Skip to main content

Security & compliance

Your case files are covered by professional privilege.
So is our architecture.

Every technical choice in Themis follows one simple rule: what enters your firm never leaves it. Here are our commitments — and what they mean in practice.

EU hosting·Zero training·Zero retention

Our commitments

Seven commitments, enforced by architecture.

No vague promises: each commitment maps to a specific technical or contractual safeguard your teams can verify.

01.

Zero training

No customer data ever trains an AI model — neither ours nor our providers'. This commitment is contractual.

02.

Zero retention

Models run in EU regions: the model provider retains neither your queries nor your documents.

03.

EU hosting

Database, documents and AI processing are hosted and operated in the European Union, under the GDPR.

04.

Encryption

Your data is encrypted in transit (TLS 1.3) and at rest (AES-256).

05.

Professional privilege

Built for it: contractually-bound GDPR processor, fine-grained role-based access control, access logging.

06.

Vetted sub-processors

A short, documented chain of sub-processors — each covered by an impact assessment (DPIA).

07.

Reversibility

Your data stays yours: full export of your cases, invoices and documents, at any time.

Documentation

Everything is documented.

Sub-processor list, impact assessments (DPIA) and data processing agreement (DPA) available on request.

Request the DPA

Compliance posture

Our compliance, in full transparency.

A factual, documented status for each area. Here is exactly where we stand.

GDPR
Compliant

Records of processing, per-processor impact assessments, DPA on request.

ISO 42001
Certification in preparation

Our AI management system follows the ISO 42001 standard; we are preparing for this certification.

E-invoicing
Compliant

Structured formats and FEC export already built into Themis invoicing.

Sovereignty architecture

Your data is hosted and processed in the European Union.

Data travels a short, encrypted and auditable path through Themis — from document upload to the assistant's answer.

European Uniondata residency · eu-west
01

Your data

Case files, documents and pleadings remain the firm's exclusive property.

origin · law firm
02

Encryption

Encrypted in transit and at rest, on ISO 27001-certified infrastructure.

TLS 1.3 · AES-256
03

Zero retention

No copy is kept after processing by the model provider.

retention = 0 · training = off

Storage, database and AI inference all stay in an EU region.

Contractual guarantees
Never a consumer API

Only contracted enterprise infrastructure, in European regions — no transfer to services intended for the general public.

No data kept

The model provider retains neither your queries nor your documents: retention is disabled contractually and technically.

No training data

Nothing that passes through Themis feeds the training of any model — neither ours nor a third party's.

Frequently asked questions

The answers your firm is entitled to expect.

Straight answers, no jargon — the ones we give the firms that audit us.

Is my data used to train AI models? +
No, never. Neither your documents, nor your queries, nor your conversations with the assistant are used to train any model — ours or our providers'. This guarantee is contractual and architectural: we exclusively use enterprise AI offerings where training on customer data is disabled.
Where is my data hosted? +
In the European Union, without exception. The database, document storage and AI model inference all run in European regions subject to the GDPR.
Which AI models do you use, and where do they run? +
State-of-the-art models hosted in data centres located in the European Union. We never use consumer APIs: only enterprise infrastructure under contract, in EU regions.
What retention applies at the model provider? +
None. Retention is disabled contractually and technically: the model provider keeps neither your queries nor your documents after processing. No copy survives the response.
How is professional privilege protected? +
By design. As a contractually-bound GDPR processor, your data is encrypted in transit and at rest and hosted in the European Union. Access is finely controlled by role within the firm and logged, and no data is ever used to train a model.
Who are your sub-processors? +
A short, documented list: hosting, AI infrastructure and technical services, each covered by an impact assessment. The full sub-processor list and our DPA are available on request.
Is my data encrypted? +
Yes, systematically: in transit and at rest. Encryption comes on top of role-based access control and access logging.
Can I get my data back if I leave? +
Yes, in full. You can export all of your cases, invoices and documents in usable formats. Reversibility is a contractual commitment: your data is never captive.
Are you compliant with the GDPR and the European AI Act? +
GDPR: yes — EU hosting, records of processing, impact assessments and DPA. AI Act: our compliance programme is structured and tracked; we are preparing the corresponding ISO 42001 certification.
Does the lawyer stay in control? +
Always. The AI assists — it researches, prepares, structures and cites its sources — but it never decides. Every output can be verified reference by reference, and remains under the lawyer's control and responsibility.

DPA · security questionnaire · DPIA

Your teams have questions?
Ours have the answers.

Send us your security questionnaire, or request our DPA and sub-processor list — answered within 24 business hours.

DPA ON REQUEST · DOCUMENTED SUB-PROCESSOR LIST · REPLY WITHIN 24 BUSINESS HOURS