The Vaquill AI Trust Center
Legal AI built to keep your data confidential. PII anonymized before the model sees it, zero data retention with our LLM providers, US data residency, no training on your data. Aligned with ABA Model Rules 1.6, 1.13 (organization as client), 5.3, and ABA Formal Opinion 512.
Vaquill AI serves in-house counsel, GCs, and US-licensed lawyers from solo practices to in-house legal teams. We handle attorney-client-privileged communications, work-product-protected materials, board-confidential matters, M&A deal data, and regulated business data every day. Every security decision is made with privilege and organizational confidentiality in mind: your documents stay yours, they stay in the United States, and they are never used to train anyone's models.
This page is a plain-English summary of how we protect your data. For contractual commitments, see our Data Processing Addendum and Privacy Policy.
Current Compliance Posture

SOC 2 Type 1
Attested. Type II in progress.
GDPR Compliant
DPA and SCCs available on request.
Data-handling commitments
The core promises we make about your matter data, in order of what lawyers ask about most.
No training on your data
Your documents, prompts, outputs, and matter data are never used to train Vaquill AI's models. Our LLM sub-processors operate under zero-data-retention agreements, meaning inputs and outputs are not retained for model training or logging beyond what's needed to deliver the response.
US-based cloud hosting
Customer Data is hosted on cloud infrastructure in the United States, all inside reputable Tier-IV data centers, with application compute, the managed database, and document object storage each handled by vetted, US-based providers. The full sub-processor register is available on request.
Tenant isolation
Each legal team's data is logically isolated. Your documents never commingle with another team's. Row-level security is enforced at every database query and every object-store read.
Encryption
AES-256 encryption at rest. TLS 1.3 in transit. Managed KMS keys with automatic rotation. Secrets are never checked into source control.
Retention & deletion
Matters and documents are retained while your account is active. After cancellation, your data is exportable for 30 days, then permanently deleted or anonymized. Audit logs are retained for up to 3 years.
Minimal access, logged
Vaquill AI staff do not access your matter data except when you explicitly request support or when required to diagnose an incident. Every access is logged and reviewed.
Compliance & certifications
We tell you exactly what is in place today and what we're working toward. No certifications are listed here that we do not hold or are not actively pursuing.
SOC 2 Type I
In ProgressAttestation engagement in progress with a third-party auditor. Targeted completion by Q1 2027 on a best-effort basis. Type II will follow after an observation period.
US state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, TDPSA, UCPA)
LiveWe honor consumer rights under California, Virginia, Colorado, Connecticut, Texas, and Utah privacy laws: right to know, access, correct, delete, and opt out of sale/sharing of personal information.
GDPR
LiveFor EU- and UK-resident users we act as a processor. Standard Contractual Clauses are available on request. See our DPA for Article 28 commitments.
HIPAA (BAA)
Available on RequestA Business Associate Agreement is available for firms handling protected health information in connection with their matters. Contact contact@vaquill.ai to request one.
ISO 27001
On RoadmapNot currently certified. We track ISO 27001 controls internally and plan to pursue certification after SOC 2 Type II.
Related: Privacy Policy · Terms of Service · Data Processing Addendum · Accessibility.
Access controls
Firm admins decide who sees what. Individual lawyers decide how they authenticate.
SSO with Google Workspace and Microsoft 365
Coming SoonSign in with your firm-managed Google or Microsoft identity. SCIM provisioning on request for Enterprise plan firms.
Role-based access within your workspace
LiveAssign admin, lawyer, and paralegal/clerk roles. Restrict matter visibility by practice group. Firm admins manage invites and removals.
Audit logs for firm admins
LiveEvery sign-in, permission change, document upload, share event, and deletion is recorded. Admins can review or export logs from firm settings.
Two-factor authentication (2FA)
LiveTOTP-based 2FA available for every user. Firm admins can require 2FA for the entire workspace.
Product security
Security controls baked into the product itself, not bolted on after release.
Input validation and prompt-injection mitigation
Every uploaded document is run through our document safety screening to detect and neutralize attempts to manipulate model behavior through hidden instructions in PDFs, Office files, or images.
Verified citations and 4-layer answer verification
Citations are cross-referenced against the underlying case-law corpus and your uploaded sources before an answer is rendered. Read more on our legal research page.
Secure software development lifecycle
Dependency scanning, automated static analysis, code review on every change, and least-privilege deployment credentials. Production changes require pull-request approval and pass CI before release.
Incident response
In the event of a confirmed security incident affecting customer data, we notify affected customers within 72 hours of confirmation, in line with GDPR Article 33 and applicable US state breach-notification laws.
Sub-processors
Vaquill AI relies on a small, deliberately short list of vetted third-party services to deliver the product, all hosted in the United States. Every sub-processor is bound by a written data-processing agreement and required to protect Customer Data with safeguards no less protective than our own. Our LLM providers operate under zero-data-retention agreements: your prompts and documents are never retained beyond a response and never used to train models.
The current sub-processor register, with regions and per-vendor data scope, is available to customers and their counsel on request. Email contact@vaquill.ai.
Responsible disclosure
Found a security issue?
Please email security@vaquill.ai with a description of the issue, steps to reproduce, and any proof-of-concept material. We acknowledge reports within 72 hours and follow a 90-day coordinated-disclosure timeline.
Full programme details, scope, response SLAs, and our safe-harbor commitment are on our Vulnerability Disclosure Programme page.
Larger firm with additional requirements?
If your firm needs a signed BAA, custom DPA, bring-your-own-key (BYOK), a dedicated tenant, or other controls beyond what's listed above, we're happy to discuss. Email contact@vaquill.ai and tell us what you need.
Questions about security?
Email contact@vaquill.ai or reach out via /contact. For contractual commitments, see /dpa and /privacy.