SECURITY ADDENDUM
Ourfirm.ai, Inc. Effective Date: October 23, 2025
1. Purpose & Relationship to the Agreement
This Security Addendum (“Addendum”) describes the technical and organizational measures (“TOMs”) Ourfirm.ai maintains to protect Customer Data processed under the applicable master terms (the “Agreement”). Capitalized terms not defined here have the meanings in the Agreement or the Data Processing Addendum (“DPA”).
2. Scope
This Addendum applies to Customer Data that customers upload to, receive from, or generate within the Services, including case files, notes, prompts/outputs, and account metadata.
3. Security Program
We maintain a documented, risk-based information security program designed to preserve the confidentiality, integrity, and availability of Customer Data; protect against anticipated threats; and meet legal and contractual obligations.
4. Governance, Risk, and Access Controls
- Governance & Policies. Written policies covering data handling, access, encryption, logging, incident response, vendor risk, SDLC, and acceptable use, reviewed at least annually.
- Risk Management. Annual risk assessments; remediation tracking; executive oversight.
- Access Control. Role-based access; least privilege; SSO/MFA for administrative access; timely access reviews; prompt revocation upon role change or separation.
- Segregation. Logical tenant separation of Customer Data.
5. Encryption & Key Management
- In Transit. TLS 1.2+ for all external connections.
- At Rest. Industry-standard encryption (e.g., AES-256) for storage and backups.
- Keys. Centralized key management; restricted access; rotation and revocation procedures.
6. Secure Development & Change Management
- SDLC. Code reviews, dependency scanning, and secret-leak detection.
- Testing. Pre-deployment testing in non-production environments with scrubbed or synthetic data.
- Changes. Documented approvals and rollback procedures for material changes.
7. Logging & Monitoring
- We generate security and application logs covering authentication events, administrative actions, Customer Data access, and system events. Logs are protected against tampering, retained consistent with our retention policy, and monitored with alerting for suspicious activity.
8. Vulnerability Management & Testing
- Scanning. Regular vulnerability scanning of applications and infrastructure.
- Penetration Testing. At least annually by qualified independent testers, with remediation tracking.
- Remediation Targets. Critical: 7 days; High: 30 days; Medium: 90 days; Low: risk-based.
9. Business Continuity & Disaster Recovery
- Backups. Encrypted backups with periodic restore testing.
- Objectives. Target RPO ≤ 24 hours and RTO ≤ 24 hours for core services.
- Resilience. Multi-AZ deployment (where available) and infrastructure as code for rapid rebuilds.
10. Personnel Security
- Background checks as permitted by law; confidentiality obligations; security awareness training at onboarding and annually; need-to-know access.
11. Vendor and Subprocessor Management
- Security and privacy reviews before onboarding; contractual security and confidentiality obligations; data processing terms; region alignment; ongoing monitoring. The current Subprocessor List is published at /legal/subprocessors.
12. Data Retention & Deletion
- Retention aligned to customer configuration and legal requirements.
- Customer-initiated deletion: upon verified request, we delete or de-identify Customer Data from active systems. Copies held in backups are not individually purged; they expire as backups age out on a rolling schedule.
- Upon termination, we delete Customer Data within standard timelines unless legally required to retain.
13. Incident Response & Breach Notification
- IR Plan. Defined roles, triage, containment, eradication, and post-incident review.
- Notification. We will notify the customer without undue delay and within 72 hours of confirming a Security Incident affecting Customer Data, including known facts, likely impact, and remediation steps, consistent with legal and law-enforcement requirements.
14. Customer Responsibilities
- Configure access controls appropriately; manage user accounts; classify and lawfully collect data; avoid uploading prohibited sensitive data unless expressly permitted; maintain your own device and network security.
15. Changes
We may update this Addendum to reflect evolving practices and legal requirements. Material reductions in protection will be announced in advance via the customer admin contact or posted notice.