PLATFORM SECURITY
We protect your data with the highest international standards
At Webdox, we follow a set of best practices and policies to ensure the protection and security of your data.

Compliance associated with information security
ISO 27001 provides controls for a comprehensive Information Security Management System (ISMS).
A-LIGN Compliance and Security, Inc. certifies that the organization operates an Information Security Management System that meets the requirements of ISO/IEC 27001:2022.
This certification attests that we apply rigorous security controls, audited processes, and a culture of continuous protection at every layer of our operation.
At Webdox, security isn't an add-on, it's part of the product's DNA. This certification assures our clients that their data and contracts are protected to the highest standards in the global market.

Compliance with information privacy
Webdox has been certified by A-LIGN Compliance and Security, Inc. in ISO/IEC 27701:2019, the first international standard that defines how to manage the privacy of personal information in a structured and responsible way.
This certification extends our security management system (ISO 27001) and incorporates specific controls to protect personal data in accordance with global frameworks such as GDPR (Europe) and LGPD (Brazil).
In addition, our Statement of Applicability incorporates controls from ISO/IEC 27018:2019, which further strengthens the protection of personal data in cloud environments.
With this certification, Webdox provides its customers with a reliable CLM platform aligned with the highest international privacy standards, ideal for organizations that demand rigorous regulatory compliance and proactive protection of their data.

Compliance associated with the management of artificial intelligence systems
ISO/IEC 42001:2023 is the first international standard to set out the requirements for a responsible and governed artificial intelligence management system (AIMS). Webdox has been certified by A-LIGN Compliance and Security, Inc., validating that we operate a management system that complies with this standard and reinforcing our commitment to the ethical, safe and transparent use of AI.
The scope of this certification covers the AI processes and functionalities developed by Webdox as a vendor, including automated modules, recommendation engines, and machine learning-based flows within the Webdox CLM platform, all implemented under principles of fairness, explainability, traceability and protection of personal data.
This management system is complemented by ISO/IEC 27001:2022 and ISO/IEC 27701:2019 controls, ensuring comprehensive coverage in information security and privacy in enterprise AI contexts.

Compliance associated with information security and confidentiality
SOC 2 Type II is an internationally recognized attestation framework that assesses the operational effectiveness, over a period of time, of controls related to the security, confidentiality, availability, and privacy of systems. Webdox has been audited by A-LIGN Compliance and Security, Inc. and has obtained a SOC 2 Type II report, which demonstrates that our processes meet the Trust Services Criteria defined by the AICPA.
The report validates that Webdox has implemented and sustained rigorous controls to protect its customers' sensitive information over time, providing a secure and reliable environment. The SOC 2 framework supports our compliance efforts under regulations such as GDPR and CCPA, and reflects our commitment to transparency and ongoing data protection.

Security and privacy in Webdox CLM Artificial Intelligence
Webdox CLM's Artificial Intelligence powers functionalities such as intelligent contract review, based on advanced generative Artificial Intelligence models. This solution has been designed under the highest standards of security, privacy, and governance, operating in an environment completely controlled by Webdox.
Key Protection and Compliance Aspects:
- Customer data protected by design: All information processed using AI capabilities remains within Webdox's secure environment, hosted on Google Cloud Platform. The data is always owned by the customer and is not used for model training, nor is it exposed to third parties.
- Controlled and dedicated infrastructure: Requests to OpenAI models are made through a private and dedicated Webdox environment, ensuring full control over the flow of data. OpenAI does not use the information for AI training.
- Encryption in transit: All communications between internal and external components use TLS 1.2 or higher.
- Ongoing security testing and monitoring: AI capabilities are audited as part of Webdox's cybersecurity program, including regular internal and external testing.

Security applied to our infrastructure on Google Cloud Platform (GCP)
Webdox operates on Google Cloud Platform (GCP), a world-class infrastructure that provides high levels of security, availability, and scalability for all of our services.
GCP is built on the principle of defense in depth, integrating encryption, authentication, network segmentation and continuous monitoring controls. The platform is certified against international standards such as ISO/IEC 27001, SOC 2, PCI DSS, and FedRAMP, supporting data protection and resilience against threats.
Our GCP infrastructure lets us run environments securely, in isolation, and efficiently, so that our customers' data is protected against unauthorized access, information leaks, and operational risks.

Robust Architecture
Every great solution is backed by a strong strategic partner. Google Cloud Platform, together with other recognized partners, provides the security features the market requires.
- Webdox is a Google Cloud Partner; infrastructure and security controls are inherited from Google services, with high availability at every layer.
- Cloudflare, GitLab, and New Relic are among the services used to build, run, and monitor Webdox.
- Systems are designed for a 99.99% service level objective (SLO); contractual service level agreements (SLAs) are agreed per customer, usually at 99.5%.
- Backups run every 24 hours with 30-day retention, and failover replicas are kept active to improve high availability.
- Disaster Recovery Planning (DRP) with a Recovery Time Objective (RTO) of 2 hours per service and a Recovery Point Objective (RPO) of up to 24 hours.
- All metadata at rest is encrypted with AES-256.
- All metadata in transit is encrypted with TLS 1.2 or 1.3.
- Webdox has monitoring tools that raise alarms on anomalous events.

Secure Development
At the application level, Webdox offers a series of security features that you can integrate with your own technology infrastructure; if you need technical support, a team of specialists is available to answer your queries. We follow the OWASP Top Ten guidance to address the most common risks, and we work directly with ethical hackers on the continuous improvement of the application.
- User session parameters: idle timeout, session duration, and password format.
- Perimeter access management: IP address allowlists define where the platform can and cannot be accessed from.
- Single Sign-On via SAML 2.0.
- Integration with LDAP or SAML for user management.
- OAuth integration through the API and the app, giving robustness to the integrations you build.
- Second factor of authentication (2FA).
- Access and permissions controlled by roles assigned to users.
- Audit logs of all actions performed by users.
- DevSecOps across the development cycle.
- Identification of each internal process with a UUID, for better operation and auditing of the platform.

Monitoring and Deployment
At Webdox we actively discover and treat new vulnerabilities, which is why we retain the recurring, specialized services of several security providers for penetration testing and ethical hacking, and work together with them to resolve the findings. This allows us to keep strengthening the service to the most demanding levels of the market.
In addition, our Technology and Security team schedules annual backup recovery tests to guarantee operational continuity times. These are complemented by the Disaster Recovery Plan (DRP) for each critical system, which, together with the internal and external audits scheduled during the year, feeds our continuous improvement process at both the process and product level.
Frequently Asked Questions: Infrastructure & Architecture
What are the cloud services used?
Webdox is a SaaS whose infrastructure is hosted on Google Cloud using services such as Cloud SQL and GKE, from which all security features are inherited. Webdox is a platform that solves the challenges of efficient contract management in large enterprises. Webdox does not require cloud resources from the customer; all infrastructure is provided as part of the solution.

What are cloud data backups like?
Cloud backups are performed by the Google Cloud subprocessor according to our frequency and scope guidelines. All backup processes cover the scenarios outlined in our disaster recovery plan. We contemplate a 24-hour RPO and a 2-hour RTO per service. Backups are full (not incremental), so a restore has no dependency on earlier backups.

Does the system scale automatically?
The service is designed for a 99.9% service level, which includes the ability to scale automatically without degrading service quality. Scaling is carried out both vertically and horizontally according to defined thresholds.

Is the system scalable with growth in the number of transactions?
The infrastructure tracks consumption and transaction volumes, so it can detect when any of these exceed their limits and scale automatically.

Does the system operate in a high availability model?
The service is designed for a 99.9% service level. It also includes disaster recovery and operational continuity plans to support high availability.

Does the system identify whether transactions are normal or anomalous, based on rules and parameters?
Our monitoring system uses artificial intelligence to detect anomalous situations and send alerts to the responsible teams.

Does the system allow tracking of the activities carried out by a user?
Webdox maintains an application-level audit system that can be reviewed by account admin users or consumed through the API for SIEM integration. Recorded actions keep their author, exact timestamp, share name, and other details.

Does the system allow you to return to the previous point of operation if a deployment fails?
The service is built on versioning, so it can be rolled back to whichever version is required.

Does the system have a support model with defined escalations for resolution?
The support procedure has escalation mechanisms, from User Service (Level 1) through Operational Solutions (Level 2) to the Engineering Team (Level 3).

How do you ensure data integrity?
Webdox services use fingerprint (digest) mechanisms: sender and receiver check that the received information has the same fingerprint, guaranteeing that it was not altered in transit. In addition, data at rest is covered by several layers of security and encryption that prevent access to the data and verify that its signature is correct.

Does the solution support continuous integration, testing, and automation in the development process?
The development process includes code evaluation stages that look for both technical and security deficiencies, as well as functional tests of the changed functionality. Continuous integration and automated test execution are therefore essential, as they provide the guarantees for the software that is deployed to production environments.

What is the change control procedure like?
A secure development policy is established that includes change management and takes the continuous integration cycle into account, from the creation of the code review request, through security analysis, to production.

What is your policy for maintenance updates (bug fixes, service packs, etc.)?
The technology team manages update changes according to hardening and criticality: the greater the criticality, the more urgent the change.
Security FAQs
What does API authentication look like?
Webdox implements token authentication through OAuth 2.0 with time-based expiration. Policies define limits, and monitoring detects anomalous situations.

What do authentication tokens look like?
Access tokens are complex values that expire and are bound to a per-user fingerprint. Tokens do not store sensitive information.

How do you throttle to prevent DDoS and brute force attacks?
Webdox relies on cloud mechanisms that evaluate anomalous access attempts and handle them according to their classification. Excess requests are blocked by the Cloudflare WAF, and audit records of the offending endpoints are kept so that the authorities can be informed where applicable.

Is your design and implementation audited with unit/integration testing, test coverage, and functional testing?
The development process combines peer code review with static code analysis. Changes are evaluated against secure development guidelines and software development best practices, and the code is scanned for vulnerabilities. If the change passes all of the above, the approval and continuous integration process begins: the corresponding images are built, and the test suite and security scanner must pass. When the CI process completes, a release promotion request is generated, which the Quality Area reviews and approves for deployment. The CI/CD system supports rollback to a previous known-good state.

How do you manage the use of cryptographic controls?
Our Cryptographic Controls Policy covers the protection of information, including cryptographic controls, key management, and encryption.

How are encryption keys managed?
This is specified in the KMS section of our cryptographic controls policy. Key management uses key management system (KMS) software that automatically manages access control, provides secure storage, and handles key backup and rotation.

What types of encryption are used for external connections?
As Webdox is a SaaS, both internal and external connections are encrypted in transit with TLS 1.2 or higher. Security is a top priority for Webdox; we invest resources to provide a modern HTTPS connection by default on our websites, services, and products.
Information encryption
- Customer data is encrypted at rest using AES-256.
- Custom encryption keys are used for documents stored in a Google Cloud Storage bucket.
- All data in transit uses TLS 1.2 or higher when the client supports it.
- Email uses TLS when enabled. DKIM, SPF, and DMARC are enabled by default.
- Electronic signatures use additional layers of encryption, including envelope encryption and FIPS 140 Level 3 HSMs. Keys are rotated periodically, on 30-day and 90-day schedules.
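The envelope encryption and key rotation mentioned above follow a standard pattern: each document is encrypted under its own data-encryption key (DEK), and only the DEK is wrapped under a key-encryption key (KEK) held in the HSM/KMS, so rotating the KEK re-wraps DEKs without touching document ciphertext. The following Go program is an added illustration of that pattern, written for this page; it is not Webdox's code and does not describe Webdox's actual implementation. It assumes an in-memory KeyRing standing in for the HSM/KMS (a real KEK never leaves the HSM), AES-256-GCM for both layers, and a constructed sample document. The KEK version name is bound as GCM additional authenticated data (AAD), so a wrapped DEK cannot be relabelled as belonging to another KEK version.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyRing stands in for the HSM/KMS: KEK version name -> 32-byte AES-256 key.
// Assumption for a stand-alone example; a real KEK never leaves the HSM.
type KeyRing map[string][]byte

// EncryptedDoc is the stored form: ciphertext plus the per-document wrapped DEK.
type EncryptedDoc struct {
	KEKVersion string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=KEKVersion)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// RandomBytes draws n bytes from the OS CSPRNG; 32 bytes make an AES-256 key.
func RandomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: nothing sensible to do but stop
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a wrong key length
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts under key with AES-256-GCM and prepends a fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := RandomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; the GCM tag check rejects any modified byte.
func open(key, data, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(data) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}

// Encrypt uses a fresh DEK per document and wraps that DEK under the KEK. The
// KEK version is bound as AAD, so a wrapped DEK cannot be relabelled.
func Encrypt(ring KeyRing, kekVersion string, plaintext []byte) (*EncryptedDoc, error) {
	kek, ok := ring[kekVersion]
	if !ok {
		return nil, fmt.Errorf("unknown KEK version %q", kekVersion)
	}
	dek := RandomBytes(32)
	return &EncryptedDoc{
		KEKVersion: kekVersion,
		WrappedDEK: seal(kek, dek, []byte(kekVersion)),
		Ciphertext: seal(dek, plaintext, nil),
	}, nil
}

// unwrap recovers the DEK with the KEK version recorded on the document.
func unwrap(ring KeyRing, doc *EncryptedDoc) ([]byte, error) {
	kek, ok := ring[doc.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("unknown KEK version %q", doc.KEKVersion)
	}
	return open(kek, doc.WrappedDEK, []byte(doc.KEKVersion))
}

// Decrypt unwraps the DEK, then opens the document; both steps are authenticated.
func Decrypt(ring KeyRing, doc *EncryptedDoc) ([]byte, error) {
	dek, err := unwrap(ring, doc)
	if err != nil {
		return nil, err
	}
	return open(dek, doc.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK version; the document ciphertext
// is untouched, which is what makes periodic KEK rotation cheap.
func RotateKEK(ring KeyRing, doc *EncryptedDoc, newVersion string) error {
	newKEK, ok := ring[newVersion]
	if !ok {
		return fmt.Errorf("unknown KEK version %q", newVersion)
	}
	dek, err := unwrap(ring, doc)
	if err != nil {
		return err
	}
	doc.WrappedDEK, doc.KEKVersion = seal(newKEK, dek, []byte(newVersion)), newVersion
	return nil
}
```

Once every document has been re-wrapped under the new version, the old KEK can be retired from the ring; documents whose wrapped DEK still names a retired version fail to decrypt with an explicit "unknown KEK version" error rather than silently, which is the check a rotation job should assert on before deleting the old key.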
Privacy of Information
- Customer data follows the data encryption policy and is classified as RESTRICTED, the highest level in our security policy.
- Application servers access customer data only when presented with a valid, authorized user ticket.
- Webdox employees cannot access customer data.
- Explicit customer authorization grants limited access to support agents.

Availability of Information
- Customer data is split across two separate systems: documents and metadata.
- The system is designed for a service level objective (SLO) of 99.99%.
- Service level agreements (SLAs) are agreed per contract, generally at 99.5%.
- Full backups run every 24 hours, and failover replicas are on standby.
- RTO of 2 hours per service and RPO of 24 hours.
- DRP and data recovery exercises are performed twice a year.