Security and Privacy Overview
August is an enterprise-grade AI platform built specifically for law firms and in-house legal teams, with security and confidentiality designed into every layer of the architecture.
August Trust Center
Enterprise-grade security certifications and attestations.
Data residency • Zero training • End-to-end encryption
ISO 27001:2022 • SOC 2 Type II • CASA Verified • TLS 1.2+ • AES-256 • SSO + MFA
| Security Feature | Status |
|---|---|
| Zero training on customer data | ✅ Verified |
| End-to-end encryption | ✅ Verified |
| Single-tenant architecture | ✅ Verified |
| Data residency pinning | ✅ Verified |
| Ethical walls / Matter isolation | ✅ Verified |
| 99.9% uptime SLA | ✅ Verified |
Independent Certifications
August maintains the most stringent security certifications for legal work:
ISO 27001:2022 Certified — A full Information Security Management System (ISMS) across all August operations.
SOC 2 Type II — Independent audit with an unqualified opinion and zero exceptions.
CASA Verified — Cloud Security Alliance Security, Trust, Assurance, and Risk (STAR) verification.
Annual Penetration Testing — Black-box and grey-box testing with rapid remediation.
Data Isolation and Confidentiality
August uses a single-tenant, siloed architecture that keeps each firm's data completely separate:
Private Tenant per Client — Compute, storage, and network isolation means one firm's information never mixes with another's environment.
User Profile Siloing — Within a firm or organization, user profiles are fully siloed from one another unless users proactively share chats or outputs, or create a shared workspace (Projects).
No Visibility into User Data — August does not have visibility into user inputs, uploads, or outputs.
Data Residency Pinning — Data is pinned to your selected geographic region and enforced at the infrastructure level.
Ethical Walls and Matter Isolation
Isolation extends within your firm. August's Personas feature enforces hard client and matter-level walls with role-based access controls. Data is segregated not only between tenants but between matters within your own organization. One partner cannot see another partner's prompts, uploads, or outputs unless content is explicitly shared or placed in a shared Project workspace.
Zero Training on Your Data
Your legal work product is never used to improve AI models:
Documents, prompts, outputs, metadata, and derived data are never used for model training, fine-tuning, analytics, or product improvement.
August has contractual agreements with each of the language models utilized (including Llama, Anthropic, and OpenAI) to not train on or retain user inputs, uploads, or outputs.
Foundation model providers process data ephemerally — they do not store, log, review, or reuse your content.
This preserves attorney-client privilege and work product protection.
Encryption and Key Management
All data is protected with enterprise-grade encryption:
Encryption in Transit — TLS 1.2+ for all data moving between your device and August.
Encryption at Rest — AES-256 encryption for all stored documents, database records, and backups.
Key Protection — All encryption keys are protected by Hardware Security Modules (HSMs).
Annual Key Rotation — Encryption keys are rotated on a defined annual schedule.
Model-Agnostic Secure Gateway — Policy enforcement, routing controls, and full auditability across all AI model interactions.
AI Model Security
August secures AI model interactions at every layer:
Zero Model Provider Retention — Foundation model providers do not retain your data after processing.
Bring Your Own Key (BYOK) — For certain model providers (including Anthropic via AWS Bedrock), you can use your own encryption keys for additional control.
Secure Gateway — All model interactions pass through a secure gateway with policy enforcement, routing controls, and full auditability.
Access Controls and Identity
August integrates with enterprise identity systems:
SSO with MFA — Single sign-on via SAML, OIDC, and OAuth2 with multi-factor authentication enforced.
SCIM Integration — Automated user provisioning and deprovisioning.
Role-Based Access Controls (RBAC) — Granular permissions based on user roles.
Ethical Walls — Matter-level access controls via Personas to enforce conflicts and confidentiality boundaries.
Quarterly Access Reviews — Regular audits of access permissions.
Audit Trails
Comprehensive audit trails log all system activity: user actions, AI outputs, document access, and administrative changes. Every action is attributable to a specific user. Retention is configurable from 1 to 10 years, with logs protected against tampering.
Internal Access Controls
August maintains strict controls on employee access to production systems:
Zero Customer Data on Employee Devices — Customer documents are never stored on employee workstations.
Least-Privilege, Just-In-Time Access — Production data access is limited to a defined set of engineers on a least-privilege, just-in-time basis. Every access event is logged and reviewed.
No Admin-Privileged Service Roles — No service roles have administrator privileges.
Short-Lived Credentials — Production access requires SSO, MFA, and short-lived credentials. No persistent tokens.
Engineering Workflows Use Anonymized Data — Real data access requires explicit approval.
Endpoint Security — All company-issued laptops run MDM, EDR with daily signature updates, and full-disk encryption.
Subprocessors
Each subprocessor is contractually bound to data use restrictions, including prohibition on using customer data for training.
| Subprocessor | Role | Data Training |
|---|---|---|
| Amazon Web Services | Infrastructure and hosting | Prohibited |
| Anthropic (via AWS Bedrock) | Foundation model provider (BYOK) | Prohibited |
| OpenAI LLC | Foundation model provider | Prohibited |
| Microsoft Corporation | Office integration framework | Prohibited |
| Google Cloud Platform | Compute services | Prohibited |
| Weaviate | Vector storage | Prohibited |
| Supabase | SQL solution | Prohibited |
| Reducto | OCR provider | Prohibited |
[Architecture diagram (not reproduced here): August's hosted deployment, showing how client data flows through the infrastructure.]
Customers receive 30 days advance notice before a new subprocessor begins processing customer data. Copies of specific contractual clauses are available under NDA.
SLA and Service Commitments
August provides enterprise-grade service level commitments:
99.9% Monthly Uptime — High availability commitment for the platform.
30-Minute Critical Issue Response — Rapid response for critical severity issues.
7-Day Critical CVE Remediation — Security vulnerabilities addressed within 7 days for critical CVEs.
Security Operations
August maintains robust security operations:
Secure SDLC Practices — Security built into the software development lifecycle.
Continuous Monitoring — Real-time threat detection and response.
Incident Response & BCDR — Tested plans for incident response and business continuity/disaster recovery.
Integrations Security
August integrates with your existing tools while maintaining security standards:
Microsoft Word and Outlook add-ins — Work seamlessly across Word, Outlook, and SharePoint/OneDrive with full context preservation.
SharePoint — Full SharePoint integration for enterprise document management.
Google Drive — Access and import documents directly from Google Drive.
Dropbox — Connect your Dropbox for document sync and access (coming soon).
All integrations follow the same encryption and access control standards.
What This Means for Your Practice
When you use August for legal work:
Your client's documents and privileged information stay isolated and protected.
Nothing you upload, generate, or discuss is used to train AI models.
You control who within your organization can access shared workspaces.
August cannot see your legal work product.
Matter-level ethical walls protect confidentiality within your firm.
For questions about security certifications, data processing agreements, subprocessor documentation, or compliance documentation, contact your August account team or visit the legal documentation hub.
Security FAQ
Common questions about August's security posture, certifications, and data handling practices.
Certifications
What is ISO 27001?
ISO 27001 is an international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive information through risk assessment, security controls, and continuous improvement. Organizations that achieve ISO 27001 certification have demonstrated that they follow industry best practices for protecting data.
What is SOC 2 Type II?
SOC 2 Type II is an independent audit framework that evaluates an organization's security, availability, processing integrity, confidentiality, and privacy controls over a period of time (typically 6-12 months). Type II reports verify that controls not only exist but operate effectively in practice. August's SOC 2 Type II audit resulted in an unqualified opinion with zero exceptions.
What is CASA verification?
CASA (Cloud Security Alliance) STAR verification demonstrates compliance with the Cloud Security Alliance's security, trust, assurance, and risk requirements. It provides third-party validation of cloud security practices and transparency about security posture.
What can customers assume based on these certifications?
Customers can have confidence that August takes a proactive, structured approach to information security. ISO 27001 certification validates a comprehensive security management system across all operations. SOC 2 Type II confirms that security controls operate effectively over time. Together, these certifications demonstrate ongoing commitment to protecting customer data through annual surveillance audits and continuous improvement processes.
How does August maintain its certifications over time?
August maintains certifications through internal security teams, regular internal audits, annual surveillance audits by accredited third-party certification bodies, and recertification audits on defined schedules. Security controls are continuously monitored and improved based on audit findings and evolving threat landscapes.
Data Handling
Is August single-tenant or multi-tenant?
August uses a single-tenant, siloed architecture. Each client gets their own private tenant with compute, storage, and network isolation. Your firm's data never mixes with another firm's environment. This is different from multi-tenant systems where customer data shares infrastructure and is only logically separated.
Can August see my legal work product?
No. August does not have visibility into user inputs, uploads, or outputs. Your documents, prompts, and AI outputs remain private to your firm. This preserves attorney-client privilege and work product protection.
Will my data be used to train AI models?
No. Documents, prompts, outputs, metadata, and derived data are never used for model training, fine-tuning, analytics, or product improvement. August maintains contractual agreements with all foundation model providers (including Anthropic, Llama, and OpenAI) prohibiting training on or retention of user content. Model providers process data ephemerally and do not store, log, review, or reuse your content.
Where is my data stored?
Data is stored in your selected geographic region and pinned at the infrastructure level through data residency pinning. This ensures your data remains in the jurisdiction you choose, supporting compliance with regional data protection requirements. August supports both US and EU deployment options.
How long is data retained?
Audit trail retention is configurable from 1 to 10 years to meet your organization's compliance requirements. Customer data remains until you delete it. Foundation model providers do not retain your data after processing.
Security Controls
How is my data encrypted?
All data is protected with enterprise-grade encryption:
In transit: TLS 1.2 or higher for all data moving between your device and August.
At rest: AES-256 encryption for all stored documents, database records, and backups.
Key management: All encryption keys are protected by Hardware Security Modules (HSMs) and rotated annually.
What access controls are in place?
August integrates with enterprise identity systems for robust access control:
SSO with MFA: Single sign-on via SAML, OIDC, and OAuth2 with multi-factor authentication enforced.
SCIM Integration: Automated user provisioning and deprovisioning.
Role-Based Access Controls: Granular permissions based on user roles.
Ethical Walls: Matter-level access controls to enforce conflicts and confidentiality boundaries.
Quarterly Access Reviews: Regular audits of access permissions.
What are ethical walls and matter isolation?
Ethical walls are matter-level access controls enforced through August's Personas feature. Data is segregated not only between tenants (firms) but between matters within your own organization. One partner cannot see another partner's prompts, uploads, or outputs unless content is explicitly shared or placed in a shared Project workspace. This protects against conflicts of interest and maintains client confidentiality.
Can August employees access my data?
No. Customer documents are never stored on employee workstations. Production data access is limited to a defined set of engineers on a least-privilege, just-in-time basis. Every access event is logged and reviewed. Engineering workflows use anonymized data, and real data access requires explicit approval.
Compliance and Enterprise
Can I use my own encryption keys?
Yes. For certain model providers, including Anthropic via AWS Bedrock, you can use Bring Your Own Key (BYOK) to maintain additional control over encryption keys for AI model interactions.
What is August's uptime commitment?
August commits to 99.9% monthly uptime as part of the enterprise SLA. Critical issues receive a 30-minute response time, and critical security vulnerabilities (CVEs) are addressed within 7 days.
How do I report a security vulnerability?
If you discover a security vulnerability, please report it through responsible disclosure by contacting your August account team. August maintains incident response and business continuity/disaster recovery plans with continuous monitoring for threat detection and response.
Where can I find more security documentation?
The official August Security Whitepaper (v1.1, May 2026) and client matter documentation are available for download in the Security Whitepaper section below.
For data processing agreements, subprocessor documentation, or compliance questions, contact your August account team or visit the legal documentation hub.
Security Whitepaper
Download the official August Security Whitepaper (v1.1, May 2026) for comprehensive details on August's security architecture, certifications, data protection, and compliance commitments:
August Security Whitepaper
Complete security documentation covering certifications (SOC 2 Type II, ISO 27001:2022, CASA), single-tenant architecture, encryption, access controls, AI model security, data residency options, and compliance:
Download August Security Whitepaper (PDF)
August for Client Matters
Security overview for client matter handling and confidentiality: