Information Security Statement
About ClauseBase
ClauseBase hosts an online platform ("the ClauseBase Platform") for drafting & reviewing legal documents. It features two applications: Clause9 (accessed through a browser), and ClauseBuddy (MS Word & Outlook plug-in). Together, they allow users to automate, draft, redraft & review legal documents.
The ClauseBase Platform focuses on drafting & reviewing: it is not a contract management or archiving solution. Even though there is one module designed for long-term storage of completed documents in order to serve as inspiration ("Truffle Hunt"), all other modules of the software merely process data in a transient manner, i.e. while the document is being edited/reviewed. Nevertheless, the ClauseBase Platform was built from the ground up with security in mind.
Our client portfolio consists of a mix of small, medium and large law firms, inhouse legal teams within large (often multinational) corporations, governmental agencies and HR service providers.
Information Security Management System
At ClauseBase, employees are integral to maintaining and advancing the organisation’s ISO 27001:2022-certified information security framework. ClauseBase has established and actively maintains an Information Security Management System (ISMS) to safeguard its assets and ensure compliance with the highest standards in information security. This system is not only a set of policies and procedures but is designed to be embedded into the very DNA of the organisation, shaping how every employee approaches their role.
Each year, ClauseBase’s ISMS undergoes a comprehensive review by an external conformity assessment body. This annual evaluation ensures that ClauseBase’s security practices not only meet ISO 27001:2022 requirements but are also continuously improved to stay ahead of evolving security threats. The external audit also reinforces accountability across all levels of the organisation, confirming that employees adhere to best practices in data protection and security management.
ClauseBase actively involves employees in cultivating a security-focused culture through regular training, awareness programs, and engagement initiatives. By encouraging employees to view information security as an essential part of their daily responsibilities, ClauseBase aims to create a resilient environment where security is second nature. This proactive approach not only aligns with ISO 27001:2022 standards but strengthens trust with clients and stakeholders by demonstrating ClauseBase’s unwavering commitment to information security.
Asset Management
As an ISO 27001:2022-certified organisation, ClauseBase has a structured asset management system in place to ensure that all assets essential for developing and hosting services are carefully tracked and managed. This system supports ClauseBase’s commitment to maintaining a secure and efficient operational environment.
Every asset used within the organisation, whether hardware, software, or data, is meticulously documented in an asset register. This register contains essential information about each asset, including its owner, purpose, location, and any relevant security requirements. By maintaining an up-to-date and comprehensive record, ClauseBase ensures full visibility over all resources used in its operations, enabling quick identification and response in case of any security incidents.
Asset management at ClauseBase extends beyond documentation. Each asset is regularly monitored and assessed to verify its condition, security, and compliance with the organisation's security policies. Access to critical assets is limited to authorised personnel, following a principle of least privilege, which minimises the risk of misuse or unauthorised access.
To uphold ISO 27001:2022 standards, ClauseBase also performs periodic reviews of its asset register. These reviews verify that all records are accurate and that assets still in use align with the organisation’s operational and security requirements. This disciplined approach to asset management ensures that all resources are effectively protected and that ClauseBase can reliably deliver its services while meeting strict information security standards.
Access Management
At ClauseBase, robust access management is a critical component of its information security framework. The company employs Single Sign-On (SSO) to ensure that when accessing the ClauseBase Platform, its staff members must verify their identity through at least two methods, enhancing security beyond a single password. Customers who use the ClauseBase Platform are strongly encouraged to use either Multi-Factor Authentication (Clause9) or SSO (ClauseBuddy). Alternatively, for customers who cannot use SSO in ClauseBuddy, so-called "security codes" are used instead of the typical username/password combination. Security codes are randomly generated codes of 28 characters that cannot be chosen by the user, can be made subject to expiry dates, and can be easily revoked by administrators.
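The security-code model described above (a 28-character random code that the user cannot choose, with optional expiry and administrator revocation) can be illustrated with a small issuing and verification routine. The following is an added example written for this page; it is not ClauseBase's code and makes no claim about how the ClauseBase Platform stores or checks codes. The alphabet, the SHA-256 hashing of stored codes and the in-memory store are assumptions chosen for the illustration.

```python
"""Illustrative security-code issuance, expiry and revocation (added example, not ClauseBase code)."""
import hashlib
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Assumed alphabet: unambiguous alphanumerics. Length of 28 matches the statement above.
ALPHABET = string.ascii_letters + string.digits
CODE_LENGTH = 28


@dataclass
class CodeRecord:
    """What the server keeps: never the code itself, only its hash plus metadata."""
    code_hash: str
    user: str
    expires_at: Optional[datetime]  # None means the code does not expire
    revoked: bool = False


class SecurityCodeStore:
    """In-memory store (assumption); a real deployment would persist these records."""

    def __init__(self) -> None:
        self._records: Dict[str, CodeRecord] = {}

    @staticmethod
    def _hash(code: str) -> str:
        # Store a hash so a leaked record table does not expose usable codes.
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, user: str, ttl: Optional[timedelta] = None,
              now: Optional[datetime] = None) -> str:
        """Generate a code for `user`. There is deliberately no way for the caller
        to supply the code value: it always comes from the CSPRNG."""
        now = now or datetime.now(timezone.utc)
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        expires_at = now + ttl if ttl is not None else None
        self._records[self._hash(code)] = CodeRecord(self._hash(code), user, expires_at)
        return code  # shown to the user once; only the hash is retained

    def revoke(self, code: str) -> bool:
        """Administrator revocation; returns False if the code is unknown."""
        record = self._records.get(self._hash(code))
        if record is None:
            return False
        record.revoked = True
        return True

    def verify(self, code: str, now: Optional[datetime] = None) -> Optional[str]:
        """Return the user the code belongs to, or None if it is unknown,
        revoked or expired. Length is checked first to reject malformed input cheaply."""
        if len(code) != CODE_LENGTH:
            return None
        now = now or datetime.now(timezone.utc)
        record = self._records.get(self._hash(code))
        if record is None or record.revoked:
            return None
        if record.expires_at is not None and now >= record.expires_at:
            return None
        return record.user


if __name__ == "__main__":
    store = SecurityCodeStore()
    t0 = datetime(2025, 9, 1, tzinfo=timezone.utc)  # constructed timestamp
    code = store.issue("alice@example.test", ttl=timedelta(days=30), now=t0)
    print("issued:", code)
    print("valid now:", store.verify(code, now=t0))
    print("valid after 31 days:", store.verify(code, now=t0 + timedelta(days=31)))
    store.revoke(code)
    print("valid after revocation:", store.verify(code, now=t0))
```

The two properties worth checking in any such scheme are visible in `verify`: a code is rejected as soon as it is revoked or past its expiry, and the server never compares against a stored plaintext, so a dump of the record table yields only hashes.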
For all other systems used by its staff members, ClauseBase will use MFA where possible, or alternatively require staff members to create and maintain strong passwords that meet strict complexity requirements, including a combination of upper and lowercase letters, numbers, and special characters. These passwords are regularly updated to minimise the risk of unauthorised access.
Access to ClauseBase’s systems and applications is strictly managed based on the principle of least privilege. Users are only granted the minimum level of access necessary for their role, ensuring that sensitive data and critical systems are protected from unnecessary exposure.
To maintain high security standards, ClauseBase conducts periodic reviews of system and application access. These reviews ensure that users still require the permissions they have been granted, and any access no longer needed is revoked immediately. In addition to these reviews, the organisation performs security testing and penetration tests (pentests) regularly. These tests identify any vulnerabilities in the access management framework and help ensure that controls are functioning as intended.
This comprehensive approach to access management ensures that ClauseBase remains compliant with ISO 27001:2022 while safeguarding its sensitive data from potential security threats.
Business Continuity
At ClauseBase, business continuity is an integral part of its ISO 27001:2022-certified information security management system, ensuring the consistent availability of its critical application. The primary objective of ClauseBase’s business continuity plan is to minimise any downtime and swiftly recover essential services in case of any disruptions, thereby safeguarding operational resilience.
ClauseBase’s business continuity framework comprehensively addresses the availability, integrity, and confidentiality of information assets. Key systems are supported by redundancy measures, data backup protocols, and failover mechanisms, guaranteeing that critical data remains accessible and uncorrupted during unexpected events. These measures are designed to prevent data loss and maintain the accuracy and trustworthiness of ClauseBase’s services.
To protect confidentiality, ClauseBase applies strict access controls and encryption standards in data handling and storage processes, ensuring sensitive information remains secure even during a disruption. Additionally, periodic testing, including simulations of potential incidents, is conducted to validate the effectiveness of the business continuity procedures. These tests help identify any gaps in the response plan and allow for continuous improvement.
Through this structured approach, ClauseBase not only meets ISO 27001:2022 requirements but also reassures clients and stakeholders that the organisation is well-prepared to maintain service continuity, data protection, and resilience, even in adverse conditions. This proactive commitment reinforces ClauseBase’s reliability and adherence to high standards in information security management.
Change Management
At ClauseBase, change management is a vital process that ensures both operational stability and controlled innovation. ClauseBase has implemented a dual approach to change management, addressing two key areas: changes to production systems and changes related to product development. Both forms are supported by standardised processes that align with the organisation's security and quality requirements.
For production system changes, a rigorous change management process is in place to minimise potential disruptions and maintain system integrity. Any modification to production environments is thoroughly reviewed, tested, and approved before implementation. This process includes risk assessments to evaluate the potential impact of the change, followed by detailed documentation to ensure traceability and compliance with ISO 27001:2022 standards.
For product development changes, a separate but equally structured change management process is used. This approach allows for flexibility and innovation in product evolution while still maintaining control over security and quality. Changes related to product development go through stages of planning, testing, and peer review, ensuring that they meet both functional requirements and security protocols before being introduced.
Regular audits and reviews are conducted for both types of change management processes to ensure they remain effective and aligned with ClauseBase’s overall security objectives. By structuring change management in this way, ClauseBase can safeguard its production environment while enabling product advancements that are secure, reliable, and compliant with industry standards.
Compliance
At ClauseBase, a company founded by former lawyers, compliance monitoring is a cornerstone of its ISO 27001:2022-certified information security management system. To ensure continuous adherence to regulatory requirements and industry standards, ClauseBase has implemented a comprehensive compliance monitoring program that encompasses policies, procedures, and regular audits.
This program is designed to oversee the organisation’s compliance with ISO 27001:2022 requirements as well as any relevant legal and regulatory standards. ClauseBase regularly reviews and updates its policies to reflect changes in regulatory requirements, ensuring all operations align with current laws and security guidelines. Compliance monitoring extends to all departments, with each area responsible for meeting specific controls and requirements that contribute to the organisation's overall compliance framework.
By proactively managing and monitoring compliance, ClauseBase reinforces its commitment to data protection, legal adherence, and operational integrity, providing assurance to clients and stakeholders that the organisation is fully aligned with the highest standards in information security.
Continual Improvement
At ClauseBase, continuous improvement is a core value embedded in its ISO 27001:2022-certified information security management system. The organisation is committed to regularly enhancing its processes, technologies, and policies to adapt to evolving security threats and maintain the highest standards of data protection.
Continuous improvement at ClauseBase is driven by a structured cycle of planning, implementation, monitoring, and review. This cycle is supported by frequent internal audits, risk assessments, and performance evaluations, allowing the organisation to identify and address areas for improvement proactively. Each identified improvement is carefully assessed for its potential impact on security, compliance, and operational efficiency, ensuring that changes contribute positively to the organisation’s security posture.
ClauseBase actively engages its employees in this process, fostering a culture where all team members are encouraged to suggest improvements. Regular training and awareness programs equip employees with the latest knowledge and skills, enabling them to identify and respond to potential vulnerabilities or process inefficiencies.
Additionally, ClauseBase incorporates feedback from external audits, customer feedback, and industry best practices into its continuous improvement strategy. By systematically evaluating and refining its practices, ClauseBase not only maintains compliance with ISO 27001:2022 but also strengthens its resilience against emerging threats, underscoring its commitment to safeguarding client data and continuously enhancing its operational effectiveness.
Information Transfer
At ClauseBase, the secure transfer of information is a core component of its ISO 27001:2022-certified information security framework. To manage and protect data effectively, ClauseBase has implemented data classification guidelines that ensure all information is categorised based on its storage location and sensitivity, and handled accordingly. These classifications guide employees on appropriate security measures for transferring data, whether internal or external to the organisation.
For secure information transfer, ClauseBase utilises encrypted connections to safeguard data in transit, preventing unauthorised access or interception. This encryption standard is applied consistently across all data exchanges, ensuring compliance with the organisation’s strict security requirements. In addition to secure connections, all systems involved in information transfer are protected with SSO or MFA where possible (see above), adding an additional layer of security by requiring users to verify their identity through multiple means.
These measures ensure that only authorised personnel can access and transfer sensitive information, in line with ClauseBase’s commitment to confidentiality, integrity, and availability of data. Periodic reviews and security tests are conducted to validate the effectiveness of these security protocols, maintaining ClauseBase’s robust information transfer standards and continuous compliance with ISO 27001:2022. This structured approach reflects ClauseBase’s dedication to protecting data at every stage, reinforcing trust and security in all communications.
People
At ClauseBase, employees are a vital part of the organisation’s ISO 27001:2022-certified information security framework. ClauseBase upholds a screening policy for all employees, ensuring that each individual joining the team meets high standards of integrity, trustworthiness, and security awareness. This initial screening is a foundational step in safeguarding the organisation’s assets and sensitive information.
To maintain high competency levels, ClauseBase continuously monitors and assesses the skills and performance of its employees. Regular evaluations help identify any skill gaps, ensuring that team members possess the necessary expertise to support the organisation’s security and operational goals.
ClauseBase places strong emphasis on personal development and knowledge acquisition for all employees. Through ongoing training programs, workshops, and certifications, team members are encouraged to stay up to date with the latest developments in information security and industry best practices. This commitment to learning not only enhances employee skills but also strengthens ClauseBase’s ability to respond effectively to evolving security threats.
Furthermore, ClauseBase supports employees in setting personal development goals that align with both their career aspirations and the organisation’s needs. This continuous focus on growth and development helps foster a skilled, motivated workforce that is fully equipped to contribute to ClauseBase’s security objectives and uphold its ISO 27001:2022 standards.
Physical Security
At ClauseBase, physical security is a key aspect of the organisation's ISO 27001:2022-certified information security strategy, particularly as it pertains to the hosting of its critical applications. ClauseBase has partnered with a reputable, ISO 27001-certified third-party hosting provider to ensure its applications are stored and maintained in a secure environment that meets stringent security requirements.
The hosting provider has implemented comprehensive physical security measures to protect the data center where ClauseBase's applications are hosted. These measures include 24/7 surveillance, access control systems, and security personnel stationed on-site to prevent unauthorised entry. Access to sensitive areas within the data center is strictly limited to authorised personnel only, verified through multi-factor authentication methods, including biometric scanning.
In addition to access control, the data center is equipped with environmental controls such as fire suppression systems, temperature regulation, and uninterruptible power supplies (UPS) to safeguard against environmental hazards. These systems are routinely tested and maintained to ensure reliability in case of emergencies.
ClauseBase conducts regular audits and compliance checks to confirm that the hosting provider continues to meet ISO 27001:2022 standards. This proactive monitoring helps ensure that the physical security measures align with ClauseBase’s own commitment to data protection and availability. By outsourcing to a trusted provider with strong physical security controls, ClauseBase upholds a high level of security for its applications and data, ensuring protection against potential physical threats.
Secure Development
At ClauseBase, secure development is a fundamental aspect of its ISO 27001:2022-certified approach to information security. The organisation has established comprehensive Secure Development guidelines to ensure that all software is developed with security as a priority. These guidelines provide a structured framework for developers, incorporating best practices in secure coding, risk assessment, and data protection from the earliest stages of development.
Before any release is deployed to production, it undergoes vulnerability testing. This includes automated scans, manual code reviews, and penetration testing to identify and address any potential weaknesses. By proactively identifying vulnerabilities, ClauseBase ensures that only robust, secure software is released, minimising risks of exploitation or data breaches in the production environment.
ClauseBase’s secure development process is continuously refined based on emerging threats, industry standards, and lessons learned from previous projects. Regular training and knowledge-sharing sessions keep the development team informed on the latest security techniques and vulnerabilities, fostering a proactive security mindset.
Through these measures, ClauseBase not only meets ISO 27001:2022 standards but also instills confidence in its clients and stakeholders, demonstrating a strong commitment to delivering secure, resilient software that protects sensitive data and maintains operational integrity.
Supplier Management
At ClauseBase, supplier management is a critical component of its ISO 27001:2022-certified information security framework, ensuring that third-party suppliers meet the organisation’s strict security and compliance standards. Given the potential risks associated with outsourcing and third-party relationships, ClauseBase has established a structured supplier management process that evaluates, monitors, and mitigates risks associated with suppliers.
ClauseBase begins with a thorough supplier evaluation process, assessing each supplier's security practices, reliability, and compliance with relevant regulations. Only those suppliers who demonstrate a strong commitment to security and data protection are approved. Contracts include stringent clauses on data confidentiality, availability, and integrity, aligning with ClauseBase’s own security requirements.
Once onboarded, suppliers are subject to ongoing monitoring to ensure continuous compliance. This includes regular audits, performance reviews, and risk assessments. Suppliers are required to report any incidents or changes to their security posture that could impact ClauseBase’s operations, allowing the organisation to respond proactively to potential threats.
ClauseBase also conducts periodic reviews to reassess supplier compliance and ensure they continue to meet ISO 27001:2022 standards. Should a supplier fail to meet these requirements, ClauseBase has procedures in place for either remediation or termination of the relationship.
Through rigorous supplier management, ClauseBase ensures that all third-party partnerships support and uphold its commitment to security and regulatory compliance, reducing risks and strengthening overall operational resilience.
Updates
September 2025: initial version 1.0