Trust & Privacy at LawGoat

LawGoat is built for the way law actually works — where confidentiality isn't a setting, it's a foundation.

Every case you upload, every document you process, every client communication you draft stays inside your firm's private environment. Not shared. Not visible to other firms. Never used to improve our models or anyone else's.

This page explains exactly what we do — and don't do — with your data.

No credit card. Unlimited storage. Your data stays yours.

Built for Attorney-Client Privilege

You have obligations your software vendor doesn't. We built LawGoat with that in mind. When you upload a case to LawGoat, that data belongs to your firm.

Our AI processes it privately to generate summaries, timelines, and action proposals — but the underlying case data never leaves your environment to train a shared model, populate another firm's results, or inform any output outside your own dashboard.

This isn't just good practice. For a platform handling medical records, accident reports, treatment histories, and settlement figures, it's the only acceptable standard.

How We Protect It

Encryption — End to End

All data is encrypted at rest and in transit using AES-256-GCM — the same standard used by financial institutions and healthcare systems. Whether your files are sitting in storage or moving between services, they're encrypted.

Firm Isolation

Your firm's data is invisible to every other firm on the platform. There is no shared data layer, no cross-firm search, and no aggregation of your case content. What's yours is only yours.

Credential Vaulting

When LawGoat's action agents access external portals on your behalf — insurance portals, medical record systems, court filing platforms — your credentials are stored in a dedicated secrets vault (AWS Secrets Manager) with AES-256-GCM encryption. They are retrieved only at the moment of use, never logged, and never exposed in screenshots or audit trails.

Human-in-the-Loop — Always

No action taken on your behalf is automatic by default. Our 5-level approval system routes every AI-proposed action — from SMS drafts to portal submissions — through a human approval step before anything is sent or executed. You are always in control of what goes out. The only things that auto-execute are tasks your team has explicitly approved repeatedly over time, at a confidence threshold you control.

Audit Trail

Every action taken in LawGoat — whether by the AI or a team member — is logged with a timestamp and user attribution. If you ever need to reconstruct what happened on a case and when, that record is there.

Screenshot Sanitization

When our browser agents interact with external portals, all screenshots taken during the session have password fields and sensitive inputs cleared before they are stored. You get a visual record of what happened without credential exposure.

No AI Training on Your Cases

This deserves its own section because it matters.

Many AI platforms — legal and general — use customer interactions to improve their underlying models. We do not. Your case documents, your client data, your firm's knowledge base, and your team's approved actions are never fed back into model training. Not for LawGoat's models. Not for any third-party models we use.

Your cases are your cases. They don't make someone else's AI smarter.

Your Firm's Private AI

We don't share your data. We don't train on it. We don't sell it. Ever.

This isn't fine print — it's the foundation the platform is built on. LawGoat processes your case data privately to power your AI tools, and that's where it stays.

Compliance

Where We Are Today

LawGoat is currently implementing the technical and organizational controls required for formal compliance certification. The following are in place now:

AES-256-GCM encryption at rest and in transit
Firm-level data isolation architecture
Credential vaulting via AWS Secrets Manager
Full audit logging with user attribution and timestamps
Human-in-the-loop approval gates on all consequential actions
Screenshot sanitization for all browser agent sessions

SOC 2 Type II

We are currently undergoing our SOC 2 Type I audit with our independent auditor. SOC 2 Type I is the foundational security certification standard for SaaS companies handling sensitive data — it verifies that our security controls are properly designed to protect your information. Our audit is currently in progress, and we will publish our report upon completion.

HIPAA

Personal injury law firms regularly handle protected health information (PHI): medical records, treatment histories, billing records. We take that responsibility seriously. We are currently undergoing an independent HIPAA compliance audit and have received our draft report, with the final report expected shortly. HIPAA-compliant data handling is a core part of our compliance roadmap, running in parallel with our SOC 2 work.

BAA Requests

If your firm handles PHI and requires a BAA, contact us at info@lawgoat.com to request one.

Your Data, Your Exit

You are never locked in. You can export your firm's data at any time, in full, in a usable format. If you decide to leave LawGoat, your data leaves with you and is deleted from our systems upon request. No holdbacks, no delays.

Questions?

If you have specific security questions — about our architecture, data handling practices, compliance timeline, or BAA process — we're happy to answer them directly.

Contact: info@lawgoat.com

This page was last updated March 2026. We will update it as our compliance certifications are completed.