.
How do you handle data at contract termination?
On contract termination, agencies can export all data using the Backup Data tool in JSON, CSV, and SQL formats. After export is confirmed, eCourtDate performs certified secure deletion of all agency data, including backups, within 30 days. A certificate of data destruction is provided on request.
What backup and disaster recovery capabilities do you provide?
Data is protected through continuous streaming replication and hourly encrypted snapshots stored in AWS GovCloud. The disaster recovery plan includes multi-region failover tested quarterly, with a 30-day snapshot retention period.
What are your RTO and RPO targets?
Recovery Time Objective (RTO) is 4 hours and Recovery Point Objective (RPO) is 1 hour for critical systems. These targets are supported by continuous replication, automated failover, and regularly tested recovery procedures.

Access Control and Authentication

What authentication methods are supported (SAML, OAuth, LDAP)?
eCourtDate supports SAML 2.0, OAuth 2.0, LDAP, Active Directory, Azure AD, Google Workspace, and Office 365 for single sign-on. Native authentication with configurable password policies is also available.
Is multi-factor authentication required?
Yes. Multi-factor authentication is required for all administrator and privileged access. eCourtDate supports app-based authenticators (TOTP), hardware security keys (FIDO2/WebAuthn), and SMS verification. MFA can be enforced for all user types through agency-level configuration.
How does role-based access control work?
Administrators configure user access on a granular level with customizable roles and permissions. RBAC supports create, read, update, and delete permissions per record type, and roles can be tailored to organizational hierarchies and operational requirements.
What is your password policy?
eCourtDate enforces CJIS-compliant password policies: minimum 20-character length with complexity requirements, 90-day maximum password age, 10-password history enforcement, account lockout after consecutive failed attempts, and secure self-service password reset with identity verification.

Monitoring, Auditing, and Incident Response

How do you monitor for security threats?
eCourtDate uses 24/7 monitoring with Datadog, AWS CloudTrail, Amazon GuardDuty, and Cloudflare analytics. This includes automated intrusion detection, anomaly detection, real-time alerting, and continuous vulnerability scanning via the OWASP Top 10 and CWE/SANS Top 25 frameworks.
Can audit logs be forwarded to our SIEM?
Yes. eCourtDate supports log forwarding to agency SIEM systems on request. System access, user activity, and security event logs are available for integration with your existing security operations center.
How long are audit logs retained?
Audit logs are retained for the duration of the contract in read-only format and are downloadable in CSV, JSON, and XML. System access logs are additionally maintained via AWS CloudTrail for infrastructure-level monitoring.
What is your incident response process and notification timeframe?
The Incident Response team, headed by a designated IR Coordinator, follows documented procedures for detection, containment, eradication, and recovery. Affected parties are notified within 24 hours of a confirmed security incident. Incidents are prioritized from P0 (Critical) through P3 (Low) with resources allocated accordingly.
Do you conduct regular vulnerability scans?
Yes. Automated vulnerability scans run continuously on all code changes. Daily PCI and SSL compliance scans run alongside automated DNS and firewall assessments via Cloudflare. Annual third-party penetration tests supplement the automated scanning program.

Employees and Operations

Are employees U.S.-based and background-checked?
Yes. All eCourtDate employees are United States-based and undergo comprehensive background checks prior to employment. Employees handling CJI are fingerprinted in accordance with CJIS policy.
Do employees receive CJI and security training?
Yes. Employees handling Criminal Justice Information complete CJIS Security Awareness Training, and all staff complete annual security awareness training covering phishing, social engineering, data handling, and incident reporting.
How are patches and updates applied?
Critical security patches are applied within 24 to 48 hours of release. High-severity patches are applied within 7 days. Routine updates follow a monthly schedule. All patches are tested in staging environments before production deployment.
What are your maintenance notification procedures?
Planned maintenance is scheduled during low-traffic windows with a minimum of 2 weeks advance notice. Emergency maintenance for critical security issues may occur with shorter notice, accompanied by real-time status updates. Agencies are notified by email and through the support portal.
What is your uptime SLA?
eCourtDate guarantees 99.95% platform uptime as part of its Service Level Agreement. SLA terms include defined response times by issue severity, proactive monitoring with automated alerting, and monthly uptime reporting on request.

Network and Application Security

What network defenses are in place (IPS/IDS, WAF, DDoS)?
eCourtDate uses multi-layered network defenses: Cloudflare Web Application Firewall (WAF), DDoS protection, and bot management. AWS infrastructure provides network-level IDS/IPS via Amazon GuardDuty and VPC flow-log monitoring. DNSSEC, DKIM, DMARC, and SPF are enforced for DNS and email security.
How are APIs secured and tested?
All API endpoints require authentication via secure API keys or OAuth 2.0 tokens. APIs are rate-limited, geo-restricted, and IP-restricted. API security is validated through automated testing and continuous monitoring with OWASP API Security Top 10 coverage.
Do you support IP restrictions?
Yes. All third-party integrations and API connections support IP restriction (allowlisting). Agency administrators can configure IP-based access rules to limit platform access to authorized network ranges.
Do you have a bug bounty program?
Yes. eCourtDate maintains an active bug bounty program that invites security researchers and customers to conduct penetration testing and report vulnerabilities through responsible disclosure.

Last reviewed June 2026. Responsible disclosure: security@ecourtdate.com. See also Bug Bounty, Security Policies, and Audit Logs.

Talk to our security team

Request documentation, work through a security questionnaire, or see the platform in a demo. Our U.S.-based team is ready.