Clio and compliance protection mechanisms
Every year, Clio conducts a self-assessment to ensure that our processes, configurations, and control mechanisms comply with relevant legislation. As a Clio subscriber, your plans and offerings come with various protection mechanisms in place that ensure the security and integrity of your data, including the following:
- Data encryption in transit and at rest: Your data is secured both when it is being transmitted between devices or networks (in transit) and when it is stored on storage systems or servers (at rest). Encryption scrambles the data into an unreadable format, making it inaccessible to unauthorized users. This ensures that sensitive information remains protected from interception and unauthorized access, whether it is being transferred over networks or stored on servers or devices.
- Restricted access to production environment: This security measure ensures that only authorized personnel can access production data, reducing the risk of unauthorized access to the infrastructure.
-
Data backups performed multiple times per day: Data backups are conducted several times throughout the day, ensuring frequent and comprehensive protection of your information.
Note: Despite the security protection mechanisms in place, we recommend that you retain a local backup of your data. - Strict logical system access controls: Clio has stringent measures and protocols implemented to regulate and manage access to computer systems and networks. These controls are designed to ensure that only authorized individuals can access data or resources within the system.
- Mirrored data center facilities with daily backups to mitigate disaster situations: Mirrored data center facilities with daily backups offer extra protection against disasters. Data is copied to multiple centers and backed up daily, so even if one center fails, your information stays safe and operations can continue smoothly.
- 99.9% uptime Service Level Agreement. Take a look at Clio’s current status and uptime percentages here.
Clio’s products have configurable administrative controls available to our customers, including:
- Explicit authorization to read, download, and edit customer files.
- Monitor and track access to customer files.
- Reporting trail of account activities on both users and content.
- Formally defined and tested breach notification policy.
- Employee training on security policies and controls.
- Highly restricted employee access to customer data files.
Clio and British Columbia rules for trust accounting
Clio is unable to provide regulatory or legal advice; however, Clio clients in BC use our trust ledger report and QuickBooks to meet BC trust requirements.
Clio and the Law Society of Ontario
Clio is unable to provide regulatory or legal advice; however, law firms using Clio have been audited by the Law Society of Ontario and found to be compliant. Documenting all required paperwork in Clio has been found to be sufficient to meet compliance requirements.
Learn more about the Law Society of Ontario’s trust accounting rules.
Clio and PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a data protection law in Canada. PIPEDA is essential in ensuring the rights of individuals to control access to their personal information.
Clio’s product services and business operations meet PIPEDA requirements and our clients’ obligation toward data protection for Canadian residents.
Learn more about PIPEDA.
Clio and HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a federal United States law that sets standards for the protection of individuals’ medical records and other personal health information. You can learn more about HIPAA here.
While there is no official HIPAA certification, Clio completes an annual self-assessment of our processes, configuration, and control mechanisms to validate our compliance with legislation. Clio has also successfully completed an internal HIPAA attestation examination. This means that we store and process data in a manner that is consistent with HIPAA standards and can therefore help you fulfill your protected health information (PHI) obligations.
If your law firm is required to be HIPAA compliant, you can purchase Clio's HIPAA Add-on or Clio's Personal Injury Add-On. Clio can then enter into a business associate agreement (BAA) with your firm to help you better support your clients while protecting any electronic PHI data you may have. Contact Clio's support team or your account manager for more information. After you purchase one of the add-ons, your account's owner can accept the BAA in Clio Manage. The account owner can decline or ignore the in-app notification if your firm does not need a BAA with Clio.
Note: The HIPAA and personal injury add-ons are only available for US accounts.
Important: Clio will not accept any redlining or edits to the Clio BAA. The Clio BAA complies with all mandatory language and is taken directly from HIPAA regulations. Any additional terms and conditions would be unrelated to HIPAA and above what is required to comply with the Standards for Privacy for Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”).
Learn more about the Clio BAA, Clio’s North American Terms of Service, and Privacy Policy.
Accept BAA in Clio Manage:
- Go to Settings > Security & Compliance.
- Select the Compliance subtab.
- Select the All or Pending quick filter.
- Find the BAA and click Review & Accept.
- Review the BAA and then click Accept.
Clio and reporting security bugs or vulnerabilities
If you are aware of a valid security bug and/or security vulnerability on any Clio application (the mobile app, web app, and any add-ons), you can inform Clio's security team by completing Clio's responsible disclosure submission form here. Valid security vulnerabilities in any Clio application may be eligible for a reward. This includes novel discoveries, gaining additional illicit access, and OWASP Top Ten findings. Clio's security team will follow up with next steps within two business days of receiving the report.
Note: Reports that are not disclosed responsibly are not eligible for any reward.
Clio and data residency
For North American Clio accounts, Clio has a US server and a Canadian server. The Canadian server is a separate Canadian-based environment where firms in Canada who are subject to data residency requirements can create their Clio Manage accounts. If your firm is required to store some or all of your client data in Canada, you can store your data on the Canadian server.
If you are a new Clio customer located in Canada and want to store your data on the Canadian server, schedule a demo and contact your sales representative. Your sales representative will complete your account setup on Clio's Canadian server. If you are an existing Clio customer located in Canada and need to store your data in Canada, contact Clio's support team to switch to the Canadian server.