// Trust & Security Report
Harvey AI Corporation
Legal AI platform for law firms and in-house counsel, including document analysis, legal research, contract intelligence, and AI agents for complex legal workflows. Serves 142,000+ professionals across 60+ AmLaw 100 firms.
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on harvey.ai“Harvey undergoes annual SOC 2 Type II and ISO 27001 audits to validate these controls. Harvey has successfully completed another SOC 2 Type II audit conducted by Schellman.”
Verify on trust.harvey.ai“Harvey has successfully completed another SOC 2 Type II audit and renewed our ISO 27001 certification. Schellman conducted the independent assessments.”
Verify on trust.harvey.ai“ISO/IEC 27701 listed among current certifications available in trust portal.”
Verify on harvey.ai“Harvey has achieved ISO 42001 certification, the leading internationally recognized standard specifically designed for AI management systems. Announced June 5, 2026.”
Verify on harvey.ai“Harvey implements Data Privacy Framework for EEA/UK/Switzerland transfers and Standard Contractual Clauses for non-adequate jurisdictions. Enforceable commitments built to exceed standard vendor terms aligned with GDPR standards.”
Verify on harvey.ai“Data Processing Addendum covers compliance with California Consumer Privacy Act (CCPA). Customer data retention and processing governed by separate customer agreements.”
Verify on trust.harvey.ai“IRAP listed among available certifications in trust portal.”
Verify on trust.harvey.ai“WCAG 2.2 AA compliance listed in certifications available through trust portal.”
> Show 1 unconfirmed / not-held certifications
source: harvey.aiNo public evidence of HIPAA certification on vendor domain. Healthcare use cases mentioned for compliance advisory work, but HIPAA compliance not explicitly claimed or certified.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Flexible - US (default), EU, Switzerland, Australia. Customers specify preferred region in order forms.
Harvey contractually guarantees through Platform Agreement that it does not use inputs, outputs, or uploaded documents to train underlying models. Harvey does use publicly available information (court judgments, decisions, public filings) to develop and train AI systems. This is covered in Privacy Policy which excludes uploaded platform data from the general privacy policy, governing it instead through Customer Agreements.
// Security controls
Access Controls
Multi-factor authentication, unique IDs, strong passwords, least-privilege access. Staff cannot access customer data without service necessity or legal order.
harvey.aiVulnerability Management
Critical vulnerabilities patched within 7 days, high-severity within 30 days, medium within 90 days. Annual penetration tests and web application security assessments.
harvey.aiThreat Detection
Industry-standard threat detection with daily signature updates. Daily monitoring and annual penetration testing.
harvey.aiPersonnel Security
Mandatory security training at onboarding and annually. Background checks include ID verification, work authorization, and criminal history screening.
harvey.aiIncident Response
Customer notification within 48 hours of confirmed breach. Full investigation and mitigation details provided. Logs preserved minimum 1 year.
harvey.aiThird-Party Auditors
Partners with Schellman, NCC Group, and Bishop Fox for annual audits and penetration tests.
harvey.aiData Lifecycle Management
Matter-level access controls, audit-ready logs, customer ability to delete data anytime, 30-day deletion window upon service termination request.
harvey.aiAudit Rights
Customers receive annual audit reports at no cost. Can submit security questionnaires (up to 100 questions). May request audits per Security Addendum terms.
harvey.aiData Transfer Framework
Data Privacy Framework certified for EU/UK/Switzerland transfers. Standard Contractual Clauses (SCCs) for non-adequate jurisdictions.
harvey.ai// Products & data scope
data: Customer-uploaded documents and queries processed but not used for model training per contractual guarantee
Ask questions, analyze documents, draft faster with domain-specific AI
data: Secure storage for legal documents with bulk analysis capability
Securely store, organize, and bulk-analyze legal documents with encryption and access controls
data: Proprietary database of legal precedent, regulations, tax guidance across multiple jurisdictions
Research complex legal, regulatory, and tax questions. Covers common and civil law systems across US, UK, EU, APAC, MENA
data: 500+ pre-built and custom agents for legal workflows
Purpose-built agents execute complex legal work end-to-end across practice areas (capital markets, environmental law, bankruptcy, etc.). Vetted by in-house lawyers.
data: Contract extraction, analysis, and risk identification
Surface insights, strengthen negotiations, and accelerate contract reviews
data: Mobile-optimized access to Harvey platform
Get up to speed, capture information, and keep work moving from anywhere
data: Firm-wide AI adoption analytics and benchmarking
Analytics, benchmarking, and agentic insights for organizational AI transformation leadership
data: Cross-organizational secure collaboration
Work with legal teams across organizations in secure, shared spaces
// What to watch
- HIPAA not claimed or certified despite healthcare use cases being mentioned. Vendor positions platform for legal work, not healthcare directly.
- ISO 42001 certification very recent (June 5, 2026). Newest addition to compliance portfolio.
- Trust center documents (SOC 2, ISO reports) appear to require customer access/verification through SafeBase portal; full audit details not freely public but vendor states documents available to customers.
- Privacy policy notes customer-uploaded data excluded from general privacy policy, governed instead by Customer Agreements. Standard for SaaS but worth noting.
- Web browsing feature (you.com integration) noted as non-HIPAA compliant, but Harvey platform itself does not claim HIPAA.
// At a glance
Pricing model
Enterprise SaaS subscription; per-user or per-team models available. Pricing not publicly listed; contact for quote.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Harvey AI Corporation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.harvey.ai