Security at Outlaw
Security and privacy are essential to contracts, so they’re essential to everything we do here at Outlaw.
Security isn’t just about technology; it begins with people. People design and build technology and train each other to use it safely and correctly. Our security begins with our organization, starting from the founding DNA.
Outlaw’s CEO & Co-Founder, Evan Schneyer, worked at Google’s Site Reliability Engineering (SRE) division prior to founding Outlaw. Google SRE is recognized as the world’s premier Internet security organization and has even published a book which is widely used as a best-practices manual. Outlaw’s Chief Product Officer & Co-Founder, Dan Dalzotto, has deep experience designing products in which superior user experience is paramount for security; these include large-scale e-commerce websites, mobile banking apps and blockchain solutions for Fortune 500 companies such as Accenture, Qualcomm and United Technologies. Finally, Outlaw’s senior-most Technical Advisor, Jorge Trujillo, is a veteran in architecting bulletproof security protocols at large enterprises including Target, TripAdvisor and Morgan Stanley. Jorge has advised the Outlaw product development team from the very start to ensure robust information security throughout the entire Outlaw platform.
Auditing & Compliance
Outlaw undergoes annual independent third-party validations of its security, processes, and services, including completion of the SOC 2 Type II attestation from the AICPA.
The SOC 2 report provides assurance that Outlaw's information security program and control environment are compliant with the Trust Services Principles set forth by the AICPA. The audit reviews the controls Outlaw has implemented of its security, availability, processing integrity, privacy and confidentiality.
A copy of our report is available for current and potential clients upon request, provided an NDA has been signed: email@example.com
We host our infrastructure with Heroku, a best-in-class cloud application service owned by Salesforce. All services on Heroku run inside of virtualized unix containers, and the total isolation provided by this virtualization offers an important additional layer of implicit security. Heroku also includes automated deployments as part of a Continuous Integration (CI) pipeline, as well as instant 1-click rollback to a prior application version. Their physical infrastructure is hosted and managed within Amazon’s secure data centers which have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
View the full list of Heroku security here.
Vulnerability & Penetration Testing Program
Outlaw’s entire stack – both client-side web application and server-side API – is being watched by a 3rd party monitoring service, which notifies Outlaw’s technical team of any errors triggered throughout the platform. This service provides an extra layer of security for Outlaw by immediately flagging any unauthorized access attempts. This instant reporting will notify us of any malicious third-party attempts to misuse Outlaw, including code injection or denial of service (DoS) attacks, allowing the team to respond rapidly with appropriate measures.
Penetration testing is conducted regularly by industry-recognized independent security firms to perform vulnerability tests, threat assessments and security reviews.
All of Outlaw’s application data – which includes all customer data – resides on Firebase, a realtime database service that is part of Google Cloud Platform. Firebase offers an advanced, customizable access control layer (ACL) which allows database owners to explicitly specify different permissions to different areas of the data. We have strictly followed this protocol in our Firebase implementation, and this is the chief means by which the rules described in the Permissions section below are enforced. More information about Firebase security can be found here.
Data across all of the systems described above is encrypted both at rest and in transit using industry-standard 256-bit encryption protocols. Outlaw’s web application is only accessible via a secure HTTPS connection at https://app.getoutlaw.com.
Credit Card Safety
Outlaw does not store any credit card information on its servers. Payments are processed by Stripe, a PCI Data Security Standards (PCI DSS) Level 1 service provider. This is the most stringent level of certification available in the payments industry to ensure companies that process, store or transmit credit card information maintain a secure environment. See Security at Stripe for more information.
Outlaw customers exclusively own all of their own data, and Outlaw will never share or sell any customer data to any third party. Our standard Terms of Service can be found at https://www.getoutlaw.com/terms, and any changes in policy regarding use of data will be updated directly there, as well as sent to all customers via email.
Availability & Backup
We continuously monitor uptime and conduct Disaster Recovery planning in preparation for any potential issues that could arise. Outlaw performs full backups daily to prevent any data loss. Customer data is always transmitted over a secure communication channel and encrypted at rest.
Outlaw organizes customer data into four “scopes” in order to enable granular user-level role-based permissioning enforced by both Firebase and our server API layer at each scope. Aside from the general security best practices described above, the bulk of Outlaw’s security rests in the technical permissions architecture of these scopes and how they relate to one another.
As previously mentioned, all usage of the Outlaw platform is user-access-controlled; even the “Guest Access” described below is still tied to a unique User ID for auditing and security purposes. The User Scope is the most basic of the four permission scopes. Users always have full access and control over their own data, which consists of their profile information, and their membership in each of the other three scopes below.
Outlaw has developed a proprietary document format for contracts which we call Deals. Everything from the prose content of a contract to its variables, eSignatures, discussion and audit log are embedded in the Deal format.
The Deal format also encapsulates individually scoped User permissions – and this includes several different levels of access, from read-only to full administrative control, which can be specified by the owner (creator) of the Deal. This means that each and every contract created on Outlaw self-contains all of the security details about who can access it in any way shape or form.
Templates on Outlaw are the reusable version of Deals, encapsulating both the legal content and dynamic variables of a customer’s standard form of contract, as well as default workflows, default User permissions and default User roles that are applied to all Deals created from that Template. For instance, a customer might choose to grant one particular User (or group) access to all Deals that originate from their “Unilateral NDA” Template, and a different user (or group) access to all Deals that originate from the “Mutual NDA” Template.
Similar to the Deal Scope, the Permissions managed at the Template Scope are embedded in the Template object, optimizing for data portability (e.g., copying a Template to a different Team) without sacrificing security.
Licensed Outlaw Users are organized into Teams, and individual Users can be members on multiple Teams. In many cases all of the licensed Users at a particular customer’s organization are only on a single Team (e.g., “Acme Co”), but larger enterprise customers can have multiple, separately administered teams (e.g., “Acme Procurement” and “Acme Legal”).
Unlike Deals, which have independent and embedded ACL lists as described above, Templates are “owned” by the Team, rather than any individual User on that Team. This means that the primary function of the Team Scope is to define who can use which Templates, as well as how they can use them.
Together the Team, Template and Deal Scopes accomplish a critically important aspect of information security inside of customers’ organizations that is nearly impossible to achieve without such an advanced permissions architecture: they allow the translation and enforcement of organizational roles into contract process roles. In other words, Outlaw ensures that only the people at a customer’s organization who are authorized to interact with contracts can do so, and only in the exact roles in which they are authorized to act.
The Deal Scope is the only one of the four scopes at which some form of anonymous access is permitted, and we call this Guest Access. This exception has been established in order to enable the very common contract scenario in which a contract sender (our direct customer) wishes to share a contract with their counterparty for negotiation and/or eSigning without requiring the counterparty to explicitly create a login.
Customers can enable or disable Guest Access at both the individual contract level (Deal Scope) and at the Template level (Template Scope). Even when a contract is accessed by a Guest, an anonymous User account is still created and managed via Firebase Authentication. This enables all of the security benefits in terms of logging, audit trail and the User Scope described above (simply without requiring account creation by the recipient) and follows the security best practices that have been well established in the eSigning industry.
Outlaw also offers customers the ability to add yet another layer of security around particularly sensitive data via our Secrets feature. Secrets allows for more sensitive data such as PIN numbers or bank/wiring details – which are commonly included in contract appendices – to have double cloud-based encryption, only allowing (logged) access by specific other users, and redacting visibility in exported (PDF / DOCX) versions of the contract. The ability granted by Secrets to persist granular security rules even “off-platform” is an industry-first, and this is emblematic of our total commitment to securing customer data.