Confidentiality & security

What security should a law firm look for in a legal AI tool?

Look for independent security credentials such as ISO/IEC 27001 certification and a SOC 2 Type 2 report, encryption in transit and at rest, clear data-residency terms, a contractual commitment not to train on your content, role-based access controls with audit logging, and a signed data processing agreement. Marketing claims are not enough: ask to see the certificate, the report and the contract terms in writing.

Independent certifications

ISO/IEC 27001 (a certification of an information-security management system) and SOC 2 (an independent auditor's attestation over a provider's controls) are the recognised baselines. Ask which the vendor holds, and ask to see the evidence rather than a logo on a website. For ISO 27001 that means the current certificate, including its scope statement, the accredited certification body that issued it and its expiry date. For SOC 2 it means the report itself: check whether it is Type 1 (controls designed at a point in time) or Type 2 (controls operating over a review period, usually six to twelve months), which systems it covers, and any exceptions the auditor noted. Ask for a Type 2 report.

Encryption and access controls

Confirm data is encrypted in transit (TLS 1.2 or later) and at rest (AES-256), ask who controls the encryption keys, and confirm that access is role-based, limited to named staff who need it, and logged. You want to know not just that the data is protected, but who inside the vendor can reach it, under what approval, and whether that access is recorded and reviewed.

Data terms in the contract

Get the data questions answered in writing: where client content is stored and processed (including any subprocessors the vendor uses), how long it is retained and when it is deleted, a commitment not to train on it, a data processing agreement, and breach-notification terms with a stated timeframe. These belong in the agreement, not in a sales conversation.

Where Quillio sits

Quillio is ISO/IEC 27001:2022 certified, holds a SOC 2 Type 2 attestation, and is aligned with IRAP, the Australian Privacy Principles and GDPR. Client content is stored in Australia on Australian-owned hosting, encrypted in transit and at rest, and is not used to train any AI model.

Frequently asked questions

Is ISO 27001 enough for legal AI?

It is a strong baseline for information-security management, but its scope is set by the vendor and it does not by itself tell you how your content is handled. Pair it with a SOC 2 Type 2 report, encryption in transit and at rest, clear data-residency terms and a contractual no-training commitment for a complete picture.

What is the difference between ISO 27001 and SOC 2?

ISO/IEC 27001 is a certification, issued by an accredited certification body, that a vendor's information-security management system conforms to the standard. SOC 2 is a report, issued by an independent auditor against the AICPA Trust Services Criteria, giving an opinion on whether the vendor's controls are suitably designed and, for a Type 2 report, operated effectively over the review period. Reputable vendors often hold both, because they answer different questions.

Should I ask to see the actual certificate?

Yes. Ask for the current certificate or report and the relevant contract terms rather than relying on a badge or a marketing claim, and check that the certificate is still in date and that the report's scope actually covers the service you are buying.

See how Quillio handles this in practice

AI built for Australian and New Zealand law — a citation on every answer, client content stored in Australia, and a free trial so you can test it on your own files.