Security & trust

Your client material, your tenant, your call.

CounselGuard runs on the same controls a law firm would expect for any vendor handling privileged material: isolated tenancy, regional residency, no training on your data, and a verifiable audit trail for everything we touch.

Six principles we hold ourselves to.

01

Your data stays in your tenant

Every firm runs in an isolated tenant on Google Cloud, with strict per-firm access scoping enforced at the database, storage, and API layers. Cross-firm reads are blocked by default and verified on every request.

02

Region of your choice

Tenants are provisioned in the US (us-east1) or EU (europe-west1). Storage, processing, and backups all stay in-region. For EU firms with data-residency requirements, that means no transatlantic transfer of client material.

03

No model training on your data

Gemini calls run with provider training and logging disabled. We do not fine-tune, evaluate, or otherwise train any model on captured transcripts, policies, or activity. Raw captures are sanitized before analysis and never leave your tenant.

04

Activity is captured at the edge, not in the cloud

The desktop agent and Chrome extension capture AI tool usage on the user's device. Content is HMAC-signed, encrypted in transit over TLS, and dropped into your tenant. Nothing is staged on third-party servers we don't control.

05

Least-privilege, audited access

Every action against firm data is logged in an append-only audit trail. CounselGuard staff have no standing read access to tenant data; support access requires explicit firm-owner approval and is recorded in the same log.

06

Defensible by design

Every record — a tool registered, a policy approved, a transcript analyzed — is timestamped, attributed, and immutable. The same workflow that catches issues produces the evidence a regulator or client would ask for.

What firms ask in security review.

Do you sub-process firm data through other vendors?

Only Google Cloud (hosting, Firestore, Cloud Storage) and Google Gemini (model inference with training disabled). No other sub-processors touch firm content. The full sub-processor list is provided in the DPA on request.

What about the desktop agent — does it watch everything I do?

No. The agent only observes AI tool windows and processes (ChatGPT, Claude, Harvey, etc.) that your firm has opted into. It does not capture other applications, screenshots of unrelated work, or keystrokes outside the targeted tools. The list of tools captured is configurable per firm.

What's the encryption story?

TLS 1.3 in transit. AES-256 at rest. Agent and extension credentials are stored encrypted on-device. All API calls from the agent are HMAC-signed and verified server-side; signature checks are non-bypassable.

Can you provide a SOC 2 report?

We're a young company and have not yet completed a SOC 2 Type II audit. For firms that require one, we can scope the engagement and target a completion date as part of the contract. In the interim we can share our internal security policy, incident-response runbook, and architecture overview.

What happens if we cancel?

Within thirty days of termination, the firm owner can export all firm data (activity records, policies, audit log, training records) in JSON, then trigger a tenant wipe. Backups are purged within ninety days. We do not retain firm content beyond that window.
