Security & Compliance
Ithildin is built for the legal industry — where confidentiality is non-negotiable. Every system, control, and audit exists to protect your clients' most sensitive information.
Compliance Standards
Audited annually by an independent third party.
Ithildin undergoes annual SOC 2 Type II audits covering the Trust Services Criteria for Security, Availability, and Confidentiality. Unlike a Type I audit, Type II validates that our controls operate effectively over time — not just on paper.
Controls assessed include: logical access management, encryption at rest and in transit, incident response procedures, change management, and continuous monitoring. Audit reports are available to enterprise clients under NDA.
- AES-256 encryption at rest
- TLS 1.3 for all data in transit
- Role-based access control with least-privilege enforcement
- Automated vulnerability scanning and penetration testing
- Incident response SLA: notification within 24 hours
Full compliance with EU data protection law.
Ithildin operates in full compliance with the General Data Protection Regulation (EU) 2016/679. We act as a data processor on behalf of our clients, who remain the data controllers for any personal data processed through the platform.
We maintain Data Processing Agreements (DPAs) with all clients handling EU personal data. Our sub-processors are contractually bound to the same standard of protection.
- Data Processing Agreements available on request
- Rights of access, rectification, and erasure honored within 30 days
- Data minimization: we collect only what is necessary
- EU data residency options available for enterprise clients
- Personal data breaches notified to the controller without undue delay, so the controller can meet its 72-hour notification obligation to the supervisory authority
- We do not sell or share personal data with third parties
Your California privacy rights, fully respected.
Under the California Consumer Privacy Act, California residents have specific rights regarding their personal information. Ithildin honors all CCPA rights and does not sell personal information under any circumstances.
- Right to know what personal information is collected and why
- Right to delete personal information upon verified request
- Right to opt out of the sale of personal information (we do not sell data)
- Right to non-discrimination for exercising any CCPA right
- Requests processed within 45 days of receipt
International standard for information security management.
Our information security management system (ISMS) is aligned with ISO/IEC 27001:2022, the international standard for managing information security risk. This means security is embedded in how we build, operate, and improve Ithildin — not bolted on after the fact.
- Formal risk assessment and treatment process
- Security policies reviewed and updated annually
- Employee security training and awareness program
- Supplier and vendor risk assessments
- Regular internal audits and management reviews
- Continuous improvement through nonconformity tracking
Data Practices
How we handle your data.
Zero retention
Deposition content is never retained beyond your active session unless you explicitly export it. We do not train models on client data.
Encryption everywhere
All data is encrypted at rest with AES-256 and in transit with TLS 1.3. Encryption keys are managed with strict access controls.
Access controls
Role-based permissions limit data access to only those who need it. All access is logged, audited, and monitored for anomalous activity.
Audit logging
Every data access event is logged with user identity, timestamp, and action. Logs are tamper-evident and retained for 12 months.
Penetration testing
External penetration tests are conducted at least annually by independent security firms. Critical findings are remediated within 30 days.
Vulnerability management
Automated scanning runs continuously across our infrastructure. We maintain a formal vulnerability disclosure program.
Questions about privacy?
Our security team is available to answer questions, provide compliance documentation, or arrange a security review for enterprise clients.
security@ithildin.ai