// Trust & Security Report

    Litera Corp. (Kira Systems product line) logo

    Litera Corp. (Kira Systems product line)

    Kira is an AI-powered contract intelligence platform for legal teams, combining proprietary machine learning with optional generative AI to automate high-volume contract review and analysis. Includes Kira Smart Summaries, Smart Fields (configurable ML models), Concept Search, and Lito (AI Legal Agent).

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001:2022
    HELD

    Litera holds ISO/IEC 27001:2022 certification for information security management systems, covering corporate office technical, administrative, and physical controls.

    Verify on trust.litera.com
    SOC 2 Type II
    HELD

    Litera holds SOC 2 Type II certification; cloud environment providers undergo annual SOC 2 Type II audits. Kira supports enterprise-grade security including SOC 2 Type II.

    Verify on litera.com
    SOC 3
    HELD

    Litera holds SOC 3 certification in addition to SOC 2 Type II.

    Verify on trust.litera.com
    GDPR Compliance
    HELD

    Kira and Litera are aligned to GDPR standards. Master Data Protection Addendum (DPA) available for Kira software on-premises and cloud deployments.

    Verify on litera.com
    NIS 2 Alignment
    HELD

    Kira/Litera support enterprise-grade security with NIS 2 alignment, meeting EU cybersecurity resilience requirements.

    Verify on litera.com
    DORA Alignment
    HELD

    Kira and Litera Clean+ are aligned to DORA (Digital Operational Resilience Act), demonstrating compliance with EU digital resilience frameworks.

    Verify on litera.com
    > Show 8 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification or compliance found in Litera trust center, product pages, or DPA documents.

    source: trust.litera.com
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence of ISO 27017 certification. Litera references ISO 27001 for cloud providers but does not explicitly claim ISO 27017.

    source: litera.com
    ISO 27018 (PII in Public Cloud)
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found.

    source: trust.litera.com
    ISO 27701 (Privacy Information Management)
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found.

    source: trust.litera.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP certification found.

    source: trust.litera.com
    PCI-DSS
    NOT CONFIRMED

    No public evidence of PCI-DSS certification found.

    source: trust.litera.com
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence of ISO 42001 AI governance certification found; Litera publishes AI Governance White Paper but does not claim ISO 42001 certification.

    source: trust.litera.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR AI or security certification found.

    source: trust.litera.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multiple: US, Canada, Europe (EU/UK), Asia Pacific. Flexible data residency to meet sovereignty requirements.

    Kira explicitly does NOT train on customer data. Marketing states: 'never using your data for training, while giving your organization the option to train your own models on your own data.' Kira offers project-level toggle to disable generative AI while maintaining proprietary ML features. SmartField Sharing includes differential privacy protection to prevent reverse engineering of trained models.

    // Security controls

    Encryption in Transit

    TLS/SSL required. Security Addendum references implementation of appropriate technical and organizational measures; specific cipher suite details available upon request to customers.

    litera.com

    Encryption at Rest

    Customer data encrypted at rest; specific encryption algorithms referenced in Security Addendum Schedule 2.

    litera.com

    Data Residency

    Customers can choose hosting region: US, Canada, Europe, or Asia Pacific; no mandatory cross-border transfer without customer consent.

    litera.com

    Access Controls

    On-premises: Litera does not access customer documents; only minimal telemetry collected to verify product access. Cloud: Litera does not monitor or access customer documents. Full customer control over data dissemination and alteration.

    litera.com

    Differential Privacy

    SmartField Sharing feature implements differential privacy algorithm to protect against reverse engineering of trained models when sharing custom ML fields.

    litera.com

    Audit & Logging

    ISO 27001 / SOC 2 Type II compliance indicates comprehensive audit logging and monitoring; third-party audit reports available to customers upon request.

    litera.com

    Incident Response

    DPA requires Litera to 'immediately inform the Customer if Processing infringes Data Protection Laws' and support regulatory notifications.

    litera.com

    // Products & data scope

    Kira Contract Intelligence (Cloud)Contract Review & Analysis

    data: Contract documents, metadata, extraction results. No training on customer documents by Litera.

    Cloud-hosted SaaS; supports GDPR/NIS2/DORA compliance; integrates with OpenAI for optional Generative AI features with project-level toggle.

    Kira Contract Intelligence (On-Premises)Contract Review & Analysis

    data: All data stored and processed on customer's infrastructure; Litera minimal access.

    Self-hosted option for maximum data control; same AI features as cloud version; telemetry only for product access verification.

    Kira Smart SummariesContract Analysis

    data: Contract documents sent to OpenAI for summary generation (optional feature); can be disabled.

    Optional generative AI feature; project-level toggle; can be disabled per customer requirements.

    Kira Smart Fields (ML Models)Contract Extraction

    data: Custom ML models trained on customer data if customer opts in; default proprietary models trained on 1M+ legal contracts.

    Proprietary models require no additional training. Optional feature to train custom models on customer's own data.

    Lito (AI Legal Agent)Legal Automation

    data: Integrated within Kira; handles routine legal tasks; governance-first AI with ability to opt-out.

    Included with Kira subscription; optional; can be disabled per firm requirements.

    // What to watch

    • Identity: Kira Systems is now a product line of Litera Corp. (acquired/integrated). The evidence URL redirects from kirasystems.com to litera.com/products/kira. Assessment certifications apply to Litera as vendor entity.
    • No HIPAA certification: While Kira is used by healthcare legal teams, Litera does not publicly claim HIPAA compliance. May support HIPAA use cases via GDPR/NIS2/DORA posture, but should not be marketed as HIPAA-certified.
    • Generative AI toggle: Critical governance feature. Kira allows per-project disable of GenAI while maintaining proprietary ML extraction, addressing client confidentiality concerns.
    • Subprocessors: Litera uses cloud infrastructure providers (AWS/Azure/GCP) with their own ISO 27001/SOC 2 certifications. Customer responsible for assessing sub-processor compliance.
    • AI governance gaps: No ISO 42001 or CSA STAR AI certifications found. Litera publishes AI Governance White Paper but standard certifications not claimed.
    • Cloud-only trust center: SafeBase-hosted trust center (trust.litera.com) requires account creation for full document access; public preview limited. Recommend contacting Litera for detailed compliance documentation.
    • On-premises data handling: For on-premises deployment, Litera claims zero access to customer documents; only telemetry for product access. Verification of this claim may require technical audit.

    // At a glance

    Pricing model

    Subscription-based SaaS (per-user or consumption); perpetual on-premises license option available.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Litera Corp. (Kira Systems product line)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.litera.com

    > Browse all vendor trust reports