Introduction

Traditionally organizations have looked to the public cloud for cost savings, or to augment private data center capacity. However, organizations are now primarily looking to the public cloud for security, realizing that providers can invest more in people and processes to deliver secure infrastructure.

This paper outlines Platinum’s approach to security and compliance for our entire Digital Litigation Support offering and our premier suite of services used by organizations worldwide, from large enterprises and retailers with hundreds of thousands of users to law firms, corporations and government agencies. Platinum includes offerings in eDiscovery, document hosting, compute, storage, and archival. This whitepaper focuses on security including details on organizational and technical controls regarding how Platinum protects your data.

As a cloud pioneer, Platinum fully understands the security implications of the cloud model. Our cloud services are designed to deliver better security than many traditional on-premises solutions. We make security a priority to protect our own operations, but because Platinum runs its business on the same infrastructure that we make available to our customers, your organization can directly benefit from these protections. That’s why the focus on security and protection of data is among our primary design criteria. Security drives our organizational structure, training priorities and hiring processes. It shapes our data center solutions and the technology they house. It’s central to our everyday operations and disaster planning, including how we address threats. It’s prioritized in the way we handle customer data. And it’s the cornerstone of our account controls and our compliance audits.

Platinum IDS has not experienced a data breach in any of its operational hubs or data centers since establishment in 2001; while Law360 claims that more than 1 in 4 law firms were victim to some kind of data breach in 2021. We take security very seriously in everything we do.

Platinum: a Strong Security Culture

Platinum has created a vibrant and inclusive security culture for all employees. The influence of this culture is apparent during the hiring process, employee onboarding, as part of ongoing training and in company-wide events to raise awareness.

Employee background checks

Before they join our staff, Platinum will verify an individual’s education and previous employment and perform internal and external reference checks. Where local labor law or statutory regulations permit, Platinum may also conduct criminal, credit, immigration, and security checks. The extent of these background checks is dependent on the desired position. Background checks are performed in compliance to our policy: ‘HRS-02: Background Screening’.

Security training for all employees

All Platinum employees undergo security training as part of the orientation process and receive ongoing security training throughout their careers. During orientation, new employees agree to our Acceptable Use Policy (HRS-08: Acceptable Use Policy) and a strong non-disclosure agreement (HRS-06: Non-Disclosure Agreements) which highlights our commitment to keep customer information safe and secure. Depending on their job role, additional training on specific aspects of security may be required. For instance, the information security team instructs new team members on topics like secure data handling practices, project design and automated delivery tools. Team members also attend technical presentations that cover new threats, vulnerability patterns, forensic data integrity techniques and more.

Our designated security team

Platinum designates a team of security and privacy professionals who are part of our engineering and operations divisions. This team is tasked with maintaining the company’s defense systems, developing security review processes, building security infrastructure and implementing Platinum’s security policies. Platinum’s security team actively scans for security threats using commercial and custom tools, quality assurance (QA) measures and software security reviews.

Within Platinum, members of the information security team review security plans for all networks, systems and services. They monitor for suspicious activity on Platinum’s networks, address information security threats, perform routine security evaluations and audits, and welcome outside experts to conduct regular security assessments. Designation of our security team is documented in compliance to our policy: SEF-01: Contact / Authority Maintenance.

Internal audit and compliance

Platinum has a designated internal audit team that reviews compliance with security laws and regulations as they’re created. As new auditing standards are created, the internal audit team determines what controls, processes, and systems are needed to meet them. This team facilitates and supports independent audits and assessments by third parties. Currently, Platinum is aligned with the CCM v. 3.01 (Cloud Controls Matrix) but regularly reviews other internal compliance frameworks to determine if better frameworks or subsystems are available.

Operational Security

Far from being an afterthought or the focus of occasional initiatives, security is an integral part of our operations.

Vulnerability management

Platinum administers a vulnerability management system that actively scans for security threats using a combination of commercially available and purpose-built tools, quality assurance processes, software security reviews and external audits from our clients. The infrastructure management team is responsible for tracking and following up on vulnerabilities. Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The infrastructure management team tracks such issues and follows up frequently until they can verify that the issues have been remediated. Upon any threat to Platinum’s security, all surrounding policies and procedures are examined and updated where this risk can be mitigated in the future. Vulnerability mitigation is detailed in our policy: TVM-02: Vulnerability / Patch Management.

Malware prevention

An effective malware attack can lead to account compromise, data theft, and possibly additional access to a network. Platinum takes these threats to its networks and its customers very seriously and uses a variety of methods to prevent, detect and eradicate malware. Malware sites or email attachments install malicious software on users’ machines to steal private information, perform identity theft, or attack other computers. When people visit these sites, software that takes over their computer is downloaded without their knowledge. Platinum’s malware strategy begins with infection prevention by using manual and automated scanners to scour all stored content that may be vehicles for malware or phishing. Platinum makes use of antivirus engines for servers and workstations to help identify malware that may be missed by traditional antivirus signatures. Malware prevention is performed in compliance with our policy: TVM-01: Antivirus / Malicious Software.

Monitoring

Platinum’s datacenter security monitoring program is focused on information gathered from internal network traffic, employee actions on systems and outside knowledge of vulnerabilities. At many points across our network, internal traffic is inspected for suspicious behavior, such as the presence of traffic that might indicate botnet connections. This analysis is performed using a combination of open-source and commercial tools for traffic capture and parsing. A proprietary correlation system built on top of Google technology also supports this analysis. Network analysis is supplemented by examining system logs to identify unusual behavior, such as attempted access of customer data. Automated network analysis helps determine when an unknown threat may exist and escalates to Platinum’s security staff, and network analysis is supplemented by analysis of system logs. Platinum’s monitoring commitment is made in compliance to policy: IVS-01: Audit Logging / Intrusion Detection

Incident management

We have a rigorous incident management process for security events that may affect the confidentiality, integrity or availability of systems or data. If an incident occurs, the security team logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation and documentation. Platinum’s security incident management program is structured around the CCM guidance on handling incidents: SEF-02: Incident Management, SEF-03: Incident Reporting and SEF-04: Incident Response Legal Preparation. Key staff are trained in handling evidence in preparation for an event including the use of third-party and proprietary tools. Testing of incident response plans is performed for key areas such as systems that store sensitive customer information. These tests take into consideration a variety of scenarios, including insider threats and software vulnerabilities.

Technology with Security at Its Core

Platinum utilizes Google Cloud Platform which runs on a technology platform that is conceived, designed and built to operate securely. Google is an innovator in hardware, software, network and system management technologies. Platinum custom designs our servers and selects geographically distributed data centers. Using the principles of “defense in depth,” we’ve created an IT infrastructure that is more secure and easier to manage than more traditional technologies.

State-of-the-art data centers

Platinum’s focus on security and protection of data is aligned with Google’s primary datacenter design criteria. Platinum chooses Google as its sole datacenter provider. Google data center physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, biometrics and the data center floor features laser beam intrusion detection. Our data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are available in case an incident occurs. Data centers are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training. As you get closer to the data center floor, security measures also increase. Access to the data center floor is only possible via a security corridor which implements multi-factor access control using security badges and biometrics. Only approved employees with specific roles may enter. Less than one percent of Google employees will ever set foot in one of our data centers.

Secure operational facility

Platinum’s headquarters, our only brick-and-mortar facility is located in the heart of Downtown Dallas, Texas. The building is protected and monitored by CCTV. Security keypad access is required for entry into the facility and Platinum maintains its own CCTV network beyond the building’s capabilities. Platinum uses enterprise grade firewalling and highly secure point-to-point VPN transit technologies to access our secure datacenter infrastructure.

Powering our data centers

To keep things running 24/7 and ensure uninterrupted services; Google’s data centers feature redundant power systems and environmental controls. Every critical component has a primary and alternate power source; each with equal power. Additionally, diesel engine backup generators can provide enough emergency electrical power to run each data center at full capacity for 30 days or more. Cooling systems maintain a constant operating temperature for servers and other hardware, reducing the risk of service outages. Fire detection and suppression equipment helps prevent damage to hardware. Heat, fire, and smoke detectors trigger audible and visible alarms in the affected zone, at security operations consoles and at remote monitoring desks.

Environmental impact

Google reduces the environmental impact of running their data centers by designing and building their own facilities. Google installs smart temperature controls, uses “free-cooling” techniques like using outside air or reused water for cooling, and redesigns how power is distributed to reduce unnecessary energy loss. To gauge improvements, Google calculates the performance of each facility using comprehensive efficiency measurements. Google is the first major Internet services company to gain external certification of its high environmental, workplace safety and energy management standards throughout their data centers. Specifically, Google received voluntary ISO 14001, OHSAS 18001 and ISO 50001 certifications. In a nutshell, these standards are built around a very simple concept: Say what you’re going to do, then do what you say—and then keep improving.

Custom server hardware and software

Google’s data centers house energy-efficient purpose-built servers and network equipment. Unlike most commercially available hardware, Google servers don’t include unnecessary components such as video cards, chipsets, or peripheral connectors which can introduce vulnerabilities. Google’s production servers run a custom-designed operating system (OS) based on a stripped-down and hardened version of Linux. Google’s servers and their OS are designed for the sole purpose of providing secure infrastructure services. Server resources are dynamically allocated which allows for flexibility in growth, the ability to adapt quickly and efficiently while adding or reallocating resources based on customer demand. This homogeneous environment is maintained by proprietary software that continually monitors systems for binary modifications. If a modification is found that differs from the standard Google image, the system is automatically returned to its official state. These automated, self-healing mechanisms are designed to enable Google to monitor and remediate destabilizing events, receive notifications about incidents and slow down potential compromise on the network.

Hardware tracking and disposal

Platinum meticulously tracks the location and status of all equipment within its data centers from acquisition to installation to retirement and ultimately destruction. Video surveillance is implemented to help make sure no equipment leaves the data center floor without authorization. If a component fails to pass a performance test at any point during its lifecycle, it is removed from inventory and repaired or retired.

When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. Physical drives are then destroyed in compliance with our policy: DSI-07: Secure Disposal.

Google Cloud: A global network with unique security benefits

Google’s IP data network consists of their own fiber, public fiber, and undersea cables. This allows Platinum to deliver highly available and low latency services across the globe. We offer a public view into regional latency and downtime periods on our server performance status page. This resource demonstrates our commitment to performance; made possible by our close relationship with Google. In fact, our hosted platforms load 97% faster than all sites on the internet. This is a metric we’re extremely proud of.

In other cloud services and on-premises solutions, customer data must make several journeys between devices, known as “hops,” across the public Internet. The number of hops depends on the distance between the customer’s ISP and the solution’s data center. Each additional hop introduces a new opportunity for data to be attacked or intercepted. Because it’s linked to most ISPs in the world, Google’s global network improves the security of data in transit by limiting hops across the public Internet. This also reduces latency and the chance of interruption by a disaster event at one of the hops.

Defense in depth describes the multiple layers of defense that protect Google’s network from external attacks. Only authorized services and protocols that meet our security requirements are allowed to traverse it; anything else is automatically dropped. Industry-standard firewalls and access control lists (ACLs) are used to enforce network segregation. All traffic is routed through custom GFE (Google Front End) servers to detect and stop malicious requests and Distributed Denial of Service (DDoS) attacks. Additionally, GFE servers are only allowed to communicate with a controlled list of servers internally; this “default deny” configuration prevents GFE servers from accessing unintended resources. Logs are routinely examined to reveal any exploitation of programming errors. Access to networked devices is restricted to authorized personnel.

Securing data at rest and in transit

Data is most vulnerable to unauthorized access as it travels across the Internet or within networks. For this reason, securing data in transit is a high priority for Platinum. Data traveling between a customer’s device and Platinum’s Infrastructure is encrypted using HTTPS/TLS. When sending to or receiving email from a non-Platinum user, all links of the chain (device, browser, provider of the email service) have to be strong and work together to make encryption work. Platinum’s email systems have also been upgraded to RSA certificates with 2048-bit keys, making our encryption in transit for Cloud Platform and all other services even stronger. Perfect forward secrecy (PFS) minimizes the impact of a compromised key, or a cryptographic breakthrough. It protects network data by using a short- term key that lasts only a couple of days and is only held in memory rather than a key that’s used for years and kept on durable storage. Platinum’s system encrypts Cloud Platform data as it moves between our data centers on Platinum’s private network. All stored data is encrypted at rest.

Low latency and highly available solution

Platinum designs the components of our offering to be highly redundant. This redundancy applies to our server design, how we store data, network, Internet connectivity and the software services themselves. This “redundancy of everything” includes the handling of errors by design and creates a solution that is not dependent on a single server, data center or network connection.

Data Usage. Our philosophy

Platinum’s Cloud Platform customers own their data; not Platinum or Google. The data that customers put into our systems is theirs and we do not scan it for advertisements nor sell it to third parties. We offer our customers a detailed data privacy policy that describes our commitment to protecting customer data. It states that Platinum will not use client data for any purpose other than to fulfill our contractual obligations. Furthermore, if customers ask us to delete their data, we commit to deleting it from our systems within 30 days or less. Finally, we provide services that make it easy for customers to take their data with them if they choose to stop using our services without penalty or undue cost imposed by Platinum.

Data Access and Restrictions: Administrative access

To keep data private and secure, Platinum logically isolates each customer’s Cloud Platform data from that of other customers and users, even when it’s managed on the same physical server. Only a small group of Platinum employees have direct access to customer data. For Platinum’s employees, access rights and levels are based on their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Most Platinum employees are only granted a limited set of default permissions to access company resources, such as employee email and application administration frontends. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives as dictated through compliance with our policy: DCS-09: User Access. Approvals are managed by workflows that maintain audit records of all approvals. These control both the modification of authorization settings and the approval process to ensure consistent application of the approval

policies. An employee’s authorization settings are used to control access to all resources, including data and systems for Cloud Platform interfaces. Support services are only provided to authorized customer administrators whose identities have been verified in several ways. Employee access is monitored and audited by our dedicated security, privacy, and internal audit mechanisms.

For customer administrators and ‘power users’

Within customer organizations, administrative roles and privileges for Platinum’s platform are configured and controlled by the project owner, executed through the project management and hosted services groups. This means that individual client team members can manage certain services or perform specific administrative functions without gaining access to all settings and data. These abilities are limited to parameters aligned with our shared security goals.

Law enforcement data requests

The customer, as the data owner, is primarily responsible for responding to law enforcement data requests; however, like other technology and communications companies, Platinum may receive direct requests from governments and courts around the world about how a person has used the company’s services. We take measures to protect customers’ privacy and limit excessive requests while also meeting our legal obligations. Respect for the privacy and security of data you store with Platinum remains our priority as we comply with these legal requests. When we receive such a request, our team reviews the request to make sure it satisfies legal requirements and Platinum’s policies. Generally speaking, for us to comply, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law. Unless otherwise demanded by legal order, Platinum will communicate with the data owner when this kind of request is made.

If we believe a request is overly broad, we’ll seek to narrow it, and we push back often and when necessary. In some cases we may receive a request for all information associated with a customer account, and we may ask the requesting agency to limit it to a specific product or service. We believe the client deserves to know the full extent to which governments request user information from Platinum and to that extent, It is Platinum’s policy to notify customers about requests for their data unless specifically prohibited by law or court order. This kind of request will be handled by the

information systems team, in conjunction with inside counsel and in compliance with policy: SEF-01: Contact / Authority Maintenance.

Third-party suppliers

Platinum directly conducts virtually all data processing activities to provide our services. However, Platinum may engage some third party suppliers to provide services related to our services, including software and technical support. Prior to engaging third-party vendors, Platinum conducts an assessment of the security and privacy practices of third-party organizational policy to ensure they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Platinum will not share customer data with any 3rd party without consent from the data owner. Some third parties, such as consumable suppliers (office supplies, online vendors) are not background checked, as they do not have access to platinum’s offices or data pipelines.

Conclusion

The protection of your data is a primary design consideration for all of Platinum’s services and Google’s secure cloud infrastructure. Our scale of operations and collaboration with the security research community enable Platinum to address vulnerabilities quickly or prevent them entirely.

We believe that Platinum can offer a level of protection that very few litigation support providers or private enterprise IT teams can match. Because protecting data is core to Platinum’s business, we make extensive financial and labor investments in security, resources and expertise at a scale that others cannot. Our investment frees you to focus on your business and innovation. Data protection is more than just security. It’s about culture.

Platinum primarily uses Google’s Cloud Platform to deliver services to its clients. Google’s Cloud Platform provides a number of third-party certifications, detailed here. If any other cloud platform, datacenter or infrastructure provider is utilized in a commercial solution, it will be disclosed to the parties involved.

We require any alternative solution, such as AWS or Azure to provide third party validated configurations and current certifications that match our security and compliance standards for any service consumed regardless of its maturity. This includes systems used for research, development or utilized in a productized workflow or service.