Confidential, secure, and built for in-house legal.

Our security measures include:

• We encrypt all user data at rest (AES-256) and in transit (TLS 1.2+).

• Your data is kept segregated from the data of other customers.

• All GC AI vendors that process or store user data are SOC-2 compliant. See our Subprocessor List.

• We are SOC 2 Type I and Type II certified (reports are available through our Trust Center).

This security setup is similar to that of top enterprise cloud software providers like Google Cloud.

Yes. As a professional matter, once you verify the security processes above and our terms, you can input information as you would to any other trusted cloud-based tools like Google Workspace, Slack or Asana, as long as you verify the security and policies of the provider - in this case, of GC AI. Privilege is maintained. 

You may input confidential client information into GC AI after verifying our security processes and terms. Privilege is maintained, similar to other trusted cloud-based tools (e.g., Google Workspace, Slack, Asana). State bars and the American Bar Association have advised that lawyers have a duty to review Gen AI provider security (as you would with any security provider) (see ABA Formal Opinion 512), and some, such as NY (See NY Bar Formal Opinion 2024-5), have advised the duty of candor is such that “''a lawyer must review all [G]enerative AI outputs'” including but not limited to 'analysis and citations to authority,' for accuracy before use for client purposes and submission to a court or other tribunal.

As of this writing, not yet. But we expect that courts and state bars will consider the issue and conclude, as California and the American Bar Association did (see Calif. Bar guidance on AI; ABA Formal Opinion 512) and as the Illinois Bar did for email as a technology, that attorneys are responsible for storing files and client information securely and can meet that responsibility by conducting diligence on their providers.

Today, GC AI has a product for individual lawyers and legal teams controlled by a secure auth provider, WorkOS. Each login works only for that account. Organizations have access control and administration features controlled by organization admins. We have SSO/SAML and work with all major identity providers through our authentication provider WorkOS. We also maintain incident response plans and regular security audits, and we train employees on data security.

Currently, GC AI uses OpenAI, Anthropic, Cohere, Reducto, and Google LLM APIs. None of them can train on your data. 

• OpenAI - data sent to OpenAI is not used for training (source) and, therefore, would not be accessed by others or made available if other users ask similar questions later. GC AI has a zero data retention policy with OpenAI.

• Anthropic - data sent to Anthropic is not used for training (source). GC AI has a zero data retention policy with Anthropic.

• Cohere -  data sent to Cohere is not used for training (source) as GC AI has opted out of training.

• Reducto - data sent to Reducto is not used for training (source), and GC AI has a zero data retention policy retention with Reducto.

• Google - data sent to Google is not used for training as GC AI uses the paid Gemini API service (source - Gemini Terms).

Company-specific information or data you input into GC AI is not used to train an AI model.

GC AI may use Inputs like uploaded materials for service improvement in two ways. Note: third-party providers, like OpenAI and Anthropic LLM APIs, cannot train on or retain your Inputs.  

• When You Provide Feedback. We offer in-product tools to provide feedback - today, that's the thumbs up and thumbs down functionality.  If you provide feedback on a given interaction with the AI, in that instance, our Engineering team will see that specific chat so that they can debug or take action on the feedback if needed. Your feedback is not provided to others and does not leave GC AI systems. For example, if you give feedback on AI response's formatting not being what you wanted, we might test your question against multiple private internal test versions of GC AI to fix that issue for everyone.

• In De-identified Form. GC AI may use data that has been de-identified and aggregated to improve the service of GC AI only and not other model providers. For example, we periodically create a list of anonymized query categories to better understand what kind of things users ask so we can build features related to those things. GC AI Terms require confidentiality; no identifiable data is exposed.

Yes. Our DPA is included in our standard terms for all customers.

Some US courts (like Judge Starr in Texas) require that attorneys disclose their use of AI to the court. Some state bars, like New York, recommend disclosure to stakeholders. We recommend you check and follow the rules where you practice as well as oversee the outputs of AI as outlined in the GC AI Terms.

GC AI Terms specify your right to delete your data at any time and our privacy obligations.

• Customer data is retained as long as the account is active and will be deleted upon request. Other information, such as account data, financial records, employee records, security documentation, log data, and backup data, follows guidelines and regulations consistent with the security and operational needs and standards.

GC AI uses Standard Contractual Clauses as the preferred mechanism for cross-border data transfers.

In the unlikely event of a data breach, GC AI follows a structured response plan:

• Detection

• Investigation

• Containment

• Notification

You may delete your Inputs and Outputs at any time from within the Service.

• To erase all organization data, submit a written request to security@getgc.ai.

• GC AI will delete data from all systems (including downstream vendors) within an industry-standard timeframe.

• GC AI may retain information required by law.