Trust Center
The detailed security posture procurement and IT teams need: compliance, hosting, controls, incident response, subprocessors, and answers to common security questionnaires. Documentation is available on request.
Compliance and standards
A compliance program aligned to government standards
Security controls and assessments are reviewed at least annually. Where a standard can be verified at the source, the link goes straight to the registry or program listing.
CJIS Security Policy
Designed to meet the FBI Criminal Justice Information Services security requirements, including encryption, access control, audit logging, and personnel security.
FIPS 140-2/140-3
Operates on AWS FIPS 140-2/140-3 validated cryptographic modules for all encryption, decryption, and key management.
CSA STAR Level One
Listed in the Cloud Security Alliance Security, Trust, Assurance, and Risk (STAR) registry.
VerifyCISA Cyber Resilience Review (CRR)
Assessment aligned with CISA best practices for organizational resilience and gap analysis.
GovRAMP Member
Member of the GovRAMP cybersecurity community, listed on the Progressing Product list.
VerifyISO 27001-aligned
Information security management system built on ISO 27001:2013 guidance (aligned, not certified).
HIPAA
Can be configured to support HIPAA-compliant workflows for agencies handling protected health information, with Business Associate Agreements (BAAs) available on request.
Annual penetration testing
Independent third-party penetration tests and vulnerability assessments conducted annually. Reports available under NDA.
Independently verifiable
Certifications and assessments
CJIS CompliantFBI Criminal Justice Information Services
AWS GovCloudIsolated U.S. government regionVerify
FIPS 140-2/140-3Federal cryptographic standardCSA STARCloud Security Alliance registryVerify
CISA CRRCyber Resilience Review
GovRAMP MemberListed on the Progressing Product listVerify
Hosting foundation
Built on AWS GovCloud (US)
eCourtDate runs exclusively in AWS GovCloud (US), operated by U.S. citizens on U.S. soil and built for the most stringent government workloads. The platform inherits the authorizations the foundation holds.
A note on FedRAMP: AWS GovCloud is FedRAMP High authorized, and eCourtDate is hosted there. eCourtDate itself does not hold a separate FedRAMP authorization. It is a GovRAMP member listed on the Progressing Product list as it pursues additional formal authorizations.
Inherited from the GovCloud foundation
- FedRAMP High authorized (inherited from the AWS GovCloud foundation)
- DOJ CJIS Security Policy
- ITAR and Export Administration Regulations (EAR)
- DOD Cloud Computing SRG Impact Levels 2, 4, and 5
- FIPS 140-2 validated endpoints
- IRS-1075 for federal tax information
Security controls
Controls across the platform
Infrastructure and Hosting
- Hosted exclusively on AWS GovCloud (US), an isolated U.S. region for sensitive government workloads
- All data resides within the United States with geo-restricted access
- Distributed, serverless architecture with automatic scaling and self-healing
- Multi-region failover with quarterly disaster recovery testing
- 24/7 infrastructure monitoring with U.S.-based engineering response
Data Integrity and Backup
- Continuous streaming replication across availability zones
- Hourly encrypted snapshots with AES 256-bit encryption
- 30-day snapshot retention with 7-day replication logs
- Point-in-time recovery via AWS RDS
- RTO 4 hours, RPO 1 hour, 99.95% uptime SLA
- Bulk data export in JSON, CSV, and SQL formats
Authentication and SSO
- SAML 2.0, OAuth 2.0, LDAP, and Active Directory integration
- Azure AD, Google Workspace, Office 365, and Okta SSO
- SCIM directory sync for automated provisioning and deprovisioning
- Multi-factor authentication: TOTP, FIDO2/WebAuthn, and SMS
- Session management with configurable timeouts and concurrent session limits
Password Security
- CJIS-compliant password policies enforced by default
- 20-character minimum length with complexity requirements
- 90-day expiration with 10-password history enforcement
- Account lockout after a configurable failed-attempt threshold
- All credentials transmitted over encrypted channels only
Privacy Mode
- PII fields hidden by default with explicit access grants
- Auto-archiving of inactive records after configurable periods
- Auto-purging of archived data after 90 days (configurable)
- Redacted reports for leadership and public records requests
- MFA required for PII access with 1-hour session limits
Network Security
- DNSSEC, DKIM, DMARC, and SPF enforced on all domains
- Cloudflare WAF with custom rules for justice-specific attack patterns
- DDoS mitigation with automatic traffic filtering
- Daily PCI and SSL vulnerability scans
- IP allowlisting and geo-restriction on integrations and API access
Application Security
- OWASP Top 10 vulnerability scanning on every deployment
- CWE/SANS Top 25 static analysis integrated into CI/CD
- Bot detection and malicious file scanning on all uploads
- Automated dependency vulnerability scanning
- Annual independent penetration testing, reports available under NDA
Employee and Organizational Security
- All employees are U.S.-based and background-checked
- CJIS Security Awareness Training and fingerprinting for staff handling CJI
- Annual security awareness training and phishing simulations
- Least-privilege access with quarterly access reviews
- Subcontractor security and privacy agreements required
- Confidentiality and NDA requirements for all personnel
Incident response
Prepared before an incident, not during one
A dedicated incident response team, led by a designated IR Coordinator, follows documented procedures for detection, containment, eradication, and recovery.
When customer data is affected, eCourtDate notifies affected parties within 24 hours of confirmed impact, including the nature of the incident, the data affected, and the remediation steps taken.
eCourtDate has not experienced any data breaches or data-loss events to date.
Incident prioritization
- P0Critical. Catastrophic impact. Immediate response with maximum resources.
- P1High. Major operational disruption until resolved.
- P2Moderate. Noticeable impact, operations continue, prompt resolution.
- P3Low. Minimal impact, handled through standard processes.
Backup, recovery, and availability
Durable by design
Backup strategy
Continuous streaming replication and hourly AES 256-bit encrypted snapshots in AWS GovCloud. Point-in-time recovery with 30-day snapshot retention and 7-day replication logs.
Disaster recovery
Multi-region failover within AWS GovCloud, tested quarterly. Recovery time objective (RTO) of 4 hours and recovery point objective (RPO) of 1 hour for critical systems.
Uptime and SLA
A 99.95% uptime guarantee with defined response times by severity, proactive automated alerting, and monthly uptime reporting on request.
Data ownership and lifecycle
Your data stays yours
Agencies own their data. At any time, authorized administrators can bulk-export raw data in JSON, CSV, and SQL using the Backup Data tool.
On contract termination, after export is confirmed, eCourtDate performs certified secure deletion of all agency data, including backups, within 30 days. A certificate of data destruction is provided on request.
A Reset Data tool also lets authorized administrators permanently delete records by type during the contract, with cached sources purged immediately and an email alert sent to administrators.
Monitoring, patching, and maintenance
Watched continuously, patched promptly
24/7 monitoring
Infrastructure and application health watched around the clock with Datadog, AWS CloudTrail, Amazon GuardDuty, and Cloudflare analytics, with automated alerting on anomalies.
Vulnerability management
Continuous OWASP Top 10 and CWE/SANS Top 25 scanning, daily PCI and SSL scans, DNS and firewall assessments, and annual third-party penetration testing.
SIEM integration
Log forwarding to your agency SIEM on request. System access, user activity, and security event logs integrate with your security operations center.
Patching cadence
Critical patches applied within 24 to 48 hours, high-severity within 7 days, routine updates monthly. All patches tested in staging before production.
Source code is continuously scanned for security and quality, with OWASP Top 10 and CWE/SANS Top 25 checks on every change. An active bug bounty program invites security researchers and customers to report vulnerabilities through responsible disclosure.
Subprocessors
The vendors behind the platform
Primary data storage is in AWS GovCloud (US). The third-party services that support the platform are listed below, and each undergoes a security assessment.
Amazon Web Services
Infrastructure-as-a-service: compute, storage, and database in AWS GovCloud (US).
Microsoft Azure
Identity-provider integration for single sign-on.
Cloudflare
Content delivery network, Web Application Firewall, and DDoS protection.
Auth0
Authentication and identity federation for user accounts.
Datadog
Infrastructure and application health monitoring.
GitHub
Source version control and CI/CD pipelines.
Postman
API design and automated API testing.
Let's Encrypt
SSL/TLS certificate provisioning.
Documentation
Evidence for your security review
Whatever your procurement process requires, the security team can provide it. Request access through your account manager or the contact form.
Penetration test report
Results of the most recent independent third-party penetration test and vulnerability assessment.
Available under NDA
CAIQ / SIG questionnaire
Pre-completed Consensus Assessments Initiative Questionnaire and Standardized Information Gathering responses for your security review.
Available on request
Data Processing Agreement
DPA covering data handling, and a certificate of secure data destruction issued on contract termination.
Available on request
GovRAMP listing
Public listing on the GovRAMP Progressing Product list, with CSA STAR registry and CISA CRR references.
Publicly verifiable
Security FAQ
Answers to common questionnaires
The questions that come up most in government security reviews, grouped by topic.
General and Compliance
What security standards and assessments does eCourtDate follow?
Is eCourtDate CJIS compliant?
Is eCourtDate HIPAA compliant?
Is eCourtDate FedRAMP authorized?
How often is eCourtDate security posture reviewed?
Can you provide penetration test or vulnerability assessment reports?
Has eCourtDate experienced any data breaches?
Hosting and Infrastructure
Where is eCourtDate hosted?
Is data stored exclusively in the United States?
What is your tenancy model?
What is your technology platform stack?
Do you use third-party storage vendors?
Data Protection and Encryption
How is data encrypted in transit and at rest?
What encryption standards do you use?
How do you handle data at contract termination?
What backup and disaster recovery capabilities do you provide?
What are your RTO and RPO targets?
Access Control and Authentication
What authentication methods are supported (SAML, OAuth, LDAP)?
Is multi-factor authentication required?
How does role-based access control work?
What is your password policy?
Monitoring, Auditing, and Incident Response
How do you monitor for security threats?
Can audit logs be forwarded to our SIEM?
How long are audit logs retained?
What is your incident response process and notification timeframe?
Do you conduct regular vulnerability scans?
Employees and Operations
Are employees U.S.-based and background-checked?
Do employees receive CJI and security training?
How are patches and updates applied?
What are your maintenance notification procedures?
What is your uptime SLA?
Network and Application Security
What network defenses are in place (IPS/IDS, WAF, DDoS)?
How are APIs secured and tested?
Do you support IP restrictions?
Do you have a bug bounty program?
Last reviewed June 2026. Responsible disclosure: security@ecourtdate.com. See also Bug Bounty, Security Policies, and Audit Logs.
Talk to our security team
Request documentation, work through a security questionnaire, or see the platform in a demo. Our U.S.-based team is ready.
