Trust

Built for legal procurement

The posture, in plain language.

This page documents JustineAI™’s data, security, and accessibility posture as it stands today. We list only what we can verify against code or against the Microsoft Azure platform attestations we inherit. HIPAA, BAA, SOC 2, and additional product-level attestations are tracked separately under outside counsel and CISO review; they’ll surface here once finalized.

What we can verify today

The verified posture, plainly stated.

Azure-foundation inheritance

Inherited at the platform layer.

JustineAI™ runs on Microsoft Azure. The Azure platform layer holds the following attestations, which are inherited as the substrate for every JustineAI™ service:

  • ISO/IEC 27001 — Information Security Management
  • ISO/IEC 27018 — Protection of Personally Identifiable Information in Public Clouds
  • SOC 1 Type II · SOC 2 Type II · SOC 3 — Service Organization Controls
  • PCI DSS — Payment Card Industry Data Security Standard
  • HITRUST CSF — Common Security Framework (US healthcare data)
  • FedRAMP High — for US-government Azure regions

These attestations cover the underlying Azure infrastructure (compute, storage, network, identity). JustineAI™’s own product-level attestations are tracked separately. We don’t claim Azure’s certifications as if they were our own — they’re the floor, not the ceiling.

Compliance layers

Three layers. Named precisely.

Security responsibility sits in three distinct layers. Azure’s SOC 2 covers Azure; JustineAI’s own product-level SOC 2 Type II covers the JustineAI™ production system; the firm owns its in-firm controls. We’re explicit about which is which — conflating them is how vendors overstate.

  • Layer 1 — Platform · Microsoft

    The Azure platform.

    Data-center physical security, hypervisor, and Microsoft’s own attestations (ISO 27001/27018, SOC 1/2/3, PCI DSS, HITRUST) for Azure services. Inherited at the infrastructure layer only.

  • Layer 2 — Product · Eve-Legal, LLC

    The JustineAI™ product.

    The JustineAI™ application, its controls, people, and processes — tenant isolation, matter-scoped access, encryption, audit logging, retention, deletion, and AI governance. This is the subject of our own SOC 2 Type II examination — our attestation, not Azure’s.

  • Layer 3 — Customer · The firm

    Your in-firm controls.

    User provisioning, matter uploads, internal permissions, attorney review of AI output, and export/retention practices within the firm.

Product attestation

SOC 2 Type II — examination in progress.

JustineAI™ is undergoing an independent SOC 2 Type II examination covering the production environment, security operations, confidentiality and access controls, change management, incident response, vendor management, and customer-data handling.

On completion, the report will be available to qualified customers under NDA. HIPAA / BAA posture is tracked under counsel where medical records are central to the workflow. Until the report issues, Azure’s platform attestations are the inherited floor — not a substitute for our own.

Data handling — in detail

What we do with your firm’s data.

We process it to deliver the service. Matter data — intake records, medical records, correspondence, demand letters — is processed inside the customer’s tenant to generate the work product the firm requests. That’s the contract.

We do not train on it. Eve-Genesis (Law Edition) — the dataset that fine-tunes the Phi-4 legal reasoner — is 100% synthetic by construction. Your firm’s matter data is never used to train any model, foundation or fine-tuned, ours or anyone else’s.

We do not share it. Matter data does not leave the customer’s tenant except through workflows the firm explicitly authorizes (e.g., a CourtListener citation verification call uses only the public-citation string, not matter content). Frontier-model inference happens with provider terms that prohibit the provider from retaining or training on the inference content.

We log access to it. Every user action is logged to a structured, typed audit trail (actions, not matter content), exportable on request and retained for the contractual period.

We delete it on request. CCPA / CPRA / state-law deletion requests are honored within the contractual response window. Tenant deletion is final, with a deletion attestation; the audit trail is preserved for the contracted period.

How we handle bias

Bias is an architecture problem. So we made it one you can audit.

You cannot train bias out of a model; you can only separate the reasoning from the knowledge from the jurisdiction, so the bias becomes something you can read, audit, and govern.

In a single model trained on a single corpus, three things are fused that should never be: how the system reasons, what it knows, and whose law governs. When all three live in the same weights, you cannot say where an unfair result entered. JustineAI keeps them apart.

The reasoning is trained on logic, not outcomes. The legal reasoner learns the modes of litigation — analogical, abductive, dialectical — from the structure of argument itself, never from a record of who tends to win. There is no demographic distribution to inherit, because there are no parties in the training set.

The knowledge is rented and bounded. Frontier models are consulted for narrow sub-questions — a citation, a holding — inside a fence the reasoner draws. They answer; they never frame the case. Whatever bias rides in their weights cannot set the terms, because it never sees the matter.

The jurisdiction is written down. The controlling law — the forum’s rule, the standard in force here and not there — is carried as a plain-language instruction, not baked into a model. Counsel can read it, argue with it, and change it for the next jurisdiction without retraining anything. The assumption is a sentence, not a secret.

We do not claim to have deleted bias from the world. We claim something a fused model cannot offer: when a result is wrong, you can point to the layer that produced it — reasoning, knowledge, or jurisdiction — and the attorney whose name signs the work can interrogate each one in the language of the law.

Ready when you are

See JustineAI in your practice.

For PI principals, managing partners, and litigation operators evaluating reasoning-grade AI for their firm. Self-serve trial available for solo and small practices; sales-assisted for mid-size and enterprise.