Cassi — Security Policy

Effective Date: September 1, 2025 • Last Updated: September 1, 2025

Echelix, Inc.

1. Introduction

Echelix, Inc. ("Echelix") is committed to maintaining the highest standards of security for Cassi, our AI-powered legal assistant platform. This Security Policy outlines our comprehensive approach to protecting your data, maintaining confidentiality, and ensuring the integrity of our Service.
2. Security Framework

2.1 Security Standards

  • SOC 2 Type II compliance principles
  • ISO 27001 security management standards
  • NIST Cybersecurity Framework
  • Cloud Security Alliance (CSA) guidelines

2.2 Regulatory Compliance

  • Legal industry confidentiality requirements
  • Attorney-client privilege protections
  • State bar ethical guidelines
  • Federal and state data protection laws

3. Data Security

3.1 Encryption

  • In Transit: TLS 1.3 encryption
  • At Rest: AES-256 encryption
  • Key Management: Hardware security modules (HSMs)
  • Database Encryption: Transparent Data Encryption (TDE)

3.2 Data Classification

  • Attorney-Client Privileged: Highest protection level
  • Confidential Client Information: Enhanced controls
  • Internal Business Data: Standard protection
  • Public Information: Basic controls

3.3 Data Minimization

  • Collect only necessary information
  • 30-day automatic deletion
  • Regular data purging and sanitization

4. Infrastructure Security

4.1 Cloud Security

  • Microsoft Azure multi-region deployment
  • Azure Security Center monitoring
  • DDoS protection and mitigation
  • Network security groups and firewalls

4.2 Network Security

  • Virtual private cloud (VPC) isolation
  • Network segmentation and micro-segmentation
  • Intrusion detection/prevention (IDS/IPS)
  • Web Application Firewall (WAF) protection

4.3 Endpoint Security

  • Device encryption requirements
  • Mobile device management (MDM)
  • Anti-malware and endpoint detection
  • Regular security patching

5. Access Controls

5.1 Authentication

  • Multi-factor authentication (MFA)
  • Single sign-on (SSO) integration
  • Password complexity requirements
  • Session management and timeouts

5.2 Authorization

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews
  • Privileged access management (PAM)

5.3 User Account Management

  • Automated provisioning/deprovisioning
  • Regular account audits
  • Separation of duties enforcement
  • Emergency access procedures

6. Application Security

6.1 Secure Development

  • Security by design principles
  • Secure coding standards
  • Regular code reviews and static analysis
  • Dependency vulnerability scanning

6.2 Testing and Validation

  • Automated security testing in CI/CD
  • Third-party penetration testing
  • Vulnerability assessments and remediation
  • Security testing for all releases

6.3 API Security

  • OAuth 2.0 and OpenID Connect standards
  • API rate limiting and throttling
  • Input validation and sanitization
  • Secure API documentation

7. Monitoring and Incident Response

7.1 Security Monitoring

  • 24/7 Security Operations Center (SOC)
  • Security Information and Event Management (SIEM)
  • Real-time threat detection
  • Behavioral analytics and anomaly detection

7.2 Logging and Auditing

  • Comprehensive audit trails
  • Log integrity protection
  • Centralized log management
  • Retention policies per legal requirements

7.3 Incident Response

  • Dedicated incident response team
  • 24/7 incident hotline
  • Documented response procedures
  • Regular incident response drills

7.4 Breach Notification

  • Immediate internal escalation
  • Customer notification within 24 hours
  • Regulatory notification as required
  • Detailed incident reports and remediation

8. Business Continuity and Disaster Recovery

8.1 Backup and Recovery

  • Automated daily backups
  • Geographic backup distribution
  • Regular recovery testing
  • RTO: 4 hours, RPO: 1 hour

8.2 Business Continuity

  • Business continuity planning/testing
  • Alternative processing sites
  • Vendor and supplier contingency plans
  • Stakeholder communication plans

9. Vendor and Third-Party Security

9.1 Vendor Management

  • Security assessments for all vendors
  • Contractual security requirements
  • Regular vendor security reviews
  • Data Processing Agreements (DPAs)

9.2 Clio Integration Security

  • Secure API connections to Clio
  • OAuth 2.0 authentication
  • Encrypted data transmission
  • Minimal data access principles

10. Personnel Security

10.1 Background Checks

  • Criminal background checks for all employees
  • Reference, education, and employment verification
  • Ongoing monitoring for sensitive positions

10.2 Security Training

  • Mandatory security awareness training
  • Role-specific security training
  • Regular phishing simulations
  • Annual policy acknowledgment

10.3 Confidentiality

  • Comprehensive confidentiality agreements
  • Attorney-client privilege training
  • Data handling procedures
  • Clean desk and clear screen policies

11. Physical Security

11.1 Data Centers

  • SOC 2 certified facilities
  • 24/7 physical security monitoring
  • Biometric access controls
  • Environmental monitoring and controls

11.2 Office Security

  • Badge-controlled access
  • Visitor management systems
  • Secure disposal procedures
  • Equipment inventory tracking

12. Risk Management

12.1 Risk Assessment

  • Annual comprehensive risk assessments
  • Quarterly risk reviews
  • Threat modeling for new features
  • Third-party security assessments

12.2 Vulnerability Management

  • Regular vulnerability scanning
  • Patch management procedures
  • Zero-day vulnerability response
  • Vulnerability disclosure program

13. Compliance and Auditing

13.1 Regular Audits

  • Annual SOC 2 Type II audits
  • Internal security audits
  • Penetration testing by certified firms
  • Compliance assessments

13.2 Certifications

  • SOC 2 Type II certification
  • Pursuing ISO 27001 certification
  • Industry-specific compliance validations
  • Regular certification renewals

14. Data Retention and Disposal

14.1 Retention Policies

  • 30-day automatic deletion of temporary data
  • Retention schedules by data type
  • Legal hold procedures
  • Client data retention coordination with Clio

14.2 Secure Disposal

  • Cryptographic erasure for encrypted data
  • Physical destruction of storage media
  • Certificate of destruction documentation
  • Environmentally responsible disposal

15. Security Governance

15.1 Security Committee

  • Executive security oversight committee
  • Regular security reviews and reporting
  • Budget allocation for security initiatives
  • Strategic security planning

15.2 Policies and Procedures

  • Comprehensive security policy framework
  • Regular policy reviews and updates
  • Employee acknowledgment of policies
  • Exception management procedures

16. Contact Information

For security-related questions or to report security incidents:
Security Team:
Email: security@echelix.com

This Security Policy demonstrates our commitment to protecting the confidentiality, integrity, and availability of your data while maintaining the highest standards of legal industry security.