As a result of the flood of innovation in note-taking and task-centric apps since Evernote’s inception, there’s a large concern for lawyers in storing attorney-client and privileged information. While I know a lot of lawyers who choose to leverage their apps for everything except client work, it’s still important to know how your data is being stored, encrypted, backed up, replicated and secured. And it’s equally important to know how to get your data out of the app should you choose to move it elsewhere.
Questions to Ask About That Note-Taking App
Before you sign up for the “next big thing,” here’s a list of questions you want to ask the developers about the security of your data. If you’re already using a note-taking app and haven’t asked these question, better stop and ask!
Are you using your own data center for storing data or Amazon AWS? If they’re using Amazon AWS, you’re good to go. Amazon’s infrastructure is pretty amazing. They’re open to what their network architecture looks like, how they secure your data, and how they maintain compliance. If they’re not using AWS, you’ll want more details.
Are the data centers ISO 27001 and SOC 2 certified? ISO 27001 is the gold standard in international security standards. As a general rule of thumb, any time you store your data in a cloud service (also known as IaaS or SaaS), you want to make sure they’re taking data security seriously. It doesn’t get more serious than having the seal of approval from the ISO committee. There’s a lot of money and time that must be invested to get this certification. In addition, being SSAE 16 (SOC 2) certified also helps give you assurances as to the security, availability, integrity and confidentiality of your data.
Do you have a data backup and retention policy in place? If so, please provide. In other words, if their system crashes completely, has your data been backed up so that you know it hasn’t been lost forever? The standards for data backup and retention are really part of what they must do to be either ISO 27001 or SOC 2 certified. They should quickly be able to show you the documentation they are required to have on file.
Is the data encrypted? If so, is it encryption “at rest” or “in transit“? So, this is a complex topic I’ll break down for you like this: “data at rest” means that your data is protected through encryption technologies when it is at “rest” — that is, not moving through networks. For example, when you create a Word document on your laptop it is at “rest,” but once you send that Word document in an email, it’s now in “transit.” As it relates to your note-taking and productivity apps, you want to be sure that your data is encrypted in transit when it leaves the company’s servers.
Is there a difference in security levels between free and paid options? I’ve seen apps that differentiate in security protocols between their free and paid versions. In other words, if you pay, you get increased security. If you love the app, pay the monthly subscription.
What methods do I have to export my data out of the app? This is huge. We spend all this time, hoping the app we have called our trusted system will always stick around, be financially viable, and have a sustainable business model. But we never really think about the “what if?” Do you know the exit strategy if you ever want to export your data?
Let’s be clear about one thing: Free is not a sustainable business model. Your investment of your most precious data — your next actions and projects — can ultimately be an investment in a fool’s stock. From the moment the venture capital dries up — with no revenue streams in the foreseeable future, and no export strategy that provides you with data you can use elsewhere — your productivity will take a nosedive, leaving you worse off than you were before you used the app. Paid apps are not free from this danger, though you have less reason for concern. At least with a paid model you’re helping to fund the developer.
So ask about exporting: If you can only export as a JSON format (i.e., Trello), HTML (i.e., Evernote) or PDF, it’s not very helpful. Ideally, you want to be able to export your data as a text file (.TXT), or be able to move the data over to some other useful format. (CloudHQ, for example, actually allows you to migrate data from Evernote to Google Docs and properly brings over all of the attachments from each of your notes).
Knowledge Will Keep You Safe
Don’t worry — you don’t need a degree in security or network architecture to understand all this. Knowing to ask these key questions will not only help you stay productive, they’ll give you the control and confidence that your thoughts are protected and always available!