§ I · Security

EU-only. Zero retention. Audit before you sign.

A legal-tech vendor's security posture should read like a DPA, not a marketing page. This is what we will publish, defend in writing, and walk an auditor through — before contract signature.

EU data residency

Frankfurt (eu-central-1) + Warsaw. No transfers outside the EEA.

Zero AI training

Customer data never enters any training set, ours or anyone else's.

Zero retention

Model providers see your data only in-flight, never at rest.

ISO 27001 · operating to controls

Stage 1 audit Q3 2026. SOC 2 Type II evidence Q3 2026 → Q1 2027. ISO 42001 Q3 2027. Not yet certified.

§ II · Claims we'll defend in writing

Seven commitments. Four are tied to a DPA clause and in force today; three are tied to a scheduled audit.

Commitment | Where it lives | Status
EU-only data residency: customer data is stored and processed only on AWS infrastructure in Frankfurt and Warsaw. | DPA § 4.1 | in force
Zero AI training on customer data: no customer prompt, document, or output is used to train any model; confirmed by sub-processor contracts. | DPA § 6.3 | in force
Zero retention by model providers: all LLM calls run under no-retention enterprise agreements; no customer data persists outside our EU tenant. | DPA § 5.2 | in force
Encryption in transit and at rest: TLS 1.3 in transit, AES-256 at rest; customer-managed keys (CMK) available on the Enterprise tier. | DPA § 7.1 | in force
ISO/IEC 27001:2022: operating to the Annex A controls today; Stage 1 audit scheduled for Q3 2026; we do not yet hold the certificate. | aligned · audit scheduled | aligned
SOC 2 Type II: operating to the Trust Services Criteria; evidence-collection window opens 1 July 2026; first report expected Q1 2027. | aligned · roadmap | aligned
ISO/IEC 42001:2023 (AI management system): programme design under way, calibrated to EU AI Act obligations for limited-risk AI systems; certification targeted Q3 2027. | programme design | in design
§ III · Sub-processors

Five sub-processors. Disclosed in the DPA. Auditable before signature.

Provider | Service | Location | Jurisdiction
Amazon Web Services EMEA SARL | Compute, storage, networking | Frankfurt · Warsaw | EU
Anthropic Ireland Ltd. | Language model inference · no-retention enterprise agreement | Dublin · Frankfurt | EU
Mistral AI SAS | Polish-language model inference · EU sovereign deployment | Paris | EU
Plausible Insights OÜ | Cookieless analytics · aggregate, anonymized | Tallinn | EU
Resend Sp. z o.o. | Transactional email · DKIM + ARC signed, EU-routed | Warsaw | EU
§ V · Where the data goes

A query, end to end. Every hop in EU jurisdiction.

Annotations
  [1] Corpus retrieval: public primary sources only, fetched read-only and indexed within the EU tenant.
  [2] Citation verifier: every model output is matched back to the source paragraph before display.
  [3] Refusal-when-silent: if no primary source resolves the question, the answer says so. No fabricated case file numbers (sygnatury).
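Annotations [2] and [3] describe a citation verifier and a refusal path. As an added illustration of that pattern in code (not Grasperly's code and not its API), the following Python verifier matches each quoted span in a model answer back to the retrieved passage it cites, fails closed on any citation it cannot resolve, and refuses outright when retrieval returned nothing. Passage, verify(), render(), the citation syntax, the regular expression and the two-paragraph sample corpus are assumptions constructed for the example; the case file number in it is invented.

```python
# Added example, not Grasperly's code: a minimal citation verifier with
# refusal-when-silent, of the kind annotations [2] and [3] describe.
# Passage, verify(), render() and the sample corpus are assumptions.
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Passage:
    """One retrieved paragraph of a primary source."""
    source_id: str  # case file number (sygnatura) plus paragraph marker
    text: str


# Constructed sample corpus standing in for retrieved primary-source text.
# The case file number and wording are invented for the example.
CORPUS = [
    Passage("II CSK 123/20 ¶4",
            "The limitation period for claims arising from a contract of sale is two years."),
    Passage("II CSK 123/20 ¶5",
            "The period begins to run on the day the claim became due."),
]

# Assumed citation syntax: a quoted span followed by a 1-based index into
# the passages that were retrieved for this query.
CITATION_RE = re.compile(r'"(?P<quote>[^"]+)"\s*\[(?P<ref>\d+)\]')

REFUSAL = "No primary source in the corpus resolves this question."
AI_INDICATOR = "[AI-generated · every citation verified against its source]"


def _norm(s: str) -> str:
    """Unicode- and whitespace-normalise so matching is not defeated by layout."""
    return " ".join(unicodedata.normalize("NFKC", s).casefold().split())


@dataclass
class Verdict:
    display: bool  # may the answer be shown to the user?
    text: str      # the answer, or the refusal
    verified: list[tuple[str, str]] = field(default_factory=list)  # (quote, source_id)
    rejected: list[tuple[str, str]] = field(default_factory=list)  # (citation, reason)


def verify(answer: str, passages: list[Passage]) -> Verdict:
    """Match every quoted citation in `answer` back to the passage it cites.

    Fails closed: the answer is displayed only if it carries at least one
    citation and every citation resolves to a verbatim span of its source.
    """
    if not passages:
        # Refusal-when-silent: nothing was retrieved, so nothing is answered.
        return Verdict(False, REFUSAL)

    verdict = Verdict(True, answer)
    for m in CITATION_RE.finditer(answer):
        quote, ref = m.group("quote"), int(m.group("ref"))
        if not 1 <= ref <= len(passages):
            verdict.rejected.append((m.group(0), "cites a passage that was not retrieved"))
            continue
        passage = passages[ref - 1]
        if _norm(quote) in _norm(passage.text):
            verdict.verified.append((quote, passage.source_id))
        else:
            verdict.rejected.append((m.group(0), f"quote not found in {passage.source_id}"))

    if verdict.rejected or not verdict.verified:
        # One unresolvable citation, or none at all, blocks the whole answer.
        verdict.display, verdict.text = False, REFUSAL
    return verdict


def render(verdict: Verdict) -> str:
    """Attach the AI indicator and the resolved sources for display."""
    lines = [AI_INDICATOR, verdict.text]
    if verdict.display:
        lines += [f"  source: {sid}" for _, sid in verdict.verified]
    return "\n".join(lines)


if __name__ == "__main__":
    answer = ('Claims from a sale lapse after "two years" [1]; '
              'time runs from "the day the claim became due" [2].')
    print(render(verify(answer, CORPUS)))
    print(render(verify('The period is "three years" [1].', CORPUS)))
    print(render(verify(answer, [])))
```

The substring match is deliberately strict: a paraphrase that is not a verbatim span of the cited paragraph is rejected, which is the behaviour a legal user wants from a verifier rather than a similarity score that can be gamed. A production verifier would additionally bind each passage index to a stable corpus identifier and the retrieval that produced it, so that a model cannot cite a passage from a different query's context.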
§ VI · EU AI Act posture

A limited-risk system, transparently used.

Grasperly is classified as a limited-risk AI system under the EU AI Act (Regulation (EU) 2024/1689). The platform supports natural-language interaction with verified case-law and assists with drafting and deadline arithmetic; it does not autonomously file pleadings, accept service of process, or take regulatory action on behalf of the firm.[1]

Every AI-generated output ships with an unambiguous indicator (the signal-teal citation marks throughout the product) and a one-click expansion to the supporting primary source. This meets the transparency obligations of Article 50 of the regulation and, for legal-research outputs, goes beyond them by linking each output to the primary source it rests on.[2]

Sources
  [1] Regulation (EU) 2024/1689 · EU AI Act · Art. 6 risk classification · eur-lex.europa.eu
  [2] Regulation (EU) 2024/1689 · EU AI Act · Art. 50 transparency obligations · eur-lex.europa.eu
§ Floor, not ceiling

Zero training on customer data is in force today. ISO 27001, SOC 2, and ISO 42001 are the frameworks we operate to and the audits we have scheduled.

Security commitments · DPA §§ 6.3 + 11

Read the DPA before you sign.

Warsaw · Stockholm · GDPR Art. 28 compliant