This article covers Everlaw GovCloud policies for session timeouts, account expiration, and unsuccessful login attempts. It also addresses how to re-enable expired user accounts.
Important
This article is specific to federal Everlaw GovCloud organizations accessing Everlaw in the browser.
Session timeouts
Everlaw automatically logs federal Project Admins out after 15 minutes of inactivity. All other user types are logged out after 30 minutes. Inactivity refers to when a user is not directly interacting with the platform. Direct interaction includes most browser activity, such as applying review work or refreshing the page.
Passive or surface-level updates are not considered active user interaction and do not prevent session timeouts. Examples include a progress bar loading, a video playing, or slowly scrolling through a document in the review window.
Note
If a session times out while a progress bar is displayed (e.g. during a document upload), Everlaw does not stop the action happening in the background. You can leave Everlaw unattended while waiting for tasks like uploads to complete.
Unsuccessful login attempts
Users are allowed three consecutive invalid login attempts within a 15-minute period. Exceeding this limit results in a 30-minute account lockout.
Account expiration
Everlaw GovCloud accounts are disabled after 60 days of inactivity, which is stricter than the 90-day requirement from FedRAMP’s Moderate baseline (AC-2(03)).
Account activity is defined as logging into or out of Everlaw.
Authentication is monitored at the platform level, not at the project level. Expired accounts can be re-enabled via the user’s usual means of authentication. However, expired accounts do also result in the user’s removal from all projects. This project-level access must be restored by a Project Admin.
Note
Account expiration is Everlaw GovCloud specific; it does not happen to Commercial Cloud users.
Account expiration notifications
Users at risk of account expiration receive email notifications before their account expires at the following intervals:
- 1 month before expiration
- 1 week before expiration
- 3 days before expiration
- 1 day before expiration
A final email is sent when an account expires. This includes a list of all projects the user lost access to.
Expired accounts can be re-enabled via the user’s usual means of authentication and project access restored.
Project Admins receive an email notifying them of expired accounts. Unlike users, admins do not receive notification emails prior to an account's expiration.
Restore user access to projects
User access to projects can be restored at the project-level by a Project Admin.
Before you start: We recommend verifying that the user’s credentials are still valid. Otherwise, you may need to ask the user to reset their password or even create a new account following account restoration.
To restore a user's access to a project:
- Go to Project Management > Project Settings > Users.
-
Scroll to the table titled Expired Users.
-
Find the user you are looking for, and select the associated restore
button in the table row.
This opens the Restoring user dialog. - [Optional] In the Groups field, add or remove the user from groups, as needed.
- [Optional] In the Database permissions field, enter database permission, as applicable.
- In the Approving Admin field, enter your name as the approving Project Admin.
-
Select Restore User.
The user’s account is automatically restored and appears in the primary users table above.
Log out of your account
To manually log out of your Everlaw account, open the user menu from the Everlaw navigation bar. Then select Log Out.