Lawyers make their living by helping others comply with rules and stay out of trouble. But every lawyer will tell you that there are gaps in their knowledge. And this is true even for a given lawyer’s professed area of expertise. So it’s not a surprise that most lawyers don’t understand - and perhaps don’t even want to understand - how technology and internet security work.
And that’s perfectly OK with us.
We built Gravity Legal with security and compliance as top priorities. Whether we’re working to ensure that we always protect your trust account from chargebacks or processing fees or to help you comply with the rules regarding surcharging, protecting lawyers and law firms is why we exist.
We’ve put a lot of effort into protecting the financial information that you and your clients entrust to us. We wouldn’t hold ourselves out and ask you to trust us if we didn’t. Still, the lengths to which we go to keep things secure and a description of how we approach security, even if at a high level, isn’t something we’ve put out front and center. Until now.
Read on to learn more about how we protect the information that you and your clients entrust us with and (a bit of) a deeper dive into security.
- All Gravity Legal Payment Pages are served over HTTPS (Hypertext Transfer Protocol Secure), which encrypts the traffic between your browser and our servers and is the baseline standard for secure communication on the web.
- Any input fields that collect payment card data are hosted by a PCI DSS-validated payment service designed to handle such data. PCI DSS is short for Payment Card Industry Data Security Standard, the information security standard for organizations that handle branded payment cards.
- Side note: because those fields are hosted by the PCI DSS-validated service, card numbers never pass through Gravity Legal's own systems. Gravity Legal does not collect, transmit, process or store card data; the service stores it. Access to that stored data is tightly controlled at Gravity Legal and used only to address specific customer service and technical support issues, and all of it happens through the PCI DSS-validated service mentioned above.
- Similarly, we collect bank account (ACH) information through the same hosted-field approach and data security standards that we use for payment card data. We don't store this information; it is transmitted securely to our ACH provider, who stores it, all in accordance with the security rules specified and enforced by the governing body of the ACH Network.
- Stored Payment Methods are tokenized. The provider keeps the actual card or account number and hands us back a token, a random reference that is useless outside that provider, so firms can charge a saved payment method repeatedly without the sensitive number being exchanged each time. When we collect information for Stored Payment Methods we do so the same way that we collect payment information, as described above.
- Gravity Legal uses Amazon Web Services (AWS) to host the Gravity Legal software and data. This allows for access to industry-standard security tools.
- Gravity Legal uses AWS Cognito to handle user authentication. The code to enforce this authentication has been written by experienced engineers, reviewed by security experts, and thoroughly tested.
- All Gravity Legal software and data reside in a Virtual Private Cloud (VPC) and are accessible only by carefully secured and audited entry points.
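To make the tokenization point concrete, here is an added illustration (not Gravity Legal's code, and not their provider's API) of the division of labour it implies: the card number is validated and exchanged for a random token inside a vault, the application stores only the token and display data, and later charges are made by token. The `CardVault` class is a stand-in for the PCI DSS-validated provider, and the test card number is the well-known Visa test PAN, not real data.

```python
"""Tokenized stored payment methods: the application never holds the card number.

Added illustration, not Gravity Legal's code. `CardVault` stands in for the
PCI DSS-validated provider; in practice it is a separate service behind its
own API, never a class living in the application's process.
"""
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812) on a digits-only PAN."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Stand-in for the provider's vault: the only place the PAN lives."""

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}   # token -> PAN, provider side only

    def tokenize(self, pan: str) -> dict:
        """Validate the PAN, store it, and return a token plus display data."""
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("card number failed Luhn check")
        # A random token bears no relationship to the PAN, so it leaks nothing,
        # and tokenizing the same card twice yields two unrelated tokens.
        token = "tok_" + secrets.token_urlsafe(24)
        self._pans[token] = pan
        # Only non-sensitive display data crosses back to the application.
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        """Provider-side charge: the PAN is resolved here and never returned."""
        pan = self._pans.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # A real provider would forward `pan` to the card network at this point.
        return {"status": "approved", "amount_cents": amount_cents, "last4": pan[-4:]}


@dataclass(frozen=True)
class StoredPaymentMethod:
    """What the application (the merchant side) is allowed to keep."""
    token: str
    last4: str
    label: str


def store_payment_method(vault: CardVault, pan: str, label: str) -> StoredPaymentMethod:
    """Application side: exchange the PAN for a token and keep only the token."""
    t = vault.tokenize(pan)
    return StoredPaymentMethod(token=t["token"], last4=t["last4"], label=label)


def application_record_contains_pan(spm: StoredPaymentMethod, pan: str) -> bool:
    """Scope check: does anything the application stores reveal the full PAN?"""
    digits = pan.replace(" ", "")
    return digits in (spm.token + spm.last4 + spm.label)


if __name__ == "__main__":
    vault = CardVault()
    # Constructed input: the standard Visa test number, not a real card.
    saved = store_payment_method(vault, "4111 1111 1111 1111", "Retainer card")
    print(saved)                                  # token and last4 only
    print(vault.charge(saved.token, 2500))        # charged by token, PAN stays in the vault
```

The scope argument rests on two properties the code makes visible: the token is random rather than derived from the card number, and the only code path that sees the PAN again is inside the vault. Anything on the application side that logged, cached or echoed the PAN would pull that component back into PCI DSS scope.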
SOC 2: Beyond “Bank-Grade”
Gravity Legal is also SOC 2 compliant. Now, we know this is where your eyes might glaze over, but stay with us, even briefly. SOC 2 reports come in two types. A Type I report describes a company's controls at a single point in time. A Type II report, the one worth asking for, covers an observation period, typically six to twelve months, during which an independent CPA firm tests whether those controls actually operated as described and then issues a final attestation report. In a SOC 2 audit, the auditor evaluates the organization's controls against the AICPA Trust Services Criteria: security, which is always in scope, plus availability, processing integrity, confidentiality, and privacy where the company chooses to include them.
Further, not just any CPA firm can perform SOC audits. The American Institute of CPAs (AICPA) sets the standards under which SOC engagements are performed, so while CPAs are the auditors for SOC 2, the AICPA ensures that those auditors meet and maintain specified professional standards.
We’ve seen many competitors in the payments space speak to their “advanced security.” While they often mention PCI (a standard with which we comply, as noted above), beyond that they tend to say their system is “very secure” or that it enforces “bank-grade” security or “bank-level” encryption. These all sound super secure - nothing conjures the idea of security like a bank safe - but go ahead and do an internet search for “bank-grade security” or “bank-level encryption.” You won’t find a definition. To be clear, we aren’t saying these services aren’t secure. But calling their security “bank-grade” doesn’t tell you the specific standards to which they’ve designed, built and operated their software, or who checked.
SOC 2, on the other hand, is a well-established attestation framework: an independent third-party auditor examines the controls and signs the report. Lawyers may not know internet security, but they certainly understand that a professional, like a lawyer or accountant, who signs an attestation letter is staking their professional reputation on its contents. It means something.
So, next time your payment processor tells you that they’ve got “bank-grade” security or “bank-level” encryption, ask them what that means. Or, better yet, ask for specifics: are they SOC 2 compliant, is it a Type II report, and which Trust Services Criteria does the report cover?
Payment system security is our job, not yours. And like many of the jobs we all do, while we at Gravity Legal take security very seriously, we don’t always remember to tell folks about it. We hope that we’ve earned your trust with everything we do, not just security. However, we hope that this deeper dive into how we think about security and what we’re doing to look out for you and your firm will help you feel that much more comfortable about your decision to rely upon Gravity Legal each and every day.
Image credit: “VPN & Internet Security on Your Computer for Online Privacy” by Mike MacKenzie is licensed under CC BY 2.0.