LawGPT
I. Security

What we have. What we don't yet.

This page is plain English, not "industry-standard safeguards." It describes what the product actually does today, and is explicit about what our compliance posture does not yet include.

Last reviewed: May 2026.

01

Your documents, your matters.

Documents you upload are yours. Each workspace is scoped by an organisation ID that our API enforces on every request, so no request hits another firm's matter. When you archive a matter it stays in your workspace; when you hard-delete one, its rows and files are removed.

Owners and admins can delete an entire workspace from the settings page. We can also delete on request.

02

We do not train on your content.

Your matter content (documents, review columns, answers, chat threads, notes) is not used to train, fine-tune, or evaluate AI models. Not ours, not any third party's. AI inference runs against providers under agreements that prohibit training on API inputs, and we pass the same commitment on to you.

03

Authentication.

Sign-in is handled by Auth0. Email and Google sign-in are supported out of the box; we can enable additional social providers on request.

Tokens are short-lived JWTs issued by Auth0, scoped to the matters a user has permission to access. The backend validates every request against the role model below.

04

Role-based access.

Workspace roles are owner, admin, member, and external. Matter-level roles are owner, editor, viewer, and external. A matter owner or admin can invite collaborators to a specific matter without giving them access to the rest of the workspace.

Permissions are enforced server-side by a single middleware. The UI never decides whether a request is allowed.
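As an added illustration (not LawGPT's own code), this is what a single default-deny decision point covering the organisation scoping and the two role tiers described above can look like. The claim names, the action names, and the rule that workspace owners and admins act as matter owners are assumptions; only the role names and the owner/admin workspace permissions come from this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Who may do what. The workspace actions come from this page (owners and admins
# delete workspaces and read the audit log); the matter action names are assumed.
WORKSPACE_ACTIONS = {"delete_workspace": {"owner", "admin"}, "read_audit_log": {"owner", "admin"}}
MATTER_ACTIONS = {
    "read": {"owner", "editor", "viewer", "external"},
    "edit": {"owner", "editor"},
    "invite": {"owner"},
    "delete_matter": {"owner"},
}

@dataclass
class Claims:
    """Fields read from a token AFTER signature and expiry checks (assumed claim names)."""
    sub: str
    org_id: str
    workspace_role: str                                # owner | admin | member | external
    matter_roles: dict = field(default_factory=dict)   # matter_id -> owner|editor|viewer|external

@dataclass
class Request:
    org_id: str                                        # organisation the route addresses
    action: str
    matter_id: Optional[str] = None                    # None for workspace-level actions

def effective_matter_role(claims: Claims, matter_id: str) -> Optional[str]:
    """An explicit per-matter grant wins; workspace owners/admins count as matter owners (assumption)."""
    if matter_id in claims.matter_roles:
        return claims.matter_roles[matter_id]
    if claims.workspace_role in ("owner", "admin"):
        return "owner"
    return None   # members and externals only see matters they were invited to

def authorize(claims: Claims, req: Request) -> bool:
    """The one server-side decision point: default deny, organisation scope checked first."""
    if claims.org_id != req.org_id:                    # never cross into another firm's workspace
        return False
    if req.matter_id is None:
        return claims.workspace_role in WORKSPACE_ACTIONS.get(req.action, set())
    role = effective_matter_role(claims, req.matter_id)
    return role is not None and role in MATTER_ACTIONS.get(req.action, set())

if __name__ == "__main__":
    # Constructed sample: an external collaborator invited to one matter only.
    ext = Claims("u1", "org-a", "external", {"m-42": "viewer"})
    print(authorize(ext, Request("org-a", "read", "m-42")))   # True
    print(authorize(ext, Request("org-a", "read", "m-43")))   # False: not invited to this matter
    print(authorize(ext, Request("org-b", "read", "m-42")))   # False: wrong organisation
```

The UI can still hide buttons for roles that lack a permission, but the answer to "is this allowed" only ever comes from `authorize`.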

05

Audit log.

Sensitive actions write to an immutable audit log: sign-ins, billing changes, member changes, and workspace deletions are recorded with the actor, the target, and a timestamp. Owners and admins can read their workspace's log; we keep entries for the life of the workspace.

Coverage is expanding. Every new privileged surface gets wired into the same log. If you need a specific event covered for an internal control, ask.

06

Transport & storage.

lawgpt.com and app.lawgpt.com are served over HTTPS. Application traffic between our services runs inside a managed cloud network. Documents are stored in managed object storage; metadata is stored in a managed Postgres database.

07

Privilege and confidentiality.

We treat all matter content as confidential by default. We don't access your content to look at it. The only cases where a human on our team sees a document are (a) you've explicitly asked us to help during support, or (b) we're investigating a concrete security incident involving that matter.

Attorney-client privilege is not a product feature. We operate on the assumption that any document you send us may be privileged.

08

Export and portability.

Completed reviews export to CSV from the product. If you want your full matter content back in another format, email us and we'll do it.

09

Compliance maturity, honestly.

We are early. We do not yet have a SOC 2 attestation, an ISO certification, or a published subprocessor list. Those are on the roadmap and they are part of the Enterprise conversation.

If your firm has a procurement questionnaire, a custom DPA, specific data-residency requirements, or a security-review checklist, we are happy to work through it. Send the request to security@lawgpt.com.

10

Reporting a vulnerability.

If you believe you have found a security issue, please email security@lawgpt.com. We acknowledge within one business day, and we will not pursue legal action against good-faith researchers who follow responsible disclosure.

Need more detail?

Ask. We won't hide behind a template.

Security questionnaires, DPAs, architecture diagrams: email security@lawgpt.com and you'll get a real answer from someone on the engineering team.
