Security & Compliance

Enterprise-grade security for law firms and in-house teams

SOC 2 Type II Compliant

HIPAA Compliant

GDPR Compliant

EU AI Act Compliant

Trusted by 4,500+ teams worldwide

Best in class cloud providers

Frontend HTML and JavaScript files are served from AWS S3 and replicated globally across Amazon’s data centres. Backend servers run on AWS ECS in the ca-central-1 region.

Encryption in transit and at rest

Spellbook securely captures text from the document and sends it via HTTPS for analysis on our backend servers. The encrypted text is processed by our LLM providers, and the result is returned to Spellbook through our servers.

Zero Data Retention Agreements

Spellbook has enterprise Data Processing Agreements and Zero Data Retention Agreements in place with the Large Language Model providers to ensure they cannot learn from, train on, or maintain copies of your data.

Compliant Internationally

We serve law firms in over 80 countries. We comply with GDPR, CCPA, PIPEDA and numerous other privacy regulations.

Still have questions?
View Trust Portal

Security FAQ

What data is retained by third-party Large Language Models (LLMs)?

Spellbook has negotiated agreements with both OpenAI and Anthropic for zero data retention (ZDR). This means customer data included in requests and responses with these LLMs is not persisted and exists only in memory in order to process a request.

Do you support customers with HIPAA compliance requirements?

Spellbook has implemented the controls prescribed under the HIPAA Security, Privacy and Breach Notification rules. This includes the necessary safeguards such as access controls, training, policies and application security. Every vendor used to process or store protected health information (PHI) has a BAA signed with Spellbook, and copies are available for download in the Trust Center.

Spellbook can review and agree to a BAA with customers to help maintain HIPAA compliance for legal use cases involving PHI.

Does Spellbook comply with the EU AI Act?

Spellbook has received an independent legal opinion from CMS Law on our classification under the EU AI Act. Spellbook was assessed as low-risk and has implemented the controls identified under the act for this type of classification. The full opinion letter outlining these controls can be downloaded from the Trust Center.

What cloud providers are used by Spellbook?

Spellbook uses Amazon Web Services (AWS) as its primary cloud provider. Other third-party services that may store or process customer information are also used. A complete list of third-party providers can be found in the Trust Center.

Where is customer data stored and processed?

Spellbook uses cloud providers with data centers in Canada and the US for storing and processing customer data. A full list of subprocessors and their locations can be found in the Trust Center.

Do you support Single Sign-On (SSO)?

Spellbook is provided as a Microsoft Word add-in and uses Microsoft accounts for SSO. This allows companies to enforce authentication controls, such as multi-factor authentication (MFA), within their Microsoft Entra tenant. More information on how SSO works can be found here.
