Security and Data Trust

At Lawful Good, we understand that maintaining your trust is critical. As attorneys, you handle sensitive client information every day, and you need to be confident that any software you use protects that information with the same care you would. We take this responsibility seriously and are committed to protecting your data and maintaining attorney-client privilege.

Attorney-Client Privilege is Fundamental

We understand that attorney-client privilege is fundamental to the practice of law. That’s why we’ve built our platform with security and privacy at its core. Your data is encrypted using the same standards trusted by banks and government agencies, and we’ve designed our system so that your data is protected by default.

We do not use your data to train AI models, we do not share it with other users, and we do not review your documents or User Content. Your data is encrypted and logically isolated to your account, so it cannot be read by our team in the normal course of business.

We will not produce any of your content in response to third-party discovery requests, civil subpoenas, or other legal process directed at Lawful Good without first providing you with reasonable notice and an opportunity to assert applicable privileges or seek a protective order, except where we are prohibited by law from doing so (such as in the case of certain government investigations or sealed court orders).

Read more about how we protect your privacy in our Privacy Policy.

Infrastructure Compliance

Our infrastructure is designed to support workflows involving sensitive and privileged information.

  • HIPAA Business Associate Agreement (BAA): Our cloud infrastructure operates under a HIPAA Business Associate Agreement with Google Cloud Platform. This means that the systems storing and processing your data are covered by contractual obligations that meet HIPAA’s requirements for the protection of sensitive health information.
  • Cloud Data Processing Addendum (CDPA): We have accepted Google Cloud’s Cloud Data Processing Addendum, which incorporates Standard Contractual Clauses and commitments supporting data protection laws including the CCPA and GDPR.
  • Audit Controls: We maintain audit logs of all administrative access to our infrastructure. These logs are retained for six years in accordance with applicable regulatory requirements and are stored separately from application data.
  • Subprocessors: We use a limited number of third-party subprocessors to provide the Service. A complete list is available on our Subprocessors page.

While we have implemented measures to support HIPAA-compliant workflows, compliance is a shared responsibility. If you are subject to HIPAA or other data protection regulations, you are responsible for determining whether the Service meets your specific compliance requirements.

Responsible Use of AI

We use AI to assist you, not to replace your legal judgment. Our AI tools generate drafts and suggestions that require your professional review and approval before use.

How we protect you:

  • You’re always in control: You remain the final reviewer of all AI-generated content. AI outputs are drafts that require your legal judgment and approval.
  • Your data is never used for training: We do not allow AI model providers to train on your prompts, documents, or outputs. Your client information stays private.
  • Zero Data Retention (ZDR): All AI model providers we use operate under Zero Data Retention agreements. This means your prompts and AI responses are not stored by the model provider after processing. Your data is processed in memory, a response is returned, and no record of the interaction is retained on the provider’s systems.

We currently use Google’s Gemini Enterprise Agent Platform exclusively because of its industry-leading privacy and security controls. If we add other AI models in the future, they will only be integrated if they meet our strict privacy and security requirements, including Zero Data Retention and a commitment not to train on your data.

Your Data is Encrypted

We protect your sensitive information using industry-standard encryption. Every piece of your data is encrypted before it’s stored, using AES-256-GCM — the same encryption standard trusted by banks and government agencies. This means your data is protected even if someone were to gain unauthorized access to our systems.

What gets encrypted:

  • All documents you upload to the Service
  • All documents you create or generate using the Service
  • All prompts you enter into the Service
  • All responses from the AI models
  • Any other data you enter into the Service

Unique encryption keys for each user: Each user account has its own unique encryption key that is automatically derived from your account information and system components. We don’t store these keys as separate files — they are mathematically generated when needed for encryption and decryption operations. This ensures your data is completely isolated from other users’ data. Your encrypted data cannot be read by simply browsing our databases or file systems; it requires the specific decryption process using your account information.

Additionally, all data is encrypted in transit using Transport Layer Security (TLS), the same technology that protects your online banking.
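One way per-account keys can be derived on demand and used with AES-256-GCM, shown as an added example and not Lawful Good's code. The HKDF construction, the `MASTER_SECRET` stand-in for the "system components", the info label and all function names are assumptions, and the example uses the third-party `cryptography` package.

```python
import os
import uuid

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# Constructed stand-in for the system-side secret (assumption). In a real
# deployment it would be held in a KMS or HSM, never beside the data.
MASTER_SECRET = os.urandom(32)


def derive_user_key(master_secret: bytes, account_id: uuid.UUID) -> bytes:
    """Recompute the 256-bit key for one account; nothing is stored."""
    return HKDF(
        algorithm=hashes.SHA256(),
        length=32,
        salt=None,
        info=b"user-data-key/v1:" + account_id.bytes,  # hypothetical label
    ).derive(master_secret)


def encrypt_for(account_id: uuid.UUID, doc_id: uuid.UUID, plaintext: bytes) -> bytes:
    key = derive_user_key(MASTER_SECRET, account_id)
    nonce = os.urandom(12)  # 96-bit nonce; must not repeat under one key
    # The AAD binds the ciphertext to its owner and document, so a blob
    # copied onto another record fails authentication.
    aad = account_id.bytes + doc_id.bytes
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def decrypt_for(account_id: uuid.UUID, doc_id: uuid.UUID, blob: bytes) -> bytes:
    key = derive_user_key(MASTER_SECRET, account_id)
    aad = account_id.bytes + doc_id.bytes
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)  # raises InvalidTag


def can_read(account_id: uuid.UUID, doc_id: uuid.UUID, blob: bytes) -> bool:
    """True only if the blob authenticates under this account and document."""
    try:
        decrypt_for(account_id, doc_id, blob)
        return True
    except InvalidTag:
        return False
```

In a scheme like this, isolation between accounts depends on the master secret staying out of the data store, since anyone holding both can recompute any account's key.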

No Sensitive Data in Logs

We have designed our systems so that no User Content — including documents, prompts, AI responses, or any other sensitive data — is ever written to application logs, even when errors occur. Our logs contain only technical metadata such as user identifiers and document identifiers in non-reversible UUID format. This means that even our infrastructure logs cannot be used to reconstruct your documents or conversations.
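A metadata-only logging policy like the one described above can be enforced in code instead of by convention. This is an added example, not Lawful Good's code; the event names, field names and the `log_parse_failure` scenario are assumptions.

```python
import logging
import uuid

ALLOWED_EVENTS = {"document_uploaded", "document_parse_failed"}  # assumed names
ID_FIELDS = ("user_id", "document_id")


class MetadataOnlyFilter(logging.Filter):
    """Rebuild each record from allow-listed metadata; drop everything else."""
    def filter(self, record: logging.LogRecord) -> bool:
        ids = []
        for name in ID_FIELDS:
            try:
                ids.append(str(uuid.UUID(str(getattr(record, name, "")))))
            except ValueError:
                ids.append("invalid")  # never echo a value that is not a UUID
        event = getattr(record, "event", None)
        known = isinstance(event, str) and event in ALLOWED_EVENTS
        event = event if known else "unknown_event"
        # Exception messages and tracebacks can embed user input: keep the type only.
        has_exc = bool(record.exc_info and record.exc_info[0])
        exc = record.exc_info[0].__name__ if has_exc else "-"
        record.exc_info = record.exc_text = record.stack_info = None
        # Discard the caller's free-form message and its arguments entirely.
        record.msg = "event=%s user_id=%s document_id=%s error=%s"
        record.args = (event, ids[0], ids[1], exc)
        return True


class ListHandler(logging.Handler):
    """Keeps formatted lines in memory so the output can be inspected."""
    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []
        self.addFilter(MetadataOnlyFilter())

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_parse_failure(user_id: str, document_id: str, secret_text: str) -> list[str]:
    """Constructed scenario: an error whose message contains document text."""
    logger = logging.getLogger("example.metadata_only")
    logger.handlers, logger.propagate = [], False
    handler = ListHandler()
    logger.addHandler(handler)
    try:
        raise ValueError(f"cannot parse: {secret_text}")
    except ValueError:
        extra = {"event": "document_parse_failed",
                 "user_id": user_id, "document_id": document_id}
        logger.error("failed on %r", secret_text, exc_info=True, extra=extra)
    return handler.lines
```

The filter sits on the handler, so a careless `logger.error(...)` call elsewhere in the code base still cannot write document text or an exception message to the log.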

Your Role as Data Controller

Lawful Good acts as a data processor on your behalf. You, as the attorney or law firm, remain the data controller with respect to any client data you upload to or create within the Service. This means you retain full authority over your client data, and we process it solely according to your instructions through your use of the Service. For more detail on this relationship, see our Privacy Policy.

Privacy and Terms of Service

For complete details about how we handle your data and the terms governing your use of our service, please review our:

Security Contact

If you have security concerns or need to report a potential vulnerability, we’re here to help: