Information Security Requirements
Capitalized terms not defined in this Information Security Requirements (this “Exhibit”), or otherwise defined in the Agreement, shall have the same meaning as set forth in the Agreement.
- Definitions
- “Customer” means a person, business or entity that obtains goods, services or licenses from LegalZoom, including without limitation on LegalZoom.com.
- “Information Resources” means any computing and other systems, applications, and network elements, by or with which LegalZoom Information is stored, transmitted or processed, in conjunction with supporting the business of LegalZoom and/or fulfilling Vendor’s obligations under the Agreement.
- “LegalZoom Information” means any and all information disclosed directly or indirectly by or on behalf of LegalZoom to Vendor, whether orally or in writing, that (i) has been marked as “proprietary” or “confidential” or (ii) under the circumstances surrounding disclosure or by the nature of the information itself, should be reasonably considered confidential. LegalZoom Information includes, without limitation, (a) information pertaining to LegalZoom, its affiliates, and its and their respective businesses or end users, (b) personal data or personal information as defined by applicable privacy laws, rules, or regulations, and (c) proprietary information such as ideas, strategies, markups, inventions, processes, charts, documents, algorithms, data, software code, presentations, internal memorandums, documented or oral communications, contracts or notes related to existing or proposed product offerings or services. LegalZoom Information does not include information that: (1) is already in the public domain at the time of disclosure or later becomes available to the public through no breach of Vendor’s confidentiality obligations; (2) is lawfully in Vendor’s possession, without an obligation of confidentiality, prior to receipt hereunder; (3) is received independently by Vendor from a third party who was free to lawfully disclose such information to Vendor; or (4) is independently developed by Vendor without the use of Confidential Information, as evidenced by Vendor’s business records.
- “Strong Encryption” means the use of encryption technologies with minimum key lengths of 128-bits for symmetric encryption and 1024-bits for asymmetric encryption whose strength provides reasonable assurance that it will protect the encrypted information from unauthorized access, and is adequate to protect the confidentiality and privacy of the encrypted information.
- “Vendor” means the non-LegalZoom party to the Agreement.
- Minimum System Security Requirements
- Monitoring Security Alerts: Actively monitor industry resources (e.g., cert.org and pertinent software vendor mailing lists and/or websites) for timely notification of all applicable security alerts pertaining to Vendor networks and Information Resources.
- System Scanning: Scan both external-facing and internal Information Resources with applicable industry standard security vulnerability scanning software (including, but not limited to, network, server, application, and database scanning tools) at a minimum monthly. Upon LegalZoom’s request, Vendor will furnish to LegalZoom its most current scanning results.
- Deploy Intrusion Detection/Prevention Systems: Deploy one or more Intrusion Detection/Prevention Systems (IDS or IPS) in an active mode of operation.
- Remediating/Patching Service Vulnerabilities: Use a documented process to remediate security vulnerabilities in the Information Resources, including, but not limited to, those discovered through industry publications, vulnerability scanning, virus scanning, and the review of security logs, and apply appropriate security patches promptly, commensurate with the probability that such vulnerability can be, or is in the process of being, exploited.
- Security Administration Responsibilities: Assign security administration responsibilities for configuring host operating systems to specific individuals and ensure that security staff has reasonable and necessary experience in information/network security.
- Hardened Systems: Ensure that all of Vendor’s Information Resources are and remain ‘hardened’ including, but not limited to, removing or disabling unused network services (e.g., finger, rlogin, ftp, simple TCP/IP services) and installing a system firewall, TCP Wrappers or similar technology.
- Restrict User and Super User Privileges and Access: Restrict access by users to only the commands, data and Information Resources necessary to perform authorized functions. System administrator/root (or privileged, super user, or the like) access should be limited to individuals requiring such high-level access in the performance of their jobs and system administrators should not perform tasks for non-privileged users using system administrator accounts or credentials.
- Minimum Physical Security Requirements
- Secure Facilities: Ensure that all of Vendor’s networks and Information Resources are located in secure physical facilities with access limited and restricted to authorized individuals only.
- Monitoring and Recording Access: Monitor and record, for audit purposes, access to the physical facilities containing networks and Information Resources used in connection with Vendor’s performance of its obligations under the Agreement.
- Minimum Network Security Requirements
- Detection and Handling of Unauthorized Access: Have a documented process and controls in place to detect and handle unauthorized attempts to access LegalZoom Information.
- Encryption of Information both in Transit and at Rest: Use Strong Encryption for the transfer of LegalZoom’s Information outside of LegalZoom-controlled or Vendor-controlled facilities, or when transmitting LegalZoom Information over any untrusted network, or when storing LegalZoom Information.
- Remote Access Authentication: Require authentication and encryption for any remote access use of Information Resources.
- Minimum Requirements for the Protection of LegalZoom Information
- Segregation of LegalZoom’s Information: Segregate LegalZoom’s applications and LegalZoom’s Information from any other applications and information of Vendor or Vendor’s customers, by using physically separate servers or, alternatively, by using logical access controls where physical separation of servers is not implemented.
- Documentation of Secure Backup, Transport, Storage and Disposal of LegalZoom Information: Have a documented procedure for the secure backup, transport, storage, and disposal of LegalZoom Information and upon LegalZoom’s request, provide such documented procedure to LegalZoom.
- Business Continuity Plan: Maintain and, upon LegalZoom’s request, furnish to LegalZoom a business continuity plan that ensures that Vendor can meet its contractual obligations under the Agreement, including the requirements of any applicable Statement of Work or Service Level Agreement. Upon LegalZoom’s request, Vendor shall promptly update its business continuity plan to include a potential threat scenario.
- Limit Access to LegalZoom Information Regardless of Form: Limit access to LegalZoom Information in any form, including, but not limited to, paper hard copies, to authorized persons or systems only, and solely to the extent necessary to provide the Services.
- Minimum Identification and Authentication Requirements
- Unique Account Names, UserIDs and Login Credentials: All default account names, passwords or credentials are changed, and unique UserIDs and Login credentials are assigned to individual users for systems connecting to or handling LegalZoom Information. Any LegalZoom-assigned personnel credentials will not be used by any person other than the assigned individual user (no sharing of credentials). A documented UserID Lifecycle Management process will be used, including, but not limited to, procedures for approved account creation, timely account removal, and account modification (e.g., changes to privileges, span of access, functions/roles) for all Information Resources and across all environments (e.g., production, test, development, etc.). Vendor must notify LegalZoom within twenty-four (24) hours of separation of personnel holding LegalZoom-assigned personnel credentials (“Personnel”) by emailing the following information to provideroffboarding@legalzoom.com: (i) Vendor legal entity name, (ii) full name of Personnel, (iii) username of Personnel, and (iv) separation date of Personnel.
- Limit Failed Logins: Limit failed login attempts to no more than six (6) successive attempts and lock the user account upon reaching that limit. Access to the user account can be reactivated subsequently through a manual process requiring verification of the user’s identity or, where such capability exists, can be automatically reactivated after at least three (3) minutes from the last failed login attempt.
- Terminate Inactive Interactive Sessions: Terminate interactive sessions, or activate a secure, locking screensaver requiring authentication, after a period of inactivity not to exceed fifteen (15) minutes.
- Passwords: Passwords must meet the following minimum requirements: (i) be a minimum of eight (8) characters in length; (ii) if the password is less than twelve (12) characters in length, contain characters from at least three (3) of these groupings: uppercase alpha, lowercase alpha, numeric, and special characters; (iii) not be the same as the UserID with which they are associated; and (iv) be complex and not contain names or dictionary words.
- Secure Conveyance of UserIDs and Passwords: Use a secure method for the conveyance of authentication credentials (e.g., passwords) and authentication mechanisms (e.g., tokens or smart cards). Ensure user session authentication is protected by utilizing TLS encryption on Vendor websites.
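The Limit Failed Logins and Passwords clauses above are concrete enough to check in code. The following is an added illustration, not part of this Exhibit and not LegalZoom or Vendor code; the dictionary word list is a constructed stand-in, and timestamps are epoch seconds supplied by the caller.

```python
# Parameters taken from the Passwords and Limit Failed Logins clauses.
MIN_LEN = 8                  # clause (i)
COMPLEXITY_BELOW_LEN = 12    # clause (ii) applies only below this length
MAX_FAILED = 6               # lock after six successive failed attempts
LOCKOUT_SECONDS = 3 * 60     # earliest automatic reactivation after last failure
# Constructed stand-in for a real name/dictionary list (an assumption).
DICTIONARY = {"password", "welcome", "summer", "legalzoom", "admin"}


def password_violations(password, user_id):
    """Return the clauses of the Passwords requirement that `password` fails."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append("(i) shorter than 8 characters")
    if len(password) < COMPLEXITY_BELOW_LEN:
        groups = [any(c.isupper() for c in password),
                  any(c.islower() for c in password),
                  any(c.isdigit() for c in password),
                  any(not c.isalnum() for c in password)]
        if sum(groups) < 3:
            problems.append("(ii) fewer than 3 of 4 character groupings")
    if password.lower() == user_id.lower():
        problems.append("(iii) same as the UserID")
    if any(word in password.lower() for word in DICTIONARY):
        problems.append("(iv) contains a name or dictionary word")
    return problems


class LoginLockout:
    """Tracks successive failed logins per user (in-memory; no persistence)."""

    def __init__(self):
        self.failed = {}  # user -> (successive failure count, time of last failure)

    def is_locked(self, user, now):
        count, last = self.failed.get(user, (0, None))
        if count < MAX_FAILED:
            return False
        if now - last >= LOCKOUT_SECONDS:   # automatic reactivation path
            del self.failed[user]
            return False
        return True

    def record_failure(self, user, now):
        """Record one failed attempt; return True if the account is now locked."""
        count, _ = self.failed.get(user, (0, None))
        self.failed[user] = (count + 1, now)
        return self.is_locked(user, now)

    def reset(self, user):
        """Clear the counter after a successful login or manual identity verification."""
        self.failed.pop(user, None)
```

A login handler should call `is_locked` before attempting authentication, so that a locked account rejects attempts without evaluating the supplied password.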
- Minimum Requirements for Software and Data Integrity
- Scan and Remove Viruses: Have current antivirus software installed and running to scan for and promptly remove viruses.
- Separate Production and Non-Production Resources: Separate development and test activities from and restrict developer access to operational environments in order to reduce the risks of inadvertent or unauthorized modifications to the operational system that could compromise the system’s integrity or availability.
- Software Change Control Process: Implement a documented software change control process including back out procedures.
- Utilize Database Transaction Logging: For applications which utilize a database that allows modifications to LegalZoom Information, have database transaction logging features enabled and retain database transaction logs for a minimum of six (6) months.
- Review Code for Vulnerabilities and Compliance with Industry Standard Security Requirements: For all software developed, used, furnished and/or supported under this Agreement, review such software to find and remediate security vulnerabilities during initial implementation and upon any modifications and updates. Further, ensure, prior to furnishing or developing custom software, that such software incorporates applicable industry best practices (OWASP and SANS CWE) to address and avoid potential security risks and common coding vulnerabilities.
- Quality Assurance Test Application and Security Vulnerabilities: Perform quality assurance testing for the application functionality and security components (e.g., testing of authentication, authorization, and accounting functions, as well as any other activity designed to validate the security architecture) during initial implementation and upon any modifications and updates.
- Minimum Monitoring and Auditing Controls
- Restrict Access to Security Logs: Restrict access to security logs to authorized individuals.
- Review Security Logs and Resolve Security Problems: Review, on a routine basis, security logs for anomalies and document and resolve all logged security problems in a timely manner.
- Record Retention: Retain complete and accurate records relating to its performance of its obligations arising out of these Security Requirements and Vendor’s compliance in a format that will permit audit for a period of no less than three (3) years, or longer as may be required pursuant to a court order or civil or regulatory proceeding.
- Annual Compliance Review: At a minimum, annually review the Information Security Requirements of this Exhibit to ensure that Vendor is in compliance with the requirements of this Agreement.
- Minimum Personnel Security and Integrity Procedures
- Implementing Appropriate Personnel Security and Integrity Procedures and Practices: Deploy procedures including, but not limited to, conducting background checks consistent with applicable law and permitting LegalZoom access to such background checks upon LegalZoom’s reasonable request.
- Training of Personnel: Provide appropriate privacy and information security training to Vendor's employees that have access to LegalZoom Information or to LegalZoom systems, facilities, or assets.
- Minimum Connectivity Requirements: In the event Vendor is provided access to LegalZoom’s networks (“Connectivity”) in conjunction with the Agreement, then Vendor will:
- Use only the mutually agreed upon facilities and connection methodologies to interconnect LegalZoom’s networks with Vendor’s networks and to provide access to the data for each connection.
- Only establish interconnection to endpoint resources and/or end users outside the United States with the express prior written consent of LegalZoom.
- Provide LegalZoom access to any Vendor facilities during normal business hours for the maintenance and support of any LegalZoom equipment (e.g., router) used for the transmission of LegalZoom Information under the Agreement.
- Use any LegalZoom equipment provided under the Agreement only for the furnishing of those Services or functions explicitly defined in the Agreement.
- Ensure that all Vendor interconnections to LegalZoom pass through the designated LegalZoom perimeter security gateway (e.g., firewall).
- Ensure that Vendor interconnections to LegalZoom terminate at a perimeter security gateway (e.g., firewall) at the Vendor end of the connection.
- Maintain logs of all sessions that pass through the Vendor’s perimeter security gateway. These session logs must include sufficiently detailed information to identify the end user or application, origination IP address, destination IP address, ports / service protocols used and duration of access. These session logs must be retained for a minimum of six (6) months.
- Immediately suspend or terminate any interconnection if LegalZoom, in its sole discretion, believes there has been a breach of security, unauthorized access to, or misuse of LegalZoom data facilities or LegalZoom Information.