15 Questions to Ask Your Contract Lifecycle Management Provider About Security
Contracts are one of the most valuable assets for a company. As data becomes increasingly digitized, the issue of security increases in importance every day. This is why it is essential to ensure a few things before choosing a contract management solution. First, the company developing the solution must be well aware of the issues and risks related to security and, above all, is able to ensure the safety of your contractual data.
In this article, we list the 15 questions you should ask your providers before choosing a contract management solution.
15 questions to ask your contract management solution to ensure your contract data is safe
1. Why should I be concerned about the safety of my contracts?
It seems to be quite an obvious question, but a good CLM provider should be able to answer your question.
Simply put: your contracts contain information about your organization’s obligations and those of your employees. This includes names, obligations, prices, deadlines, penalties, etc. This data is key to your business and you need to protect it. Therefore you need a digital safe.
2. What are today’s biggest cybersecurity threats?
According to the French newspaper Les Echos, the French authorities are expecting around 400,000 cyberattacks during the 2024 Olympic Games in Paris.
Nowadays, companies are increasingly targeted by cyberattacks, here are the top 3 most common ones:
Ransomware is when a company’s data is taken hostage by a hacker and a ransom is asked. For this to happen, a malicious program is usually hidden in the attachment of an email and when opened it attacks the device.
According to Sophos, the price of recovering stolen data reached an average of €130,000 in 2020.
These are emails that impersonate a private company or a person and are targeted toward a specific person or organization.
Here are some tips on how to protect yourself from these security threats:
- Always be wary of attachments that could be infected.
- Hover your mouse over links to see the source destination and pay attention to the spelling.
- If you have doubts about the sender of an email, contact them through another channel (i.e. phone)
- Hacking or data leaks
This can be internal or external, intentional or accidental. A data leak can be caused by a hacker infiltrating the computer network, but it can also be done by an employee.
3. Is your company certified? If so, to what extent?
The easiest way to find out if your contracts are safe is by choosing a certified service provider. Many providers only certify certain aspects of their business but advertise themselves as fully certified. The ISO/IEC 27001:2013 standard is international certification in the field of IT security along with ISO 27701:2019 which extends to privacy. In order to obtain this certification, a company must, among other things, make a clear and detailed inventory of what is done in the company in terms of security and make a plan in the event of a cyberattack.
More importantly, once the certification is obtained three audits are carried out over a three-year period. At the end of the three audits, the certification can be renewed, or not, if all standards are met.
✨DiliTrust is ISO/IEC 27001:2013 and ISO 27701:2019 certified, read this press release to find out more: Data Privacy and Security: DiliTrust certified ISO 27001 and ISO 27701
4. What are your compliance standards regarding sensitive data?
If security is key for you it should be the same for the contract management service provider you use. To give you an example the ISO certification mentioned above obtained by DiliTrust is proof that our company has implemented the best methods to protect the data of our customers and business partners.
Dilitrust follows a strict procedure when working with a new subcontractor and certain information are checked, such as :
- Are they ISO/IEC 27701:2019 or SOC 1-2-3 (Service Organization Control) certified?
- Do they comply with privacy guidelines? Do they store their data in the European Union?
- What are the company’s processes and methods for handling personal data?
🔒 This kind of procedure allows for strict monitoring of personal data.
5. Where will my contract data be hosted?
It’s always better if the data is hosted in the European Union, as EU Member States are subject to GDPR, which regulates the processing of personal data and citizens have more control over how their data is used.
DiliTrust is also present in Canada where data is hosted locally in highly secure and ISO-compliant servers. In the MEA our servers also abide by the highest security standards and are located in several locations in the Middle East and Africa, including Morocco. The data is also not subject to the US CLOUD Act.
6. How is my contract data protected?
Does your CLM provider encrypt their customer’s data, if so how?
Dilitrust encrypts all documents with a one-time use key for each document, an outsourced KMS system and decryption on our client’s workstations to avoid decoded transfers.
7. Is your company’s infrastructure certified?
We’re talking about your network, it is not uncommon for legaltechs to have one or several of the following certifications: ISO/IEC 27001:2013, SSAE16 SOC1, SOC2, SOC3.
8. Are you GDPR compliant?
GDPR is mandatory and applicable to all EU Member States, or to all businesses that process or store personal information of EU citizens.
📍 Good to know: Don’t hesitate to ask your chosen provider to send its privacy and personal data processing policy, as well as a list of authorized providers it works with.
9. Are your employees trained in information security and risk management?
Every employee should be trained on these subjects, after all, safety is a team issue. ISO/IEC 27001:2013 certification means that team members need to know the company’s information security policy, and objectives, as well as the roles and responsibilities of each individual.
10. Are there backups of my data?
It is crucial that security backups of your data are done regularly. This is important because you need to be able to recover your data in the state it was before being corrupted or lost, and it is also an extra layer of protection measures.
11. In the event of a cyberattack, what measures have been put in place and at what level?
The infrastructure is like the skeleton of information systems, made up of servers, networks, software and data. This is the starting point of security, ask your service provider about the measures they have implemented at the infrastructure level.
The next three questions are some specific questions you can ask about their infrastructure security.
12. Is the architecture multitier?
This is when an application is divided into several layers so that it can be more easily modified instead of disrupting the whole application as the tiers are independent from one another. You could visualize it as a rooms separated by fire doors to prevent the spread of a fire in the event of one (the fire represents an attack in this visualization).
13. Have you set up anti-flooding measures?
Flooding is when large amounts of obsolete data are sent to flood a network and make it unstable. Your service provider should have measures set up to avoid this.
14. Is there an intrusion prevention system?
An intrusion prevention system (IPS), is a system that analyses networks or systems and detects potential incidents such as cyberattacks and helps block them.
15. Which contractors does your CLM provider use?
Your chosen CLM should be able to provide you with a comprehensive list of all the contractors it works with.
✅ Good to know: To obtain ISO/IEC 27001:2013 certification a company’s contractors are also audited at the security level.
Want to see how DiliTrust’s CLM module boosts your productivity and keeps your contract safe? Ask for a demo!
👉 This could also interest you: