ClausePilot Security Policy
1. Introduction
ClausePilot Korlátolt Felelősségű Társaság (registration number: Cg.01-09-454891; registered seat: 1163 Budapest, Karát utca 33., Hungary) ("ClausePilot", "we", "us", or "our") is committed to maintaining the confidentiality, integrity, and availability of all Personal Data and User-Generated Content processed through our Platform. This Security Policy describes the comprehensive technical, organizational, and administrative measures we have implemented to ensure robust information security, trust, and compliance with applicable laws, including the GDPR and legal profession regulatory requirements across EU jurisdictions.
This Policy applies to all users of the ClausePilot platform, with particular attention to the unique security requirements of legal professionals, as well as to ClausePilot staff, contractors, and third-party service providers.
1.1 Legal Professional Security Commitment
ClausePilot recognizes that legal professionals have heightened security obligations, including the preservation of attorney-client privilege, client confidentiality, and compliance with professional ethics rules. Our security framework is specifically designed to support these professional obligations while enabling the use of advanced AI technology for supporting legal and administrative work.
2. Hosting and Infrastructure Security
2.1 EU Data Sovereignty and Residency
Primary data storage at rest for all User-Generated Content is located exclusively within the European Economic Area (EEA). For certain session-limited processing activities, such as AI analysis via third-party APIs, the relevant User-Generated Content is temporarily transferred to service providers in the United States (see Appendix B of the Data Processing Agreement). Transfers rely on (i) the EU–U.S. Data Privacy Framework ("DPF") where the provider is certified, or (ii) the European Commission’s Standard Contractual Clauses ("SCCs") supplemented by transfer-impact assessments and encryption safeguards. We apply comprehensive technical controls preventing any inadvertent data transfers outside the EEA jurisdiction.
2.2 Cloud Infrastructure Security
ClausePilot relies on Amazon Web Services (AWS) EU regions, the market leader in secure cloud infrastructure, certified under ISO 27001, SOC 2, and other international standards.
2.3 Encryption and Cryptographic Controls
- Data in Transit: TLS 1.3 encryption for all communications with perfect forward secrecy
- Data at Rest: AES-256 encryption for all stored data with regularly rotated encryption keys
- Key Management: Hardware Security Modules (HSMs) for cryptographic key generation and management
- Document-Level Encryption: Additional encryption layer for legal documents with matter-specific keys
3. Dual-Role Security Architecture
ClausePilot operates under a dual-role security framework reflecting our distinct responsibilities as both Data Controller and Data Processor under GDPR.
3.1 Data Controller Security Measures
For Personal Data where ClausePilot acts as Data Controller (account information, usage data, payment data), we implement:
- Dedicated Controller Infrastructure: Separate security controls and monitoring for controller data
- Enhanced Access Logging: Comprehensive audit trails for all access to personal account information
- Privacy-by-Design Controls: Built-in privacy protections for all personal data processing
- Controller-Specific Incident Response: Tailored procedures for incidents affecting personal data
3.2 Data Processor Security Measures
For User-Generated Content where ClausePilot acts as Data Processor (uploaded documents, client information, user information), we implement:
- Processor-Only Access: Strict limitations ensuring we only process data per user instructions
- Enhanced Confidentiality Controls: Additional security layers for sensitive legal documents
- Client Privilege Preservation: Technical measures maintaining attorney-client privilege throughout all processing
4. AI Processing Security Framework
4.1 AI Integration Security Architecture
ClausePilot integrates with third-party AI providers (as listed in Appendix 2 of the Data Processing Agreement) under strict security controls:
- Isolated Processing Environments: Each AI processing request operates in a secure, isolated container
- API Security Hardening: Enhanced authentication, encryption, and monitoring for all API communications
- Processing Transparency: Complete audit trails of all AI processing activities
4.2 Legal Professional Privilege Protection
Our AI processing framework specifically preserves legal professional privilege:
- Privilege-Aware Processing: AI systems receive explicit instructions about privileged content handling
- No Model Training: Contractual and technical guarantees preventing use of legal documents for AI model training
- Immediate Purging: All AI processing data is immediately purged after response generation
4.3 Third-Party API Security Controls
For each AI API provider, we enforce:
- Confidentiality Agreements: Comprehensive contracts prohibiting data retention and model training
- Security Assessments: Regular third-party security audits of all API providers
- Fail-Safe Mechanisms: Automatic fallback procedures if security controls are compromised
4.4 Model Training Prohibition Controls
Technical safeguards preventing user data from being used for AI model training:
- No-Training Headers: Explicit API headers prohibiting model training use
- Contractual Enforcement: Legal agreements for unauthorized data use
5. Access Management and Control
5.1 Advanced Access Control Framework
We enforce comprehensive access control measures:
- Role-Based Access Control (RBAC): Granular permissions based on job functions and business necessity
- Zero Trust Architecture: Continuous verification of all access requests regardless of source
- Privileged Access Management: Enhanced controls for administrative and system accounts
- Authentication: To ensure secure and robust user authentication, ClausePilot utilizes Google Firebase Authentication services, which provide industry-standard security for managing user credentials and sessions.
5.2 Emergency Access Procedures
Secure emergency access protocols while maintaining confidentiality:
- Break-Glass Procedures: Controlled emergency access with comprehensive audit trails
- Dual Authorization: Multiple approvals required for emergency access to legal documents
- Immediate Notification: Automatic notification to relevant legal professionals of emergency access
- Post-Incident Review: Mandatory review of all emergency access incidents
6. Document Security and Vault Protection
6.1 Document Lifecycle Security
Comprehensive security throughout the document lifecycle:
- Upload Security: Malware scanning and content validation for all uploaded documents
- Processing Security: Encrypted processing pipelines with integrity verification
- Storage Security: Multi-layered encryption and access controls for stored documents
- Deletion Security: Cryptographic erasure ensuring complete data destruction
6.2 Personal Vault Security Architecture
Enhanced security for personal document storage:
- Individual Encryption: Each vault encrypted with unique, user-controlled keys
- Access Isolation: Complete isolation between different users' vaults
- Integrity Monitoring: Continuous monitoring for unauthorized vault access or modification
- Backup Security: Encrypted, geographically distributed backups with restoration capabilities
6.3 Secure Document Deletion
Enhanced deletion protocols exceeding industry standards:
- Cryptographic Erasure: Immediate deletion of encryption keys rendering data unrecoverable
- Multi-Pass Overwriting: Physical overwriting of storage media for enhanced security
- Backup Purging: Coordinated deletion across all backup systems and replicas
- Deletion Verification: Technical verification of complete data destruction
7. Legal Profession Compliance Framework
7.1 Professional Standards Compliance
Regular assessment of compliance with legal profession requirements:
- Multi-Jurisdiction Compliance: Monitoring compliance with legal profession regulations across EU member states
- Professional Ethics Integration: Regular review of platform features against legal ethics requirements
- Regulatory Change Monitoring: Continuous tracking of evolving legal profession regulatory requirements
8. Incident Response and Breach Notification
8.1 Enhanced Incident Response Framework
ClausePilot maintains a comprehensive Incident Response Plan with legal data specific procedures:
- Notification: Immediate notification procedures for incidents affecting legal data
- Privilege Preservation: Incident response procedures that maintain attorney-client privilege
- Regulatory Notification: Notification to relevant legal profession regulatory bodies when required
- Client Impact Assessment: Comprehensive framework for assessing and communicating client data impacts
8.2 Incident Classification and Response
Tiered response based on incident severity and data types affected:
- Critical Incidents: Immediate response for incidents affecting legal documents or client data
- High Priority: Rapid response for incidents affecting platform availability or personal data
- Standard Response: Regular procedures for minor incidents and system issues
- Post-Incident Review: Comprehensive analysis and improvement planning after all incidents
8.3 Breach Notification Procedures
Comprehensive notification procedures ensuring compliance with all applicable requirements:
- User Notification: Direct notification to affected legal professionals within 24 hours
- Regulatory Notification: Notification to data protection authorities within 72 hours as required by GDPR
- Professional Body Notification: Notification to relevant legal profession regulatory bodies when required
- Transparency Reporting: Clear communication about incident nature, consequences, and remediation measures
Where ClausePilot acts as processor, providing the Controller with all necessary information to enable them to meet their own obligation to notify the relevant data protection authority within 72 hours, as required by GDPR.
9. Vulnerability and Patch Management
9.1 Proactive Vulnerability Management
ClausePilot implements a comprehensive vulnerability management program:
- Continuous Scanning: Automated vulnerability scanning of all systems and applications
- Threat Intelligence: Integration with global threat intelligence feeds for early warning
- Risk Assessment: Regular risk assessment of identified vulnerabilities with prioritized remediation
- Zero-Day Protection: Enhanced monitoring and rapid response procedures for zero-day vulnerabilities
9.2 Patch Management Framework
Systematic approach to security patching:
- Critical Patch Timeline: Emergency patching within 24 hours for critical security vulnerabilities
- Regular Patch Cycles: Scheduled patching cycles with comprehensive testing procedures
- Testing Protocols: Rigorous testing in isolated environments before production deployment
- Rollback Procedures: Comprehensive rollback capabilities for problematic patches
9.3 Third-Party Security Assessment
Regular security assessment of all third-party components:
- Vendor Security Reviews: Annual security assessments of all critical vendors
- Dependency Scanning: Automated scanning of all software dependencies for vulnerabilities
- Third-Party Monitoring: Continuous monitoring of third-party security advisories and patches
9.4 Penetration Testing and Security Audits
Regular independent security testing:
- Annual Penetration Testing: Comprehensive penetration testing by independent third parties
- Quarterly Security Audits: Regular security audits focusing on different aspects of the platform
- Red Team Exercises: Advanced adversarial testing simulating sophisticated attack scenarios
10. Third-Party and Vendor Risk Management
10.1 Sub-Processor Security Requirements
Enhanced security requirements for all sub-processors handling User-Generated Content:
- Security Certification Requirements: Mandatory security certifications (ISO 27001, SOC 2) for all sub-processors
- Contractual Security Obligations: Comprehensive security requirements in all sub-processor agreements
- Regular Security Assessments: Ongoing security assessments of all sub-processors
10.2 AI Provider Security Management
Specialized security management for AI API providers:
- Enhanced Due Diligence: Comprehensive security assessment of all AI providers
- Contractual Safeguards: Detailed contracts prohibiting data retention and unauthorized use
- Technical Integration Security: Secure API integration with comprehensive monitoring
- Regular Compliance Verification: Regular verification of AI provider compliance with security requirements
10.3 Vendor Lifecycle Management
Comprehensive vendor management throughout the engagement lifecycle:
- Pre-Engagement Assessment: Thorough security assessment before vendor engagement
- Ongoing Monitoring: Continuous monitoring of vendor security posture and performance
- Incident Coordination: Coordinated incident response procedures with all vendors
- Contract Termination: Secure data destruction and access revocation upon contract termination
11. Organizational Security Measures
11.1 Security Training and Awareness
Comprehensive security training program:
- Legal-Specific Security Training: Specialized training addressing legal profession security requirements
- Regular Security Updates: Ongoing training on evolving security threats and countermeasures
- Professional Ethics Integration: Training integrating security with legal ethics and professional conduct
11.2 Personnel Security
Enhanced personnel security measures:
- Background Verification: Comprehensive background checks for all personnel with system access
- Confidentiality Agreements: Detailed confidentiality agreements for all staff and contractors
- Access Recertification: Quarterly review and recertification of all personnel access rights
- Separation Procedures: Comprehensive procedures for secure access termination upon role change or departure
11.3 Physical Security
Secure handling and disposal of all IT equipment.
12. Continuous Monitoring and Transparency
12.1 Comprehensive Audit Trails
Detailed logging supporting legal professional compliance requirements:
- AI Processing Logs: Detailed logs of all AI processing activities with query and response tracking
12.2 Real-Time Security Monitoring
Continuous monitoring for security threats and anomalies:
- Threat Detection: Real-time detection of security threats and attack attempts
- Automated Response: Automated response systems for immediate threat containment
- Alert Management: Comprehensive alert management with escalation procedures
12.3 Legal Professional Reporting
Specialized reporting supporting legal professionals' compliance obligations:
- Activity Reports: Detailed reports of document access, processing, and AI interactions
- Security Status Reports: Regular reports on security posture and incident status
- Audit Support: Comprehensive documentation supporting legal professional regulatory audits
12.4 Transparency and Communication
Regular communication about security posture and incidents:
- Security Status Page: Public status page showing current security posture and any incidents
- Regular Security Updates: Periodic communication about security enhancements and changes
- Incident Transparency: Clear, timely communication about security incidents and remediation
- Security Roadmap: Regular updates about planned security improvements and enhancements
13. Data Retention and Destruction
13.1 Data Retention Framework
Comprehensive data retention policies aligned with legal and regulatory requirements:
- Personal Data Retention: Retention of personal data only as long as necessary for stated purposes
- User-Generated Content Retention: User-controlled retention with immediate deletion capabilities
- Legal Hold Procedures: Procedures for legal hold requirements while maintaining security
- Automated Retention Management: Automated systems for retention policy enforcement and data lifecycle management
13.2 Secure Data Destruction
Enhanced data destruction procedures:
- Cryptographic Erasure: Primary data destruction method using encryption key deletion
- Physical Destruction: Physical destruction of storage media when cryptographic erasure is insufficient
- Chain of Custody: Comprehensive chain of custody documentation for all data destruction activities
- Destruction Verification: Technical verification and certification of complete data destruction
14. Business Continuity and Disaster Recovery
14.1 Business Continuity Planning
Comprehensive business continuity framework:
- Continuity Risk Assessment: Regular assessment of risks to business continuity
- Recovery Time Objectives: Defined recovery time objectives for different types of incidents
- Continuity Testing: Regular testing of business continuity procedures and capabilities
14.2 Disaster Recovery Procedures
Comprehensive disaster recovery capabilities:
- Data Backup Strategy: Multi-tier backup strategy with geographically distributed storage
- Recovery Procedures: Detailed procedures for data and system recovery
- Recovery Testing: Regular testing of recovery procedures and capabilities
- Recovery Communication: Clear communication procedures during disaster recovery situations
15. Compliance and Review
15.1 Regular Policy Review
This Security Policy is subject to comprehensive regular review:
- Annual Policy Review: Comprehensive annual review of all security policies and procedures
- Regulatory Change Assessment: Regular assessment of changes in legal and regulatory requirements
- Threat Landscape Review: Regular review of evolving security threats and countermeasures
- Stakeholder Feedback Integration: Integration of feedback from legal professional users and other stakeholders
15.2 Compliance Monitoring
Ongoing compliance monitoring and assessment:
- Internal Audits: Regular internal audits of security controls and procedures
- External Assessments: Independent third-party security assessments and compliance audits
- Regulatory Compliance: Ongoing monitoring of compliance with legal profession regulatory requirements
- Continuous Improvement: Continuous improvement based on audit findings and industry best practices
16. Contact and Enquiries
Questions or concerns regarding this Security Policy may be directed to:
Security Team, ClausePilot
- Email: security@clausepilot.com
- Response Time: Acknowledgment within 24 hours, substantive response within 72 hours
17. Definitions
- "Platform": The ClausePilot AI-powered web-based interface accessible via app.clausepilot.com and all associated services.
- "Personal Data": Any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
- "User-Generated Content": Any documents, contracts, contract drafts, clauses, templates, text, data, information, or other materials that are uploaded, input, created, modified, stored, or otherwise processed by users through the Platform.
- "Matter": A specific legal case, transaction, or issue that a legal professional is handling for a client.
- "Data Controller": The natural or legal person who determines the purposes and means of processing personal data, as defined in Article 4(7) GDPR.
- "Data Processor": A natural or legal person who processes personal data on behalf of the controller, as defined in Article 4(8) GDPR.
- "Sub-processor": Any processor engaged by ClausePilot that processes User-Generated Content on behalf of users.
- "AI API Providers": The external artificial intelligence service providers (as listed in Appendix 2 of the Data Processing Agreement) whose APIs are integrated into the Platform.
- "Encryption": The use of cryptographic protocols to protect data in transit (TLS 1.3 or higher) and at rest (AES-256).
- "Zero Trust Architecture": A security model that requires verification for every person and device trying to access resources, regardless of their location.
- "Cryptographic Erasure": A method of data destruction that renders data unrecoverable by deleting or overwriting the cryptographic keys used to encrypt the data.
This Security Policy is effective as of 23 April 2026 and supersedes all previous versions. ClausePilot reserves the right to modify this policy as necessary to maintain the highest standards of security and compliance.