Security
iManage offers a comprehensive approach to security, adopting the best practices from the security and cloud industries to provide a secure global platform for professional services firms. Our platform is independently verified by auditors, large commercial financial institutions and significant players in the defense space.
Data Center & Network Security
You can rely on the confidentiality, integrity and availability of your data in our best-in-class (Tier III) data centers with protections from blast walls to at-rest encryption.
Application Security
We build secure software by providing enhanced annual security training for our developers, conducting peer reviews on all code, and continuously testing our code via Dynamic Application Security Testing (DAST).
Security & Governance Products
We deliver need-to-know security, protect sensitive information from phishing and internal threats and support ethical walls and client audit requests, all without burdening the user with additional steps and work.
Compliance Certification
iManage security practices exceed industry standards, as shown by awards we have received. We also continue to maintain relevant certifications.
Disaster Recovery and Availability
iManage leads the industry in service availability. Our policy is to replicate your data across datacenters (in-region) and maintain four copies.
Best Practices
Maintaining your own iManage stack? Go to help.imanage.com to download detailed security best practices (for end users and server administrators) and stay current on software updates.
Privacy
iManage can help ease your regulatory burden with our products that support privacy objectives.
Integration
We provide ease of use and security features for your organization by providing support for SAML and IP filtering.
Data Center & Network Security
Facility
- iManage datacenters are located in Tier III (or better), SSAE 18, PCI and ISO compliant facilities.
- Power is supplied by redundant systems and multiple UPS/backup generators.
Physical Security
- Blast walls, gates, steel-reinforced concrete exterior walls, reinforced and alarmed doors
- Biometric authentication, 24/7 security officers, fixed and rotating cameras, video recorded
Employees
- Annual training of all employees
- Background checks of all employees
- Segregation of duties enforced
Encryption and Segregation
- All data is encrypted using standards-compliant systems
- All data in transit is encrypted via HTTPS/TLS or SFTP
Logging, Monitoring and Incident Response
- iManage uses an industry-leading SIEM to monitor and alert on anomalous events
- 24 x 7 monitoring and escalation of security events
- iManage conducts internal training on incident response
DDoS
- iManage mitigates the threat of Denial of Service via multiple tools to balance traffic and prevent loss of service to customers
- iManage purchases additional services to provide additional DDoS protection
Vulnerability & Patch Management
- Internal and external network tested via automated tools at least monthly
- Monthly patching of all systems
Network Segmentation
- A limited number of iManage employees have access to the dedicated customer environment (access is granted for maintenance purposes)
- Customer environment requires 2-factor authentication to access
Application Security
Developer Training
- iManage requires all software engineers to take security training annually
- iManage engineers are required to take a free-form test to ensure they understand security concepts and standards, and are required to score above 90% to pass.
- Once the above are done, all engineers have to sign an assertion confirming their commitment to understanding and following software security standards.
Developer-led Assurance
- All changes are peer reviewed prior to being committed
- The dev team uses industry-leading tools to test their own code prior to QA and external testing
Dynamic App Testing
- All cloud applications are tested using an externally managed continuous dynamic application security testing (DAST) service (with support from iManage QA and iManage Security)
- Any defects found are escalated according to the internal software defect process and remediated
Static App Testing
- All code is reviewed using a static application security testing (SAST) tool, and defects are remediated as part of the development process
Penetration Testing detail
- All cloud products are independently tested at least annually
Compliance Certification
iManage has a security and compliance program that supports the following regulations, standards and frameworks:
- ISO 27001 & ISO 27002 (all controls)
- ISO 27017
- ISO 27018
- ISO 22301
- SOC 2 Type 2
- NIST 800-171
- HIPAA
- DFARS 252.204-7012
Disaster Recovery and Availability
- In addition to offering the best availability when it comes to cloud DMS providers, iManage offers contractual service level commitments for availability.
- Every iManage production data center has a corresponding spare site in-geography to allow for immediate recovery.
- iManage maintains multi-gigabyte connectivity for timely replication, so that we can meet your recovery point requirements.
- Our DR process is seamless to our users. In the event of a disaster, no host or DNS changes are required by our customers.
- Our DR plan is tested regularly.
Privacy
- iManage confirms that it will be compliant with the GDPR regulations when they come into force in May 2018.
- Customer retains ownership of the Customer Data.
- iManage will cooperate with Customer in meeting the obligations of Article 28 and other related articles.
- iManage includes an addendum to our Cloud Services Agreement that defines our obligations.
Integration
- iManage offers many ways to integrate your identity provider into our solution, including SAML2-compliant identity providers and ADFS
- All our traffic is encrypted via TLS (encryption in transit) using an independent certificate; however, we can support any additional security requirements you may have, such as IP filtering for your profile
- iManage has published a comprehensive, secure REST API SDK