Leegality’s Data & Information Management Practices

Most of Leegality’s products deal with sensitive and confidential business & personal information. Our business interests as well as our moral, ethical, professional and legal obligations ensure that we maintain complete control and security of the information flowing through our infrastructure.

We, at Leegality, are paranoid about our information security, and our paranoia makes us recognise and secure the information paths within our networks. Legal compliance requirements with regard to information security and privacy arising out of the Information Technology Act, Aadhaar Act, the various rules, regulations & guidelines under them, Stamping laws etc. also further necessitates our emphasis on information security. We follow an ISO/IEC 27001 compliant Information Security Management System and the fact of the same is regularly audited by independent auditors.

Secure by Design

We fulfil our obligations by following a bottom up approach towards information security and privacy. As a first step to any project, information security blueprints are generated after assessing the unique business needs of every project and the unique needs of all stakeholders involved. Application architecture plans are then executed on the top of these security blueprints. Once the production starts, the project goes through regular information security reviews to address any new needs that arise and to eliminate any conflicts.

All our employees are extensively trained in handling information in compliance with our information security and data privacy policies and in building products that strictly conform to standards followed across the organisation.

Since careful information security assessment is exercised at all stages, the final products are secure by design. All individual elements of the products have their own security parameters. These individual parameters on the upper level are then clubbed with project and organisation level security parameters, ensuring a completely safe, secure and mature product for the client.

Ensuring control, integrity & confidentiality: Addressing vulnerabilities

A major part of our information security system deals with setting standards that ensure that information strictly stays under organisational control, and that data confidentiality and integrity are maintained.

We follow industry best information security practices and utilise our resources and technology to counter all threats to information control. The various layers of security, functioning at different levels of application architecture ensure that information security and protection starts right when the information leaves the user and enters our control.

The layers of security applied are distinct and unique to every project as per unique client needs. But in general, we try to ensure that we:

  1. Use front end encryption channels such as SSL/TLS

  2. Operate our services from Virtual Private Clouds insulating critical resources from unauthorised access

  3. Undergo industry standard Vulnerability and Penetration Testing (VAPT)

  4. Establish multiple level encryption techniques combining AES, ECC and RSA algorithms

  5. Keep data/databases and encryption keys in separate isolated instances

  6. Password protect documents sent over mail

  7. Store master keys in FIPS-140-2 compliant Hardware Security Modules

We implement strict access control policies which ensure that access is highly controlled and heavily monitored. Information can only be accessed by any employee after necessary internal approvals and on a strict need to know basis. Some of our projects also allow the client to completely control the encryption and decryption of their documents by using a self-generated passphrase, which puts the user in absolute control of being able to decrypt their documents.

User Privacy and Management of Aadhaar related data

We ensure users’ privacy protection by ensuring a strict adherence to our Privacy Policy. The Privacy Policy is compliant with the IT Act, 2000 and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. We use the information provided to us only as consented to by the user. Unless specifically consented to, we do not share any kind of information with any third party. Except for in cases where the information is collected to be shared with third parties, for example, in the case of stamping form data to be shared to third party stamp vendors.

Data collected during the Aadhaar eKYC and eSign process, is strictly used for the purpose the user requested it for. Ordinarily, only the name and Date of Birth of the Aadhaar holder are used in the signing process and are then deleted from our databases once the use is over. However, the request and response logs relating to the eKYC and eSign transactions with the Certifying Authority may be retained and logged as per the legal guidelines issued by the relevant authorities.

Government Requests

In case, we receive a government request to provide some information, we will first check whether the request is tenable in law and if is accompanied with the required warrants etc. If it is, and we assess that we have a legal obligation to provide the same to the authorities, we will inform the user/client of the same, unless prevented by the law to do so.

For better risk assessment and management, our clients can use our enterprise encryption solutions and secure their files with an additional passphrase to be able to completely control decryption of documents.

Backup and Continuity

To ensure that even in cases of natural disasters or failure of critical infrastructure, the information safely stored by our clients with us does not get affected, we maintain multiple backup copies of the data, all protected by the same level of encryption and security mechanisms being used in the production environments. This ensures that clients never lose their information and that none of their business processes are hampered.

Continuous Process

We recognise that implementing and maintaining information security are continuous processes and keeping in mind the growing threats to information security, we need to be persistently proactive in securing our systems. We are perpetually trying to innovate and learn from the ecosystem to improve the standards and controls set up to maintain confidentiality and integrity of the information within our infrastructure.

As a part of our mission of digitizing the legal documentation processes across industries, we realise the heightened need of deploying a strong information security system, especially considering the level of sensitivity and confidentiality associated with the kind of information we are dealing with. We recognise the importance of maintaining information security for a business like ours and we promise our clients and users the best possible & feasible levels of information security, and adherence to our strict information security and data privacy policies.