Security

At Version Story, Inc, we know the security of your digital experience and data is of paramount importance. Security practices are deeply ingrained into our internal software development, operations processes, and tools. Our cross-functional teams strictly follow these practices to help prevent, detect, and respond to incidents in an expedient manner.

We keep up to date with the latest threats and vulnerabilities through our collaborative work with partners, leading researchers, security research institutions, and other industry organizations and regularly incorporate advanced security techniques into the products and services we offer.

This white paper describes the defense-in-depth approach and security procedures implemented by Version Story, Inc to secure the Version Story Application and its associated data.

About the Application

The Version Story Application helps lawyers, paralegals, and practice assistants compare and merge document versions via a set of modern cloud-based web services. The application also makes it easy to convert PDF files to Word, and vice-versa.

We offer the application as a standalone, browser-based service. We also provide an integration with our customer’s Document Management System (DMS), supporting both iManage and NetDocuments. This integration automates the comparison of numerous DMS document versions.

Certifications

We have obtained, are pursuing, or are maintaining several certifications in accordance with industry best practices. These include:

Application Security

Encryption

All documents on Version Story are encrypted over the wire via TLS and at rest via S3’s document encryption system (SSE-S3).

Version Story’s domains use TLS certificates provisioned by AWS Certificate Manager (ACM).

AWS ACM certificates use SHA256withRSA as their signature algorithm. SSE-S3 encrypts each object with a unique key. Additionally, it encrypts the key itself and rotates it regularly. SSE-S3 uses the block cipher 256-bit Advanced Encryption Standard (AES-256) to encrypt its objects and keys. AES-256 is the US federal government standard for data encryption and was originally established by the National Institute of Standards and Technology (NIST) in 2001. For more information on S3’s security practices, see here.

Penetration Testing

We undergo annual penetration testing conducted by Cacilian, LLC. Cacilian’s credentials include:

Insurance & Certifications

Cyber Insurance Policy Overview

Version Story maintains a comprehensive insurance policy, issued by CFC Underwriting Ltd., which provides coverage for matters pertaining to cybersecurity, data privacy, professional liability, and errors and omissions. As an additional benefit, the policy affords the utilization of CFC's Cyber Incident Response Team in the event of an exigent cyber-related incident.

Vulnerability Scanning

Version Story undergoes regular vulnerability scanning. In 2024, Version Story received a vulnerability scanning security score of 98 out of 100, reflecting a letter grade of A. The report further assessed that Version Story is on par with or better than industry averages for security best practices.

SOC 2

We work with Prescient Assurance as our SOC 2 auditor. We undergo routine audits by Prescient Assurance to maintain SOC 2 Type II security certification.