Weagree's IT security measures and ISMS

Weagree IT security measures

We know how crucial security is to your organisation. We take your (and our) security very seriously. Therefore, our organisational and technical information security measures are of the highest level.

We are ISO 27001, ISO 27017 and ISO 27018 certified with all our operations and services in scope.

Our attitude. Our online presence should not be relevant for your use of the Weagree Wizard. However, also for our own purposes, we strive for perfection. Our websites, emails, DNS, and all that relates to it are monitored by several security services and protected by advanced firewalls.

SecurityScorecard = 99-100%. We are proud to have a score (“A”) higher than 99% at SecurityScorecard. Security scanning of our systems is not limited to SecurityScorecard: several other services are applicable, providing us (and you) multi-layered assurance.

ISMS and ISO 27001 certifications

Effective ISMS. We have implemented an ISMS and keep our Weagree Wizard to strict, high standards. From easy-to-configure access controls to secure storage and data delivery, we provide a solution with passion and care: you should be able to use the Weagree Wizard with true peace of mind.

Weagree has certifications of the ISMS, with a scope as broad as possible to cover all aspects of our operations and services, under:

ISO 27001: our ISMS relates to all our operations and is implemented (using a Confluence-based Instant 27001). It includes a full risk assessment, all policies, procedures and related measures, an operational monitoring plan, incident management, change management, (our) access controls and our registers,

ISO 27017: an extensive set of controls certifying that we enable you, our customers, through the Weagree Wizard, to comply with your IT security standards (incl. regarding data integrity, data retention and availability, segregation of networks, data encryption),

ISO 27018: the controls ascertaining our compliance with GDPR, and enabling you to comply with your GDPR requirements in using our application.

The ISO 27017 controls go well beyond ISO 27001 in that the latter would not necessarily provide you the (audited) certainty that your IT security requirements are properly covered. And indeed, it may imply that we need to enter into an SLA to agree on how precisely the Weagree Wizard must be configured or operating.


Services dedicated to you. Every customer has their own dedicated application, connected to their own dedicated (encrypted) database. Application-level and database-level caching is also customer-dedicated. The servers hosting the Weagree Wizard do not deploy or operate any other applications: maximised hardening.

User authentication

MFA and SSO. Customers can deploy SAML SSO (single sign-on) or the other popular 2FA authentication methods, including LinkedIn, Google and Outlook. You may configure and enforce password requirements.

AD-federated roles. Roles and user profiles in the Weagree Wizard can be federated, synced and managed through your organisation’s ADFS (or Azure).

Location of data, deployment options

Hosted in the Netherlands. By default, the Weagree Wizard is hosted in the Netherlands, in our subcontracted datacentre (near-tier 3, ISO 27001 and ISO 27017 certified, and audited for an extensive list of assurances under ISAE 3402 Type 2 (SOC2)).

On-premise + distributed hosting. If needed, on-premise hosting is possible. Weagree supports (on-premise) deployments across the globe in case your organisation is subject to data governance restrictions (assuring both a controlled distribution and localised storage of data, and syncing of your contract templates).

Access controls (user management)

The Weagree Wizard contains extensive capabilities to organise and manage role-based access.

Advanced RBAC user management. The Weagree Wizard is designed for large organisations (and yet, small teams are not left in a jungle of obscure options). Weagree includes easy-to-configure role-based access controls (RBAC) based on:

  • User groups (managing access rights)
  • Organisational units (filtering of visible contracts and data, along the matrix of your organisation’s business units and departments)
  • Information classification (access aligned to your organisation’s information classification policies, yet not uncontrolled)
  • Forced logout (after an end-user’s period of inactivity)
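The four controls listed above compose into a single access decision: is the session still live, is the contract inside the user's organisational-unit scope, does the user's clearance cover the contract's classification, and does any of the user's groups grant the requested action. The Python below is an added illustration of that composition and is not Weagree's code; the user, contract and policy shapes, the unit-path convention (`"group/sales/emea"` is a sub-unit of `"group/sales"`), the 30-minute idle timeout and all sample names are constructed assumptions.

```python
"""Illustrative RBAC decision combining user groups, organisational units,
information classification and forced logout after inactivity.

Added example, not Weagree's code. All names, values and data shapes are
hypothetical assumptions chosen to demonstrate the model described on the page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Tuple

# Classification ladder, lowest to highest (labels taken from the page's list).
CLASSIFICATION_RANK = {"internal": 0, "confidential": 1, "sensitive": 2}


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]       # user groups carrying access rights
    unit: str                    # organisational unit path, e.g. "group/sales/emea"
    clearance: str               # highest classification this user may see
    last_activity: datetime      # drives the forced-logout check


@dataclass(frozen=True)
class Contract:
    contract_id: str
    unit: str                    # owning organisational unit
    classification: str


@dataclass(frozen=True)
class Policy:
    idle_timeout: timedelta                       # forced logout threshold
    group_actions: Dict[str, FrozenSet[str]]      # group -> actions it grants


def unit_visible(user_unit: str, contract_unit: str) -> bool:
    """Org-unit filter: a user sees contracts of their own unit and its sub-units."""
    return contract_unit == user_unit or contract_unit.startswith(user_unit + "/")


def decide(user: User, contract: Contract, action: str,
           policy: Policy, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). The session check runs first so an idle user
    is logged out regardless of rights; the reason names the blocking control."""
    if now - user.last_activity > policy.idle_timeout:
        return False, "session expired (forced logout after inactivity)"
    if not unit_visible(user.unit, contract.unit):
        return False, "contract outside user's organisational unit"
    if CLASSIFICATION_RANK[contract.classification] > CLASSIFICATION_RANK[user.clearance]:
        return False, "classification exceeds user's clearance"
    granted = set()
    for group in user.groups:
        granted |= policy.group_actions.get(group, frozenset())
    if action not in granted:
        return False, f"no group grants '{action}'"
    return True, "allowed"


# --- constructed sample data -------------------------------------------------
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

POLICY = Policy(
    idle_timeout=timedelta(minutes=30),
    group_actions={
        "legal": frozenset({"view", "edit", "approve"}),
        "sales": frozenset({"view", "create"}),
        "integrator": frozenset({"view"}),
    },
)

ALICE = User("alice", frozenset({"legal"}), "group/legal", "sensitive",
             NOW - timedelta(minutes=5))
BOB = User("bob", frozenset({"sales"}), "group/sales/emea", "confidential",
           NOW - timedelta(minutes=5))
CAROL = User("carol", frozenset({"integrator"}), "group", "internal",
             NOW - timedelta(hours=2))          # idle for two hours

NDA = Contract("c-1", "group/sales/emea", "confidential")
MERGER = Contract("c-2", "group/legal", "sensitive")


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Evaluate a few requests so each control is exercised at least once."""
    return {
        "alice_approve_merger": decide(ALICE, MERGER, "approve", POLICY, NOW),
        "bob_view_nda": decide(BOB, NDA, "view", POLICY, NOW),
        "bob_approve_nda": decide(BOB, NDA, "approve", POLICY, NOW),
        "bob_view_merger": decide(BOB, MERGER, "view", POLICY, NOW),
        "carol_view_nda": decide(CAROL, NDA, "view", POLICY, NOW),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:22s} {'ALLOW' if ok else 'DENY '} {why}")
```

The ordering matters for both security and auditability: an expired session is refused before any data-scoped check runs, and each denial cites exactly one control, which is what a log reviewer wants when reconstructing why a request was refused.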

Access to features and functionalities. Virtually every Weagree feature or functionality can be activated and be granularly configured by creating user profiles or on an individual end-user basis. Access by your (external) integrators can be restricted. User profiles are also available for application managers, contract approvers and the junior co-workers of your external integrators.

You configure who, what, where. You manage who has access to your templates, clause library, contracts, e-signing, legal entities (own entities and Weagree CRM) and to your corporate housekeeping. End-users may invite their customers, clients, suppliers and business partners as ‘guest users’ but are subject to authorisations and access rights configured by you on the portal level. End-users can be registered with an access-expiry date.

Segregation of networks. Just as customer portals are segregated and their hosting is not used for any other purpose, we have segregated our internal operations: our team members are only granted access to your instance of the Weagree Wizard if you have granted access, or otherwise on a clear need-to-access basis.

Cryptography, data storage and transit

Everything is encrypted. All your contracts and data are encrypted at rest in our database and encrypted in transit via HTTPS (incl. API transit). Contracts (and contract-related files) stored on our servers are encrypted at data level (incl. individual contract files).

Encryption keys. Our use of encryption techniques follows the latest best practices.

External storage (CMIS). The Weagree Wizard has extensive API-integration options enabling you to store all your contracts and contract-related files externally (and to retrieve and organise these files from there within the Weagree Wizard). Thanks to deploying the CMIS standard, numerous external repository applications, DMSs and archives are supported (incl. SharePoint, iManage).

The configuration options for external storage allow differentiating between the precontractual (contract creation and negotiation) stage, the post-signing stage (CLM) and entity management. Moreover, on an individual contract entry it is possible to configure or API-populate other storage or contract-related URLs.

Data protection (GDPR-compliance)

GDPR-configuration options. The Weagree Wizard contains comprehensive functionality enabling your organisation to continue to comply with GDPR. This includes functionality to optimise for:

  • Data retention periods (granular, depending on the contracting stage and the type of contract or type of contracting party)
  • Data integrity (prevention of inadvertent deletion of a contract, a CLM contract sheet, a contracting party or an end-user)
  • Information classification (internal, confidential, sensitive)

Weagree as your GDPR register. The Weagree Wizard can also be used as your (complete) GDPR-compliant register. Accordingly, the Weagree Wizard enables you to:

  • Create, have e-signed, manage and monitor your Data processing agreements (DPA)
  • Maintain a register of all security officers and data protection officers of all your data processors (and of their subcontractors)
  • Register all processing activities across your organisation, as well as their nature or purpose of processing, any processing-related services, categories of data subjects, (potential) recipients of processed data
  • Maintain a register of (your qualification of the adequacy of) all data processors’ organisational and security measures
  • Register any deployed or applicable border-crossing transfer mechanism (and details of the data importer and data exporter)
  • Maintain a list of public authorities for reporting any (suspected) data breach, as well as each processor’s ultimate breach notification period
  • Receive e-mail alerts for any required action or deadline,

as required under GDPR (EC Regulation (EU) 2016/679) or any ‘equivalents’, including the English Data Protection Act 2018, the California Consumer Privacy Act of 2018 (CCPA) or California Privacy Rights Act of 2020 (CPRA), and the Australian Privacy Act 1988 (as amended up to 2021).

Logging, reporting and audits

Logging ‘everything’. All actions, both by any user or admin in the Weagree Wizard and by us in supporting our customers (including outside the Weagree Wizard in our day-to-day business applications), are recorded. Log files do not contain personal data.

In-app reporting functionality. Note that the Weagree Wizard contains various reporting options:

  • Usage (end-user logins)
  • Number of contracts created or managed of any type, with numerous differentiation options (e.g. per user group, per organisational unit, per contract template, per CLM contract sheet, per selected risk levels, for specific end-users, e-signing status, precontractual vs. post-signing)
  • Average time required to create, approve or reject, e-sign, register and follow up on any contract or contract request
  • Adoption of contract playbook policies (Q&A answers given)
  • Average contract value
  • Contracted risks (differentiating for the risk levels and types of risks)

The above reporting options can be fine-tuned for defined periods of time, user groups, types of contract, or CLM contract sheet (and in any combination).

SLA optionality. We are willing to enter into a Service level agreement (SLA) in which we agree on applicable service levels and any periodical reporting requirements. Upon request from time to time, we are willing to report on the availability of our services to you (downtime), any recorded irregularities, any incidents in relation to your instance of the Weagree Wizard, and other matters relevant to you.

Audit rights. Logging of the Weagree Wizard can be made available to customers (fair use and on reasonable notice). In our Data processing agreements and furthermore, on an individual basis, we are willing to agree that customers and their regulatory supervisory authorities are entitled to audit our (and our subcontractors’) compliance with the laws to which we are subject, subject to reasonable prior notice.

Infrastructure and segregation of networks

Hosting at ISO27001, ISO27017 and ISAE 3402 type 2 (SOC2). Our hosting provider makes a sport out of perfecting security management and enforcing comprehensive security controls. And so do we. Our hosting provider (and datacentres) are of course certified for ISO 27001, ISO27017 (and ISO 27018), and audited for extensive assurances under ISAE 3402 Type 2 (SOC2).

Segregation of networks. Your instance of the Weagree Wizard is strictly segregated from the instances of other customers: both the application and its database. (The database is located on a different server, accessible only from within the application.)

Continuous SOC-monitoring. The infrastructure on which the Weagree Wizard operates is monitored 24/7 for any suspicious behaviour. The Weagree Wizard is protected by a virus scanner and an application firewall. Moreover, all usage of the Weagree Wizard is continuously monitored by an ISO 27001-certified SOC-aaS (Security Operations Centre as-a-service).

Secure development and testing

Vulnerabilities. Our servers and open-source packages are frequently tested for security vulnerabilities and kept up-to-date. We usually respond to and remedy vulnerability threats and published security concerns before our customers’ information security officers (CISO) or security departments notify us. (And we do not have the least professional officers amongst them – it is a team sport.)

Software development. We have implemented a comprehensive software development process. We have the Weagree Wizard pen-tested at appropriate intervals and in connection with major releases. Changes and additions to the source code are peer-code-reviewed and the source code is stored and managed securely. We have implemented an adequate DTAP release process, as well as an upgrade-release process to manage any inadvertent irregularities or inconveniences.

Error-reporting. Needless to say, we have implemented and operationalised comprehensive policies to monitor and address any irregularities (incl. application errors) on your production instance of the Weagree Wizard.

Responsible disclosure policy. We have adopted a responsible disclosure policy.

Business continuity, backups

Managed backups. Your contracts and data are backed up at least every 24 hours (both at the server level and at the customer-portal level, using ISO-certified best practices). This enables your organisation to restore a previous state (not only in the context of a disaster recovery need, but also if you managed to destroy any of your valuable data).

Incident management and change management. Both our hosting service provider (datacentre) and we (for our operational procedures) have implemented an operative and actively monitored ISMS. Part of it is a comprehensive incident management process and change management process.

Your exit (post-termination migration)

Data exports. The Weagree Wizard enables you to smoothly exit. Authorised end-users (or admins) can:

  • Create all-options documents of each automated contract (even differentiating for the main parameters (global questions) reflected in your automated contract templates)
  • Export all contract entries, all Q&A-driven contract data, all CLM contract data, all own parties and all other parties
  • For any reporting-configured option, you can export the report (Excel or through the API)

Onboarding (importing external CLM). We do not only facilitate your exit but also your entry: the Weagree Wizard contains advanced migration tooling enabling you to import foreign CLMs, any manual contract-data spreadsheets, exports from third-party entity management data, as well as the related contract (files) or the links to your non-Weagree repositories and storage locations.
