Security
Security is built into the Duff Cloud Services platform from the ground up. DCS runs on Microsoft Azure and takes a defense-in-depth approach: encryption in transit and at rest, hosted payment processing, least-privilege access control, and append-only audit logging. This page describes the controls we actually operate today.
Security at a glance
Encryption in transit
All traffic is served over TLS 1.2+ enforced at Azure Front Door, with HTTP automatically redirected to HTTPS. There is no unencrypted opt-out.
Encryption at rest
Data is stored in Azure Table and Blob Storage with 256-bit AES encryption at rest via Azure Storage Service Encryption (Microsoft-managed keys).
Payments
Card payments are handled by Stripe (PCI-DSS Level 1). Card details are entered into Stripe's hosted fields — DCS never sees or stores raw card numbers.
Access & identity
Portal sign-in uses Google OAuth 2.0 with per-site role-based access (Owner / Editor / Viewer). Service-to-service calls use Azure managed identities — no static credentials.
Audit logging
Sign-in, agreement acceptance, waiver signing, and sensitive-form access are written to an append-only audit log with actor, timestamp, and IP address.
HIPAA-aligned
For healthcare-category services, DCS masks protected health information from emails, SMS, push, and kiosk displays, and offers a Business Associate Agreement. DCS is not a certified electronic medical record system.
Platform & network
Network security
- Azure Front Door with Web Application Firewall (WAF)
- Platform-level DDoS protection
- Endpoint-specific rate limiting on sensitive routes
- Tenant data isolated by per-site storage partitioning
Protect your account
- Enable multi-factor authentication on your Google account
- Use strong, unique passwords or a password manager
- Review your account activity and access logs
- Follow least-privilege when inviting team members
Vendor & attorney due-diligence summary
Professionals — including attorneys, who have an ethical obligation under ABA Model Rule 1.1 to understand the technology they use — often need technical detail to evaluate a vendor. This section provides the details your IT or risk reviewer needs to assess DCS.
Transport Security
All traffic to DCS customer sites and the portal is served exclusively over TLS 1.2+ enforced at Azure Front Door. HTTP requests are automatically redirected to HTTPS. There is no opt-out path for unencrypted transport.
Encryption at Rest & Integrity
All client data — including form submissions, contact records, and uploaded files — is stored in Azure Table Storage and Azure Blob Storage with 256-bit AES encryption at rest, managed by Azure Storage Service Encryption (SSE) with Microsoft-managed keys. Signed liability waivers are hashed (SHA-256) at the moment of signing and version-locked, so any post-signature alteration is detectable.
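An added illustration of the hash-at-signing check described above, showing how a stored SHA-256 digest exposes a later change to either the waiver text or its version. This is not DCS's code: the field names, the canonical JSON encoding and the sample waiver are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Hypothetical set of fields covered by the signature-time hash.
SIGNED_FIELDS = ("template_version", "signer", "signed_at", "body")


def waiver_digest(record: dict) -> str:
    """SHA-256 over a canonical encoding, so key order cannot change the hash."""
    covered = {name: record[name] for name in SIGNED_FIELDS}
    canonical = json.dumps(covered, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def sign_waiver(template_version: str, signer: str, signed_at: str, body: str):
    """Build the signed record and return it with the digest to store separately."""
    record = {
        "template_version": template_version,  # version-locked at signing
        "signer": signer,
        "signed_at": signed_at,
        "body": body,
    }
    return record, waiver_digest(record)


def verify_waiver(record: dict, stored_digest: str) -> bool:
    """True only if every covered field is present and unchanged since signing."""
    try:
        current = waiver_digest(record)
    except KeyError:
        return False  # a covered field was removed after signing
    return hmac.compare_digest(current, stored_digest)


if __name__ == "__main__":
    # Constructed sample waiver, not real data.
    rec, digest = sign_waiver("v3", "alex@example.com", "2024-05-01T14:03:22Z",
                              "I release the operator from liability.")
    print("intact:", verify_waiver(rec, digest))
    edited = dict(rec, body="I do not release the operator from liability.")
    print("edited body:", verify_waiver(edited, digest))
    print("swapped version:", verify_waiver(dict(rec, template_version="v4"), digest))
```

The check only holds if the stored digest lives somewhere the party editing the record cannot rewrite it, for example an append-only log.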
Access Control Model
Portal access is authenticated through Google OAuth 2.0. Role-based access control (RBAC) is enforced per site: Owner, Editor, and Viewer roles limit what actions each team member can take. Global administrative access is restricted to named DCS accounts. Form submissions marked as sensitive (such as legal intake forms) log every access with user ID, timestamp, and IP address in an append-only audit log, and their contents are never included in notification emails.
Audit Logging
DCS maintains structured audit logs for: portal login events, form submission access, waiver signing and access, Business Associate Agreement execution, Terms of Service acceptance (with IP address and timestamp), and administrative actions. Audit log entries are append-only. DCS targets a 7-year minimum retention for agreement and waiver records, consistent with ESIGN expectations, and can export them on request for regulatory review.
Subprocessors
DCS uses the following third-party subprocessors that may have access to client data:
- Microsoft Azure — primary cloud infrastructure (compute, storage, CDN, Front Door, Key Vault). Data centers in the United States.
- Stripe — payment processing for revenue-enabled sites. Stripe is PCI-DSS Level 1 certified. DCS does not store raw card data.
- Microsoft Graph / Google Workspace — email delivery (via Microsoft Graph API for transactional notifications) and Google OAuth 2.0 for authentication.
- Anthropic Claude — AI content drafting features (optional). When used, content prompts may be transmitted to Anthropic's API. No client submission data is included in AI prompts.
Data Retention
Form submissions, waiver records, and agreement audit events are retained for a target minimum of 7 years (consistent with ESIGN Act expectations). Client-uploaded files in blob storage are retained for the duration of the customer relationship plus the applicable retention window. Portal users and site administrators may export their data at any time from the portal. Upon contract termination, DCS provides a 30-day data export window before deletion.
Breach Notification Commitment
In the event of a confirmed data breach affecting your data, DCS will notify affected customers without undue delay and within 72 hours of confirmed discovery, consistent with GDPR Article 33 timelines and applicable US state breach-notification laws. Notification will include: the nature of the data affected, the approximate number of records involved, the likely consequences, and the measures taken or proposed to address the breach.
Request a vendor security package
If your IT department, bar-association committee, or risk-management team requires additional documentation — including an infrastructure overview or a completed vendor security questionnaire — contact us and we will provide it.
Report a security issue
If you discover a security vulnerability, please report it to us right away. We appreciate responsible disclosure and will work with you to address issues quickly.