Security
Built for legal data you can't afford to lose.
Legal work can involve privileged correspondence, PII, confidential documents, and draft strategy. Jarel is designed with controls that help teams review how sensitive AI work is handled.
Compliance roadmap
Honest about where we are.
We show certification and compliance work with its actual status: supported, in progress, or planned. No badge-washing.
Supported
GDPR support
Built to support GDPR obligations with DPAs, EU data-residency options, and documented security controls.
Available
DPA and security review
Security and data-processing materials can be shared with prospects and customers under NDA where appropriate.
In progress
SOC 2 Type II
Third-party audit underway. Report available under NDA after completion.
Planned
ISO 27001
Planned information security management certification for enterprise procurement and governance needs.
Planned
ISO 42001
Planned AI system governance certification for model oversight, data handling transparency, and reviewable AI outputs.
Security practices
The controls behind the roadmap.
No training on customer content
Customer documents, prompts, and generated content are not used to train Jarel models. Provider processing follows configured no-training terms where available.
Encryption in transit and at rest
Sensitive legal materials are protected with encryption in transit and at rest. Advanced key-management options should be discussed for eligible enterprise deployments.
Regional data residency
EU residency is the default public position. Additional region options should be presented only when enabled for the customer's workspace.
Authenticated access controls
Workspace access is designed around authenticated users, authorization checks, and auditability. Enterprise identity controls are configured where available.
Audit logs for review
Reads, writes, and AI calls are logged for review where available. Enterprise audit controls are designed to support traceability across sensitive workflows.
Security review program
Security testing, dependency review, and external assessment evidence should be shared according to its current status, not implied before it exists.
Transparency
Every vendor in our chain.
We publish our subprocessor list and notify customers in advance of material changes.
Request full list| Vendor | Purpose | Region |
|---|---|---|
| Vercel | Hosting and edge | US / EU |
| Vercel AI Gateway | Model routing | US / EU |
| Anthropic | LLM provider | US |
| OpenAI | LLM and voice services | US |
| Supabase | Database and storage | US / EU / UK |
| Sentry | Error monitoring | US / EU |
Questions about security?
We share our security posture, compliance roadmap, DPAs, and security materials with prospects under NDA where appropriate.