Our Commitment to Protect Our Client’s Personal Data:
We apply the standards of global privacy laws and regulations to all data which we process on behalf of our clients.

All information and data received by us from our clients when ordering the delivery of information governance, litigation support and other legal services from Legility:

  • is used only to deliver Legility services;
  • is processed, stored, reviewed and transferred only (i) in connection with the delivery of our services, (ii) at the direction and in accordance with the instruction of our clients, and (iii) if cross border, including from the EU/EEA to the United States, in compliance with applicable data privacy laws, including data protection agreements and transfer mechanisms established under GDPR by the EU Commission pursuant to Regulation 2016/679.

See Privacy Policy here.

I. Data Security Measures

Data security is a core commitment to our clients. Legility has implemented organizational and technical measures across our global organization designed to prevent the unauthorized access, use, alteration, or disclosure of data received from our clients to perform our services.

Security is a core value and function of our organization, lead by our expert Information Security (“InfoSec”) and Information Technology (“IT”) teams, and a shared responsibility by all at Legility. We have implemented administrative, technical and organizational measures to ensure our services, systems and facilities are secure for personal and confidential data, including that of our clients.

Legility’s data security program is designed to:

  • Protect the privacy, confidentiality, integrity, and availability of client data in our possession or control or to which we have access;
  • Protect against any anticipated threats or hazards to the privacy, confidentiality, integrity, and availability of client data;
  • Protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of client data; and
  • Safeguard information as set forth in any local, state or federal regulations by which Legility may be regulated.

Security Awareness and Training
Legility conducts regular mandatory employee security awareness training, which include training on how to comply with our information security program and promotes a culture of heightened security awareness.

Access Controls
Through our policies, procedures, and logical controls, we limit access to our information systems to properly authorized persons only and access is granted commensurate with the task and job duties to be performed. User access rights are monitored and adjusted when needed as a result of changes to job responsibilities or job status. Access rights are reviewed at regular intervals to ensure that the appropriate rights are allocated.

Physical and Environmental Security
We have implemented controls to ensure that access to physical facilities and servers at data centers is limited to properly authorized individuals. Typical data center controls include visitor screening, video surveillance, biometric and proximity scanners, dual-factor authentication, and mantrap, among other security measures. Environmental controls are in place to detect, prevent and control destruction due to environmental conditions and extremes.

Security Incident Procedures
We have established and maintain a security incident response plan and policy that outlines detailed procedures to be followed by our incident response team in the event of a security breach of any application or system, including those specifically associated with the processing, storage or transmission of client data. Our incident response team is trained to respond to incidents in real time and our plan includes communication protocols for alerting impacted parties. Root cause analysis and remediation are key components of our plan so that we continuously improve our processes and procedures.

Contingency Planning
We have developed and implemented a disaster recovery and business continuity plans and procedures for responding to an emergency or other occurrence, such as fire, vandalism, system failure, pandemic, and natural disaster that could compromise our systems and networks. These plans are reviewed and tested on an annual basis. We apply data backup and redundancy measures across critical systems as part of our disaster recovery procedures.

Audit Controls
Our IT and InfoSec teams maintain technical and procedural mechanisms to audit and promote compliance with our policies, including annual external third-party audits.

Data storage and Transmission Security; Encryption.
We maintain and apply encryption for client data in the delivery of our services in order to protect our data from unauthorized disclosure or access. Client data is encrypted at rest using a combination of NetApp NSE, NVE, and NAE storage encryption technologies. Client data is encrypted in transit using a combination of IPSEC and TLS1.2/AES256.

Secure Disposal
When our clients request the destruction of data, we use the cryptographic erasure method to securely and completely wipe data from our system. Data located on physical media is sent to an approved third party for secure destruction. As a standard practice, we issue certificates of destruction to each client upon completion of their request.

Dedicated/Assigned Security Responsibility
The development, implementation, and maintenance of our information security program is administered by a designated information security team. Roles and responsibilities for individuals with security responsibilities are clearly defined.

Testing and Monitoring
We regularly test the key controls, systems and procedures of our information security program to validate that they are properly implemented and are effective in addressing the threats and risks identified. We engage a third party to perform an internal audit of our ISMS, as well as to perform cyber security assessments. We conduct network and systems monitoring, including but not limited to the monitoring of error logs on servers, disks and security events for any potential issues, including:

  • Reviewing changes affecting systems handling authentication, authorization, and auditing; and Reviewing privileged access to production systems processing Confidential Information, among other processes consistent with industry best practices.

Change and Configuration Management
We maintain policies and procedures for managing changes Legility makes to its environment, including those production systems, applications, and databases processing client data. Those processes include a process for documenting, testing and approving the patching and maintenance of the covered service, and a security patching process that requires patching systems in a timely manner based on a risk analysis.

Vendor Management
Our InfoSec team follows our vendor management program guidelines, which incorporates a vetting process that includes conducting a risk assessments for each one of our vendors, including those used in the delivery of client services. Such assessments will include the performance of data transfer impact assessments where appropriate. Vendors are engaged through service contracts with an emphasis on confidentiality, and those vendors with whom we share client data at the request of our clients will be legally bound by data protection and data transfer agreements, as applicable.

Program Adjustments
To ensure that we have effective security measures in place and acknowledging a fast-changing landscape, we monitor, evaluate, and adjust, as appropriate, our security program considering:

  • Any relevant changes in technology and any internal or external threats to Legility or our clients’ data;
  • Security and data privacy regulations applicable to Legility; and
  • Legility’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

II. Data Processing Addendum

Click here to view Legility’s Data Processing Addendum.

III. Data Transfers – SCCs

Click here to view Legility’s Standard Contractual Clauses (SCCs). 


IV. Affiliates / Sub-processors

Legility and its affiliates (each a “Legility Group Affiliate”) are service providers who carry out our clients’ instructions and direction with respect to client data (including personal data). As such, we are the “processors” and our clients are the “controller” of personal data.

Client data transferred to a Legility Group Affiliate for the performance of services may be accessed by and shared with employees of another Legility Group Affiliated to the extent necessary for the delivery of certain service components. All Legility Group Affiliates operate under our global information security systems, apply the technical and organization data security measures outlined here, and comply with all applicable data protection requirements.

Legility Group Affiliates

Legility, LLC
216 Centerview Drive, Suite 250
Brentwood, TN 37027
Country of processing: USA

Legility Data Solutions, LLC
216 Centerview Drive, Suite 250
Brentwood, TN 37027
Country of processing: USA

Inventus, LLC
216 Centerview Drive, Suite 250
Brentwood, TN 37027
Country of processing: USA

Inventus Solutions UK Ltd.
18th Floor 100 Bishopsgate
London, EC2N 4AG
Location of processing: UK

Inventus Solutions GmbH
c/o Inventus Solutions
18th Floor 100 Bishopsgate
London, EC2N 4AG
Country of processing: Germany and/or UK

Only if and when instructed by our clients as part of ordering services from a Legility Group Affiliate will we share access with and may transfer client data to one or more of the trusted partners whose products and services form part of the solution and services ordered by our client.

A list of current sub-processors who our clients choose, and we use in the delivery of our services on a regular basis can be found here.