// Trust & Security Report

    Harvey AI Corporation logo

    Harvey AI Corporation

    Legal AI platform for law firms and in-house counsel, including document analysis, legal research, contract intelligence, and AI agents for complex legal workflows. Serves 142,000+ professionals across 60+ AmLaw 100 firms.

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Harvey undergoes annual SOC 2 Type II and ISO 27001 audits to validate these controls. Harvey has successfully completed another SOC 2 Type II audit conducted by Schellman.

    Verify on harvey.ai
    ISO 27001
    HELD

    Harvey has successfully completed another SOC 2 Type II audit and renewed our ISO 27001 certification. Schellman conducted the independent assessments.

    Verify on trust.harvey.ai
    ISO 27701
    HELD

    ISO/IEC 27701 listed among current certifications available in trust portal.

    Verify on trust.harvey.ai
    ISO 42001 (AI Management Systems)
    HELD

    Harvey has achieved ISO 42001 certification, the leading internationally recognized standard specifically designed for AI management systems. Announced June 5, 2026.

    Verify on harvey.ai
    GDPR Compliance
    HELD

    Harvey implements Data Privacy Framework for EEA/UK/Switzerland transfers and Standard Contractual Clauses for non-adequate jurisdictions. Enforceable commitments built to exceed standard vendor terms aligned with GDPR standards.

    Verify on harvey.ai
    CCPA (California Consumer Privacy Act)
    HELD

    Data Processing Addendum covers compliance with California Consumer Privacy Act (CCPA). Customer data retention and processing governed by separate customer agreements.

    Verify on harvey.ai
    IRAP (Australian Compliance)
    HELD

    IRAP listed among available certifications in trust portal.

    Verify on trust.harvey.ai
    WCAG 2.2 AA (Accessibility)
    HELD

    WCAG 2.2 AA compliance listed in certifications available through trust portal.

    Verify on trust.harvey.ai
    > Show 1 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification on vendor domain. Healthcare use cases mentioned for compliance advisory work, but HIPAA compliance not explicitly claimed or certified.

    source: harvey.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Flexible - US (default), EU, Switzerland, Australia. Customers specify preferred region in order forms.

    Harvey contractually guarantees through Platform Agreement that it does not use inputs, outputs, or uploaded documents to train underlying models. Harvey does use publicly available information (court judgments, decisions, public filings) to develop and train AI systems. This is covered in Privacy Policy which excludes uploaded platform data from the general privacy policy, governing it instead through Customer Agreements.

    // Security controls

    Encryption in Transit

    Transport Layer Security 1.2 or better

    harvey.ai

    Encryption at Rest

    AES 256-bit or better

    harvey.ai

    Encryption Key Management

    Annual key rotation with hardware security module protection

    harvey.ai

    Access Controls

    Multi-factor authentication, unique IDs, strong passwords, least-privilege access. Staff cannot access customer data without service necessity or legal order.

    harvey.ai

    Vulnerability Management

    Critical vulnerabilities patched within 7 days, high-severity within 30 days, medium within 90 days. Annual penetration tests and web application security assessments.

    harvey.ai

    Threat Detection

    Industry-standard threat detection with daily signature updates. Daily monitoring and annual penetration testing.

    harvey.ai

    Personnel Security

    Mandatory security training at onboarding and annually. Background checks include ID verification, work authorization, and criminal history screening.

    harvey.ai

    Incident Response

    Customer notification within 48 hours of confirmed breach. Full investigation and mitigation details provided. Logs preserved minimum 1 year.

    harvey.ai

    Third-Party Auditors

    Partners with Schellman, NCC Group, and Bishop Fox for annual audits and penetration tests.

    harvey.ai

    Data Lifecycle Management

    Matter-level access controls, audit-ready logs, customer ability to delete data anytime, 30-day deletion window upon service termination request.

    harvey.ai

    Audit Rights

    Customers receive annual audit reports at no cost. Can submit security questionnaires (up to 100 questions). May request audits per Security Addendum terms.

    harvey.ai

    Data Transfer Framework

    Data Privacy Framework certified for EU/UK/Switzerland transfers. Standard Contractual Clauses (SCCs) for non-adequate jurisdictions.

    harvey.ai

    // Products & data scope

    Harvey AssistantDocument Analysis & Drafting

    data: Customer-uploaded documents and queries processed but not used for model training per contractual guarantee

    Ask questions, analyze documents, draft faster with domain-specific AI

    Harvey VaultDocument Management

    data: Secure storage for legal documents with bulk analysis capability

    Securely store, organize, and bulk-analyze legal documents with encryption and access controls

    Harvey KnowledgeLegal Research

    data: Proprietary database of legal precedent, regulations, tax guidance across multiple jurisdictions

    Research complex legal, regulatory, and tax questions. Covers common and civil law systems across US, UK, EU, APAC, MENA

    Harvey AgentsWorkflow Automation

    data: 500+ pre-built and custom agents for legal workflows

    Purpose-built agents execute complex legal work end-to-end across practice areas (capital markets, environmental law, bankruptcy, etc.). Vetted by in-house lawyers.

    Contract IntelligenceContract Analysis

    data: Contract extraction, analysis, and risk identification

    Surface insights, strengthen negotiations, and accelerate contract reviews

    Harvey MobileMobile Access

    data: Mobile-optimized access to Harvey platform

    Get up to speed, capture information, and keep work moving from anywhere

    Command CenterAnalytics & Leadership

    data: Firm-wide AI adoption analytics and benchmarking

    Analytics, benchmarking, and agentic insights for organizational AI transformation leadership

    Shared SpacesCollaboration

    data: Cross-organizational secure collaboration

    Work with legal teams across organizations in secure, shared spaces

    // What to watch

    • HIPAA not claimed or certified despite healthcare use cases being mentioned. Vendor positions platform for legal work, not healthcare directly.
    • ISO 42001 certification very recent (June 5, 2026). Newest addition to compliance portfolio.
    • Trust center documents (SOC 2, ISO reports) appear to require customer access/verification through SafeBase portal; full audit details not freely public but vendor states documents available to customers.
    • Privacy policy notes customer-uploaded data excluded from general privacy policy, governed instead by Customer Agreements. Standard for SaaS but worth noting.
    • Web browsing feature (you.com integration) noted as non-HIPAA compliant, but Harvey platform itself does not claim HIPAA.

    // At a glance

    Pricing model

    Enterprise SaaS subscription; per-user or per-team models available. Pricing not publicly listed; contact for quote.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Harvey AI Corporation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.harvey.ai

    > Browse all vendor trust reports