Black Logo

Our site uses cookies to give you the best user experience and to collect and share information for analytics, advertising and personalization on this and other sites. Please select whether you consent to our use of cookies and related technologies (“Cookies”), as described in our Cookie Policy. You can return at any time from the same web browser to update your preferences. Please note that resetting your browser’s cookies will reset your preferences. You can control the use of some types of cookies through the Cookie Settings below, but note that if you choose to disable certain cookies, it may limit your use of certain features or functions on our services and websites.

Privacy Policy
Strictly Necessary Cookies

These cookies are required to enable core site functionality.

Functionality Cookies

Functionality cookies allow us to provide enhanced and more personalized content and features. In order to permit your connection our website, our servers receive and record information about your computer and browser, potentially including your IP address, browser type, and other software or hardware information. All of these features help us to improve your visit and assist in navigation of the sites’ features.

Analytics Cookies

We and our service providers may use analytics cookies, which are sometimes called performance cookies, to collect information about your use of our website, for instance, which pages you go to most. The information allows us to see the overall patterns of usage, help us record any difficulties users may have while using our website and can show us whether or not our advertising is effective.

Advertising And Targeting Cookies

We may use third party advertising and targeting cookies to correlate your use of our website to personal information obtained about you so that we may more clearly target the information we provide you to the specific items we think you will find interesting, based on your prior online activities and preferences. We also may use these cookies to deliver ads that we believe are relevant to you and your interests.

For more information, view our Cookie Policy

Data Security And Protection

Our Security Promise:
Data security is a core commitment to our clients. Legility has implemented organizational and technical measures across our global organization designed to prevent the unauthorized access, use, alteration, or disclosure of data received from our clients to perform our services.

Our Credentials:
We maintain industry leading certifications and, as part of our comprehensive information security program built on the ISO 27001 framework, our organization undergoes security and privacy testing by independent third-party auditors on an annual basis. Our data governance program includes a dedicated Information Security team, a Privacy Committee and we are proud of our ISO 27001 and Cyber Essentials Plus Certifications as well as our SOC 2 Type 2, HIPAA certifications. We have implemented procedures and protocols in support of GDPR and CCPA compliance and maintain ongoing compliance efforts. Our Inventus US subsidiaries are Privacy Shield Framework certified.

Our Commitment to Protect Our Client’s Personal Data:
We apply the standards of global privacy laws and regulations to all data which we process on behalf of our clients.

All information and data received by us from our clients when ordering the delivery of information governance, litigation support and other legal services from Legility:

  • is used only to deliver Legility services;
  • is processed, stored, reviewed and transferred only (i) in connection with the delivery of our services, (ii) at the direction and in accordance with the instruction of our clients, and (iii) if cross border, including from the EU/EEA to the United States, in compliance with applicable data privacy laws, including data protection agreements and transfer mechanisms established under GDPR by the EU Commission pursuant to Regulation 2016/679.

See Privacy Policy here.

I. Data Security Measures

Data security is a core commitment to our clients. Legility has implemented organizational and technical measures across our global organization designed to prevent the unauthorized access, use, alteration, or disclosure of data received from our clients to perform our services.

Security is a core value and function of our organization, lead by our expert Information Security ("InfoSec") and Information Technology ("IT") teams, and a shared responsibility by all at Legility. We have implemented administrative, technical and organizational measures to ensure our services, systems and facilities are secure for personal and confidential data, including that of our clients.

Legility’s data security program is designed to:

  • Protect the privacy, confidentiality, integrity, and availability of client data in our possession or control or to which we have access;
  • Protect against any anticipated threats or hazards to the privacy, confidentiality, integrity, and availability of client data;
  • Protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of client data; and
  • Safeguard information as set forth in any local, state or federal regulations by which Legility may be regulated.

Security Awareness and Training
Legility conducts regular mandatory employee security awareness training, which include training on how to comply with our information security program and promotes a culture of heightened security awareness.

Access Controls
Through our policies, procedures, and logical controls, we limit access to our information systems to properly authorized persons only and access is granted commensurate with the task and job duties to be performed. User access rights are monitored and adjusted when needed as a result of changes to job responsibilities or job status. Access rights are reviewed at regular intervals to ensure that the appropriate rights are allocated.

Physical and Environmental Security
We have implemented controls to ensure that access to physical facilities and servers at data centers is limited to properly authorized individuals. Typical data center controls include visitor screening, video surveillance, biometric and proximity scanners, dual-factor authentication, and mantrap, among other security measures. Environmental controls are in place to detect, prevent and control destruction due to environmental conditions and extremes.

Security Incident Procedures
We have established and maintain a security incident response plan and policy that outlines detailed procedures to be followed by our incident response team in the event of a security breach of any application or system, including those specifically associated with the processing, storage or transmission of client data. Our incident response team is trained to respond to incidents in real time and our plan includes communication protocols for alerting impacted parties. Root cause analysis and remediation are key components of our plan so that we continuously improve our processes and procedures.

Contingency Planning
We have developed and implemented a disaster recovery and business continuity plans and procedures for responding to an emergency or other occurrence, such as fire, vandalism, system failure, pandemic, and natural disaster that could compromise our systems and networks. These plans are reviewed and tested on an annual basis. We apply data backup and redundancy measures across critical systems as part of our disaster recovery procedures.

Audit Controls
Our IT and InfoSec teams maintain technical and procedural mechanisms to audit and promote compliance with our policies, including annual external third-party audits.

Data storage and Transmission Security; Encryption.
We maintain and apply encryption for client data in the delivery of our services in order to protect our data from unauthorized disclosure or access. Client data is encrypted at rest using a combination of NetApp NSE, NVE, and NAE storage encryption technologies. Client data is encrypted in transit using a combination of IPSEC and TLS1.2/AES256.

Secure Disposal
When our clients request the destruction of data, we use the cryptographic erasure method to securely and completely wipe data from our system. Data located on physical media is sent to an approved third party for secure destruction. As a standard practice, we issue certificates of destruction to each client upon completion of their request.

Dedicated/Assigned Security Responsibility
The development, implementation, and maintenance of our information security program is administered by a designated information security team. Roles and responsibilities for individuals with security responsibilities are clearly defined.

Testing and Monitoring
We regularly test the key controls, systems and procedures of our information security program to validate that they are properly implemented and are effective in addressing the threats and risks identified. We engage a third party to perform an internal audit of our ISMS, as well as to perform cyber security assessments. We conduct network and systems monitoring, including but not limited to the monitoring of error logs on servers, disks and security events for any potential issues, including:

  • Reviewing changes affecting systems handling authentication, authorization, and auditing; and Reviewing privileged access to production systems processing Confidential Information, among other processes consistent with industry best practices.

Change and Configuration Management
We maintain policies and procedures for managing changes Legility makes to its environment, including those production systems, applications, and databases processing client data. Those processes include a process for documenting, testing and approving the patching and maintenance of the covered service, and a security patching process that requires patching systems in a timely manner based on a risk analysis.

Vendor Management
Our InfoSec team follows our vendor management program guidelines, which incorporates a vetting process that includes conducting a risk assessments for each one of our vendors, including those used in the delivery of client services. Such assessments will include the performance of data transfer impact assessments where appropriate. Vendors are engaged through service contracts with an emphasis on confidentiality, and those vendors with whom we share client data at the request of our clients will be legally bound by data protection and data transfer agreements, as applicable.

Program Adjustments
To ensure that we have effective security measures in place and acknowledging a fast-changing landscape, we monitor, evaluate, and adjust, as appropriate, our security program considering:

  • Any relevant changes in technology and any internal or external threats to Legility or our clients’ data;
  • Security and data privacy regulations applicable to Legility; and
  • Legility’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

II. Data Processing Addendum

Click here to view Legility's Data Processing Addendum.

III. Data Transfers - SCCs

Click here to view Legility's Standard Contractual Clauses (SCCs). 


IV. Affiliates / Sub-processors

Legility and its affiliates (each a “Legility Group Affiliate”) are service providers who carry out our clients’ instructions and direction with respect to client data (including personal data). As such, we are the “processors” and our clients are the “controller” of personal data.

Client data transferred to a Legility Group Affiliate for the performance of services may be accessed by and shared with employees of another Legility Group Affiliated to the extent necessary for the delivery of certain service components. All Legility Group Affiliates operate under our global information security systems, apply the technical and organization data security measures outlined here, and comply with all applicable data protection requirements.

Legility Group Affiliates

Legility, LLC
216 Centerview Drive, Suite 250
Brentwood, TN 37027
Country of processing: USA

Legility Data Solutions, LLC
216 Centerview Drive, Suite 250
Brentwood, TN 37027
Country of processing: USA

Inventus, LLC
216 Centerview Drive, Suite 250
Brentwood, TN 37027
Country of processing: USA

Inventus Solutions UK Ltd.
18th Floor 100 Bishopsgate
London, EC2N 4AG
Location of processing: UK

Inventus Solutions GmbH
c/o Inventus Solutions
18th Floor 100 Bishopsgate
London, EC2N 4AG
Country of processing: Germany and/or UK

Only if and when instructed by our clients as part of ordering services from a Legility Group Affiliate will we share access with and may transfer client data to one or more of the trusted partners whose products and services form part of the solution and services ordered by our client.

A list of current sub-processors who our clients choose, and we use in the delivery of our services on a regular basis can be found here.