ClausePilot Security Policy

    1. Introduction

    ClausePilot Korlátolt Felelősségű Társaság (registration number: Cg.01-09-454891; registered seat: 1163 Budapest, Karát utca 33., Hungary) ("ClausePilot", "we", "us", or "our") is committed to maintaining the confidentiality, integrity, and availability of all Personal Data and User-Generated Content processed through our Platform. This Security Policy describes the comprehensive technical, organizational, and administrative measures we have implemented to ensure robust information security, trust, and compliance with applicable laws, including the GDPR and legal profession regulatory requirements across EU jurisdictions.

    This Policy applies to all users of the ClausePilot platform, with particular attention to the unique security requirements of legal professionals, as well as to ClausePilot staff, contractors, and third-party service providers.

    1.1 Legal Professional Security Commitment

    ClausePilot recognizes that legal professionals have heightened security obligations, including the preservation of attorney-client privilege, client confidentiality, and compliance with professional ethics rules. Our security framework is specifically designed to support these professional obligations while enabling the use of advanced AI technology for supporting legal and administrative work.

    2. Hosting and Infrastructure Security

    2.1 EU Data Sovereignty and Residency

    Primary data storage at rest for all User-Generated Content is located exclusively within the European Economic Area (EEA). For certain session-limited processing activities, such as AI analysis via third-party APIs, the relevant User-Generated Content is temporarily transferred to service providers in the United States (see Appendix B of the Data Processing Agreement). Transfers rely on (i) the EU–U.S. Data Privacy Framework ("DPF") where the provider is certified, or (ii) the European Commission’s Standard Contractual Clauses ("SCCs") supplemented by transfer-impact assessments and encryption safeguards. We apply comprehensive technical controls preventing any inadvertent data transfers outside the EEA jurisdiction.

    2.2 Cloud Infrastructure Security

    ClausePilot relies on Amazon Web Services (AWS) EU regions, the market leader in secure cloud infrastructure, certified under ISO 27001, SOC 2, and other international standards.

    2.3 Encryption and Cryptographic Controls

    • Data in Transit: TLS 1.3 encryption for all communications with perfect forward secrecy
    • Data at Rest: AES-256 encryption for all stored data with regularly rotated encryption keys
    • Key Management: Hardware Security Modules (HSMs) for cryptographic key generation and management
    • Document-Level Encryption: Additional encryption layer for legal documents with matter-specific keys

    3. Dual-Role Security Architecture

    ClausePilot operates under a dual-role security framework reflecting our distinct responsibilities as both Data Controller and Data Processor under GDPR.

    3.1 Data Controller Security Measures

    For Personal Data where ClausePilot acts as Data Controller (account information, usage data, payment data), we implement:

    • Dedicated Controller Infrastructure: Separate security controls and monitoring for controller data
    • Enhanced Access Logging: Comprehensive audit trails for all access to personal account information
    • Privacy-by-Design Controls: Built-in privacy protections for all personal data processing
    • Controller-Specific Incident Response: Tailored procedures for incidents affecting personal data

    3.2 Data Processor Security Measures

    For User-Generated Content where ClausePilot acts as Data Processor (uploaded documents, client information, user information), we implement:

    • Processor-Only Access: Strict limitations ensuring we only process data per user instructions
    • Enhanced Confidentiality Controls: Additional security layers for sensitive legal documents
    • Client Privilege Preservation: Technical measures maintaining attorney-client privilege throughout all processing

    4. AI Processing Security Framework

    4.1 AI Integration Security Architecture

    ClausePilot integrates with third-party AI providers (as listed in Appendix 2 of the Data Processing Agreement) under strict security controls:

    • Isolated Processing Environments: Each AI processing request operates in a secure, isolated container
    • API Security Hardening: Enhanced authentication, encryption, and monitoring for all API communications
    • Processing Transparency: Complete audit trails of all AI processing activities

    4.2 Legal Professional Privilege Protection

    Our AI processing framework specifically preserves legal professional privilege:

    • Privilege-Aware Processing: AI systems receive explicit instructions about privileged content handling
    • No Model Training: Contractual and technical guarantees preventing use of legal documents for AI model training
    • Immediate Purging: All AI processing data is immediately purged after response generation

    4.3 Third-Party API Security Controls

    For each AI API provider, we enforce:

    • Confidentiality Agreements: Comprehensive contracts prohibiting data retention and model training
    • Security Assessments: Regular third-party security audits of all API providers
    • Fail-Safe Mechanisms: Automatic fallback procedures if security controls are compromised

    4.4 Model Training Prohibition Controls

    Technical safeguards preventing user data from being used for AI model training:

    • No-Training Headers: Explicit API headers prohibiting model training use
    • Contractual Enforcement: Legal agreements prohibiting and addressing unauthorized data use

    5. Access Management and Control

    5.1 Advanced Access Control Framework

    We enforce comprehensive access control measures:

    • Role-Based Access Control (RBAC): Granular permissions based on job functions and business necessity
    • Zero Trust Architecture: Continuous verification of all access requests regardless of source
    • Privileged Access Management: Enhanced controls for administrative and system accounts
    • Authentication: To ensure secure and robust user authentication, ClausePilot utilizes Google Firebase Authentication services, which provide industry-standard security for managing user credentials and sessions.

    5.2 Emergency Access Procedures

    Secure emergency access protocols while maintaining confidentiality:

    • Break-Glass Procedures: Controlled emergency access with comprehensive audit trails
    • Dual Authorization: Multiple approvals required for emergency access to legal documents
    • Immediate Notification: Automatic notification to relevant legal professionals of emergency access
    • Post-Incident Review: Mandatory review of all emergency access incidents

    6. Document Security and Vault Protection

    6.1 Document Lifecycle Security

    Comprehensive security throughout the document lifecycle:

    • Upload Security: Malware scanning and content validation for all uploaded documents
    • Processing Security: Encrypted processing pipelines with integrity verification
    • Storage Security: Multi-layered encryption and access controls for stored documents
    • Deletion Security: Cryptographic erasure ensuring complete data destruction

    6.2 Personal Vault Security Architecture

    Enhanced security for personal document storage:

    • Individual Encryption: Each vault encrypted with unique, user-controlled keys
    • Access Isolation: Complete isolation between different users' vaults
    • Integrity Monitoring: Continuous monitoring for unauthorized vault access or modification
    • Backup Security: Encrypted, geographically distributed backups with restoration capabilities

    6.3 Secure Document Deletion

    Enhanced deletion protocols exceeding industry standards:

    • Cryptographic Erasure: Immediate deletion of encryption keys rendering data unrecoverable
    • Multi-Pass Overwriting: Physical overwriting of storage media for enhanced security
    • Backup Purging: Coordinated deletion across all backup systems and replicas
    • Deletion Verification: Technical verification of complete data destruction

    7. Legal Profession Compliance Framework

    7.1 Professional Standards Compliance

    Regular assessment of compliance with legal profession requirements:

    • Multi-Jurisdiction Compliance: Monitoring compliance with legal profession regulations across EU member states
    • Professional Ethics Integration: Regular review of platform features against legal ethics requirements
    • Regulatory Change Monitoring: Continuous tracking of evolving legal profession regulatory requirements

    8. Incident Response and Breach Notification

    8.1 Enhanced Incident Response Framework

    ClausePilot maintains a comprehensive Incident Response Plan with legal-data-specific procedures:

    • Notification: Immediate notification procedures for incidents affecting legal data
    • Privilege Preservation: Incident response procedures that maintain attorney-client privilege
    • Regulatory Notification: Notification to relevant legal profession regulatory bodies when required
    • Client Impact Assessment: Comprehensive framework for assessing and communicating client data impacts

    8.2 Incident Classification and Response

    Tiered response based on incident severity and data types affected:

    • Critical Incidents: Immediate response for incidents affecting legal documents or client data
    • High Priority: Rapid response for incidents affecting platform availability or personal data
    • Standard Response: Regular procedures for minor incidents and system issues
    • Post-Incident Review: Comprehensive analysis and improvement planning after all incidents

    8.3 Breach Notification Procedures

    Comprehensive notification procedures ensuring compliance with all applicable requirements:

    • User Notification: Direct notification to affected legal professionals within 24 hours
    • Regulatory Notification: Notification to data protection authorities within 72 hours as required by GDPR
    • Professional Body Notification: Notification to relevant legal profession regulatory bodies when required
    • Transparency Reporting: Clear communication about incident nature, consequences, and remediation measures

    Where ClausePilot acts as processor, it provides the Controller with all necessary information to enable the Controller to meet its own obligation to notify the relevant data protection authority within 72 hours, as required by GDPR.

    9. Vulnerability and Patch Management

    9.1 Proactive Vulnerability Management

    ClausePilot implements a comprehensive vulnerability management program:

    • Continuous Scanning: Automated vulnerability scanning of all systems and applications
    • Threat Intelligence: Integration with global threat intelligence feeds for early warning
    • Risk Assessment: Regular risk assessment of identified vulnerabilities with prioritized remediation
    • Zero-Day Protection: Enhanced monitoring and rapid response procedures for zero-day vulnerabilities

    9.2 Patch Management Framework

    Systematic approach to security patching:

    • Critical Patch Timeline: Emergency patching within 24 hours for critical security vulnerabilities
    • Regular Patch Cycles: Scheduled patching cycles with comprehensive testing procedures
    • Testing Protocols: Rigorous testing in isolated environments before production deployment
    • Rollback Procedures: Comprehensive rollback capabilities for problematic patches

    9.3 Third-Party Security Assessment

    Regular security assessment of all third-party components:

    • Vendor Security Reviews: Annual security assessments of all critical vendors
    • Dependency Scanning: Automated scanning of all software dependencies for vulnerabilities
    • Third-Party Monitoring: Continuous monitoring of third-party security advisories and patches

    9.4 Penetration Testing and Security Audits

    Regular independent security testing:

    • Annual Penetration Testing: Comprehensive penetration testing by independent third parties
    • Quarterly Security Audits: Regular security audits focusing on different aspects of the platform
    • Red Team Exercises: Advanced adversarial testing simulating sophisticated attack scenarios

    10. Third-Party and Vendor Risk Management

    10.1 Sub-Processor Security Requirements

    Enhanced security requirements for all sub-processors handling User-Generated Content:

    • Security Certification Requirements: Mandatory security certifications (ISO 27001, SOC 2) for all sub-processors
    • Contractual Security Obligations: Comprehensive security requirements in all sub-processor agreements
    • Regular Security Assessments: Ongoing security assessments of all sub-processors

    10.2 AI Provider Security Management

    Specialized security management for AI API providers:

    • Enhanced Due Diligence: Comprehensive security assessment of all AI providers
    • Contractual Safeguards: Detailed contracts prohibiting data retention and unauthorized use
    • Technical Integration Security: Secure API integration with comprehensive monitoring
    • Regular Compliance Verification: Regular verification of AI provider compliance with security requirements

    10.3 Vendor Lifecycle Management

    Comprehensive vendor management throughout the engagement lifecycle:

    • Pre-Engagement Assessment: Thorough security assessment before vendor engagement
    • Ongoing Monitoring: Continuous monitoring of vendor security posture and performance
    • Incident Coordination: Coordinated incident response procedures with all vendors
    • Contract Termination: Secure data destruction and access revocation upon contract termination

    11. Organizational Security Measures

    11.1 Security Training and Awareness

    Comprehensive security training program:

    • Legal-Specific Security Training: Specialized training addressing legal profession security requirements
    • Regular Security Updates: Ongoing training on evolving security threats and countermeasures
    • Professional Ethics Integration: Training integrating security with legal ethics and professional conduct

    11.2 Personnel Security

    Enhanced personnel security measures:

    • Background Verification: Comprehensive background checks for all personnel with system access
    • Confidentiality Agreements: Detailed confidentiality agreements for all staff and contractors
    • Access Recertification: Quarterly review and recertification of all personnel access rights
    • Separation Procedures: Comprehensive procedures for secure access termination upon role change or departure

    11.3 Physical Security

    Secure handling and disposal of all IT equipment.

    12. Continuous Monitoring and Transparency

    12.1 Comprehensive Audit Trails

    Detailed logging supporting legal professional compliance requirements:

    • AI Processing Logs: Detailed logs of all AI processing activities with query and response tracking

    12.2 Real-Time Security Monitoring

    Continuous monitoring for security threats and anomalies:

    • Threat Detection: Real-time detection of security threats and attack attempts
    • Automated Response: Automated response systems for immediate threat containment
    • Alert Management: Comprehensive alert management with escalation procedures

    12.3 Legal Professional Reporting

    Specialized reporting supporting legal professionals' compliance obligations:

    • Activity Reports: Detailed reports of document access, processing, and AI interactions
    • Security Status Reports: Regular reports on security posture and incident status
    • Audit Support: Comprehensive documentation supporting legal professional regulatory audits

    12.4 Transparency and Communication

    Regular communication about security posture and incidents:

    • Security Status Page: Public status page showing current security posture and any incidents
    • Regular Security Updates: Periodic communication about security enhancements and changes
    • Incident Transparency: Clear, timely communication about security incidents and remediation
    • Security Roadmap: Regular updates about planned security improvements and enhancements

    13. Data Retention and Destruction

    13.1 Data Retention Framework

    Comprehensive data retention policies aligned with legal and regulatory requirements:

    • Personal Data Retention: Retention of personal data only as long as necessary for stated purposes
    • User-Generated Content Retention: User-controlled retention with immediate deletion capabilities
    • Legal Hold Procedures: Procedures for legal hold requirements while maintaining security
    • Automated Retention Management: Automated systems for retention policy enforcement and data lifecycle management

    13.2 Secure Data Destruction

    Enhanced data destruction procedures:

    • Cryptographic Erasure: Primary data destruction method using encryption key deletion
    • Physical Destruction: Physical destruction of storage media when cryptographic erasure is insufficient
    • Chain of Custody: Comprehensive chain of custody documentation for all data destruction activities
    • Destruction Verification: Technical verification and certification of complete data destruction

    14. Business Continuity and Disaster Recovery

    14.1 Business Continuity Planning

    Comprehensive business continuity framework:

    • Continuity Risk Assessment: Regular assessment of risks to business continuity
    • Recovery Time Objectives: Defined recovery time objectives for different types of incidents
    • Continuity Testing: Regular testing of business continuity procedures and capabilities

    14.2 Disaster Recovery Procedures

    Comprehensive disaster recovery capabilities:

    • Data Backup Strategy: Multi-tier backup strategy with geographically distributed storage
    • Recovery Procedures: Detailed procedures for data and system recovery
    • Recovery Testing: Regular testing of recovery procedures and capabilities
    • Recovery Communication: Clear communication procedures during disaster recovery situations

    15. Compliance and Review

    15.1 Regular Policy Review

    This Security Policy is subject to comprehensive regular review:

    • Annual Policy Review: Comprehensive annual review of all security policies and procedures
    • Regulatory Change Assessment: Regular assessment of changes in legal and regulatory requirements
    • Threat Landscape Review: Regular review of evolving security threats and countermeasures
    • Stakeholder Feedback Integration: Integration of feedback from legal professional users and other stakeholders

    15.2 Compliance Monitoring

    Ongoing compliance monitoring and assessment:

    • Internal Audits: Regular internal audits of security controls and procedures
    • External Assessments: Independent third-party security assessments and compliance audits
    • Regulatory Compliance: Ongoing monitoring of compliance with legal profession regulatory requirements
    • Continuous Improvement: Continuous improvement based on audit findings and industry best practices

    16. Contact and Enquiries

    Questions or concerns regarding this Security Policy may be directed to:

    Security Team, ClausePilot

    • Email: security@clausepilot.com
    • Response Time: Acknowledgment within 24 hours, substantive response within 72 hours

    17. Definitions

    • "Platform": The ClausePilot AI-powered web-based interface accessible via app.clausepilot.com and all associated services.
    • "Personal Data": Any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
    • "User-Generated Content": Any documents, contracts, contract drafts, clauses, templates, text, data, information, or other materials that are uploaded, input, created, modified, stored, or otherwise processed by users through the Platform.
    • "Matter": A specific legal case, transaction, or issue that a legal professional is handling for a client.
    • "Data Controller": The natural or legal person who determines the purposes and means of processing personal data, as defined in Article 4(7) GDPR.
    • "Data Processor": A natural or legal person who processes personal data on behalf of the controller, as defined in Article 4(8) GDPR.
    • "Sub-processor": Any processor engaged by ClausePilot that processes User-Generated Content on behalf of users.
    • "AI API Providers": The external artificial intelligence service providers (as listed in Appendix 2 of the Data Processing Agreement) whose APIs are integrated into the Platform.
    • "Encryption": The use of cryptographic protocols to protect data in transit (TLS 1.3 or higher) and at rest (AES-256).
    • "Zero Trust Architecture": A security model that requires verification for every person and device trying to access resources, regardless of their location.
    • "Cryptographic Erasure": A method of data destruction that renders data unrecoverable by deleting or overwriting the cryptographic keys used to encrypt the data.

    This Security Policy is effective as of 23 April 2026 and supersedes all previous versions. ClausePilot reserves the right to modify this policy as necessary to maintain the highest standards of security and compliance.
