Data stays in the EU
All customer data is stored and processed on infrastructure located in Germany. Nothing leaves the EU without an explicit legal transfer mechanism.
Security
Your data lives in the EU, travels encrypted, is never used to train AI models, and is handled in compliance with GDPR. Here is exactly how we protect it.
Questions or security reviews? Write to security@lawcel.com
All customer data is stored and processed on infrastructure located in Germany. Nothing leaves the EU without an explicit legal transfer mechanism.
TLS 1.2 and 1.3 enforced for all traffic. Older protocol versions are disabled.
Role-based access enforced at every route and action. All data is logically isolated per organisation at the database level. Team members get the minimum access their role requires.
API keys are stored only as one-way hashes. The raw key is shown once at creation and never retained. Webhook payloads are verified by HMAC-SHA-256 signature before processing.
Sign-in uses magic links only - no passwords to store, rotate, or leak. Sessions are bound to secure, httpOnly cookies.
Daily database backups with a 30-day rolling window. Restore procedures are tested periodically.
AI data handling
All AI processing happens server-side. Your browser never communicates directly with the AI provider - requests are proxied through Lawcel's backend so your data stays within our control boundary.
Only the minimum data needed for each analysis is forwarded - change descriptions, your legal documents, and your legal profile.
No model training
Customer content submitted via the API is not used to train or improve the AI provider's general models, under their commercial terms.
Scoped transfers
Only the minimum data needed for each analysis is forwarded. Retention at the AI provider is limited to the operational period set out in their terms.
Transfer safeguards
Where AI processing involves a provider outside the EU, transfers are governed by Standard Contractual Clauses with a completed Transfer Impact Assessment.
If your procurement process requires a completed security questionnaire, a countersigned DPA, or a technical walkthrough, reach out directly.