Trust Center

Security & Compliance

Law firms handle the most sensitive client data. Evidence Bound is built with enterprise-grade security controls and designed for ABA ethics compliance.

Certification Status

  • SOC 2 Type II: In Progress. Security controls audit by independent third party. Target: Q3 2026
  • ISO 27001: Planned. International information security standard. Target: Q4 2026
  • Penetration Testing: Planned. Third-party security assessment.
  • ABA Opinion 512: In Progress. Designed to support ABA AI ethics guidance. Status: Aligned

Built for ABA Ethics Compliance

The ABA's Formal Opinion 512 (July 2024) establishes ethical obligations for lawyers using generative AI tools. Evidence Bound is architected to help you meet these requirements.

Key ABA Requirements We Address:

  • Rule 1.1 (Competence): Clickable citations for human verification
  • Rule 1.6 (Confidentiality): Matter isolation, encryption, no data training
  • Rule 5.3 (Supervision): Full audit trail of all AI interactions
  • Disclosure: Exportable Q&A sessions for court requirements

How We Support Compliance

Human-in-the-Loop Verification

Every citation is clickable. One click shows the source document with the passage highlighted. Verify before you rely on it.

Citation Validation

Post-generation validators check that cited spans exist in the source text before delivery.

Audit Trail Export

Complete record of every question, answer, and document accessed. Export as CSV, JSON, or formatted PDF for court disclosure.

Graceful Refusal

When evidence is insufficient, the system is designed to refuse rather than guess — reducing the risk of hallucinated or fabricated citations.
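
The two controls above (citation validation and graceful refusal) fit together as one delivery gate. The following is an added illustration written for this page, not Evidence Bound's own code: it assumes a citation is a document id plus the quoted span, locates each span in the source text while tolerating line-wrapped extraction, records character offsets for highlighting, and refuses the answer when any citation cannot be verified. The corpus and citations are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample corpus for this example (not Evidence Bound's data). The
# newline inside the second sentence mimics a line-wrapped PDF extraction.
SAMPLE_DOCS = {
    "exhibit-4": "The lease commenced on 1 March 2019.\nRent was payable monthly in\nadvance.",
    "depo-doe": "Q. Were you present at the signing?\nA. I was not present at the signing.",
}


@dataclass(frozen=True)
class Citation:
    doc_id: str
    quote: str  # span the model claims to be quoting from doc_id


@dataclass(frozen=True)
class VerifiedSpan:
    doc_id: str
    start: int  # character offsets into the original text, used for highlighting
    end: int


def find_span(doc_text, quote):
    """Locate quote in doc_text, tolerating whitespace and line-break differences.

    Each whitespace run in the quote matches any whitespace run in the document,
    so a quote that was wrapped across lines still verifies, but the words
    themselves must appear verbatim and in order.
    """
    words = quote.split()
    if not words:
        return None
    pattern = r"\s+".join(re.escape(w) for w in words)
    m = re.search(pattern, doc_text)
    return (m.start(), m.end()) if m else None


def validate_answer(answer, citations, documents, min_verified=1):
    """Gate delivery on citation validation.

    Policy chosen for this example: any citation whose span cannot be found in
    the named document, or fewer than min_verified verified citations overall,
    refuses the answer instead of delivering it with unverifiable support.
    """
    verified, failed = [], []
    for c in citations:
        text = documents.get(c.doc_id)
        span = find_span(text, c.quote) if text is not None else None
        if span is None:
            failed.append(c)
        else:
            verified.append(VerifiedSpan(c.doc_id, *span))
    if failed or len(verified) < min_verified:
        return {
            "status": "refused",
            "reason": "insufficient verified evidence",
            "unverified": [f"{c.doc_id}: {c.quote!r}" for c in failed],
        }
    return {"status": "delivered", "answer": answer, "citations": verified}


def highlight(doc_text, span, marker="**"):
    """Return the document with the verified span wrapped in marker, for human review."""
    return (doc_text[:span.start] + marker + doc_text[span.start:span.end]
            + marker + doc_text[span.end:])


if __name__ == "__main__":
    good = [Citation("exhibit-4", "Rent was payable monthly in advance"),
            Citation("depo-doe", "I was not present at the signing")]
    result = validate_answer("Rent was due monthly; the witness was absent.", good, SAMPLE_DOCS)
    print(result["status"])
    for v in result["citations"]:
        print(highlight(SAMPLE_DOCS[v.doc_id], v))
    # A fabricated quote: the words never appear in the exhibit, so the answer is refused.
    bad = [Citation("exhibit-4", "The lease was terminated for cause")]
    print(validate_answer("The lease was terminated.", bad, SAMPLE_DOCS))
```

The offsets returned by the validator are what a "click to see the passage highlighted" view needs; the refusal path returns the unverified citations so a reviewer can see exactly which claims lacked support rather than receiving a silently trimmed answer.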

Security Architecture

Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 encryption at rest
  • Customer-managed keys (Enterprise)
  • HSTS enabled on all web endpoints

Access Control

  • Role-based access (Admin, Attorney, Paralegal, Viewer)
  • Matter-level permissions
  • SSO via OIDC/SAML (Enterprise)
  • MFA support (TOTP)

Data Isolation

  • Tenant isolation (tenant_id on all tables)
  • Matter isolation (matter_id partitioning)
  • No cross-tenant data access possible
  • Cryptographic separation of case data

Audit & Logging

  • Immutable audit logs (append-only)
  • Log: who, what, when, which documents
  • PII redacted from logs by default
  • Export per matter/date range
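
The Access Control, Data Isolation and Audit & Logging items above describe three controls that are easiest to understand together: every query carries tenant_id and matter_id, a user may only touch matters assigned to them, and every access lands in an append-only log with PII stripped. The block below is an added example written for this page, not Evidence Bound's schema or code; it uses an in-memory SQLite database with a constructed schema, constructed rows for two tenants that happen to share a matter id, and constructed PII patterns (e-mail addresses and SSN-shaped numbers) for the redaction step.

```python
import re
import sqlite3

# Constructed schema for this example (not Evidence Bound's own): every table
# carries tenant_id, documents additionally carry matter_id, and two triggers
# make audit_log append-only by rejecting UPDATE and DELETE.
SCHEMA = """
CREATE TABLE documents (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,
                        matter_id TEXT NOT NULL, title TEXT NOT NULL);
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,
                        actor TEXT NOT NULL, action TEXT NOT NULL, document_id INTEGER,
                        detail TEXT NOT NULL, ts TEXT NOT NULL DEFAULT (datetime('now')));
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

# Constructed PII patterns: e-mail addresses and SSN-shaped numbers.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def redact(text):
    """Remove e-mail addresses and SSN-shaped numbers before text reaches the log."""
    return SSN_RE.sub("[REDACTED-SSN]", EMAIL_RE.sub("[REDACTED-EMAIL]", text))


class MatterStore:
    """Request-scoped handle bound to one tenant and one user's assigned matters.

    Every query filters on tenant_id AND matter_id, so a matter id that also
    exists in another tenant can never be read, and every access is audited.
    """

    def __init__(self, conn, tenant_id, actor, assigned_matters):
        self.conn = conn
        self.tenant_id = tenant_id
        self.actor = actor
        self.assigned_matters = frozenset(assigned_matters)

    def list_documents(self, matter_id):
        # Matter-level permission check happens before any query is built.
        if matter_id not in self.assigned_matters:
            self._audit("denied", None, f"list on unassigned matter {matter_id}")
            raise PermissionError(f"{self.actor} is not assigned to {matter_id}")
        rows = self.conn.execute(
            "SELECT id, title FROM documents WHERE tenant_id = ? AND matter_id = ?",
            (self.tenant_id, matter_id),
        ).fetchall()
        self._audit("list", None, f"matter {matter_id}: {len(rows)} documents")
        return rows

    def _audit(self, action, document_id, detail):
        # Who (actor), what (action), when (ts default), which documents.
        self.conn.execute(
            "INSERT INTO audit_log (tenant_id, actor, action, document_id, detail) "
            "VALUES (?, ?, ?, ?, ?)",
            (self.tenant_id, self.actor, action, document_id, redact(detail)),
        )
        self.conn.commit()


def audit_is_append_only(conn):
    """True if the triggers block editing an existing audit row."""
    try:
        conn.execute("UPDATE audit_log SET detail = 'edited' WHERE id = 1")
    except sqlite3.DatabaseError:
        return True
    return False


def build_demo_db():
    """In-memory database with constructed sample rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Both tenants use matter id "M-100": only the tenant_id filter keeps them apart.
    conn.executemany(
        "INSERT INTO documents (tenant_id, matter_id, title) VALUES (?, ?, ?)",
        [("firm-a", "M-100", "Deposition of J. Doe"),
         ("firm-a", "M-100", "Exhibit 4"),
         ("firm-a", "M-200", "Engagement letter"),
         ("firm-b", "M-100", "Supplier contract")],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    alice = MatterStore(db, "firm-a", "alice", ["M-100"])
    print(alice.list_documents("M-100"))   # only firm-a rows for M-100
    print(audit_is_append_only(db))        # True: the update is rejected
    print(db.execute("SELECT actor, action, detail FROM audit_log").fetchall())
```

The point of binding tenant_id into the store object rather than passing it per call is that application code cannot forget the filter; the denied-access attempt is itself logged, so the audit trail records refusals as well as reads.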

Secrets Management

  • No hardcoded credentials
  • Supports HashiCorp Vault / AWS Secrets Manager
  • Kubernetes secrets for containers
  • Supports automatic secret rotation

Vulnerability Management

  • Dependency scanning (Snyk/Dependabot)
  • Container image scanning
  • Critical CVEs block deployments
  • Penetration testing (planned)

Data Handling Commitments

What We Never Do

  • Use your data to train AI models
  • Share data with third parties (except for service delivery)
  • Retain LLM prompts beyond session
  • Access your data without explicit authorization

What We Guarantee

  • Data export available anytime via admin interface
  • Complete deletion within 30 days of cancellation
  • Certificate of destruction available on request
  • Configurable retention policies per tenant/matter

Deployment Options

Cloud Hosted

Fully managed on our cloud infrastructure

  • Multi-tenant isolation
  • Automatic updates
  • Target: 99.9% uptime
  • Daily backups

Customer VPC

Deploy into your AWS, Azure, or GCP environment

  • Your cloud, your network
  • Data residency control
  • BYOK for LLM
  • We manage updates

Air-Gapped On-Prem

Run entirely on your servers with zero external calls

  • Complete data sovereignty
  • Local LLM (Llama 3.1)
  • No internet required
  • Docker or Kubernetes

Security FAQ

Where is my data hosted?

Cloud-hosted deployments run on isolated infrastructure. For customers requiring data residency control, we offer VPC deployment into your own AWS, Azure, or GCP environment, or fully air-gapped on-premise deployment.

How does Evidence Bound keep my data private?

All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Each tenant's data is isolated at the database level using tenant_id and matter_id partitioning. No cross-tenant data access is possible.

Is my data used to train AI models?

No. Your documents are used exclusively for your retrieval requests. We select LLM providers that offer zero-retention data processing. Your data is never used to train or improve any AI models.

How do you handle access control for client data?

Evidence Bound supports role-based access control with four roles: Admin, Attorney, Paralegal, and Viewer. Matter-level permissions ensure team members only see cases they are assigned to. Enterprise plans support SSO via OIDC/SAML.

What happens to my data if I cancel?

You can export all data at any time via the admin interface. Upon cancellation, we provide a 30-day window to export, after which all data is permanently deleted. A certificate of destruction is available upon request.

Do you have a security addendum for procurement?

Yes. Our security addendum is available for download on this page. For additional documentation or custom security questionnaires, contact [email protected].

Questions About Security?

Our security team is available to answer questions and provide additional documentation for your procurement process.