Information Security Program at Blue J
Security and Trust are fundamental to the services we provide and Blue J is committed to ensuring that our product and processes employ enterprise-grade best practices to keep your data safe.
SOC 2
We work with an independent auditor to maintain a SOC 2 Type 2 report, on an annual basis, which objectively certifies our controls to ensure the continuous security of our customers' data. Blue J can provide its SOC 2 report to customers upon receipt of a signed Non-Disclosure Agreement (NDA).
Product Description
The Blue J platform is a cloud native research platform that includes the following user-friendly tools:
- Generative AI for Tax Research
- Outcome Prediction & Scenario Planning
- Statute Analysis
- Factor-Based Retrieval & Analysis of Case Law
- Diagramming
Our generative AI solution, Ask Blue J, answers challenging tax law questions using a natural language interface. Additional AI-powered tools for case research and analysis use the selection of values for factors considered relevant to case decisions. This does not require PII input.
The diagramming tool assists users with tax entity and relationship planning. The user is in control of this data and while it does not require them to enter sensitive data, client information and relationships are likely to be defined by the user in the diagram. This and all data is stored and managed with the strictest of security practices as documented on this page.
PII collection for our users is limited to the data necessary to manage Authentication and Authorization for the purposes of using the Blue J platform (email address and name).
Corporate Security
Blue J has established an Information Security Program that maintains a set of policies that are reviewed annually. Policies pertinent to security include:
- Acceptable Use Policy
- Asset Management Policy
- Backup Policy
- Business Continuity/Disaster Recovery Plans
- Code of Conduct
- Data Classification, Deletion, and Protection Policies
- Encryption and Password Policies
- Incident Response Plan
- Physical Security Policy
- Responsible Disclosure Policy
- Risk Assessment Policy
- Software Development Life Cycle Policy
- System Access Management Policy
- Vendor Management Policy
- Vulnerability Management Policy
At Blue J security compliance is overseen by our CTO, Brett Janssen.
Additional information can be found in our Trust Center
Employee Training
During onboarding, new employees must complete Security Awareness training provided by a trusted vendor. Additionally, this training must be completed annually by all existing employees to ensure that security remains a top priority within the organization.
The Blue J Information Security program policies must be read and accepted by employees, during onboarding and renewed annually or when changes may occur to the policies.
Development team staff also complete additional training such as OWASP Top 10 Security Vulnerability training which is also renewed annually.
Background checks
All Blue J employees are screened prior to employment using standard background checks provided by a trusted vendor and include:
- Verification of identity
- National Criminal records check
- County Criminal records check
- Sex offender registry check (U.S. Only)
Business Continuity and Disaster Recovery
Blue J’s Business Continuity and Disaster Recovery approach includes plans that are maintained and reviewed annually to ensure the business can react appropriately to large scale, unplanned events. Our plans are tested and executed annually allowing us to continually refine our process in the absence of genuine events.
Regular backups and an Infrastructure as Code implementation of hosting environments allow our operations team to react quickly and effectively in the event of large scale outages or disaster.
Security Incident Response
Blue J’s Information Security Program includes policies that are maintained and reviewed annually to ensure the business can react appropriately to unplanned or malicious events. This includes identifying, responding to, communicating and documenting the information related to a security incident. In the event of a data breach, Blue J will promptly report to required parties to comply with all applicable regulatory requirements. Incident Response plans are tested and executed annually allowing us to continually refine our process in the absence of genuine events.
High Availability
Blue J achieves high availability by using multiple load balancers, servers and datastores for redundancy. In addition to redundancy we have engineered our platform to self-heal so that most issues can be recovered from quickly and automatically.
Continuous Security Control Monitoring
Blue J uses Drata’s automation platform to continuously monitor 100+ security controls across the organization. Automated alerts and evidence collection allows Blue J to confidently prove its security and compliance posture any day of the year, while fostering a security-first mindset and culture of compliance across the organization.
This includes monitoring of individual employee workstations to ensure that full drive encryption, screen lock, a trusted password manager and malware protection are enabled at all times.
Employee Access
The System Access Control Policy defines how access to the Blue J network and its resources are managed. This includes adoption of the “Principle of Least Privilege” which limits access only to the level required to perform their job function.
2FA (Two Factor Authentication) is enforced for employee accounts and an annual review of access levels is conducted to ensure that employees maintain an appropriate level of authorization.
Risk Management
Blue J performs annual, whole corporation risk assessments across each of the Engineering, Human Resources (HR), Information Security, Finance, Sales, and Legal departments. The assessment team uses a customized version of the Consensus Assessments Initiative Questionnaire (CAIQ) published by the Cloud Security Alliance (CSA). The questionnaire assists the team in both identifying and quantifying risks. Any identified risks are both catalogued and subsequently actioned in a manner suited to the individual risk’s severity.
Right to be forgotten
Any client, present or past, has a right to be forgotten. Upon email request to security@bluejlegal.com any and all data pertaining to the client in question will be permanently erased within 7 days. A confirmation email will follow on completion of the request.
Application Security
Penetration Testing
An independent, third party vendor provides Blue J with annual penetration testing. Mitigation and remediation of any vulnerabilities found during testing are prioritized within our Software Development Life Cycle.
Vulnerability Scanning
An independent, third party vendor provides Blue J with quarterly vulnerability scanning. Mitigation and remediation of any vulnerabilities found during scanning are prioritized within our Software Development Life Cycle.
Physical Access Control
The Blue J Platform is entirely hosted in the cloud by Cloudflare and within AWS, in the us-east-1 North Virginia region. Blue J relies upon the security controls adopted by AWS and Cloudflare to ensure the security of physical computing environments hosting cloud based resources.
Virtual Access Control
Access to cloud hosted resources are controlled by AWS IAM and authorization is granted on a “Principle of Least Privilege” basis, with annual reviews of authorization levels. We use BastionZero for secure remote access to server resources allowing Secure shell (SSH) access to be disabled and commonly attacked ports to remain closed.
Audit Logging
Blue J has implemented comprehensive logging of operations conducted within the application as well as within the infrastructure hosting the application. Application Performance Management (APM) with alerting provides another layer of security and oversight.
Intrusion Detection and Prevention
Blue J benefits from the vendor provided security controls enabled within the AWS cloud infrastructure. In addition, Blue J continually monitors our workloads for malicious activity via AI enhanced threat detection software.
Software Development Life Cycle
Our Software Development Life Cycle policy defines the standard for the process we use to build our product at Blue J, which is consistent, repeatable and maintains information security at every stage. This includes the adoption of best practices which include:
- Version control system tracks code changes
- Code changes require independent review/approval
- Unit and integration tests run with the build
- Manual testing complements automated testing to ensure quality
- Code artifacts promoted through a series of separate development and testing environments prior to reaching Production servers
- CI/CD pipeline provides repeatable, predictable deployment of code changes
- Infrastructure as Code manages changes to the hosting system infrastructure which also follows the same SDLC process
Email Security
The Blue J platform includes email notifications to support user collaboration across Workspaces. We have SPF and DKIM records set, and domain-based message authentication, reporting, and conformance (DMARC) set up for monitoring reports to prevent the possibility of phishing scams. It is still strongly recommended that customers add to their allowlist the bluejlegal.com, bluej.com and askbluej.com domains to ensure consistent user access to both notification emails and our products themselves.
Data Security
Backups
Automated full backups of all production databases occur daily, with incremental backups happening throughout the day at 5 minute intervals. Database backups are encrypted to the same standards as live production data.
Encryption
Data at rest is encrypted using the industry standard AES-256 algorithm. Cryptographic keys are protected using AWS KMS ( Key Management Service).
Data in transit is encrypted using a minimum of HTTPS transport layer security TLS 1.2.
Data Retention and Removal
Customer data is retained and protected by Blue J indefinitely unless a formal request for removal is received. Customers can submit a request for data removal by contacting their dedicated Customer Success Manager or by sending an email to security@bluejlegal.com.
Data Residency
All data is stored and processed in the United States in the AWS us-east-1 North Virginia region. We do not currently offer the ability to store data in any other jurisdictions. We do not currently offer an on-premise solution.
Vendors / Sub-Processors
Blue J depends on carefully selected vendors and sub-processors to build our product and provide our services. The following list of partners and their respective security practices have been reviewed in accordance with our Vendor Management Policy.
Blue J Legal Inc. and BJL US Inc. are affiliates. Accordingly, they may function as sub-processors to build our product and provide our services.
Disclosure of Vulnerabilities
If you believe you have discovered a bug or have another concern with Blue J’s security, please contact our security team at security@bluejlegal.com.