Built for Attorney-Grade Confidentiality
DraftLex is engineered around attorney-client privilege, SOC 2 Type II compliance, and the data isolation requirements of legal practice.
Our Security Posture
SOC 2 Type II
Independently audited. Covers Security, Availability, and Confidentiality. Report available on request to Firm and Enterprise customers.
AES-256 Encryption
All data encrypted at rest (AES-256) and in transit (TLS 1.3). Keys managed with automated rotation via a dedicated KMS.
Privilege-Safe Design
Your data never enters a shared model training pipeline. Every draft is processed in an isolated tenant environment.
Signed DPA on All Plans
A GDPR Art. 28 / CCPA compliant Data Processing Agreement is signed with every customer at every pricing tier.
BAA Available
For firms handling health-related client matters, a HIPAA Business Associate Agreement is available on Firm Plan and above.
Annual Pen Testing
Independent penetration testing annually. Findings remediated within 30 days. Executive summaries available to Enterprise customers.
DraftLex vs. General-Purpose AI Tools
| Feature | DraftLex | ChatGPT Enterprise | Microsoft Copilot |
|---|---|---|---|
| Data used to train shared model | Never (contractually guaranteed) | Off by default (Enterprise) | Off by default (Enterprise) |
| Attorney-client privilege safeguards | Core product feature | Not designed for legal | Not designed for legal |
| SOC 2 Type II certified | Yes | Yes | Yes |
| Signed DPA on all plans | All plans | Enterprise only | Enterprise only |
| BAA for HIPAA-adjacent matters | Firm Plan+ | Enterprise only | Enterprise only |
| Isolated tenant environment | All plans | Enterprise only | Enterprise only |
| Bar ethics review on templates | Quarterly attorney review | No | No |
| Privilege score on every draft | All plans | No | No |
| Audit log per matter file | All plans | No | Limited |
Exactly What Happens With Your Data
Your email drafts stay in your isolated environment
Your prompts and outputs are processed in a tenant-isolated environment. We do not retain draft content after it is returned to your interface, except in your own matter-level audit log.
We never use client data to improve our AI
Your matter data, prompts, and draft outputs are never used to fine-tune or retrain any AI model, ours or any third-party provider's. This is a contractual commitment in our DPA, not just a privacy policy statement.
Subprocessors disclosed and contractually bound
All subprocessors (cloud infrastructure, inference providers) are listed publicly and are contractually prohibited from using your data for any purpose beyond delivering the service.
72-hour incident notification
In the event of a security incident involving your data, DraftLex notifies affected customers within 72 hours, consistent with GDPR Art. 33 requirements.
Security Documentation Available on Request
Enterprise and Firm Plan customers can request our SOC 2 report, pen test executive summary, and DPA template before signing up.