We keep your data secure

Legal matters involve some of life's most sensitive information. We take that responsibility seriously.

Your story is not AI training data

Our AI services are governed by commercial terms and data-processing agreements. Model providers are contractually barred from using your content to train their models.

We minimise what we send and use provider retention controls and contractual safeguards.

Encrypted at every step

Everything you share travels over TLS and is stored encrypted (AES-256). Uploaded documents live in private storage that is only reachable through signed, expiring links.

Passwords are hashed, never stored in plain text, and checked against known breaches using k-anonymity, so neither your password nor your identity is shared.

You control who sees what

Access is role-based and limited to people who need it to support your matter. Administrative access is restricted and logged.

You can remove invited members from a matter. Partner and Remedy staff access is limited by role and purpose.

Where we stand

UK GDPR

We are UK-based and handle personal data under UK GDPR, with the ICO as our regulator.

ICO registered

Registered with the Information Commissioner's Office, registration reference ZC031343.

Cyber Essentials

Independently assessed and certified under the NCSC's Cyber Essentials scheme.

CASA Tier 2

Independently security-assessed to Google's CASA Tier 2 standard for handling connected-email data.

Our sub-processors

It takes a village to provide a world-class service. Here's ours, last updated 15 July 2026.

ProviderWhat they doWhere
AnthropicAI model providerUnited States
Google Cloud (Vertex AI)AI model providerEU where available
Google Cloud StorageFile storageGoogle Cloud, private bucket
NeonDatabaseUnited Kingdom (AWS London)
Google (Gmail API)Email access, only if you connect an inboxGlobal (Google)
Google (Places)Address autocompleteGlobal (Google)
TwilioSMS and WhatsApp messagingUnited States
PostmarkTransactional emailUnited States
ExaWeb searchUnited States
BrowserbaseWeb browsing for researchUnited States
PostHogProduct analyticsEU (Frankfurt)
CloudflareBot and abuse preventionGlobal edge network
RailwayAPI hostingEU (Netherlands)
VercelWebsite and app hostingGlobal edge network
StripeInvoicing and paymentsUnited States / EU
Cal.comScheduling callsUnited States
SlackInternal operations alertsUnited States

Signing in with Google or Apple

When you use social sign-in, Google or Apple confirm who you are and share your name and email with us. They act under their own terms, not as our processors.

Partner organisations

When you choose to involve a partner, such as a law firm taking on your case, they receive the relevant matter content under a data-sharing agreement and handle it under their own regulatory duties.

Breached-password checks

Passwords are checked against known breaches using k-anonymity (HaveIBeenPwned): only the first five characters of a hash leave our systems, never your password and never who you are.

Seen something that doesn't look right?

Security researchers, users, and anyone else: if you have a concern about how we handle data, or want to disclose a vulnerability, we want to hear it. Every message to this address is read.