// Trust & Security Report

    Josef Legal logo

    Josef Legal

    Legal AI SaaS platform offering AI Q&A (Josef Q), contract automation, and workflow automation for in-house legal teams and law firms

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Josef self-attested to Microsoft (December 2025): 'Does the app comply with SOC 2? Yes. Which SOC 2 certification did you achieve? type2. Most recent SOC2 certification date: 2025-05-19.' Corroborated by vendor security page: 'Josef maintains the highest security standards, combining best practices with strict compliance. As both SOC 2 Type II certified and GDPR compliant, we keep your data secure at every level.'

    Verify on learn.microsoft.com
    > Show 8 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Josef's own Microsoft 365 App Certification self-attestation (December 2025) explicitly states: 'Is the app ISO 27001 certified? No'. The vendor's 2023 blog post confirms this: 'Looking ahead, we have ISO27001 certification in our sights.' Note: Josef's security page states 'Our servers are backed by world-class infrastructure, rigorous security protocols, and ISO certification' — this refers to the GCP cloud host's infrastructure ISO cert, not Josef's own (see host-vs-vendor flag).

    source: learn.microsoft.com
    GDPR (compliance posture)
    NOT CONFIRMED

    GDPR is a regulation, not a certification. Josef claims a GDPR compliance posture: 'As both SOC 2 Type II certified and GDPR compliant, we keep your data secure at every level.' Microsoft attestation confirms: 'Do you have GDPR or other privacy or data protection requirements? Yes.' Privacy policy addresses EEA resident rights (access, rectification, deletion, restriction, supervisory authority complaint).

    source: joseflegal.com
    HIPAA
    NOT CONFIRMED

    Microsoft 365 App Certification self-attestation (December 2025): 'Does the app comply with HIPAA? N/A'. Healthcare data is not in scope for this legal-tech platform.

    source: learn.microsoft.com
    FedRAMP
    NOT CONFIRMED

    Microsoft 365 App Certification self-attestation (December 2025): 'Is the app FedRAMP compliant? No'.

    source: learn.microsoft.com
    CSA STAR
    NOT CONFIRMED

    Microsoft 365 App Certification self-attestation (December 2025): 'Has the app been Cloud Security Alliance (CSA Star) certified? No'.

    source: learn.microsoft.com
    PCI DSS
    NOT CONFIRMED

    Microsoft 365 App Certification self-attestation (December 2025): 'Do you carry out annual PCI DSS assessments? N/A'. Not in scope for this product.

    source: learn.microsoft.com
    ISO 27018
    NOT CONFIRMED

    Microsoft 365 App Certification self-attestation (December 2025): 'Does the app comply with ISO 27018? N/A'. No public evidence.

    source: learn.microsoft.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 or any AI governance certification. Not referenced on vendor site or in Microsoft 365 attestation (December 2025).

    source: joseflegal.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    US, Europe (EU), UK, Australia — selectable per customer

    Privacy policy states Josef uses data to 'improve our products and services' but does not explicitly address AI model training. Microsoft 365 attestation (December 2025) states 'Does the app process customer data for a secondary purpose not described in the privacy notice (i.e. marketing, analytics)? No'. FAQ states customers 'retain full ownership of their data' and Josef acts as 'secure custodian only'. Josef Q architecture draws from customer-approved documents only — not a general training corpus. However, an explicit AI-training prohibition or opt-out mechanism is not published. Buyers should request written confirmation.

    // Security controls

    Encryption at rest

    AES-256

    joseflegal.com

    Encryption in transit

    TLS 1.3

    joseflegal.com

    Cloud hosting provider

    Google Cloud Platform (GCP)

    learn.microsoft.com

    Penetration testing

    Annual third-party penetration testing

    joseflegal.com

    Vulnerability scanning

    Quarterly automated scans; continuous automated scanning also referenced

    learn.microsoft.com

    Secure coding

    OWASP and ASD (Australian Signals Directorate) secure coding frameworks

    joseflegal.com

    MFA

    Enabled for code repositories, DNS management, and credentials

    learn.microsoft.com

    Incident response

    Formal incident response process documented; 72-hour breach notification to supervisory authorities and affected individuals

    learn.microsoft.com

    Disaster recovery

    Documented DR plan with backup and restore strategy

    learn.microsoft.com

    Key management

    Server-side encryption keys held and regularly audited by Josef

    joseflegal.com

    Change management

    Established change management process with peer code review before production deployment

    learn.microsoft.com

    Anti-malware

    Traditional anti-malware and application controls deployed

    learn.microsoft.com

    // Products & data scope

    Josef QAI Q&A / Legal knowledge management

    data: Customer-uploaded policy and compliance documents; queries answered from approved document corpus only — no general internet retrieval

    Available as Microsoft Teams add-in; no special category data processed; no automated legal decision-making; human-in-the-loop moderation available; 'hallucination-free' by design (source-grounded)

    Contract AutomationLegal document automation

    data: Customer contract templates and generated documents (NDAs, MSAs, employment contracts)

    No-code builder; integrates with SharePoint, Slack, Teams; used by L'Oreal (66% turnaround reduction reported)

    Workflow AutomationLegal intake and workflow

    data: Legal intake forms, approval workflows, and process routing data

    Connects with existing tech stack; enterprise customers include Bupa (40+ tools) and Australian Retirement Trust

    // What to watch

    • HOST-VS-VENDOR ISO AMBIGUITY: Security page (joseflegal.com/security) states 'Our servers are backed by world-class infrastructure, rigorous security protocols, and ISO certification.' Josef's own Microsoft 365 App Certification self-attestation (December 2025) explicitly states ISO 27001 = No. The ISO reference on the security page refers to GCP's infrastructure-level ISO cert, not a cert Josef holds itself. This wording may mislead buyers into assuming Josef holds ISO 27001.
    • AI TRAINING POSTURE NOT EXPLICITLY DOCUMENTED: Privacy policy mentions use of data to 'improve products and services' without explicitly ruling out AI model training. The Microsoft attestation (secondary use = No) and product architecture (customer docs only) imply no training on customer data, but no formal AI training prohibition or customer opt-out is published on the public website.
    • CUSTOMER-FACING DPA NOT PUBLICLY DOCUMENTED: Privacy policy states Josef enters DPAs with its own vendors/sub-processors. A customer-facing DPA template or availability statement is not published on the website. Enterprise buyers subject to GDPR should request a signed DPA before deployment.

    // At a glance

    Pricing model

    SaaS subscription, enterprise pricing (demo required, not self-serve)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Josef Legal's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    joseflegal.com

    > Browse all vendor trust reports