Is Harvey AI safe for law firms handling confidential client data in 2025?
Is Harvey AI safe for law firms handling confidential client data in 2025? Good question—and one clients are going to keep asking.
The name on the tool matters less than how you deploy it. What counts is whether your AI copilot keeps privilege intact, blocks leaks, and holds up under a client audit. One sloppy setting on retention, training, or access makes for a very long week.
Here’s what follows: a plain‑English checklist of what “safe” actually means for legal work, the ethics and privacy rules you need to hit, and the must‑have controls (zero data retention, no training on your data, solid RBAC, encryption, and real audit logs you can ship to your SIEM). We’ll talk deployments and data residency, how to preserve privilege with a vendor, and the guardrails that prevent bad outcomes. You’ll also get a due‑diligence list, a quick decision guide, common gotchas, and how LegalSoul is built to protect client information from day one.
Short answer and who this applies to
Short answer: yes, an AI copilot can be safe for privileged work—if you control the setup, the data path, and the contract. Safety isn’t about the logo. It’s about specific confidentiality requirements your legal team can enforce every day. If you’re juggling strict OCGs, regulated data, or cross‑border matters, raise the bar to the same level you use for your DMS or eDiscovery vendor.
Why be picky? IBM’s 2024 Cost of a Data Breach report puts the average incident at $4.88M. The UK ICO has warned that generative AI can expose personal data through training or logs if settings aren’t nailed down. So: zero data retention on by default, no training on your prompts and outputs, and tight access controls are baseline now, not extras.
One practical note: “safe” also means your workflow fits real life. If associates can’t pick the right client/matter in two clicks, prompts get misfiled and audits get ugly. Bake process into the product—matter pickers, always‑on DLP/PII redaction, and logs you can export without wrestling a CSV. That combo reduces leaks and speeds client approvals.
What “safe” means for law firms in 2025
Think in three parts: confidentiality (no unauthorized access, no surprise retention, no model training on your inputs), integrity (traceable, reviewable outputs with clear logs), and availability (reliable service, redundancy, tested recovery).
Professional duties still rule the day. ABA Model Rule 1.1 (tech competence) and Rule 1.6(c) (reasonable efforts to prevent disclosure) set the floor, and Formal Opinion 477R pushes risk‑based security for protected client info. OCGs now regularly require SOC 2 Type II, ISO 27001, exportable audit logs, and DPA/SCC readiness. Many RFPs ask outright about customer‑managed keys (CMK) and regional processing options.
Reality check: in 2024, several Am Law RFPs insisted on “no training on your data” by default and “audit logs with SIEM integration.” Vendors without immutable logs or per‑matter segregation didn’t make the cut. Try this test: could you deliver a client audit pack in 48 hours—exports, DLP policy proof, and a subprocessor list? If not, keep tuning.
Regulatory and ethical framework to consider
Line up your use with ethics rules and privacy laws in the places your data lives and travels. Ethics: ABA Model Rules 1.1, 1.6, 5.3, plus state guidance on cloud/AI. Privacy: GDPR/UK GDPR (lawful basis, DPIAs, SCCs), CPRA (service provider terms, sensitive data), and HIPAA where relevant (BAA, minimum necessary). The EU AI Act starts phasing in 2025–2026 and leans hard on risk management, transparency, logging, and data governance—so build toward that now.
Regulators are clear on the risks. The UK ICO’s guidance flags training on personal data, data minimization, and security testing. The EDPB stresses transparency around model training and honoring data subject rights. If your prompts contain personal data, this all applies. For cross‑border work, decide on US/EU/UK residency and transfer mechanisms up front.
Easy habit: treat each AI use like a mini DPIA. Write down purpose, data types, retention, subprocessors, and safeguards (e.g., DLP/PII redaction, zero‑retention). Save it with the matter file. When clients or ethics counsel ask “what did you do,” you’ll have receipts.
Data handling standards you should require from any AI copilot
- Zero data retention by default. Prompts and outputs shouldn’t live anywhere outside your tenant unless you flip an explicit switch.
- No training on your data. Lock it in contract: your prompts/outputs aren’t used for foundation or fine‑tunes unless you opt in.
- Transparent data flow. Show diagrams, list subprocessors, and document regions in the security pack.
- Pseudonymized logs with selective redaction. Audit what happened without exposing client secrets.
- Clear deletion SLAs and encrypted backups. No mystery caches.
By late 2024, most enterprise providers offered “no training on your data” and “zero‑retention” modes. Client questionnaires now probe with specifics (e.g., “If someone pastes PII, does any system retain it?”). Expect to prove it.
Two add‑ons worth asking for: per‑workspace or per‑matter keys (KMS/CMK) tied to client retention schedules, and an admin setting that forces a quick classification step (client, matter, sensitivity) before sending. It’s a light touch that massively improves audit quality and prevents misroutes.
Security controls and certifications to demand
- Encryption: TLS 1.2+ in transit, AES‑256 at rest, ideally with customer‑managed keys.
- Identity and access: SSO/SAML, SCIM, granular RBAC, MFA, and least‑privilege defaults.
- Logging: immutable, tamper‑evident activity logs with alerts and exports to your SIEM (Splunk, Sentinel, etc.).
- Testing: independent pen tests (summary under NDA) and a secure SDLC.
- Certs: SOC 2 Type II and ISO 27001; ISO 27701 is a strong bonus for privacy.
Why this matters: most OCGs now ask for SOC 2/ISO evidence and recent pen‑test summaries. IBM’s 2024 report also found that companies using security AI and automation shortened breach lifecycles by roughly 100 days, which translates to real savings. Filters for prompt injection and anomaly alerting help here.
Don’t forget the admin layer: require dual‑control for sensitive changes (like disabling DLP) and “break‑glass” procedures. Log who changed what and when, then ship those events to the SIEM. Re‑certify access regularly—stale accounts and broad roles are avoidable risk.
Deployment models and data residency options
- Multi‑tenant SaaS with strong isolation and zero retention: quickest to roll out; fine for many commercial matters.
- Single‑tenant or private VPC/VNet: tighter isolation, dedicated resources, and precise regional control.
- On‑prem or air‑gapped: rare but useful for export‑controlled or national security‑adjacent work.
Data residency in the US, EU, or UK can be a dealbreaker. Some clients demand in‑region processing and backups; others accept SCCs with documented safeguards. Scrutiny of transfers isn’t fading, so pick a footprint that avoids headaches instead of lawyering around them.
Common pattern: an EU‑based diligence room for M&A, and a US region for litigation, both using customer‑managed keys and zero‑retention. Per‑matter workspaces keep barriers clear.
One contract tweak that pays off: add “portability on termination.” You get full exports of audit logs, configs, and matter spaces in a machine‑readable format. Less lock‑in, more confidence.
Preserving privilege and client confidentiality
Privilege usually holds when a vendor acts as your agent and you take reasonable precautions. Bar opinions on cloud services back this up when you have confidentiality, access controls, and supervision in place. In 2025, “reasonable” means strong contracts, zero‑retention by default, no training on your data, and clear internal policies.
Make it tangible:
- Use DPAs and NDAs that bind subprocessors and forbid secondary use.
- Segregate work by client/matter, and limit cross‑matter search.
- Require tagging with matter IDs and sensitivity labels for every interaction.
Example: a litigation team preps for depos inside a matter workspace. DLP rules block SSNs or health data from leaving firm boundaries. Audit logs show who touched what. If challenged later, you’re covered.
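The pre-send gate that example (and the "quick classification step" above) describes, as an added illustration rather than LegalSoul's or any vendor's code: classification is mandatory, DLP/PII redaction is always on, high-sensitivity matters block instead of redact, and the audit event records who did what without storing the prompt. The DLP patterns, field names and pseudonymization key are constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

PSEUDONYM_KEY = b"constructed-demo-key"  # constructed; in production this lives in a KMS, not in source

# Assumed DLP patterns (US SSN, medical record number); a real DLP engine carries a larger, tuned rule set.
DLP_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
}

@dataclass
class Request:
    user: str
    text: str
    client: str = ""
    matter: str = ""
    sensitivity: str = ""  # "low" | "medium" | "high"

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    redacted_text: str = ""  # what may leave the firm boundary ("" if blocked)
    audit_event: dict = field(default_factory=dict)

def redact(text):
    """Replace every DLP hit with a typed placeholder; also return hit counts per type."""
    hits = {}
    for label, pattern in DLP_PATTERNS.items():
        text, n = pattern.subn(f"[REDACTED-{label}]", text)
        if n:
            hits[label] = n
    return text, hits

def gate(req):
    """Pre-send gate: mandatory classification, always-on redaction, pseudonymized audit event."""
    reasons = []
    # 1. Matter picker is mandatory: no client/matter/sensitivity, no send.
    if not (req.client and req.matter and req.sensitivity in {"low", "medium", "high"}):
        reasons.append("missing client/matter/sensitivity classification")
    # 2. Redaction is always on; 3. on high-sensitivity matters any hit blocks outright.
    redacted, hits = redact(req.text)
    if hits and req.sensitivity == "high":
        reasons.append(f"PII/PHI detected on high-sensitivity matter: {sorted(hits)}")
    allowed = not reasons
    # 4. Audit event carries a keyed pseudonym and a keyed prompt hash, never the prompt itself.
    event = {
        "user": hmac.new(PSEUDONYM_KEY, req.user.encode(), hashlib.sha256).hexdigest()[:16],
        "client": req.client, "matter": req.matter, "sensitivity": req.sensitivity,
        "prompt_hmac": hmac.new(PSEUDONYM_KEY, req.text.encode(), hashlib.sha256).hexdigest(),
        "dlp_hits": hits, "allowed": allowed, "reasons": reasons,
    }
    return Decision(allowed, reasons, redacted if allowed else "", event)
```

The audit event is what you would ship to the SIEM: it answers "who sent what to which matter, and what was caught" without itself becoming a second copy of the client data.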
One habit helps a lot: keep a “privileged vendor” registry and note it in your guidance. When your logs and memos clearly show the vendor’s agency role, privilege fights get easier—and client audits go faster.
Governance, safety, and misuse prevention
Governance is the harness. Enforce DLP, PII detection/redaction, content filters, and defenses against prompt injection and data exfiltration. Keep a human in the loop for high‑impact tasks, and add approval gates for automations that can touch client systems.
Build a “trust but verify” rhythm:
- Require citations for legal conclusions.
- Test model or prompt changes in staging with red‑team scenarios.
- Track quality with a simple metric like “corrections per 100 outputs.”
NIST’s AI Risk Management Framework (2023) pushes impact assessments, measurement, and ongoing monitoring. Regulators expect proof that your safety filters actually work, especially when personal data is in play.
Try “matter sensitivity budgets.” For hot matters, cap the number of automated steps without human review and require a second reviewer when outputs cite sources outside your record. It feels like second‑partner review, adapted for AI.
Vendor due diligence and contracting checklist
Run procurement like you mean it:
- Security pack: SOC 2 Type II, ISO 27001, pen‑test summary, secure SDLC.
- Data processing: DPA, subprocessor list with notice, SCCs if needed, and data flow diagrams.
- Controls: SSO/SAML, SCIM, granular RBAC, CMK/KMS, DLP/PII redaction, audit logs with SIEM export.
- Operations: SLAs, uptime targets, RTO/RPO, breach notification windows (e.g., 72 hours), incident playbooks.
- Product safety: prompt‑injection defenses, content filters, model governance details.
RFPs in 2024–2025 started to standardize: “no training on your data,” “zero‑retention by default,” and “evidence of regional processing.” Clients won’t accept promises—they want proof.
Add a “configuration annex” to the contract listing the exact privacy/safety toggles you’ve enabled (retention, training, residency, logging). Any change requires written approval. It’s your snapshot in time for audits and renewals.
Operational rollout and training plan
Start small and intentional. Pick a few use cases (brief outlines, deposition prep, clause analysis). Agree on success metrics (time saved, quality, attorney satisfaction). Lock guardrails (zero retention, matter tagging, citations). Red‑team with real prompts. Write it down.
Set up clean plumbing: per‑matter workspaces, data barriers, least‑privilege roles. Provision users via SCIM. Turn on DLP/PII redaction globally. Pipe logs to the SIEM on day one so security can actually see what’s happening.
Teach the basics fast: what not to paste, how to tag, how to ask for new workflows. A two‑page “Prompting with Privilege” guide beats a marathon webinar. Reinforce inside the product with small nudges.
Nice quality‑of‑life move: save AI “session wrap‑ups” to your DMS—final output, matter metadata, and a link to the audit trail. Work product and evidence, side by side.
Questions to ask before approving any AI copilot
- Is zero‑retention enforced by default across all workspaces and tenants?
- Will you contractually guarantee no training on our prompts/outputs unless we opt in?
- What deployment options are available (multi‑tenant, single‑tenant, private VPC, on‑prem)?
- Do you support regional processing and backups in the US, EU, and UK?
- Which subprocessors touch our data, why, and how are they audited?
- What identity controls are in place (SSO/SAML, SCIM, MFA, granular RBAC)?
- What audit logs exist, are they immutable, and how do they integrate with our SIEM?
- How do you defend against prompt injection and data exfiltration—and can we see red‑team results under NDA?
- What are your SLAs, breach notification timelines, and RTO/RPO?
- Do you offer customer‑managed keys and per‑workspace encryption?
Ask for a full security pack, sample logs, and a live admin demo. Then run a 30‑day pilot with retention/training locked in the contract and verify behavior in your own logs. Trust, verify, document.
How LegalSoul protects confidential client data
LegalSoul is built for legal confidentiality. You can choose multi‑tenant with strong isolation, single‑tenant, or private VPC/VNet, with processing regions in the US, EU, and UK to meet data residency needs. Zero‑retention is on by default, and we never train on your data unless you opt in.
Access and security align to enterprise norms: SSO/SAML with MFA, SCIM provisioning, and fine‑grained RBAC down to client, matter, and practice group. Customer‑managed keys and per‑workspace encryption let you match client retention schedules. Every action is logged and exportable to your SIEM.
Governance features include DLP and PII redaction, defenses against prompt injection, abuse monitoring, and optional human‑review steps. Certifications: SOC 2 Type II and ISO 27001, with independent pen‑test summaries under NDA. Our security pack covers data flows, subprocessors, and model governance.
Small touch, big payoff: a matter‑aware UI that asks for client/matter and sensitivity before sending. Clean, defensible audit trails without slowing anyone down.
Risk assessment matrix and decision guide
Match sensitivity to setup:
- High sensitivity (bet‑the‑company disputes, export‑controlled, PHI): private VPC or single‑tenant, regional processing, CMK, zero retention, no training on your data, strict RBAC, dual‑control for admins, human‑in‑the‑loop, and minimal external connectivity.
- Medium sensitivity (complex commercial, employment): hardened multi‑tenant, zero retention, DLP/PII redaction, per‑matter workspaces, citations required, model change control.
- Low sensitivity (internal research, marketing): standard controls and a firm “no client data” rule.
Go/no‑go red flags:
- No guaranteed zero‑retention by default.
- Training on your prompts/outputs without explicit opt‑in.
- Missing immutable audit logs or no SIEM export.
- No clear subprocessor list or processing regions.
Flow it like this: quick DPIA for the use case, pick deployment by sensitivity and geography, run a 30‑day pilot to verify controls, then lock a configuration annex. Keep the artifacts—questionnaires, pen‑test summary, DPA, subprocessor list, sample logs—in the matter file so you’re audit‑ready.
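The decision guide as a check you can run against a vendor's stated configuration: the go/no-go red flags, the controls the matrix requires per sensitivity tier, and drift detection against the signed configuration annex. Added example, not LegalSoul's or any vendor's code; the field names and the sample configuration are constructed.

```python
import hashlib
import json

# Field names are constructed for this example; map them to what a vendor's security pack actually exposes.
def red_flags(cfg):
    """The go/no-go red flags from the decision guide. Any hit means no-go, whatever the tier."""
    flags = []
    if not cfg.get("zero_retention_default"):
        flags.append("retention: zero-retention is not the default")
    if cfg.get("training_on_customer_data") and not cfg.get("training_requires_opt_in"):
        flags.append("training: prompts/outputs used for training without explicit opt-in")
    if not (cfg.get("audit_logs_immutable") and cfg.get("siem_export")):
        flags.append("logging: audit logs not immutable or no SIEM export")
    if not cfg.get("subprocessors") or not cfg.get("processing_regions"):
        flags.append("transparency: no subprocessor list or no processing regions")
    return flags

# Controls the risk matrix requires per sensitivity tier, on top of the red flags.
TIER_CONTROLS = {
    "high": ["customer_managed_keys", "strict_rbac", "dual_control_admin", "human_in_the_loop", "regional_processing"],
    "medium": ["dlp_pii_redaction", "per_matter_workspaces", "citations_required", "model_change_control"],
    "low": ["no_client_data_rule"],
}
HIGH_DEPLOYMENTS = {"private_vpc", "single_tenant", "on_prem"}

def go_no_go(tier, cfg):
    """Return (go, reasons) for using this configuration on a matter of the given tier."""
    reasons = list(red_flags(cfg))
    for control in TIER_CONTROLS[tier]:
        if not cfg.get(control):
            reasons.append(f"{tier}: missing control '{control}'")
    if tier == "high" and cfg.get("deployment") not in HIGH_DEPLOYMENTS:
        reasons.append("high: deployment must be private VPC, single-tenant or on-prem")
    return (not reasons, reasons)

def annex_fingerprint(cfg):
    """Fingerprint of the configuration annex, i.e. the exact toggles that were signed off."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def drift(annex, current):
    """Every toggle that differs from the signed annex; non-empty means written approval is needed."""
    keys = sorted(set(annex) | set(current))
    return [(k, annex.get(k), current.get(k)) for k in keys if annex.get(k) != current.get(k)]

# Constructed sample configuration for a hardened multi-tenant deployment.
SAMPLE_CFG = {
    "deployment": "multi_tenant", "zero_retention_default": True,
    "training_on_customer_data": False, "training_requires_opt_in": True,
    "audit_logs_immutable": True, "siem_export": True,
    "subprocessors": ["cloud-host-example", "model-provider-example"],
    "processing_regions": ["us", "eu"], "dlp_pii_redaction": True,
    "per_matter_workspaces": True, "citations_required": True, "model_change_control": True,
}
```

Re-run `drift` against the live admin settings at each renewal or audit; the fingerprint is what you file with the annex so a later reviewer can confirm nothing moved.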
Common pitfalls to avoid
- Using consumer accounts or public playgrounds with client data. Defaults there are not your friend.
- Leaving default retention on or allowing silent model training.
- Weak identity practices. Without SSO/SAML, SCIM, and good RBAC, you’ll collect stale accounts and broad access.
- No auditability. If you can’t export logs to your SIEM on demand, you can’t answer hard questions.
- Skipping red‑team testing. Prompt injection and data exfiltration aren’t theoretical—test them.
- Undertraining staff. Most mishaps are process errors: wrong matter, unnecessary PII, trusting outputs without checks.
Quick win: make the matter picker and sensitivity label mandatory, and keep DLP/PII redaction always on. Most accidents stop right at input.
Key Points
- Safety is about controls, not brands: zero data retention by default, no training on your data, SSO/SAML/SCIM with granular RBAC, encryption, immutable audit logs with SIEM exports, and SOC 2 Type II/ISO 27001.
- Ethics and privacy: meet ABA Model Rules 1.1/1.6/5.3 and GDPR/CPRA; keep privilege by treating the vendor as your agent, using DPAs/NDAs, regional processing, and per‑matter segregation.
- Deployment and governance: pick multi‑tenant/private VPC/on‑prem based on sensitivity and geography; enable DLP/PII redaction, prompt‑injection defenses, human review, and ongoing red‑teaming.
- Buying and rollout: use a tight due‑diligence checklist (subprocessors, CMK/KMS, SLAs, incident windows), run a 30‑day pilot with locked settings, and capture a configuration annex; LegalSoul ships these controls ready to go.
Conclusion: Is an AI copilot safe for confidential matters in 2025?
Yes—when you control the setup. You need private or regional deployment, zero data retention, no training on your data, strong identity, encryption, and immutable logs. Layer on DLP/PII redaction and tested defenses against prompt injection and exfiltration, and document your choices to satisfy ethics rules and OCGs.
Next steps: run a scoped pilot with locked privacy settings, verify everything in your SIEM, and save a configuration annex you can reuse in audits. Want a platform built for legal work with these controls on by default? Try LegalSoul. You’ll get flexible deployments (including private VPC), zero‑retention defaults, no model training on your data, enterprise‑grade access/logging, and governance that matches how lawyers actually work.