Australian infrastructure. Lawyer-grade controls.
Quillio is built for the duty of confidentiality Australian and New Zealand lawyers owe their clients — SOC 2 Type II, ISO 27001, full Australian data sovereignty, and a complete audit trail.
Quillio holds SOC 2 Type II and ISO 27001 certifications and runs entirely on Australian-owned infrastructure. Client documents, research queries, and AI outputs are stored in Australia, and an enterprise option keeps all AI processing in Australia. Multiple state law societies have issued AI guidance recommending exactly this — Quillio is built around it.
Standards Quillio meets
Independent audit of security, availability, processing integrity, confidentiality, and privacy controls. Type II covers the operating effectiveness of controls over a period (not just a point in time).
International standard for information security management. Quillio's ISO 27001 certification covers the entire information security management system across the organisation.
All client data — documents, queries, AI outputs — is stored in Australia on Australian-owned infrastructure. An enterprise option keeps all AI processing in Australia as well.
All connections to Quillio use TLS 1.3 with modern cipher suites. Documents and queries are encrypted in transit between your device and Quillio's infrastructure.
All client data is encrypted at rest using AES-256. Encryption keys are managed within Australia.
Every query, every output, every user action is logged for compliance, supervision, and regulatory purposes. Audit logs are accessible to firm administrators.
Data flow and residency
When you upload a document or run a query, the data flows from your device over TLS 1.3 to Quillio's Australian-hosted infrastructure. Your documents are stored in Australia — on Australian-owned data centres, under Australian law. The AI output is returned to your device and stored in your Quillio account on Australian infrastructure. An enterprise option keeps all AI processing in Australia.
This is materially different from US-hosted AI tools (including general-purpose tools like ChatGPT and US-based legal AI tools like Harvey and CoCounsel). US-hosted infrastructure is subject to the US CLOUD Act, which allows US law enforcement to compel disclosure of data stored on US providers' servers — even data belonging to non-US clients. For Australian lawyers operating under AU privacy law, AU law society AI guidance, and a duty of confidentiality to clients, the location and governing jurisdiction of your AI provider's data centres is part of your compliance assessment.
Who can see what
Role-based access
Configure access by role: partner, senior associate, junior, support staff. Permissions can be set per practice group or per matter.
Single sign-on (SSO)
Enterprise plan supports SSO via SAML 2.0 (Okta, Azure AD, Google Workspace). Authentication is centralised through your existing identity provider.
Multi-factor authentication
MFA is supported for all plans and required by default on Enterprise. Configurable enforcement at the firm level.
Session management
Configurable session timeouts, IP allowlisting (Enterprise), and forced logout for terminated users.
Who Quillio uses
Quillio uses a small set of subprocessors for infrastructure, monitoring, and customer support — all operating within Australia where they handle client data. The current subprocessor list is available to enterprise customers under NDA. We notify customers in advance of any material change to the subprocessor list, with a window to object before the change takes effect.
Document storage, query logging, and audit logging happen within Australia, and an enterprise option keeps all AI model inference in Australia as well.
Reporting a vulnerability
If you have discovered a security vulnerability in Quillio, we want to hear about it. Email [email protected] with the details — including reproduction steps where possible. We will acknowledge receipt within 24 hours, work on a fix, and coordinate disclosure timing with you. We commit to not pursuing legal action against good-faith security researchers.
Security FAQs
Where exactly is Quillio's data hosted?
On Australian-owned data centres located within Australia. Client documents, queries, AI outputs, and audit logs are stored in Australia. An enterprise option keeps all AI processing in Australia as well.
Is Quillio used to train any AI model?
No. Client documents and queries are not used to train any AI model — Quillio's or anyone else's. Your data is yours, processed for your matter, and not contributed to any training pipeline.
Can I get the SOC 2 Type II audit report?
Yes. The full SOC 2 Type II audit report is available to enterprise customers under NDA. Email [email protected] and we will share it during your evaluation.
How does Quillio handle the US CLOUD Act?
Quillio is an Australian company operating Australian-owned infrastructure under Australian law. The US CLOUD Act applies to US-based technology providers — Quillio is not one. Your client data cannot be compelled by US law enforcement because it is not in US jurisdiction.
Does Quillio meet AU state law society AI guidance?
Yes. Multiple AU state law societies have issued AI guidance recommending that AI tools used in legal practice store and process data within Australia. Quillio is built around exactly this requirement — Australian infrastructure, Australian residency, Australian governing law.
Can I get the audit logs for my firm?
Yes. Firm administrators can access the complete audit trail of queries, outputs, and user actions through the admin dashboard. Logs can be exported for compliance and supervision purposes.
What encryption does Quillio use?
TLS 1.3 with modern cipher suites for data in transit. AES-256 for data at rest. Encryption key management is handled within Australia.
Can I require MFA for all users in my firm?
Yes. Multi-factor authentication can be enforced at the firm level on the Firm and Enterprise plans. All plans support MFA per user.
Run the security review.
Most firms clear our security review on the first pass. Start a free trial pilot, share our security pack with your CISO or risk lead, and confirm the answer fits your requirements before any commitment.