Understanding Data Security and Compliance in Vincent Studio
Learn how Vincent Studio ensures data security and compliance, including vLex's handling of PII, data retention, and encryption.
Summary
Vincent Studio protects your data through per-customer encryption, strict data isolation, and configurable retention policies. Critically, your firm's data is never used to train or improve the foundational AI models.
Why This is Important
Understanding these security measures allows you to use Studio with confidence, knowing your sensitive legal information is protected and that you can meet your firm's compliance and client confidentiality obligations. This article provides the key details you need to trust our AI legal workflow automation with your data.
Our Core Security and Compliance Framework
vLex implements comprehensive, multi-layered security measures to protect your sensitive legal information within Vincent Studio.
1. Encryption: In Transit and At Rest
All data your organization submits to Vincent Studio undergoes encryption using a per-customer master key. This ensures that only authorized users within your organization can access your workflow content and outputs. This encryption is applied to both data in transit (as it travels over the internet) and data at rest (as it is stored on our servers).
2. Data Isolation and AI Model Training
This is the most critical principle of our data handling policy:
Your Data is Never Used for Training: Customer data, especially Personally Identifiable Information (PII) or Protected Health Information (PHI), never trains or improves the foundational AI models (e.g., GPT, Claude). Your data is used exclusively to process your request in real-time and is not retained by the model providers.
Strict Data Isolation: Your data is kept logically separate and secure, accessible only to your authorized users.
3. Compliance and Data Residency
Vincent Studio is built on an infrastructure designed to meet stringent legal industry standards.
Configurable Data Residency: Your organization can restrict data processing to specific geographic regions (US or EU/Ireland) to comply with regulatory requirements like GDPR.
Certified Infrastructure: The platform operates on an AWS infrastructure that is ISO 27001 and SOC II certified.
4. Data Retention and Archival
You have control over how long your data is stored.
Configurable Retention: While the default data retention period for conversations is one year, your organization can configure shorter or longer periods based on your firm's policies.
Automatic Deletion: Once the retention period expires, data is automatically and permanently deleted.
Note on Workflow Assets: Documents you upload as Workflow Assets are considered part of the workflow's permanent structure. They exist outside the standard conversation retention policy and will persist until the workflow is manually deleted. Do not include sensitive or client-specific information in a Workflow Asset unless it is intended to be a permanent part of that tool.
Best Practices & Pro Tips
Treat Workflow Assets Like a Template: Before uploading a document as a Workflow Asset, always scrub it of any client names, case numbers, or other sensitive information. The asset should contain your firm's process or rules, not specific case data.
Align Retention with Firm Policy: Work with your firm's administrator to ensure your organization's data retention settings in vLex align with your internal governance and compliance policies.
Related Articles
Unlock the Power of Legal Automation
Ready to see how Vincent Studio can transform your firm's efficiency?
Contact our sales team for a personalized demo today.
What's Your Next Step?
New to Vincent Studio?
Already a Vincent Studio Customer?
Last updated
Was this helpful?