Security & Compliance

Built for Attorney-Grade Confidentiality

DraftLex is engineered around attorney-client privilege, SOC 2 Type II compliance, and the data isolation requirements of legal practice.

Certifications

Our Security Posture

๐Ÿ†

SOC 2 Type II

Independently audited. Covers Security, Availability, and Confidentiality. Report available on request to Firm and Enterprise customers.

AES-256 Encryption

All data encrypted at rest (AES-256) and in transit (TLS 1.3). Keys managed with automated rotation via a dedicated KMS.

Privilege-Safe Design

Your data never enters a shared model training pipeline. Every draft is processed in an isolated tenant environment.

Signed DPA on All Plans

A GDPR Art. 28 / CCPA compliant Data Processing Agreement is signed with every customer at every pricing tier.

๐Ÿฅ

BAA Available

For firms handling health-related client matters, a HIPAA Business Associate Agreement is available on Firm Plan and above.

Annual Pen Testing

Independent penetration testing annually. Findings remediated within 30 days. Executive summaries available to Enterprise customers.

Comparison

DraftLex vs. General-Purpose AI Tools

Feature | DraftLex | ChatGPT Enterprise | Microsoft Copilot
Data used to train shared model | ✓ Never (contractually guaranteed) | ✓ Off by default (Enterprise) | ✓ Off by default (Enterprise)
Attorney-client privilege safeguards | ✓ Core product feature | ✗ Not designed for legal | ✗ Not designed for legal
SOC 2 Type II certified | ✓ Yes | ✓ Yes | ✓ Yes
Signed DPA on all plans | ✓ All plans | Enterprise only | Enterprise only
BAA for HIPAA-adjacent matters | ✓ Firm Plan+ | Enterprise only | Enterprise only
Isolated tenant environment | ✓ All plans | Enterprise only | Enterprise only
Bar ethics review on templates | ✓ Quarterly attorney review | ✗ No | ✗ No
Privilege score on every draft | ✓ All plans | ✗ No | ✗ No
Audit log per matter file | ✓ All plans | ✗ No | Limited

Data Practices

Exactly What Happens With Your Data

Your email drafts stay in your isolated environment

Your prompts and outputs are processed in a tenant-isolated environment. We do not retain draft content after it is returned to your interface, except in your own matter-level audit log.

We never use client data to improve our AI

Your matter data, prompts, and draft outputs are never used to fine-tune or retrain any AI model, ours or any third-party provider's. This is a contractual commitment in our DPA, not just a privacy policy statement.

Subprocessors disclosed and contractually bound

All subprocessors (cloud infrastructure, inference providers) are listed publicly and are contractually prohibited from using your data for any purpose beyond delivering the service.

72-hour incident notification

In the event of a security incident involving your data, DraftLex notifies affected customers within 72 hours, consistent with GDPR Art. 33 requirements.

Get Started

Security Documentation Available on Request

Enterprise and Firm Plan customers can request our SOC 2 report, pen test executive summary, and DPA template before signing up.
