A summary of ClauseBase's security features is provided below.

About ClauseBase

ClauseBase hosts an online platform for creating various types of legal documents. It features two applications: Clause9 (accessed through a browser), and ClauseBuddy (MS Word & Outlook plug-in). Together, they allow users to store & search clauses and templates, which can be interactively filled in to create simple or advanced documents.

ClauseBase's platform focuses on drafting: it is not a contract management or archiving solution. Even though it allows users to temporarily store filled-in templates, the amount of truly sensitive data will therefore be limited, and for those modules were entire documents can be stored (e.g., to search for inspiring clauses), we actively nudge our users to clean their data before upload. Nevertheless, the platform was built from the ground up with security in mind.

Our client portfolio consists of a mix of small, medium and large law firms, inhouse legal teams within large (often multinational) corporations, governmental agencies and HR service providers.

Architecture

Clause9 and ClauseBuddy are single-page applications (SPA) that can only be accessed through a secure (HTTPS) connection, either a modern standalone browser (Clause9), or as an MS Word or Outlook plugin (ClauseBuddy). The applications rely on JavaScript at client-side to interact with centrally hosted data on a single server. A secured WebSockets connection (wss://…) to the server is persistently maintained by each user’s browser, to allow for real-time interactions; if a user's firewall blocks Websockets, then AJAX polling is used as a fallback. Any time the connection is interrupted, the browser will store the current working session in its memory, and then block the user from continuing, so as to prevent data loss. All data exchanged between the browser and the server is encrypted, strongly compressed, and protected against Cross-Site Request Forgery (CSRF) attacks.

At client side, all working data is exclusively kept within the temporary JavaScript environment. The only data that is permanently stored consists of an HMAC (SHA-512) encrypted cookie (less than 100 bytes, expiry after 3 months, to allow for automatic re-connection) and a handful of trivial preference cookies, each typically less than 30 bytes, that store the position of a user’s window layout. Login cookies can be centrally invalidated on a per-user basis, so as to force a new login if user devices or passwords would be compromised.

User & file management

A separate administrator account is created for each customer, to allow for centralized user, template and layout management. Files are stored on the server in a folder-like structure, where access rights (read and/or write) can be set on a per-folder basis.

Passwords in Clause9

User passwords must have a minimum of 8 characters, are checked for minimum complexity using Zxcvbn (rejecting common passwords, patterns, …) and are stored in the database with a salted hash (BCrypt combined with SHA-512) against rainbow table attacks. API-keys for Clause9 consist of 36 characters are generated on a per-user basis (password-based key derivation function 2 with Blake2b-512). Logins are optionally, on a per-user basis, secured by two-factor authentication, using industry-standard one- time password generator apps, such as Authy, Microsoft Authenticator or Google Authenticator. After 10 failed login attempts, the user will be automatically blocked for an increasing number of minutes, to stall brute-force attacks. It is also possible to connect through SSO via Azure.

Security codes in ClauseBuddy

ClauseBuddy allows login through "security codes": randomly generated codes of 28 characters that cannot be chosen by the user, can be made subject to expiry dates, and can be easily revoked by administrators. It is also possible to connect through SSO via Azure.

Servers

Two dedicated production Linux servers are hosted by the German hosting company Hetzner, with whom a formal GDPR data processing agreement is concluded. These servers are physically located in data centres in two different cities in Germany. Each data center runs 100% on wind and hydropower, has ISO certification (audit report available on request), is guarded by on-site security guards, biometric readers, connected with redundant fibre, and has redundant configurations for all critical systems. The server can only be accessed by ClauseBase administrators, through an encrypted SSH connection secured with a strong password. For business continuity reasons, a failover server is also hosted by Hetzner, in Germany. Additionally, we use cloud servers from French hosting company Scaleway (Paris), for hourly database backups.

Database structure

Each jurisdiction and special combination of templating languages receives its own databases and subdomain (e.g., nl.clausebase.com for the Netherlands, en.clausebase.com for the United Kingdom). Enterprise customers requiring data isolation can request their own dedicated virtual machine and associated custom subdomain, which is then hosted on a physical machine in Germany with data at rest encryption through encrypted disk partitions.

Pentest

Pentests are conducted each year by an accredited independent security consultant, the results can be inspected and orally discussed when desired. The last pentest was performed in January 2024.

Backups

A backup for the entire database is performed an hourly basis, with an encrypted version of the backup stored by another Hetzner data centre (even hours) and by Scaleway (uneven hours), with offsite keys. To allow for exceptional access to historical versions, most changes to clauses and templates are also stored in a version-log that retains data for up to one month. Databases with precedents ("Truffle Hunt") are subject to a separate backup policy, with backups every week. Finally, an offline copy (resistant against ransomware) is created every two weeks. Backups are removed after 6 months.

Data retention

In most typical usage scenarios (question & answer templates), any business data inserted into templates is only kept within the JavaScript environment of the client-side browser. When a .PDF or .DOCX file is generated by the server, any such business data sent to the server using the secure WebSockets-connection is deleted from the server environment in a period between 60 – 120 seconds after the file was generated.

Logging

We have installed a central logging solution for log analysis and intrusion, threat & vulnerability detection, with BitDefender agents running on our servers and laptops. We closely monitor the MITRE ATT&CK knowledge base. Logs are kept for 18 months.

Uptime

The uptime of all our public servers is available at status.clausebase.com. Private instances for specific clients receive their own status page.

Encryption of answers

Users can optionally store their answers in an encrypted format (ChaCha cipher).

Client-side document generation

With a few limitations, it is also possible to generate Clause9 documents completely on the client-side, for those situations where customers really do not want any client-side sensitive data to ever touch the ClauseBase server.

Auto-delete

Users can store business data (answers to template questions) on the platform but are strongly advised to only do so on a temporary basis. To facilitate a fine-grained balance between business needs and data security, users can flag folders to automatically delete their contents after a user-defined number of days.

Development

ClauseBase is developed by a tightly controlled team of experienced JVM-targeted developers that take into account best security practices, such as WASP (SQL attacks, CRLF injections, XSS attacks, enterprise-grade security components, etc.). All ClauseBase staff members use desktop and/or mobile devices with strong encryption. All communication and data storage is done through the highly secure Microsoft O365 environment.

ISO27001

Since September 2023, ClauseBase is ISO27001:2022 certified, covering all controls of the standard. The certificate can be downloaded below: