CLIENT RELATIONS ANNEX
By signing the ethical charter for an online law market and its actors (“the Charter”), the Signatories underline their commitment to promote quality client relationships in order to guarantee the development of the legal market and public trust. They undertake to implement the following principles for the benefit of their clients:
- Quality of service
- User-path simplicity
- Compliance with response times
- Client relations service
- Duty to provide appropriate information
The Signatories reaffirm their conviction that the relationship of trust between the actors of the online law market and their clients can be considerably strengthened by the adoption and application of these principles.
The Signatories undertake to provide advice and assistance to deliver to clients and users quality service along with the relevant information for decision-making.
Client satisfaction is the priority and must guide all actions and processes.
Article 1 – Scope of Application
Any person signing the Charter, or stating their compliance with it, undertakes notably to implement the means necessary to adopt and apply the principles laid down in this annex.
Article 2 – Quality of Goods and Services and Continuous Improvement
The Signatories undertake to offer quality products and services. Towards this purpose:
- They ensure that they have the support of competent professionals and subcontractors;
- They implement continuous processes for improvement in product design and manufacturing and in quality of service;
- They ensure, in the development of software solutions, that such continuous improvement relates in particular to the smooth operation of the software solution with regard to the advertised specifications.
Article 3 – Simplicity of the User-path
The Signatories acknowledge that the simplicity of the user-path is, for their clients, a significant advantage for the development of the online legal market. They therefore strive to implement the relevant means to facilitate and continuously improve the user-path.
Article 4 – Compliance with Response Times
The Signatories ensure that they offer reasonable response times both in respect of the delivery of their products or services and in the event of difficulties in accessing the service or a malfunction.
Article 5 – Transparency
Aware that clients need clear and complete information, particularly with regard to prices, services and products, the Signatories undertake to exercise full transparency in this respect.
In particular, the Signatories:
- Adopt a clear pricing policy;
- Specify, in an exhaustive manner, the details of each service, the specifications of each product and the delivery times;
- Provide an easily accessible entry point for any complaint;
- Provide the client with clear information regarding access to the entry point for potential complaints.
Article 6 – Client Relations Service
The Signatories offer their clients a client relations service to respond efficiently and promptly to any support request and to allow the clients to express and deal with possible dissatisfaction, in order to ensure the continuous improvement of products and services.
Article 7 – Duty of Information
The Signatories ensure that they offer formalized, simple and complete information to their clients for all of the points referred to in this annex. They ensure that the information is easily accessible and understandable.
By signing the Ethics Charter for an Online Legal Market and its Actors, the Signatories underline their commitment to information security. They undertake to implement the security provisions of this Annex.
This annex was developed by the AIDJ and OPEN LAW associations. It notably complies with:
- The various guides of good practices formalized by the ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information [National Cybersecurity Agency of France])
- The Guide of Best Practices for Computing by the CGPME
This annex to the Charter aims to establish public trust, including from the informed public, in the Signatories’ products and services and contribute to both the quality of the transition to new technologies and the promotion of these technologies.
The Signatories reaffirm their conviction that online legal services cannot develop without a clear set of rules of best practices, which represent both a necessary minimum standard and a specific guarantee for clients and partners of the Signatories.
Article 1 – Scope of Application
Anyone signing the ethics charter, or stating their compliance with it, undertakes to comply with the rules established in this annex.
The Signatories are aware that threats to information systems are numerous and in constant evolution and that this fact warrants the adoption of a security-oriented attitude towards their technology.
Article 2 – In-depth Security Principle
The Signatories undertake to institute security covering all aspects of their organization: human, organizational and technical.
This Charter offers a minimum level of security, based on best practices established by the leading organizations and in line with the sensitivity of the processed data and the strict obligations of Professional Secrecy which apply to law professionals.
To ensure an in-depth defense, the Signatories undertake to appoint a “Security Referent” within their organization, whose mission is to coordinate and ensure compliance with the security recommendations of this annex.
Article 3 – Compliance with the Legal and Regulatory Framework
The Signatories confirm that they comply with applicable regulations, including the Computing Systems and Freedom Act, the Law of 5 January 1998 known as the “Godfrain Act”, general security standards, protection of “IT assets”, intellectual property and Professional Secrecy obligations.
The Signatories also undertake to comply with the provisions of the EU Regulation No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
Article 4 – Security Monitoring
Signatories undertake to establish the monitoring of new threats to Information Systems in the context of their business.
The “Security Referent” of the Signatories shall subscribe, at least, to the CERT-FR alerts to stay informed of new vulnerabilities affecting their information systems.
The “Security Referent” ensures that identified vulnerabilities are handled.
Article 5 – Classification and Handling of Information
The Signatories undertake to classify the various types of information they handle according to their degree of confidentiality and to implement a sensitive data processing policy that best guarantees its confidentiality. This policy should specify how data is stored, deleted and transferred, and who has access to it, depending on its classification.
Any user data processed for purposes other than those for which it was provided (tests, statistics, etc.) must be anonymized beforehand.
Article 6 – Logical Access Management
The Signatories undertake to establish appropriate processes to ensure secured access to organizational resources.
1. A password policy should be implemented:
   - Passwords must be robust: a minimum of 8 characters (uppercase, lowercase, numbers and special characters). Administrator accounts shall have 12-character passwords;
   - Passwords should be changed every three months at least;
   - Passwords are non-transferable and personal;
   - Passwords are stored in an encrypted form;
   - Using a password safe is moreover recommended.
2. Access rights must be regularly reviewed: dormant accounts, or accounts belonging to former staff of the organization, must be systematically disabled. Access reviews must be performed at least once per year.
3. Connections to an information system should comply with state-of-the-art practices, as stated in ANSSI’s guides and the Guide des Bonnes Pratiques de l’Informatique [Guide of Best Practices for Computing] (ANSSI and CGPME).
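As an added illustration of the Article 6 password rules (this code is not part of the annex or of any Signatory's systems), the following checks a candidate password against the stated minimum lengths and character classes, flags passwords older than the three-month limit, and stores passwords as salted PBKDF2-HMAC-SHA256 records so that the clear text is never kept. Taking "three months" as 90 days and reading "stored in an encrypted form" as a salted iterated hash are this example's assumptions; the iteration count is also chosen here.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Minimum lengths stated in Article 6 of the annex.
MIN_LEN_USER = 8
MIN_LEN_ADMIN = 12
# "Every three months at least": taken here as 90 days (assumption; the annex gives no day count).
MAX_AGE_DAYS = 90
PBKDF2_ROUNDS = 600_000  # iteration count chosen for this example, not by the annex


def policy_violations(password: str, is_admin: bool = False) -> list:
    """Return the Article 6 rules that `password` fails (empty list = compliant)."""
    required = MIN_LEN_ADMIN if is_admin else MIN_LEN_USER
    problems = []
    if len(password) < required:
        problems.append(f"shorter than {required} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]
    return problems


def needs_rotation(last_changed: date, today: date) -> bool:
    """True once the password is older than the 90-day reading of 'three months'."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def store_password(password: str) -> tuple:
    """Derive a salted PBKDF2-HMAC-SHA256 record; only (salt, digest) is kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the record and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample values, not taken from the annex.
    print(policy_violations("Tr0ub4dor!"))                 # [] for an ordinary user
    print(policy_violations("Tr0ub4dor!", is_admin=True))  # too short for an administrator
    salt, digest = store_password("Tr0ub4dor!")
    print(verify_password("Tr0ub4dor!", salt, digest))     # True
```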
Article 7 – Data Storage
Data must be stored in an encrypted form and in secure facilities. The encryption protocol should be robust; 256-bit SSL encryption is recommended. The duration of storage and reprocessing of data must comply with applicable regulations.
Data files and any modification of their perimeter must be notified to the CNIL in accordance with the law.
Article 8 – Back-up and Restoration
Signatories undertake to back up their data at a frequency that they shall determine with regard to the needs of their users. Backups must be encrypted.
Restoration tests should be performed to ensure the proper preservation of data entrusted by users.
Article 9 – Secure Development
Application development should comply with the most recent secure development standards. Open source development is moreover recommended.
The development of web applications should comply with the OWASP ASVS standard. The ASVS level (1 to 3) shall reflect the sensitivity of the data that are to be processed through the web application.
It is also recommended to perform penetration tests and code audits on a yearly basis or after each significant update of the application.
Article 10 – Logging and Monitoring
Event logs must be stored and protected against the risk of tampering or unauthorized access. These logs must be kept for at least six months, unless stricter applicable regulations provide otherwise.
Article 11 – Protection against Malware
Signatories undertake to implement an anti-malware policy.
In accordance with the in-depth defense principle, various filtering mechanisms must be implemented: firewalls, proxies, antivirus, etc.
Article 12 – Security Principles regarding Third Parties
All contracts signed with third parties must bind that party to the same security provisions regarding the processing, storage, transfer of, and access to, data as the Signatory.
The Signatory should also include in the annex a right to audit the third party to ensure that it is in compliance with its data security obligations.
Article 13 – Data Transfer
Data transfers through web applications must be secured through SSL encryption.
Article 14 – Continuous Improvement and Activity Report
The Signatories undertake to continuously improve the security of their information systems.
They set out, in a yearly report, all measures implemented to guarantee the security of the client data they process and of their information systems. Where applicable, the report indicates the improvements made since the previous year.