SECURITY

Information Security Program at Blue J

Security and trust are fundamental to the services we provide, and Blue J is committed to ensuring that our product and processes employ enterprise-grade best practices to keep your data safe.

SOC 2

We work with an independent auditor to maintain a SOC 2 Type 2 report on an annual basis. The report is the auditor's attestation that the controls protecting our customers' data are suitably designed and operated effectively throughout the audit period. Blue J can provide its SOC 2 report to customers upon receipt of a signed Non-Disclosure Agreement (NDA).

Product Description

The Blue J platform is a cloud-native research platform that includes the following user-friendly tools:

  • Generative AI for Tax Research
  • Outcome Prediction & Scenario Planning
  • Statute Analysis
  • Factor-Based Retrieval & Analysis of Case Law
  • Diagramming

Our generative AI solution, Ask Blue J, answers challenging tax law questions through a natural language interface. Additional AI-powered tools for case research and analysis work from the user's selection of values for the factors considered relevant to case outcomes; this does not require PII as input.

The diagramming tool assists users with tax entity and relationship planning. The user controls this data: the tool does not require sensitive data, but users are likely to define client information and relationships in their diagrams. This data, like all customer data, is stored and managed under the security practices documented on this page.

PII collection for our users is limited to the data necessary to manage Authentication and Authorization for the purposes of using the Blue J platform (email address and name).

Corporate Security

Blue J has established an Information Security Program that maintains a set of policies reviewed annually. Policies pertinent to security include:

  • Acceptable Use Policy
  • Asset Management Policy
  • Backup Policy
  • Business Continuity/Disaster Recovery Plans
  • Code of Conduct
  • Data Classification, Deletion, and Protection Policies
  • Encryption and Password Policies
  • Incident Response Plan
  • Physical Security Policy
  • Responsible Disclosure Policy
  • Risk Assessment Policy
  • Software Development Life Cycle Policy
  • System Access Management Policy
  • Vendor Management Policy
  • Vulnerability Management Policy

At Blue J security compliance is overseen by our CTO, Brett Janssen.

Additional information can be found in our Trust Center.

Employee Training

During onboarding, new employees must complete security awareness training provided by a trusted vendor. All existing employees must repeat this training annually so that security remains a top priority within the organization.

Employees must read and accept the Blue J Information Security Program policies during onboarding, and re-acknowledge them annually or whenever the policies change.

Development team staff also complete additional training, such as training on the OWASP Top 10 web application security risks, which is likewise renewed annually.

Background checks

All Blue J employees are screened prior to employment using standard background checks provided by a trusted vendor, which include:

  • Verification of identity
  • National Criminal records check
  • County Criminal records check
  • Sex offender registry check (U.S. Only)

Business Continuity and Disaster Recovery

Blue J's Business Continuity and Disaster Recovery plans are maintained and reviewed annually to ensure the business can react appropriately to large-scale, unplanned events. The plans are tested and exercised annually, so that the process is continually refined even in the absence of genuine events.

Regular backups and an Infrastructure as Code implementation of hosting environments allow our operations team to react quickly and effectively in the event of large scale outages or disaster.

Security Incident Response

Blue J's Information Security Program includes policies, maintained and reviewed annually, that define how the business identifies, responds to, communicates and documents security incidents, whether accidental or malicious. In the event of a data breach, Blue J will promptly notify the required parties in accordance with all applicable regulatory requirements. Incident response plans are tested and exercised annually, so that the process is continually refined even in the absence of genuine events.

High Availability

Blue J achieves high availability by using multiple load balancers, servers and datastores for redundancy.  In addition to redundancy we have engineered our platform to self-heal so that most issues can be recovered from quickly and automatically.

Continuous Security Control Monitoring

Blue J uses Drata's automation platform to continuously monitor 100+ security controls across the organization. Automated alerts and evidence collection allow Blue J to demonstrate its security and compliance posture on any day of the year, while fostering a security-first mindset and a culture of compliance across the organization.

This includes monitoring of individual employee workstations to ensure that full drive encryption, screen lock, a trusted password manager and malware protection are enabled at all times.

Employee Access

The System Access Control Policy defines how access to the Blue J network and its resources is managed. It adopts the principle of least privilege, which limits each employee's access to the level required to perform their job function.

Two-factor authentication (2FA) is enforced for employee accounts, and an annual review of access levels is conducted to ensure that employees retain only the authorization appropriate to their role.

Risk Management

Blue J performs an annual, organization-wide risk assessment covering the Engineering, Human Resources (HR), Information Security, Finance, Sales and Legal departments. The assessment team uses a customized version of the Consensus Assessments Initiative Questionnaire (CAIQ) published by the Cloud Security Alliance (CSA), which helps the team both identify and quantify risks. Identified risks are catalogued and then actioned in a manner suited to each risk's severity.

Right to be forgotten

Any client, present or past, has a right to be forgotten. Upon email request to security@bluejlegal.com, any and all data pertaining to the client in question will be permanently erased within 7 days. A confirmation email will follow on completion of the request.

Application Security

Penetration Testing

An independent, third party vendor provides Blue J with annual penetration testing.  Mitigation and remediation of any vulnerabilities found during testing are prioritized within our Software Development Life Cycle.

Vulnerability Scanning

An independent, third party vendor provides Blue J with quarterly vulnerability scanning.  Mitigation and remediation of any vulnerabilities found during scanning are prioritized within our Software Development Life Cycle.

Physical Access Control

The Blue J platform is hosted entirely in the cloud, on Cloudflare and on AWS in the us-east-1 (North Virginia) region. Blue J relies on the security controls adopted by AWS and Cloudflare to secure the physical computing environments that host our cloud resources.

Virtual Access Control

Access to cloud-hosted resources is controlled by AWS IAM, with authorization granted on a least-privilege basis and reviewed annually. We use BastionZero for secure remote access to server resources, which lets us keep inbound Secure Shell (SSH) access disabled and commonly attacked ports closed.

Audit Logging

Blue J has implemented comprehensive logging of operations conducted within the application as well as within the infrastructure hosting the application. Application Performance Management (APM) with alerting provides another layer of security and oversight.

Intrusion Detection and Prevention

Blue J benefits from the vendor-provided security controls enabled within the AWS cloud infrastructure. In addition, Blue J continually monitors our workloads for malicious activity using AI-enhanced threat detection software.

Software Development Life Cycle

Our Software Development Life Cycle policy defines the standard for the process we use to build our product at Blue J, which is consistent, repeatable and maintains information security at every stage.  This includes the adoption of best practices which include:

  • Version control system tracks code changes
  • Code changes require independent review/approval
  • Unit and integration tests run with the build
  • Manual testing complements automated testing to ensure quality
  • Code artifacts promoted through a series of separate development and testing environments prior to reaching Production servers
  • CI/CD pipeline provides repeatable, predictable deployment of code changes
  • Infrastructure as Code manages changes to the hosting system infrastructure which also follows the same SDLC process

Email Security

The Blue J platform sends email notifications to support user collaboration across Workspaces. Our sending domains publish SPF and DKIM records, and Domain-based Message Authentication, Reporting and Conformance (DMARC) is configured so that receiving mail servers report messages that fail those checks, which reduces the opportunity for phishing that spoofs our domains. Note that DMARC reporting on its own does not stop spoofed mail from being delivered; receivers only quarantine or reject such mail when the published policy is p=quarantine or p=reject. We still strongly recommend that customers add the bluejlegal.com, bluej.com and askbluej.com domains to their allowlists to ensure consistent delivery of notification emails and access to the products themselves.
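SPF, DKIM and DMARC are all DNS TXT records, and the difference between a DMARC record that only reports and one that enforces comes down to a couple of tags. The following Go program is an added example for this page, not Blue J's own tooling: it parses constructed sample records (the example domains and values are invented) and reports whether each DMARC policy is enforcing and how strict each SPF record's `all` mechanism is. A real check would fetch the `_dmarc.<domain>` and `<domain>` TXT records with a resolver (for instance `dig +short TXT _dmarc.example.com`) instead of reading them from the inline map.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample TXT records; domains and values are invented, not Blue J's DNS data.
var sampleRecords = map[string]string{
	"monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
	"partial.example":      "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
	"enforcing.example":    "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@enforcing.example",
	"spf-soft.example":     "v=spf1 include:_spf.google.com ~all",
	"spf-strict.example":   "v=spf1 include:_spf.google.com -all",
	"spf-open.example":     "v=spf1 +all",
}

// DMARCPolicy holds the tags that decide whether a record enforces anything (RFC 7489).
type DMARCPolicy struct {
	Policy          string // p=   : none, quarantine or reject
	SubdomainPolicy string // sp=  : defaults to p
	Percent         int    // pct= : share of failing mail the policy applies to, default 100
}

// ParseDMARC parses the "tag=value; tag=value" syntax of a DMARC TXT record.
func ParseDMARC(txt string) (DMARCPolicy, error) {
	pol := DMARCPolicy{Percent: 100}
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return pol, fmt.Errorf("malformed tag %q", part)
		}
		tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
	}
	if tags["v"] != "DMARC1" {
		return pol, errors.New("missing or invalid v=DMARC1 tag")
	}
	switch tags["p"] {
	case "none", "quarantine", "reject":
	default:
		return pol, fmt.Errorf("missing or unknown p= policy %q", tags["p"])
	}
	pol.Policy, pol.SubdomainPolicy = tags["p"], tags["p"]
	if sp, ok := tags["sp"]; ok {
		pol.SubdomainPolicy = sp
	}
	if pct, ok := tags["pct"]; ok {
		n, err := strconv.Atoi(pct)
		if err != nil || n < 0 || n > 100 {
			return pol, fmt.Errorf("invalid pct %q", pct)
		}
		pol.Percent = n
	}
	return pol, nil
}

// Enforcing reports whether receivers are told to quarantine or reject every
// message that fails DMARC. p=none only yields reports; pct below 100 acts on a sample.
func (p DMARCPolicy) Enforcing() bool {
	return p.Policy != "none" && p.Percent == 100
}

// SPFAllQualifier returns the qualifier on the "all" mechanism: "-" fail, "~" softfail,
// "?" neutral, "+" pass. With no "all" mechanism, unlisted senders evaluate to neutral.
func SPFAllQualifier(txt string) (string, error) {
	if !strings.HasPrefix(strings.ToLower(txt), "v=spf1") {
		return "", errors.New("not an SPF record")
	}
	for _, term := range strings.Fields(txt)[1:] {
		qualifier, mech := "+", term
		if strings.ContainsAny(term[:1], "+-~?") {
			qualifier, mech = term[:1], term[1:]
		}
		if strings.EqualFold(mech, "all") {
			return qualifier, nil
		}
	}
	return "?", nil
}

func main() {
	for _, d := range []string{"monitor-only.example", "partial.example", "enforcing.example"} {
		pol, err := ParseDMARC(sampleRecords[d])
		fmt.Printf("%-22s p=%-10s pct=%-3d enforcing=%-5v err=%v\n", d, pol.Policy, pol.Percent, pol.Enforcing(), err)
	}
	for _, d := range []string{"spf-soft.example", "spf-strict.example", "spf-open.example"} {
		q, err := SPFAllQualifier(sampleRecords[d])
		fmt.Printf("%-22s spf all=%q err=%v\n", d, q, err)
	}
}
```

Only the `enforcing.example` record counts as enforcing: `p=none` produces reports without affecting delivery, and `pct=25` applies the policy to a quarter of failing mail, which is a rollout stage rather than a finished posture. On the SPF side, `~all` asks receivers to softfail rather than reject, and `+all` makes the record meaningless by authorizing every sender.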

Data Security

Backups

Automated full backups of all production databases occur daily, with incremental backups taken throughout the day at 5-minute intervals. Database backups are encrypted to the same standards as live production data.

Encryption

Data at rest is encrypted using the industry-standard AES-256 algorithm. Cryptographic keys are protected using AWS Key Management Service (KMS).

Data in transit is encrypted with HTTPS using TLS 1.2 or later.
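Encrypting data with AES-256 while the keys are protected by KMS normally means envelope encryption: KMS holds a key-encryption key that never leaves the service, and each stored object gets its own data key that KMS wraps and unwraps on request. The following Go program is an added example, not Blue J's code, and it assumes that pattern (the page does not describe Blue J's actual key hierarchy): a local AES-256-GCM key stands in for KMS, and the workspace and object identifiers are passed as associated data so that a ciphertext copied to another workspace fails authentication instead of decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// randomBytes panics if the OS CSPRNG is unavailable; there is no safe fallback.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds an AES-256-GCM AEAD. The length check guarantees AES-256 rather
// than AES-128/192, and aes.NewCipher cannot fail once the length is right.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, _ := aes.NewCipher(key)
	return cipher.NewGCM(block)
}

// KEK stands in for a KMS key (an assumption made for this example): created once,
// never exported, used only to wrap and unwrap per-object data keys, which is the
// role the GenerateDataKey and Decrypt operations play in AWS KMS.
type KEK struct{ aead cipher.AEAD }

func NewKEK() (*KEK, error) {
	aead, err := newGCM(randomBytes(32))
	if err != nil {
		return nil, err
	}
	return &KEK{aead: aead}, nil
}

// Envelope is what gets stored. Nothing in it is usable without the KEK.
type Envelope struct {
	WrappedKey []byte // nonce || AES-GCM(KEK, dataKey)
	Payload    []byte // nonce || AES-GCM(dataKey, plaintext)
	Context    []byte // associated data (not secret); both layers are bound to it
}

// sealGCM prepends a fresh random nonce to the AEAD output.
func sealGCM(aead cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

func openGCM(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// Encrypt draws a fresh 256-bit data key per object, encrypts the payload with
// it, wraps the data key under the KEK, then zeroes the plaintext data key.
func (k *KEK) Encrypt(plaintext, context []byte) (*Envelope, error) {
	dataKey := randomBytes(32)
	dataAEAD, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{
		WrappedKey: sealGCM(k.aead, dataKey, context),
		Payload:    sealGCM(dataAEAD, plaintext, context),
		Context:    context,
	}
	for i := range dataKey { // the plaintext data key is not retained
		dataKey[i] = 0
	}
	return env, nil
}

// Decrypt unwraps the data key, then opens the payload. A changed context,
// wrapped key or payload fails GCM authentication instead of yielding garbage.
func (k *KEK) Decrypt(env *Envelope) ([]byte, error) {
	dataKey, err := openGCM(k.aead, env.WrappedKey, env.Context)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	dataAEAD, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return openGCM(dataAEAD, env.Payload, env.Context)
}

func main() {
	kek, _ := NewKEK()
	// Constructed sample: a diagram record bound to the workspace that owns it.
	env, _ := kek.Encrypt([]byte("Acme Holdings -> Acme Ops LLC"), []byte("workspace=42;object=diagram-7"))
	pt, err := kek.Decrypt(env)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
	env.Context = []byte("workspace=99;object=diagram-7") // object "moved" to another workspace
	_, err = kek.Decrypt(env)
	fmt.Println("after context tampering:", err)
}
```

The per-object data key is what makes key rotation and deletion tractable: rotating the KEK means re-wrapping small keys rather than re-encrypting every payload, and destroying an object's wrapped key renders its ciphertext unrecoverable even if the backup that contains it persists.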

Data Retention and Removal

Customer data is retained and protected by Blue J indefinitely unless a formal request for removal is received.  Customers can submit a request for data removal by contacting their dedicated Customer Success Manager or by sending an email to security@bluejlegal.com.

Data Residency

All data is stored and processed in the United States, in the AWS us-east-1 (North Virginia) region. We do not currently offer the ability to store data in any other jurisdiction, and we do not currently offer an on-premises solution.

Vendors / Sub-Processors

Blue J depends on carefully selected vendors and sub-processors to build our product and provide our services.  The following list of partners and their respective security practices have been reviewed in accordance with our Vendor Management Policy.

Name                    Description
Atlassian - Confluence  Documentation, collaboration and communication
AWS                     Infrastructure hosting
Auth0                   Identity and access management
Catalyst                Customer support
BastionZero             Remote infrastructure access
Calendly                Appointment booking
CertN                   Employee screening
Customer.io             Customer interactions
CircleCI                CI/CD pipeline
Cloudflare              Cloud hosting, security and networking
Datadog                 Monitoring and alerting
Doppler                 Configuration and secrets management
Drata                   Security and compliance management
Elastic Cloud           Search infrastructure
GitHub                  Source code repository and dependency scanning (Dependabot)
Google                  Email service and productivity provider
HubSpot                 Customer relationship management
LaunchDarkly            Feature management
Mailgun                 Customer interactions
Microsoft               Cloud AI services and infrastructure
Mixpanel                Product analytics
Notion                  Documentation, collaboration and communication
OpenAI                  Large language model AI
PagerDuty               Alerting
PartnerStack            Sales channel affiliate management
Pinecone                AI vector database services
Salesforce              Customer relationship management
Salesloft               Customer relationship management
Stripe                  Payment processing
Twilio - Segment        Cloud-based customer data platform (CDP)
Sentry                  Alerting and monitoring
Slack                   Collaboration and communication
Socratic                Task management
Zendesk                 Customer relationship management

Blue J Legal Inc. and BJL US Inc. are affiliates. Accordingly, they may function as sub-processors to build our product and provide our services.

Disclosure of Vulnerabilities

If you believe you have discovered a vulnerability or have another concern about Blue J's security, please contact our security team at security@bluejlegal.com.