// Trust & Security Report
Josef Legal
Legal AI SaaS platform offering AI Q&A (Josef Q), contract automation, and workflow automation for in-house legal teams and law firms
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on learn.microsoft.com“Josef self-attested to Microsoft (December 2025): 'Does the app comply with SOC 2? Yes. Which SOC 2 certification did you achieve? type2. Most recent SOC2 certification date: 2025-05-19.' Corroborated by vendor security page: 'Josef maintains the highest security standards, combining best practices with strict compliance. As both SOC 2 Type II certified and GDPR compliant, we keep your data secure at every level.'”
> Show 8 unconfirmed / not-held certifications
source: learn.microsoft.comJosef's own Microsoft 365 App Certification self-attestation (December 2025) explicitly states: 'Is the app ISO 27001 certified? No'. The vendor's 2023 blog post confirms this: 'Looking ahead, we have ISO27001 certification in our sights.' Note: Josef's security page states 'Our servers are backed by world-class infrastructure, rigorous security protocols, and ISO certification' — this refers to the GCP cloud host's infrastructure ISO cert, not Josef's own (see host-vs-vendor flag).
source: joseflegal.comGDPR is a regulation, not a certification. Josef claims a GDPR compliance posture: 'As both SOC 2 Type II certified and GDPR compliant, we keep your data secure at every level.' Microsoft attestation confirms: 'Do you have GDPR or other privacy or data protection requirements? Yes.' Privacy policy addresses EEA resident rights (access, rectification, deletion, restriction, supervisory authority complaint).
source: learn.microsoft.comMicrosoft 365 App Certification self-attestation (December 2025): 'Does the app comply with HIPAA? N/A'. Healthcare data is not in scope for this legal-tech platform.
source: learn.microsoft.comMicrosoft 365 App Certification self-attestation (December 2025): 'Is the app FedRAMP compliant? No'.
source: learn.microsoft.comMicrosoft 365 App Certification self-attestation (December 2025): 'Has the app been Cloud Security Alliance (CSA Star) certified? No'.
source: learn.microsoft.comMicrosoft 365 App Certification self-attestation (December 2025): 'Do you carry out annual PCI DSS assessments? N/A'. Not in scope for this product.
source: learn.microsoft.comMicrosoft 365 App Certification self-attestation (December 2025): 'Does the app comply with ISO 27018? N/A'. No public evidence.
source: joseflegal.comNo public evidence of ISO/IEC 42001 or any AI governance certification. Not referenced on vendor site or in Microsoft 365 attestation (December 2025).
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
US, Europe (EU), UK, Australia — selectable per customer
Privacy policy states Josef uses data to 'improve our products and services' but does not explicitly address AI model training. Microsoft 365 attestation (December 2025) states 'Does the app process customer data for a secondary purpose not described in the privacy notice (i.e. marketing, analytics)? No'. FAQ states customers 'retain full ownership of their data' and Josef acts as 'secure custodian only'. Josef Q architecture draws from customer-approved documents only — not a general training corpus. However, an explicit AI-training prohibition or opt-out mechanism is not published. Buyers should request written confirmation.
// Security controls
Vulnerability scanning
Quarterly automated scans; continuous automated scanning also referenced
learn.microsoft.comIncident response
Formal incident response process documented; 72-hour breach notification to supervisory authorities and affected individuals
learn.microsoft.comChange management
Established change management process with peer code review before production deployment
learn.microsoft.com// Products & data scope
data: Customer-uploaded policy and compliance documents; queries answered from approved document corpus only — no general internet retrieval
Available as Microsoft Teams add-in; no special category data processed; no automated legal decision-making; human-in-the-loop moderation available; 'hallucination-free' by design (source-grounded)
data: Customer contract templates and generated documents (NDAs, MSAs, employment contracts)
No-code builder; integrates with SharePoint, Slack, Teams; used by L'Oreal (66% turnaround reduction reported)
data: Legal intake forms, approval workflows, and process routing data
Connects with existing tech stack; enterprise customers include Bupa (40+ tools) and Australian Retirement Trust
// What to watch
- HOST-VS-VENDOR ISO AMBIGUITY: Security page (joseflegal.com/security) states 'Our servers are backed by world-class infrastructure, rigorous security protocols, and ISO certification.' Josef's own Microsoft 365 App Certification self-attestation (December 2025) explicitly states ISO 27001 = No. The ISO reference on the security page refers to GCP's infrastructure-level ISO cert, not a cert Josef holds itself. This wording may mislead buyers into assuming Josef holds ISO 27001.
- AI TRAINING POSTURE NOT EXPLICITLY DOCUMENTED: Privacy policy mentions use of data to 'improve products and services' without explicitly ruling out AI model training. The Microsoft attestation (secondary use = No) and product architecture (customer docs only) imply no training on customer data, but no formal AI training prohibition or customer opt-out is published on the public website.
- CUSTOMER-FACING DPA NOT PUBLICLY DOCUMENTED: Privacy policy states Josef enters DPAs with its own vendors/sub-processors. A customer-facing DPA template or availability statement is not published on the website. Enterprise buyers subject to GDPR should request a signed DPA before deployment.
// At a glance
Pricing model
SaaS subscription, enterprise pricing (demo required, not self-serve)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Josef Legal's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
joseflegal.com