Our Operating Principles
Legal AI sits at the intersection of three demanding privacy regimes: attorney-client privilege, professional-responsibility rules, and modern data-protection law. We design every part of our platform — the public site, the AI Suite, Sovereign Suite, and our consulting engagements — to honor all three. We publish what we do, certify what we claim, and tell you when we're working toward a target rather than already there.
How We Protect Your Data
Encryption
In transit: TLS 1.3 for all client/server traffic.
At rest: AES-256 for all stored data, including conversation history, submissions, and uploaded documents.
Field-level: Sensitive fields (auth tokens, API keys) are encrypted a second time at the application layer, in addition to the storage-level encryption above, so a party with read access to the storage layer alone does not obtain them.
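The field-level layer described above, as an added example written for this page (not Lawra's code). It assumes the `cryptography` package and a hypothetical 256-bit field key; in production that key would come from a KMS or HSM-backed keyring rather than being generated in-process. The detail worth copying is the associated data: each ciphertext is bound to its table, record id and field name, so a token lifted from one row fails authentication when replayed into another.

```python
"""Application-layer field encryption with AES-256-GCM (added example, not Lawra's code)."""
import base64
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: stands in for a KMS/HSM-managed key; never generate production keys like this.
FIELD_KEY = AESGCM.generate_key(bit_length=256)
NONCE_LEN = 12  # 96-bit nonce, the GCM recommendation
VERSION = "v1"  # prefix so the key/scheme can be rotated without breaking old rows


def _aad(table: str, record_id: str, field: str) -> bytes:
    # Associated data authenticates *where* the ciphertext lives. Moving a token to
    # another record or field changes the AAD, and decryption then fails.
    return json.dumps([table, record_id, field]).encode()


def encrypt_field(key: bytes, table: str, record_id: str, field: str, plaintext: str) -> str:
    nonce = os.urandom(NONCE_LEN)  # fresh random nonce per encryption; never reuse with one key
    ct = AESGCM(key).encrypt(nonce, plaintext.encode(), _aad(table, record_id, field))
    return VERSION + ":" + base64.b64encode(nonce + ct).decode()


def decrypt_field(key: bytes, table: str, record_id: str, field: str, token: str) -> str:
    version, _, payload = token.partition(":")
    if version != VERSION:
        raise ValueError(f"unsupported field-encryption version {version!r}")
    raw = base64.b64decode(payload)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, ct, _aad(table, record_id, field)).decode()
    except InvalidTag:
        # Tampered ciphertext or a token copied from a different row/field.
        raise ValueError("field ciphertext failed authentication") from None


def demo() -> tuple[bool, bool]:
    """Returns (round_trip_ok, swapped_token_accepted)."""
    token = encrypt_field(FIELD_KEY, "users", "u_42", "api_key", "sk-live-constructed-example")
    round_trip_ok = decrypt_field(FIELD_KEY, "users", "u_42", "api_key", token) == "sk-live-constructed-example"
    try:
        decrypt_field(FIELD_KEY, "users", "u_99", "api_key", token)  # same token, different record
        swapped_token_accepted = True
    except ValueError:
        swapped_token_accepted = False
    return round_trip_ok, swapped_token_accepted


if __name__ == "__main__":
    print(demo())
```

Storage-level AES-256 alone does not give this property: once the database is mounted, every row decrypts transparently. The application-layer token only decrypts through code that holds the field key and presents the right context.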
Data Residency
Lawra's hosted SaaS runs on Google Cloud (Firebase), with multi-region options for clients who need their data held in a specific geography. Sovereign Suite deployments run inside your own infrastructure: your residency, your perimeter.
Access Controls
Role-based access with audit logging on every administrative action. Customer-managed identities supported. Sovereign Suite integrates with your firm's existing SSO and information-barrier systems.
Audit Trails
Every prompt, every AI output, and every cited document is logged with user, matter, and timestamp. Discovery, bar inquiries, and internal investigations should not require retrofitting visibility after the fact. Logs are retained per customer policy and are exportable on demand.
Privilege Preservation
Matter-scoped data isolation: documents and conversations from one matter never enter prompts for another. Privileged work product is flagged and segregated. AI-use disclosures are configurable per jurisdiction.
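The two controls above, audit trails and matter-scoped isolation, meet in the code that assembles a prompt. The following is an added example written for this page (not Lawra's code) showing one way to enforce both at that point: the corpus, matter ids, user and questions are constructed sample data, and the log is an in-memory list standing in for a real append-only store. A document from another matter is refused, not silently dropped, and the refusal is logged alongside successful prompts.

```python
"""Matter-scoped prompt assembly with an audit record (added example, not Lawra's code)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Document:
    doc_id: str
    matter_id: str
    privileged: bool  # flagged attorney work product / privileged communication
    text: str


class MatterIsolationError(Exception):
    """A retrieval result belongs to a different matter than the request."""


# Constructed sample corpus; matter ids and contents are hypothetical.
CORPUS = {
    "d1": Document("d1", "M-1001", False, "Lease agreement, section 4: rent escalation capped at 3%."),
    "d2": Document("d2", "M-1001", True, "Attorney memo: litigation risk on the escalation clause."),
    "d3": Document("d3", "M-2002", False, "Merger term sheet: 45-day exclusivity period."),
}


def select_context(matter_id: str, candidate_ids: list[str], corpus=CORPUS) -> list[Document]:
    """Admit only documents whose matter matches the request.

    A mismatch means the retrieval layer returned something it should never have seen;
    raising makes that bug visible instead of quietly filtering the evidence away."""
    selected = []
    for doc_id in candidate_ids:
        doc = corpus[doc_id]
        if doc.matter_id != matter_id:
            raise MatterIsolationError(f"{doc_id} belongs to {doc.matter_id}; request is for {matter_id}")
        selected.append(doc)
    return selected


def build_prompt(user: str, matter_id: str, question: str, candidate_ids: list[str],
                 audit_log: list, corpus=CORPUS) -> str:
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "matter": matter_id,
        "requested_doc_ids": list(candidate_ids),
    }
    try:
        docs = select_context(matter_id, candidate_ids, corpus)
    except MatterIsolationError as exc:
        # Denied attempts are audit events too: they are exactly what an investigation asks about.
        audit_log.append({**entry, "outcome": "denied", "reason": str(exc)})
        raise
    context = "\n".join(f"[{d.doc_id}{' PRIVILEGED' if d.privileged else ''}] {d.text}" for d in docs)
    prompt = f"Matter {matter_id}\n{context}\n\nQuestion: {question}"
    # The log carries a hash for integrity; the full prompt text is stored with the matter's
    # own records so the log itself does not become a second copy of privileged material.
    audit_log.append({
        **entry,
        "outcome": "sent",
        "doc_ids": [d.doc_id for d in docs],
        "privileged_docs": [d.doc_id for d in docs if d.privileged],
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
    })
    return prompt


def demo() -> tuple[str, list, bool]:
    """Returns (prompt_for_matter_1001, audit_log, cross_matter_leak_occurred)."""
    log: list = []
    user = "alice@firm.example"  # constructed
    prompt = build_prompt(user, "M-1001", "Can rent escalate above 3%?", ["d1", "d2"], log)
    try:
        build_prompt(user, "M-1001", "What is the exclusivity period?", ["d1", "d3"], log)
        leaked = True
    except MatterIsolationError:
        leaked = False
    return prompt, log, leaked


if __name__ == "__main__":
    p, log, leaked = demo()
    print(p, log, leaked, sep="\n")
```

The privileged flag travels with the document into the prompt label, so the downstream output logger can mark any answer that drew on flagged material; the jurisdiction-specific AI-use disclosure the page mentions would hang off the same flag.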
Incident Response
Defined incident-response procedures with named roles, communication templates, and customer notification commitments. Quarterly tabletop exercises. Penetration testing on an annual cadence with summaries available under NDA.
Certifications & Compliance
Where we are today, where we're going, and a transparent timeline. We do not claim certifications we don't hold.
| Standard / Regulation | Status | Notes |
|---|---|---|
| SOC 2 Type II | 🟡 In progress (target Q4 2026) | Internal controls audit underway with a Big Four auditor. Type I report expected mid-2026; Type II to follow. |
| ISO 27001 | 🟡 Roadmap (target 2027) | Information security management system documentation in development. Implementation phase planned alongside SOC 2. |
| ISO 42001 | 🟡 Roadmap (target 2027) | AI Management System (AIMS) standard. Lawra is among the early adopters tracking this emerging certification. |
| GDPR | 🟢 Compliant | Data Processing Agreements available. EU data subjects can exercise rights via privacy@lawra.io. Records of processing maintained. |
| LGPD | 🟢 Compliant | Critical for Brazilian and broader Latin American clients. DPO designated. Data subject request workflow operational. |
| HIPAA | 🟡 Available on request (Sovereign Suite only) | BAA available for healthcare clients deploying Sovereign Suite in HIPAA-aligned environments. |
AI Model Providers — Our Posture
Lawra's hosted AI Suite uses Google Firebase AI (Gemini 2.5 Flash) for the public-facing tools. We selected this configuration specifically because Google's Firebase AI terms include a contractual commitment that customer data is not used to train Google's foundation models.
For Sovereign Suite deployments, you bring your own API keys for the model provider you trust: Anthropic Claude (enterprise tier with no-training commitments), OpenAI (enterprise tier with zero data retention, ZDR), Google Gemini, or open-weight models (Llama, Mistral, Qwen, DeepSeek, Gemma) running entirely inside your network on your own GPU infrastructure.
We do not sell, rent, or repurpose any data passing through Lawra. We do not have an internal model-training pipeline that uses customer data. Every model used is third-party or open-weight, with provider-specific contractual terms reviewable on request.
Questions, Audit Requests, or Disclosures
For security questionnaires, audit requests, customer-specific terms, or vulnerability disclosures, reach out to security@lawra.io. Sovereign Suite engagements include security review as part of standard scoping. We respond to all enterprise security questionnaires within five business days.