SOC 2 Type II
A SOC 2 Type II examination is underway. The report will be available under NDA once the observation period concludes.
Trust Center
Encryption, attorney-client privilege, and per-firm isolation, built into the platform and documented for your security team.
AES-256 at rest · Per-firm isolation · No training on client data
Overview
OurFirm.ai is an AI litigation workspace built for record-grounded work. Encryption, attorney-client privilege, and per-firm data isolation are architectural commitments — not features bolted on afterward. Every claim here maps to a control we operate or a document we can share under NDA, and where a certification is still in progress, we say so.
Compliance
Where an examination is complete, the report is available under NDA. Where one is in progress, we label it as such.
Our SOC 2 Type I report is complete and available for your security team to review under a mutual NDA.
A HIPAA-aligned Business Associate Agreement is available, and we have executed BAAs with our AI subprocessors.
Our Data Processing Addendum is aligned to GDPR and CCPA and governs how personal data is processed.
Platform Security
The controls that protect client data in transit, at rest, and in use — enforced by architecture and contract, not policy alone.
TLS 1.3 protects data in transit. AES-256 protects data at rest. No exceptions for AI traffic.
Per-firm, per-attorney, and per-conversation isolation. Your data is never co-mingled with another firm's.
Client documents never train any AI model. Enforced by BAAs with Anthropic and OpenAI, with zero data retention beyond session for inference.
Granular role-based permissions govern who can see and do what, with full audit logging of access and activity.
Compute runs on AWS EKS (Kubernetes) across multiple availability zones, with a 99.9% SLA and multi-region failover.
Data is purged within 24 hours of a deletion request, fully auditable. We analyze usage metadata to run the platform — never the substance of your documents.
Attorney-Client Privilege
OurFirm.ai was designed with attorney-client privilege in mind, and specifically post-Heppner v. United States (Feb. 2026) — the first federal ruling to address privilege in the context of AI-assisted legal work.
Client communications stay within the attorney's controlled environment. Per-firm isolated data pipelines keep matters separate, and client data never enters an AI provider's training pipeline.
BAAs with both Anthropic and OpenAI prohibit model training on your data, with zero retention beyond session for inference — enforced by contract.
Reports & Documents
Your General Counsel, IT security team, or malpractice carrier can review the full package under NDA through our Trust Center.
Our MSA, with custom redlines accepted for enterprise clients.
The full DPA for your privacy and procurement teams.
Our HIPAA-aligned BAA for firms handling protected health information.
The completed SOC 2 Type I report, available under NDA.
AI and infrastructure subprocessors process Customer Data only to provide the Services — and, for AI providers, solely for inference.
A summary of our most recent third-party penetration test.
Legal
The full set of versioned, dated documents that govern how we build and operate the platform.
Terms of service for using the OurFirm.ai platform
How we collect, use, and protect your data
Details on our support and service level commitments
List of subprocessors we engage with
How we handle law enforcement and legal requests
Our security practices and commitments
Acceptable use guidelines for our services
Details on data processing and compliance
How we handle and use your usage data
Knowledge Base
The questions security teams and General Counsel ask most often.
Yes. OurFirm.ai is built on enterprise-grade infrastructure with the following protections:
SOC 2 Type II certification is underway.
OurFirm.ai was architecturally designed with privilege in mind, and specifically post-Heppner v. United States (Feb. 2026), the first federal ruling to address attorney-client privilege in the context of AI-assisted legal work.
Key protections include: a privilege-protected client portal that keeps client communications within the attorney's controlled environment; BAAs executed with both Anthropic and OpenAI prohibiting model training on your data; per-firm isolated data pipelines; and zero data retention beyond session for AI inference calls. Client data never enters the AI provider's training pipeline; this is contractually enforced, not just policy.
Our MSA and DPA are available for review. We accept custom redlines from enterprise clients.
Yes. We support HIPAA-aligned workflows for clients who handle protected health information. Our Business Associate Agreement (BAA) is HIPAA-aligned, and we have executed BAAs with our AI subprocessors. Our DPA and subprocessor list are available on request. Contact us to discuss your firm's specific compliance requirements.
We provide a full enterprise security package on request, including:
We are available to speak directly with your GC, IT security team, or malpractice carrier. Contact andrew@ourfirm.ai to schedule.
Contact & Disclosure
Send suspected vulnerabilities and security concerns to our security team and we'll investigate promptly.
Enterprise contracting, MSA redlines, and General Counsel questions.
How we handle subpoenas, warrants, and other legal requests for data.
Enterprise MSA and onboarding support available