Trust Center

Security you can put in front of a client.

Encryption, attorney-client privilege, and per-firm isolation, built into the platform and documented for your security team.

AES-256 at rest · Per-firm isolation · No training on client data

Overview

OurFirm.ai is an AI litigation workspace built for record-grounded work. Encryption, attorney-client privilege, and per-firm data isolation are architectural commitments — not features bolted on afterward. Every claim here maps to a control we operate or a document we can share under NDA, and where a certification is still in progress, we say so.

Compliance

Attestable controls.

Where an examination is complete, the report is available under NDA. Where one is in progress, we label it as such.

In progress

SOC 2 Type II

A SOC 2 Type II examination is underway. The report will be available under NDA once the observation period concludes.

Status — Underway

Available under NDA

SOC 2 Type I

Our SOC 2 Type I report is complete and available for your security team to review under a mutual NDA.

Compliance

HIPAA-aligned BAA

A HIPAA-aligned Business Associate Agreement is available, and we have executed BAAs with our AI subprocessors.

Compliance

GDPR / CCPA-aligned DPA

Our Data Processing Addendum is aligned to GDPR and CCPA and governs how personal data is processed.

Effective Feb 17, 2026 · Read the DPA

Platform Security

Encrypted, isolated, resilient.

The controls that protect client data in transit, at rest, and in use — enforced by architecture and contract, not policy alone.

Encryption

In transit and at rest

TLS 1.3 protects data in transit. AES-256 protects data at rest. No exceptions for AI traffic.

Isolation

Per-firm data isolation

Per-firm, per-attorney, and per-conversation isolation. Your data is never co-mingled with another firm's.

AI handling

No training on client data

Client documents never train any AI model. Enforced by BAAs with Anthropic and OpenAI, with zero data retention beyond session for inference.

Access control

Least privilege, fully logged

Granular role-based permissions govern who can see and do what, with full audit logging of access and activity.

Infrastructure

AWS EKS, multi-AZ

Compute runs on AWS EKS (Kubernetes) across multiple availability zones, with a 99.9% SLA and multi-region failover.

Data lifecycle

24-hour deletion on request

Data is purged within 24 hours of a deletion request, fully auditable. We analyze usage metadata to run the platform — never the substance of your documents.

Attorney-Client Privilege

Architected for privilege, post-Heppner.

OurFirm.ai was designed with attorney-client privilege in mind, and specifically post-Heppner v. United States (Feb. 2026) — the first federal ruling to address privilege in the context of AI-assisted legal work.

Privilege

Privilege-protected client portal

Client communications stay within the attorney's controlled environment. Per-firm isolated data pipelines keep matters separate, and client data never enters an AI provider's training pipeline.

Privilege

Contractually enforced, not just policy

BAAs with both Anthropic and OpenAI prohibit model training on your data, with zero retention beyond session for inference — enforced by contract.

Reports & Documents

Enterprise materials, on request.

Your General Counsel, IT security team, or malpractice carrier can review the full package under NDA through our Trust Center.

Access controlled

Master Service Agreement

Our MSA, with custom redlines accepted for enterprise clients.

Access controlled

Data Processing Addendum

The full DPA for your privacy and procurement teams.

Access controlled

Business Associate Agreement

Our HIPAA-aligned BAA for firms handling protected health information.

Access controlled

SOC 2 Type I Report

The completed SOC 2 Type I report, available under NDA.

Access controlled

Subprocessor List

AI and infrastructure subprocessors process Customer Data only to provide the Services — and, for AI providers, solely for inference.

Public · Oct 23, 2025 · Read the list
Access controlled

Penetration Test Summary

A summary of our most recent third-party penetration test.

Knowledge Base

Security & privilege, answered.

The questions security teams and General Counsel ask most often.

Is my data secure?

Yes. OurFirm.ai is built on enterprise-grade infrastructure with the following protections:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Isolated storage: Per-firm, per-attorney, and per-conversation isolation and storage; your data is never co-mingled with another firm's
  • No training on client data: Your documents are never used to train any AI model, ever
  • Compute: AWS EKS (Kubernetes, multi-AZ) with 99.9% SLA and multi-region failover
  • Access controls: Role-based permissions with full audit logging
  • Deletion: 24-hour data purge on request, fully auditable

A SOC 2 Type II examination is underway.

How does OurFirm.ai protect attorney-client privilege?

OurFirm.ai was architecturally designed with privilege in mind, and specifically post-Heppner v. United States (Feb. 2026), the first federal ruling to address attorney-client privilege in the context of AI-assisted legal work.

Key protections include: a privilege-protected client portal that keeps client communications within the attorney's controlled environment; BAAs executed with both Anthropic and OpenAI prohibiting model training on your data; per-firm isolated data pipelines; and zero data retention beyond session for AI inference calls. Client data never enters the AI provider's training pipeline; this is contractually enforced, not just policy.

Our MSA and DPA are available for review. We accept custom redlines from enterprise clients.

Are you HIPAA compliant?

Yes. We support HIPAA-aligned workflows for clients who handle protected health information. Our Business Associate Agreement (BAA) is HIPAA-aligned, and we have executed BAAs with our AI subprocessors. Our DPA and subprocessor list are available on request. Contact us to discuss your firm's specific compliance requirements.

What documents are available for our General Counsel or IT Security team?

We provide a full enterprise security package on request, including:

  • Master Service Agreement (custom redlines accepted)
  • Data Processing Agreement (GDPR/CCPA-aligned)
  • Business Associate Agreement (HIPAA-aligned)
  • SOC 2 Type I Report (under NDA)
  • Subprocessor List
  • Penetration Test Summary

We are available to speak directly with your GC, IT security team, or malpractice carrier. Contact andrew@ourfirm.ai to schedule.

Contact & Disclosure

Talk to a human.

Responsible disclosure

Report a vulnerability

Send suspected vulnerabilities and security concerns to our security team and we'll investigate promptly.

Enterprise & GC

Start a security review

Enterprise contracting, MSA redlines, and General Counsel questions.

Legal process

Law enforcement & legal requests

How we handle subpoenas, warrants, and other legal requests for data.

Effective Feb 17, 2026 · Read the policy