Select Page

Technical and Organizational Measures

Technical and Organizational Measures

According to Art. 32 GDPR

This document describes the technical and organizational measures implemented by Legito to meet legal and contractual requirements when processing the personal data of the individuals from the European Union according to GDPR.

The Legito measures described in this document shall meet the following Legito obligations:

  • the pseudonymization and/or encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The following measures apply to all data processing activities that are under the control of Legito, or where Legito is a data processor on behalf of another data controller if a separate agreement between Legito and the relevant customer does not say otherwise.

1) Access control

Access to the Legito IT systems is controlled by the use of User IDs (in particular, email addresses), passwords, and/or tokens. All User IDs and passwords are to be uniquely assigned to named individuals and consequently, individuals are accountable for all actions on the Legito’s IT systems. Employees or any third-party users are only granted access necessary to perform their activities.

All the access rights granted are reviewed regularly and in case of any change updated or withdrawn immediately.

Access to the network and its services is controlled by technical and physical security measures.  Remote access is controlled through identification and authentication mechanisms.

2) Physical access control

Access to the company’s facilities is physically restricted in a reasonable and appropriate manner. 

All network equipment (routers, switches, etc.) and servers located in the corporate office and in all facilities must be secured when no (Legito) personnel, or authorized contractors, are present.  Physically secured is defined as locked in a location that denies access to unauthorized personnel using multiple security equipment (CCTV, magnetic window locks, motion sensors). All the offices must remain locked after the last person leaves the office.

Access to the building is done through reception and only using a chip registered on the name of the employee. Dealing with visitors and deliveries also has its procedures and is mainly held by the landlord (reception of the office building).

3) Logical access control to processing systems

Every system used is equipped with a secure authentication mechanism. Procedures are used to authorize any access to the system using the need-to-know principle. For admin access, there are special procedures in place.

For authentication in the systems, a secure password policy is used. Also, an on-premise password manager to manage passwords for users is being used.

A “Clean table rule” is also implemented, all devices must be locked (screen lock) when leaving the workplace. Automatic activation of screen lock must be also turned on (in case of inactivity). 

4) User activity control

Every employee has to attend mandatory training on information security and data privacy on at least an annual basis. Participation in the training is recorded. Every new employee is trained on information security and data privacy policies relevant to them at the start of their employment. All important user activities are logged to the extent required, also administrative activities on systems are logged. Regular backups are performed daily.

5) Segregation control

Within the multitenant solution, it is ensured that all the data are separated logically and can’t be mixed up by any circumstances.

6) Data carrier and mobile device control

Personal data are stored only in secure locations that prevent access to it. No personal data are stored out of the data center where the system resides or internal cloud storage.

Individuals are allowed to use their mobile phones for access to the company’s communication channels (such as email) if such devices are protected by a password and the screen is automatically locked.

All the computers used must be encrypted.

Use of external data storage for customer data (USB, CD, etc.) is strictly prohibited.

7) Pseudonymization and anonymization

The system has a standard Anonymization feature that allows users with given permissions to irreversibly delete data. Other measures for pseudonymization/anonymization of personal data are implemented to the necessary extent.

8) Transfer and dissemination control

All the communication must be done using HTTPS protocol (and “TLS 1.2”). Monitoring and logging activities are also in place. The robust intrusion detection system is also being implemented while the system resides in the world’s leading data center with proven capabilities of securing the data.

To secure the data transmission a “data-at-rest” encryption and AWS Key Management Service are used.

All the services used in the company that is accessible via the internet or that are facing sensitive data must use secured encrypted technologies to prevent any data security threats in compliance with other established policies. All the testing environments are accessible only via an internal VPN.

9) Input control

Controls over who entered changed or removed what data are implemented. Systems used to collect or process personal data have their access categorized and recorded. A log of those actions for every workspace in the system is also in place.

10) Availability control

Database backups are stored on separate (non-production) servers. Data centers where servers reside are hosted by a leading service provider. Business continuity and Disaster recovery policies are also in place.

11) Recoverability

All user-level and system-level information maintained by Legito are backed up periodically. The backup media shall are stored with sufficient protection and under proper environmental conditions.

Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems. Additionally, backup media must be protected in accordance with the highest sensitivity level of information stored.

A process to verify the success of the Legito electronic information backup is implemented.

Selected backup copies of operating systems and other critical information system software are stored in the same location as the operational software.

The system backup information is provided with protection from unauthorized modification and environmental conditions.

Backups are periodically tested to ensure that they are recoverable. To confirm media reliability and information integrity, the backup information is tested at a specified frequency.

Backups are performed for each server location where Legito is running at the relevant local time.

12) Job control and subcontracting

The subcontractors are selected with the objective of ensuring that there are no risks in compliance with data protection objectives.

Depending on their role and access to personal or confidential data, subcontractors have to acknowledge and comply with Legito policies (confidentiality, data protection, security). All subcontractors are being periodically evaluated.

Legito also performs security checks on all of its employees prior to hiring them.

(13) Review, assessment, and evaluation

The entire Q&A team is established to perform manual and automatic testing of the system. Any potential technical vulnerabilities or errors are evaluated and a process to resolve them is established. Critical patches to the system and other applications in use are deployed when necessary.

The internal and external audit program is in place that covers regular system, IT security, process, and data protection processes.

See also the Security at Legito page.

Start Automating Now

October 2021 Release #2: Brand New Version of Smart Document Drafting

October 2021 Release #2: Brand New Version of Smart Document Drafting

This release took document drafting experience to the next level.

We heavily redesigned our document editor based on feedback we received from you – our users. Our intention was to provide a clear and intuitive user interface where users quickly get the actions they need. The ultimate goal of the redesign is faster and easier work with automated documents. No current feature was removed. All features in the current design will be kept in the new one. They will just be organized differently. And of course, we added many new features to the new design.

We have also released several large features that bring new possibilities to Legito’s Smart Documents (document assembly). 

1) Document Menu Bar

The Document Bar now stays docked to the top of the screen so you can always reach the commands that you need, from any place in the document. Legito looks at what you are doing and makes smart decisions about what you might need next, ensuring the most likely commands are prominent. You can still access the main commands (Save, Download, Sign, etc.) below the document in a similar way as you can now, if you are used to seeing them there.

Favorite Settings was removed from the View Tab and will be placed right above the document. It will be highlighted until a user chooses it.  

We reorganized the tabs a little. Languages were taken out of the View tab and are now in a separate tab called Languages. Track Changes and Versions (including the Compare feature) are now in the Review tab, which is where users of Word are used to seeing them. Import was split into two tabs based on the source.

Document Menu Bar Tabs:

  • View
  • Review
  • Languages
  • Import from Sheet
  • Import from Legito
  • Batch Generation
  • Approval List
  • Instructions

New features:

  • Context-sensitive Command (it changes to match the work you are doing)
  • Undo/Redo
  • Hideable Workspace Menu
  • Pin/Unpin


2) Smart Navigation & Quick Actions Side-Bar

We added a Smart Navigation & Quick Actions Side-Bar on the left side of the screen. The main purpose of this feature is to allow users to quickly navigate through the document, find empty inputs or errors (Warnings), and activate/deactivate the most popular modes such as Track Changes. Hover over the icons to see tooltips.

3) New & Improved Numbering

The new numbering feature for Legito Templates is similar to what you know from MS Word or Google Docs. It is a huge step forward towards having 100% the same formatting of documents in the internet browser as there will be in final Word/PDF documents.

Numbering for your automated Templates is managed in My Account => Settings => Numbering. Numberings defined here can be applied to each Template in your Workspace or any of its clauses.

As MS Word/Google Docs users are used to, numbering for Legito documents has two types.

  • Multilevel Lists: numbering for each level is different.
  • Numberings: numbering will be the same regardless of the level of a clause.

It’s possible to choose which of the Multilevel Lists will be the default for all Templates in the Workspace. The default Multilevel List is assigned automatically to all newly-created Templates as default one.

To change the default Multilevel List for a particular Template, open the Template Editor, go to the Template tab in the left menu and choose another Multilevel List.

You may also change numbering for each clause (or group of clauses) in the Contextual Menu (right-click on the clause or left-click on Actions). Go to the Numbering item and switch numbering to another Multilevel List or Numbering.

We migrated all your settings in the previous numbering to the new one.

4) Significantly Enhanced Warnings

Warnings are rebuilt from scratch. We went far beyond a request from our users to include “mandatory fields” in Documents/Forms. Enhanced Warnings are a much more powerful tool for Template authors: authors can now restrict what a user can do with the Template or Document generated from the Template.

It is possible to add Warnings to the following types of Template Elements:

  • Text Input: Several new Warning types were added, including Warnings for empty fields.  
  • Date: Several new Warning types were added, including Warnings for empty fields. 
  • Money: Several new Warning types were added, including Warnings for empty fields. 
  • Question: Warning if a user has or has not answered the question.
  • Select: Warning if a user has or has not selected any option.
  • Calculation: Warnings for empty fields added.

Warnings for Questions and Select where the user has not chosen the option shall be used in combination with the deactivated “Select first option” property.

It’s also possible to choose how the Warning shall affect the drafting/generation flow:

  • Notify only: Just notify a user about the issue
  • Prevent from Saving: Will not allow the user to create the first draft of a Document from the Template or new version of a Legito Document before the Warning is resolved.
  • Prevent from Exporting: Will not allow the user to download a Document and/or send a Document by email the first draft of a Document from the Template or new version of a Legito Document before the Warning is resolved.
  • Prevent from Signing: Will not allow the user to start a signing of a Document before the Warning is resolved.
  • Prevent from Exporting and Signing: Is a combination of the two above-mentioned points.

For example, you can use Warnings in your Template if you want to make sure that the first draft of your contracts created by anyone from your team contains the identification of contractual parties and the price is included before it’s signed.


5) Multiple Choice Questions and Selects

We added the possibility to choose multiple answers (options) in Questions and Selects.

All Question and Select Elements are by default single choice. To change a Question/Select to multiple-choice, go to Properties and activate the “Multiple Choice” property.

It’s possible to define how separators are used to format the output from each Multiple Choice Select:

  • Separator following each selected option except for the below-mentioned ones.
  • Separator following second to last (selected) option.
  • Separator following the last option.

Separators may be translated for all Template languages in the Translation mode of the Template Editor.

For example, the separators may be set as follows: 

“first option”, “second option”, “third option” and “fourth option”. 

6) Customization of Document Menu and Side-Bar

The document menu bar and the sidebar may be deactivated for each Template Suite. However, we strongly recommend keeping them active, except for minor use-cases where it is just a simple Form that users complete and then download the document. If the bars are deactivated, users won’t be able to use any feature contained in them except for Saving, Sharing, and Downloading the document.

The default tab of the Document Menu Bar may be customized for each Template Suite. It is possible to choose the default tab for:

  • Creating the first draft of a document from the template 
  • Reviewing document (creating the second and every subsequent version)


More From New Releases