Security
iManage offers a comprehensive approach to security, adopting the best practices from the security and cloud industries to provide a secure global platform for professional services firms. Our platform is independently verified by auditors, large commercial financial institutions and significant players in the defense space.
Data Center & Network Security
You can rely on the confidentiality, integrity and availability of your data in our best-in-class (Tier IV) data centers with protections from blast walls to default at-rest encryption (FIPS 140-2 level 2 certified).
Application Security
We build secure software by providing enhanced annual security training for our developers, conducting peer reviews on all code, and continuously testing our code via Dynamic Application Security Testing (DAST).
Security & Governance Products
We deliver products that protect your sensitive information from phishing and internal threats, and products that support your needs to implement ethical walls, record retention policies, and audit requests.
Compliance Certifications
iManage security practices exceed industry standards, as shown by awards we have received, we also continue to maintain relevant certifications
Disaster Recovery and Availability
iManage leads the industry in service availability. Our policy is to replicate your data across datacenters and maintain four copies.
Best Practices
Maintaining your own iManage stack? Go to help.imanage.com to download detailed security best practices (for end users and server administrators) and stay current on software updates.
Privacy
iManage can help ease your regulatory burden with our products that support privacy objectives.
Integration
We provide ease of use and security features for your organization by providing support SAML, s2s VPN.
Data Center & Network Security
Facility
- iManage datacenters are located in tier IV, SSAE18, PCI, ISO compliant facilities in separate cages. Power is supplied by redundant systems and multiple UPS/backup generators.
Physical Security
- Blast walls, gates, steel-reinforced concrete exterior walls, reinforced and alarmed doors
- Biometric authentication, 24/7 security officers, fixed and rotating cameras, video recorded
Employees
- Annual training of all employees
- Background checks of all employees
- Segregation of duties enforced
Encryption and Segregation
- Your data is never intermingled with another customer’s (Dedicated storage & DB resources)
- All data is encrypted using a FIPS 140-2 level 2 certified system
- All data in transit is encrypted via https/TLS or SFTP
Logging, Monitoring and Incident Response
- iManage uses industry leading SIEM to monitor and alert on anomalous events
- 24 x 7 monitoring and escalation of security events
- iManage conducts internal training on incident response, in addition to externally lead manual exercise and assessment of IR processes
DDOS
- iManage mitigates the threat of Denial of Service via multiple tools to balance traffic and prevent loss of service to customers
- iManage purchases additional services to provide additional protection from our ISP
Network Segmentation
- Limited number of iManage employees have access to dedicated customer environment (access granted for maintenance purposes)
- Customer environment requires 2-factor to access
Application Security
Developer Training
- iManage requires all software engineers to take security training annually
- iManage engineers are required to take a free form test to ensure they understood security concepts and standards and are required to score above 90% to pass.
- Once above are done, all engineers have to sign an assertion confirming their commitment to understanding and following software security standards.
Developer led assurance
- All changes are peer reviewed prior to being committed
- Developers use industry leading tools to test their own code prior to QA and external testing
Dynamic App Testing
- All cloud applications are tested using externally managed continuous dynamic application security testing (SAST) service (with support from iManage QA and iManage Security)
- Any defects found are escalated according to internal software defect process and remediated
Static App Testing
- All code is reviewed using static application security testing (SAST) tool, and defects are remediated as part of development process
PEN Testing detail
- All cloud products are manually tested by external firms contracted by iManage
- Select client side apps are manually tested by external firms contracted by iManage
Compliance Certification
- iManage has a security and compliance program that supports the following regulations, standards and frameworks
- ISO 27001 Certification
- SOC 2 Type 2
- NIST 800-171
- HIPAA
- PCI
- DFARS 252.204-7012
Disaster Recovery and Availability
- In addition to offering the best availability when it comes to cloud DMS providers, iManage offers contractual service level commitments for availability.
- Every iManage production data center has a corresponding spare site in-geography to allow for immediate recovery.
- iManage maintains multi-gigabyte connectivity to ensure timely replication to ensure we can meet your recovery point requirements.
- Our DR process is seamless to our users. In the event of a disaster, no host or DNS changes are required by our customers.
- Our DR plan is tested regularly.
Privacy
- iManage confirms that iManage will be compliant with the GDPR regulations when they come into force in May 2018.
- Customer retains ownership of the Customer Data.
- iManage will cooperate with Customer in meeting the obligations of Article 28 and other related articles.
- iManage will add an addendum to our Cloud Services Agreement that defines our obligations.
Integration
- iManage offers many ways to integrate your identity provider into our solution including ADFS-SAML and LDAP
- All our traffic is encrypted via TLS (encryption in transit) using an independent cert, however we can support any additional security requirements you may have via
- IP Filtering for your profile
- Dedicated site to site VPN from your location to ours
- iManage publishes a large number of APIs – all are only accessible via https and require authentication