// Trust & Security Report
Everlaw, Inc.
AI-powered cloud-native eDiscovery software for litigation, investigations, and trial preparation
Certifications held
12
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on everlaw.com“Everlaw maintains SOC 2 Type 2 attestation covering the trust service criteria of security, availability, confidentiality, and privacy.”
Verify on everlaw.com“Everlaw's SOC 3 report is a public-facing document that provides assurance regarding our controls relevant to the Trust Services Criteria (TSC) of security, availability, confidentiality, and privacy.”
Verify on everlaw.com“Everlaw has achieved FedRAMP Moderate Authorization for Everlaw's federal cloud.”
Verify on everlaw.com“Everlaw has achieved GovRAMP Moderate Authorization, demonstrating our ability to meet rigorous security and risk management standards.”
Verify on everlaw.com“Everlaw's SOC 2 Type 2 certification includes an assessment of the applicable HIPAA and HITECH safeguards.”
Verify on everlaw.com“Everlaw supports our customers' compliance with the General Data Protection Regulation (GDPR) in relation to the personal data of EU residents and the California Consumer Privacy Act (CCPA) that protects California residents' privacy rights.”
Verify on everlaw.com“Everlaw supports our customers' compliance with the General Data Protection Regulation (GDPR) in relation to the personal data of EU residents and the California Consumer Privacy Act (CCPA) that protects California residents' privacy rights.”
Verify on everlaw.com“Everlaw relies on the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework as a legal basis for transfers of personal information from those locations to the United States.”
> Show 5 unconfirmed / not-held certifications
source: trust.everlaw.comNo public evidence of ISO 27701 certification on vendor domain. Everlaw holds ISO 27018:2019 for cloud privacy but no ISO 27701 PIMS certificate is listed.
source: trust.everlaw.comNo public evidence of ISO 42001 certification. Everlaw publishes an EverlawAI Governance Framework and Generative AI Principles but has not listed ISO 42001 among its certifications.
source: trust.everlaw.comEverlaw publishes CAIQ self-assessment documents (Everlaw CAIQ - May 2026 and Everlaw CAIQ Lite.xlsx) on its trust center, but the term 'CSA STAR' does not appear on any Everlaw page and no Everlaw listing was found on the CSA STAR Registry. A downloadable CAIQ questionnaire on the vendor's own trust center is not equivalent to a CSA STAR Level 1 registry submission; downgraded to held=false to avoid conflating a self-assessment artifact with a STAR registry listing.
source: trust.everlaw.comOnly a Level 1 CAIQ self-assessment (Consensus Assessments Initiative Questionnaire) is publicly listed. No independently audited CSA STAR Level 2 certification is listed on the trust center.
source: trust.everlaw.comNo public evidence of PCI DSS certification or compliance listing on vendor domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US, UK, EU (Germany), Canada, Australia. Hosted on AWS. Per the DPA, customers may choose within which available AWS instance their data is stored and processed.
Everlaw explicitly commits to not training AI models on customer data. From the AI Governance Framework: 'Everlaw does not develop generative AI systems or LLMs independently. We also do not train or fine-tune LLMs developed by others.' LLM providers (including OpenAI) operate under zero data retention: 'none of the LLMs will train or fine-tune their models or services on our customers data, and none of the LLMs retain this data once the processing is completed.' The Privacy Notice adds: 'where we use AI tools which process Personal Information (including Google Workspace APIs), these are not used to develop, improve, or train generalized AI and/or ML models.' Customers can opt in or out of generative AI features. OpenAI is listed as a sub-processor only where customers enable AI functionality.
// Security controls
Encryption in transit
TLS 1.2 or higher (HTTPS). 'Everlaw serves application data using HTTPS to ensure encryption in transit of all customer data. The Everlaw application uses Transport Layer Security (TLS) version 1.2 or higher to protect HTTPS communications.'
everlaw.comEncryption at rest
AES-256. 'Everlaw leverages the default encryption at rest provided by AWS, which protects the data on disk with AES-256 encryption.' Additional AES-256 encryption applied on devices.
everlaw.comPenetration testing
Annual third-party penetration tests. 'Everlaw employs third-party security experts to perform detailed penetration tests on our web application.' Executive Summary available on trust center.
everlaw.comVulnerability scanning
Monthly vulnerability scanning tools configured for infrastructure needs.
everlaw.comUptime SLA
99.95% annually including scheduled maintenance. 'Everlaw's uptime exceeds 99.95% annually, including scheduled maintenance windows.'
everlaw.comAccess controls
Role-based access controls restricting employee data access; temporary access procedures require customer verification; audit logging of all access requests and approvals.
everlaw.comInfrastructure
AWS cloud provider; production database authentication enforced; encryption key access restricted; portable media encrypted; anti-malware technology deployed.
trust.everlaw.comDisaster Recovery
Continuity and Disaster Recovery plans established and tested annually. 2026 DR/CP Functional Test Executive Summary available on trust center.
trust.everlaw.comCybersecurity insurance
Cybersecurity insurance maintained (listed as a control on the trust center).
trust.everlaw.com// Products & data scope
data: Litigation documents, ESI (electronically stored information), case files, legal holds, deposition materials. Highly sensitive legal and potentially privileged data.
Commercial cloud available in US, UK, EU (Germany), Canada, Australia. FedRAMP-authorized Government Community Cloud (GCC) available for federal agencies with US-only data residency and DOJ sponsorship.
data: Same customer document corpus as the Platform. AI features include Deep Dive (corpus analysis), Coding Suggestions (automated document review), Writing Assistant (argument drafting), Review Assistant, Predictive Coding, Clustering, and Translations.
AI features powered by OpenAI (sub-processor); zero data retention agreement in place with OpenAI. Customers on UK or EU instances have OpenAI routed to EU endpoints. AI features are opt-in per customer. Generative AI governed by EverlawAI Governance Framework published at everlaw.com.
// What to watch
- FedRAMP Moderate applies to the Government Community Cloud (GCC) only, not the commercial cloud. Commercial customers do not receive FedRAMP coverage.
- HIPAA compliance is assessed within the SOC 2 Type 2 audit scope rather than as a standalone HIPAA certification or Business Associate Agreement audit. Customers requiring formal BAA should verify availability.
- OpenAI is a listed sub-processor for AI features. AI features are opt-in and customers who do not enable them will not have data routed to OpenAI. EU/UK instance customers are routed to EU-only OpenAI endpoints.
- CSA STAR is not held: Everlaw publishes a CAIQ self-assessment document on its trust center, but neither a CSA STAR Registry listing (Level 1) nor an independently audited Level 2 attestation is evidenced, and the term 'CSA STAR' does not appear on any Everlaw page.
- ISO 42001 (AI management system standard) is not held despite publishing an EverlawAI Governance Framework. AIFOXX should distinguish governance documentation from formal certification.
- eDiscovery data is among the most sensitive legal data types (privileged communications, trade secrets, government records). Buyers should review the DPA and sub-processor list carefully before onboarding.
// At a glance
Pricing model
Subscription (SaaS); per-case or per-GB pricing typical for eDiscovery. Enterprise contracts for law firms, corporations, and government agencies. No self-serve free tier.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Everlaw, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.everlaw.com