Trust Center

The Vaquill AI Trust Center

Legal AI built to keep your data confidential. PII anonymized before the model sees it, zero data retention with our LLM providers, US data residency, no training on your data. Aligned with ABA Model Rules 1.6, 1.13 (organization as client), 5.3, and ABA Formal Opinion 512.

Vaquill AI serves in-house counsel, GCs, and US-licensed lawyers from solo practices to in-house legal teams. We handle attorney-client-privileged communications, work-product-protected materials, board-confidential matters, M&A deal data, and regulated business data every day. Every security decision is made with privilege and organizational confidentiality in mind: your documents stay yours, they stay in the United States, and they are never used to train anyone's models.

This page is a plain-English summary of how we protect your data. For contractual commitments, see our Data Processing Addendum and Privacy Policy.

Current Compliance Posture

AICPA SOC for Service Organizations badge

SOC 2 Type 1

Attested. Type II in progress.

GDPR compliance badge

GDPR Compliant

DPA and SCCs available on request.

Data-handling commitments

The core promises we make about your matter data, in order of what lawyers ask about most.

No training on your data

Your documents, prompts, outputs, and matter data are never used to train Vaquill AI's models. Our LLM sub-processors operate under zero-data-retention agreements, meaning inputs and outputs are not retained for model training or logging beyond what's needed to deliver the response.

US-based cloud hosting

Customer Data is hosted on cloud infrastructure in the United States, all inside reputable Tier-IV data centers, with application compute, the managed database, and document object storage each handled by vetted, US-based providers. The full sub-processor register is available on request.

Tenant isolation

Each legal team's data is logically isolated. Your documents never commingle with another team's. Row-level security is enforced at every database query and every object-store read.

Encryption

AES-256 encryption at rest. TLS 1.3 in transit. Managed KMS keys with automatic rotation. Secrets are never checked into source control.

Retention & deletion

Matters and documents are retained while your account is active. After cancellation, your data is exportable for 30 days, then permanently deleted or anonymized. Audit logs are retained for up to 3 years.

Minimal access, logged

Vaquill AI staff do not access your matter data except when you explicitly request support or when required to diagnose an incident. Every access is logged and reviewed.

Compliance & certifications

We tell you exactly what is in place today and what we're working toward. No certifications are listed here that we do not hold or are not actively pursuing.

SOC 2 Type I

In Progress

Attestation engagement in progress with a third-party auditor. Targeted completion by Q1 2027 on a best-effort basis. Type II will follow after an observation period.

US state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, TDPSA, UCPA)

Live

We honor consumer rights under California, Virginia, Colorado, Connecticut, Texas, and Utah privacy laws: right to know, access, correct, delete, and opt out of sale/sharing of personal information.

GDPR

Live

For EU- and UK-resident users we act as a processor. Standard Contractual Clauses are available on request. See our DPA for Article 28 commitments.

HIPAA (BAA)

Available on Request

A Business Associate Agreement is available for firms handling protected health information in connection with their matters. Contact contact@vaquill.ai to request one.

ISO 27001

On Roadmap

Not currently certified. We track ISO 27001 controls internally and plan to pursue certification after SOC 2 Type II.

Related: Privacy Policy · Terms of Service · Data Processing Addendum · Accessibility.

Access controls

Firm admins decide who sees what. Individual lawyers decide how they authenticate.

SSO with Google Workspace and Microsoft 365

Coming Soon

Sign in with your firm-managed Google or Microsoft identity. SCIM provisioning on request for Enterprise plan firms.

Role-based access within your workspace

Live

Assign admin, lawyer, and paralegal/clerk roles. Restrict matter visibility by practice group. Firm admins manage invites and removals.

Audit logs for firm admins

Live

Every sign-in, permission change, document upload, share event, and deletion is recorded. Admins can review or export logs from firm settings.

Two-factor authentication (2FA)

Live

TOTP-based 2FA available for every user. Firm admins can require 2FA for the entire workspace.

Product security

Security controls baked into the product itself, not bolted on after release.

Input validation and prompt-injection mitigation

Every uploaded document is run through our document safety screening to detect and neutralize attempts to manipulate model behavior through hidden instructions in PDFs, Office files, or images.

Verified citations and 4-layer answer verification

Citations are cross-referenced against the underlying case-law corpus and your uploaded sources before an answer is rendered. Read more on our legal research page.

Secure software development lifecycle

Dependency scanning, automated static analysis, code review on every change, and least-privilege deployment credentials. Production changes require pull-request approval and pass CI before release.

Incident response

In the event of a confirmed security incident affecting customer data, we notify affected customers within 72 hours of confirmation, in line with GDPR Article 33 and applicable US state breach-notification laws.

Sub-processors

Vaquill AI relies on a small, deliberately short list of vetted third-party services to deliver the product, all hosted in the United States. Every sub-processor is bound by a written data-processing agreement and required to protect Customer Data with safeguards no less protective than our own. Our LLM providers operate under zero-data-retention agreements: your prompts and documents are never retained beyond a response and never used to train models.

The current sub-processor register, with regions and per-vendor data scope, is available to customers and their counsel on request. Email contact@vaquill.ai.

Responsible disclosure

Found a security issue?

Please email security@vaquill.ai with a description of the issue, steps to reproduce, and any proof-of-concept material. We acknowledge reports within 72 hours and follow a 90-day coordinated-disclosure timeline.

Full programme details, scope, response SLAs, and our safe-harbor commitment are on our Vulnerability Disclosure Programme page.

Larger firm with additional requirements?

If your firm needs a signed BAA, custom DPA, bring-your-own-key (BYOK), a dedicated tenant, or other controls beyond what's listed above, we're happy to discuss. Email contact@vaquill.ai and tell us what you need.

Questions about security?

Email contact@vaquill.ai or reach out via /contact. For contractual commitments, see /dpa and /privacy.

Contact us