Compliance

We understand that your IT department may want to perform due diligence on all third party technology providers. To make life easier for everyone, we have assembled the most common and relevant questions and answers here.

Networking security

What IP addresses or domain names belong to the application?

The following domain names can be used to access the application: courtformpro.com

What domain names are used for sending email?

You may receive email from addresses at the following domain names, and should ensure they are allowed in your email spam filter: @courtformpro.com

Does Court Form Pro use firewalls to restrict malicious network traffic?

Yes

Are production databases shielded from direct internet access through the use of VPCs or similar?

Yes

Are mitigations in place to prevent CSRF and XSS attacks?

Yes

Data

Is the solution hosted on-premises or in the cloud?

Cloud

Which cloud model is the solution based on? (eg, PaaS, IaaS, SaaS)

Software as a Service (SaaS)

Which service model is used?

Public cloud (eg, AWS, Azure, Google Cloud, etc)

Are agreements in place with cloud service providers to define the legal jurisdiction where data can be transmitted, processed, or stored?

Yes

Which cloud provider(s) does the service rely on?

DigitalOcean

In which data centres / countries / geographies is data stored?

Sydney, Australia

Which tenancy model is used?

Multi-tenant

What is the availability Service Level Agreement (SLA) for this application / service?

99.99% uptime per month

Is data encrypted to an industry standard both at rest (stored data) and in transit?

Yes

Are all removable media encrypted?

No removable media is used

Is the data backed-up on a regular basis?

Data is backed up on a daily basis, and retained for 7 days

What are the SLAs around disaster recovery?

We aim to restore access as quickly as reasonably possible.

Does Court Form Pro have a data privacy policy / framework to govern the handling of personal information, including the collection, use, storage and disclosure of personal information?

Yes – see https://courtformpro.com/legals

Does the data privacy policy / framework comply with applicable Australian privacy laws and regulations, including the Privacy Act 1988 (Cth)?

Yes

Is the data privacy policy / framework regularly reviewed and approved by management on a periodic basis?

Yes

Does Court Form Pro have a data privacy breach notification procedure that specifies who needs to be notified in the event of a privacy breach, in what circumstances and in what time frames?

Yes

Please provide information on the circumstances in which, and the time frames within which, notifications are made

We notify affected individuals and the OAIC about an eligible data breach. An eligible data breach occurs when:

1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that our organisation holds;
2. this is likely to result in serious harm to one or more individuals; and
3. our organisation hasn't been able to prevent the likely risk of serious harm with remedial action.

Notification must be made promptly, and in any event within 7 business days of discovery of the eligible data breach.

Compliance

Is access to data restricted by Role Based Access Controls (RBAC) and processes?

Yes

Are RBAC assignments regularly reviewed to ensure only authorised users are provided access to data, devices, and application functions?

Yes

Are audit logs recording user activities, exceptions, and information security events produced and kept to assist in future investigations and access control monitoring?

Yes. Among other things, we log the IP address and logged-in user ID for the following actions:

- Log in (and all steps in the log in flow)
- Log out
- Access a form
- Alter a form
- Create a new form
- Invite other users to gain access to a form

Are controls and procedures in place for granting, revoking, and separating access to all information systems and services?

Yes. Internally, the software keeps track of users and memberships. Users can only access products to which they have a membership. Externally, logins are handled by email address. Accordingly, as soon as a former employee has their email access removed, they lose access to the app.

How is user authentication managed?

Email address and password, with 2-factor authentication handled by temporary one time passwords sent by email.

Is there support for single sign-on / ActiveDirectory integration?

We do not currently offer this. However, because our user authentication uses 2-factor authentication via email, if a staff member leaves your firm and loses access to their work email, they will also lose access to their account on Court Form Pro.

Is multi-factor authentication enforced for access to systems / data?

Yes – temporary one time passwords are sent to the user's email address on every login.
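The two answers above (email one-time passwords on every login) and the audit-log answer under Compliance describe a login step that a reader may want to see end to end. The following is an added illustration written for this page; it is not Court Form Pro's code and the page does not describe their implementation. It assumes a hypothetical in-memory `OtpLogin` class, a ten-minute code validity window and a five-guess limit (the page states no such figures), and it records each step with the user ID and IP address in the way the audit-log answer lists. The design choices that matter for security are visible in the code: only a salted hash of the code is stored, the comparison is constant-time, a code is single-use, and both expiry and a guess limit are enforced.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 600   # assumed validity window; the page states no figure
MAX_ATTEMPTS = 5        # assumed guess limit; the page states no figure


def _digest(salt: bytes, code: str) -> bytes:
    # A six-digit code is tiny, so a random per-code salt stops a leaked
    # table of digests from being reversed with a precomputed lookup.
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


class OtpLogin:
    """Email one-time-password step of a login flow, with an audit trail.

    Hypothetical in-memory implementation (constructed for this example).
    Only a salted hash of each code is stored; the clear-text code is
    returned once from issue() so the caller can email it to the user.
    """

    def __init__(self):
        self._pending = {}   # user_id -> pending code record
        self.audit = []      # append-only audit trail: time, user id, IP, event

    def _log(self, event, user_id, ip, now):
        self.audit.append({"ts": now, "user_id": user_id, "ip": ip, "event": event})

    def issue(self, user_id, ip, now=None):
        now = time.time() if now is None else now
        # Cryptographically random, zero-padded to OTP_DIGITS digits.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "salt": salt,
            "digest": _digest(salt, code),
            "expires_at": now + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self._log("otp_issued", user_id, ip, now)
        return code

    def verify(self, user_id, submitted, ip, now=None):
        """Returns (ok, reason). Every outcome is written to the audit trail."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            self._log("otp_no_pending", user_id, ip, now)
            return False, "no_pending_code"
        if now > entry["expires_at"]:
            del self._pending[user_id]
            self._log("otp_expired", user_id, ip, now)
            return False, "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            # Too many guesses: discard the code so a fresh one must be issued.
            del self._pending[user_id]
            self._log("otp_locked", user_id, ip, now)
            return False, "too_many_attempts"
        if hmac.compare_digest(entry["digest"], _digest(entry["salt"], submitted)):
            del self._pending[user_id]   # single use: a replayed code is rejected
            self._log("login_success", user_id, ip, now)
            return True, "ok"
        self._log("otp_mismatch", user_id, ip, now)
        return False, "mismatch"


if __name__ == "__main__":
    # Constructed walkthrough: issue a code, reject a wrong guess, accept the
    # right one, then show that the same code cannot be replayed.
    login = OtpLogin()
    code = login.issue("alice@example.com", "203.0.113.5")
    print("emailed code:", code)
    print(login.verify("alice@example.com", "000000", "203.0.113.5"))
    print(login.verify("alice@example.com", code, "203.0.113.5"))
    print(login.verify("alice@example.com", code, "203.0.113.5"))
    for event in login.audit:
        print(event)
```

The `now` parameter exists so the expiry path can be exercised deterministically; production code would omit it and use the clock directly. The audit list is the part that answers an IT reviewer's question about what gets logged: every outcome, including failed and locked-out attempts, carries the user ID and source IP.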

Is Court Form Pro accredited to a recognised Information Security Standard? (ISO 27001:2013, NIST CSF, etc.)?

No. However, we maintain an information security capability commensurate with information security vulnerabilities and threats by taking the following precautions, among others:

1. We produce a minimal product, with minimal features, and therefore minimal surface area exposed to the outside world.
2. We use extensive automated testing to ensure our software is and remains secure against malicious users attempting to access data they should not have access to.
3. We leverage widely-adopted technologies with active security maintenance.
4. We use a tightly constrained network architecture which only opens the ports and hostnames that are essential for continued operation.
5. We apply sweeping IP restrictions to production assets such that they are only accessible to other production assets, and to approved company workstations.

Asset management

Are devices, servers, systems, or other network elements that store or process any data patched in a prompt fashion?

Yes. Wherever possible we use managed infrastructure where these patches are applied automatically for us.

Are managed devices subject to periodic vulnerability scans?

Yes. We use XProtect to scan executables when they run, when they change, and when new signatures are made available. We also benefit from automatic MRT, SIP, Bastion, and XProtect Behavioural Analysis.

Are applications patched as soon as possible after vulnerabilities are discovered?

Yes

How often are applications patched?

At least weekly

How often are applications scanned for vulnerabilities?

At least weekly

Security Incident Response

How are alerts and suspicious activity monitored and managed?

Among other things, suspicious activity is logged to an audit trail database and redundancy log store, and alerts are emailed to the technical team. Unexpected resource usage levels are emailed to the technical team.

Has Court Form Pro suffered a data breach in the past?

No

Are all employees with access to sensitive data made aware of, and do they understand, their responsibilities?

Yes

Personnel

Are background verification checks performed for employees and contractors?

All new employees and contractors undergo background checks and identity verification.

Is photo identification of new employees and contractors done during the screening process as per Australian standards?

Yes

Are address history verification checks performed as per Australian standards?

Yes

Are all employees and contractors aware of their Information Security responsibilities?

Yes

© 2024 CFP Technology

Court Form Pro is a web application that helps family lawyers, and their support staff and clients, complete the Financial Statement / Form 13, for use in applications under the Family Law Act 1975 in the Federal Circuit and Family Court of Australia (FCFCOA) or in the Family Court of Western Australia (FCWA).