Security

We take your data seriously.

Legal privilege and client data confidentiality are our number-one priority. This page is about how, concretely. No marketing, no slogans — just the kind of infrastructure you'd expect from a professional partner.

01 — API instead of public chat

How the Claude API works.

There's a fundamental difference between the public ChatGPT/Claude chat and API access. We work exclusively over the API.

  • Data sent over the API is not used to train the model. Contractually and technically — Anthropic codifies this in the Enterprise Agreement.
  • No provider employee has routine access to the content of your conversations. Access is possible only in narrowly defined cases (abuse, legal obligation) and under strict audit.
  • Data is not shared with third parties. Not anonymized, not aggregated.
  • API conversations are not implicitly logged on the provider's side. If we enable logging (for audit trail), retention is set to the agreed period — typically 30 or 90 days, per your internal policy.

02 — Encryption & transport

How we protect data in transit and at rest.

The architecture follows current enterprise standards. No improvisation.

  • In transit: TLS 1.3 (TLS 1.2 as a minimum), forward secrecy enabled. No legacy ciphers.
  • At rest: AES‑256. Keys segregated per client; rotation per policy.
  • No data is stored locally on unsecured devices. Endpoints inside the firm (laptops, phones) are protected via MDM recommendations and a zero-trust posture.
  • EU data centres. If a specific use case requires CZ/EEA data sovereignty, we handle it via local deployments and European providers.

03 — Legal privilege

Alignment with § 21 of the Czech Bar Act.

AI is the lawyer's tool — analogous to other software you already use (DMS, billing, productivity suite). Using a tool doesn't break privilege. What matters is how the tool is configured.

  • We recommend codifying AI usage in an internal firm policy — who can use it, for what, and how. We prepare a template for this policy as part of implementation.
  • Data classification: some document types are handled by AI by default; others require explicit supervisor approval. We design the policy to fit your practice type.
  • Audit trail: who, when, and against which document AI was used. Standard for Enterprise clients; available on request for Professional.
  • Our recommendations were reviewed with counsel specialized in compliance and professional duties. The full memo is provided to clients during onboarding.

04 — Team‑level access segregation

Who sees what — exactly the way you decide.

In a larger firm, different teams work on different matters — M&A, litigation, employment law. Each has different clients, different documents, different confidentiality rules.

We configure AI tools to respect that structure precisely. The M&A team doesn't see the litigation team's files — and vice versa. Access to skills, documents and connectors is segmented per your internal policies, not per the vendor's generic defaults.

Result: AI assistance tailored to each team member's role, with full control on the side of firm management.

05 — GDPR

Personal data processing in an AI context.

AI doesn't add a special GDPR problem — it does, however, put existing principles under sharper light. We have ready answers for what GDPR asks of a provider like us.

  • Legal basis: typically art. 6(1)(f) GDPR (legitimate interest of the controller, i.e. you). For sensitive data, a specific basis — handled ad hoc.
  • DPA (Data Processing Agreement): we sign our own DPA, layered on top of the sub-processor agreement with Anthropic. Documents are provided before implementation begins.
  • Data subject rights: access, rectification, erasure, restriction — all implementable. With one-shot API calls, nothing is persisted long term.
  • DPIA (Data Protection Impact Assessment): for projects with significant scope, we prepare a DPIA as part of the design phase.

06 — The difference, in one table

"Just open ChatGPT" vs. our setup.

The gap between what your colleague does on the free version over the weekend and a professional deployment is wide. Concretely:

| Attribute                              | Free ChatGPT/Claude    | Cordinel setup (API)        |
|----------------------------------------|------------------------|-----------------------------|
| Data used for training                 | Yes (often default-on) | No, contractually excluded  |
| Control over data                      | Minimal                | Full, per client            |
| Audit trail                            | No                     | Yes, per policy             |
| Privilege alignment                    | Problematic            | Ensured                     |
| Enterprise security (SSO, MFA, roles)  | No / limited           | Yes                         |
| DPA & sub-processor agreement          | Generic                | Custom, signable            |

Questions we hear most often.

Short, concrete answers. If something's missing, get in touch — we'll add it.

Can I upload a client contract into AI?

Yes — provided you use API access with the control policies we configure for you. Client contracts don't go to public ChatGPT. They are sent through the API endpoint with explicit no-training, encrypted, with an audit trail.

We recommend codifying usage rules in an internal firm policy — we provide a template. For especially sensitive matters (sanctions, criminal defense, M&A in regulated sectors) we recommend a two-layer approval flow.

What if AI "leaks" my contract data into another conversation?

With API access, this can't happen. Each AI call is stateless — it has no memory between calls unless we explicitly enable it, and even then only within one isolated client context.

What you sometimes hear — "the chat showed another user's data" — refers to the public ChatGPT versions and is, in the vast majority of cases, a UI cache bug, not a data leak from the model. The API doesn't have that layer.

Do I need client consent to use AI?

From the perspective of the Czech Bar Act, generally no — AI is the lawyer's tool like any other software, and you (not the tool) maintain privilege. From a client-relationship perspective, however, it's wise to mention it in onboarding communication, especially with large corporate clients with their own policies.

For everyday clients, we recommend a brief addendum to your engagement terms (1–2 paragraphs) — drafted as part of onboarding.

Is using AI in a law firm legally compliant?

Yes. The Czech Bar Act and the Czech Bar Association's professional code do not prohibit AI use as long as the lawyer maintains privilege and bears responsibility for the output. Both the Czech Bar Association and CCBE (Council of Bars and Law Societies of Europe) have issued statements welcoming AI use, with responsibility staying with the lawyer.

The EU AI Act, which is entering into force in stages, does not classify ordinary AI use in law firms as a high-risk system — provided it's not automated decision-making without human oversight. Our implementation is designed with that in mind.

What happens in case of a data incident?

We have an incident-response process. On suspicion of an incident we notify you within 24 hours; within 72 hours we deliver a structured report (scope, affected data, remediation steps). This procedure satisfies GDPR art. 33 requirements.

Contractually, we commit to cooperate on notifying the Czech Office for Personal Data Protection if necessary. To date we haven't had to invoke this mechanism.

Have a question that isn't here?

Security is a topic where simple answers run out roughly where your specific circumstances begin. If you want to walk through the detail of your environment, get in touch directly. No sales — just a conversation about what specifically must hold for AI to make sense for you.