Built for firms whose regulator asks questions
Plexolegal handles the most sensitive material a law firm holds. This page sets out, plainly and without badges, how that material is protected. Detailed documentation is available to firms under review.
How client data is handled
The platform is engineered on certified enterprise infrastructure, with controls applied from the first line of code rather than added before an audit.
Data residency
All processing and storage are configured to UK and EU regions exclusively. Client material does not leave those regions at any stage of processing.
Isolation
Each firm operates in its own isolated environment with its own access controls. No data, index or model context is shared between firms.
Encryption & access
Encryption in transit and at rest as standard. Multi-factor authentication is enforced for every user, with role-based permissions configured to the firm's structure.
Accountability
Every action touching case data is recorded in an audit trail retained for seven years, aligned with professional record-keeping expectations.
AI boundaries
Client data is never used to train AI models. Every AI-produced output is reviewed and approved by the firm's own fee earners before it enters a case file, and every claim cites its source page.
Resilience
Daily encrypted backups with point-in-time recovery, and documented incident response and retention policies.
The documents your compliance review will ask for
- Data Processing Agreement signed with every client firm as part of onboarding.
- A firm-specific Data Protection Impact Assessment prepared during setup, reflecting your data flows rather than a generic template.
- Sub-processor list available on request, with notice of changes.
- Information security, incident response, and retention policies available to firms under review.
Reporting a security concern
We welcome responsible disclosure. Email [email protected] and we will acknowledge promptly; our security.txt carries the canonical contact details.