// Trust & Security Report
LegalZoom.com, Inc.
Online legal services, business formation, estate planning, AI-assisted legal documents
Certifications held
4
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on legalzoom.com“No public attestation or SOC 2 report found on legalzoom.com or any investor/trust page. Security page makes no reference to third-party audits.”
Verify on legalzoom.com“No ISO 27001 certificate is published on the LegalZoom security page or privacy policy, and no public trust center listing was found. Absence of a public mention is not proof the certification is not held, so status is recorded as unknown rather than absent.”
Verify on legalzoom.com“Privacy policy states 'We use industry-standard SSL/TLS to transmit payment card information' but no PCI DSS Level certification is publicly disclosed.”
Verify on legalzoom.com“Privacy policy addresses GDPR rights and provides EURepresentative@legalzoom.com contact, but no formal GDPR certification or DPA template is published.”
> Show 1 unconfirmed / not-held certifications
source: legalzoom.comNo HIPAA compliance claim found. LegalZoom handles legal documents but does not claim to operate as a HIPAA-covered entity or business associate in its published terms or security page.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
US (Mountain View, CA headquarters). No data center locations publicly disclosed.
Privacy policy explicitly states LegalZoom uses personal information for 'product development, including improving our existing offerings and developing new products and services, including machine learning or AI technologies.' Data is not shared with third-party AI providers for training, but is used internally for LegalZoom's own ML and AI model development. The AI Additional Terms (https://www.legalzoom.com/legal/general-terms/ai-additional-terms) reference the privacy policy for full details and do not provide an opt-out mechanism on that page.
// Security controls
Encryption in transit
SSL/TLS for payment card data; general encryption for sensitive information described as 'transforming it into a secure code accessible only to personnel authorized by LegalZoom'
legalzoom.comMulti-Factor Authentication
MFA available to all customers; 'Depending on what you've purchased from LegalZoom, this may be automatically enabled for you.' Users can enable via account Personal info section.
legalzoom.comDedicated security team
'We have a dedicated information security team that is constantly working on improving our cybersecurity practices. This work includes collaborating with security researchers worldwide.'
legalzoom.comVulnerability Disclosure Program
VDP hosted on Bugcrowd (bugcrowd.com/engagements/legalzoom-vdp). Not a paid bug bounty; submissions reviewed within 13 days per Bugcrowd data. Contact: security@legalzoom.com.
legalzoom.comPassword alerts
Customers are notified immediately if their password changes; emergency contact line provided.
legalzoom.comData sales
'We respect your privacy and never sell your data for money.' Standard targeted advertising practices acknowledged with opt-out available.
legalzoom.comThird-party data sharing
Data shared with service providers, attorneys, tax experts, and business partners. After Dec 15, 2024, business formation customer contact data may be shared with partner 1-800Accountant.
legalzoom.com// Products & data scope
data: Business name, owner PII, EIN applications, state filing data. Data may be shared with 1-800Accountant partner post-formation (after Dec 15, 2024).
Core product. Handles state government submissions on customer behalf. No attorney-client privilege applies.
data: Highly sensitive personal data: beneficiaries, asset lists, healthcare wishes, family structure, real property details.
Accepts HIPAA Authorization as a document type but LegalZoom itself is not a HIPAA-covered entity. 3.5 million+ documents created.
data: Business and creative property details filed with USPTO on customer behalf.
No attorney-client privilege. USPTO filing agent role.
data: Customer-uploaded documents and AI-generated outputs handled under the LegalZoom privacy policy. The AI Additional Terms do not describe where AI inputs or outputs are stored or for how long they are retained. Per the privacy policy, personal information may be used for internal ML/AI development.
Generative AI feature provided 'as is' with no accuracy guarantee. Subject to AI Additional Terms, which reference the privacy policy for data handling and describe no AI-specific opt-out. Customer data may be used to improve LegalZoom's own AI models.
data: Legal matter details shared with participating independent attorneys. Not protected by attorney-client privilege via LegalZoom platform.
Attorneys are independent contractors, not LegalZoom employees. Calls limited to 30 min consultations per matter.
data: Physical mail pieces scanned and stored digitally; business address registered.
Handles physical mail which may contain sensitive business or legal correspondence.
data: Signed documents, signer identity verification data.
Competes with DocuSign for legal document signing.
// What to watch
- AI training: Privacy policy confirms customer personal data is used for internal ML/AI model development ('machine learning or AI technologies'). No blanket opt-out mechanism found on the AI Additional Terms page.
- No public SOC 2 report or ISO 27001 certificate despite handling sensitive legal, estate, and financial documents for millions of consumers and businesses.
- Third-party data sharing: Business formation customers' contact data may be shared with partner 1-800Accountant without explicit opt-in (opt-out required). Disclosed post-December 15, 2024.
- Vulnerability Disclosure Program on Bugcrowd is a VDP (no bounties), not a paid bug bounty program.
- No attorney-client privilege protection via LegalZoom platform, regardless of product. Explicitly stated in ToS and on pages.
- No DPA published for enterprise/B2B customers. EU representative contact provided but no formal DPA template.
- Publicly traded (Nasdaq: LZ) with ~$190M quarterly revenue as of Q4 2025, suggesting enterprise-grade infrastructure, but security transparency remains thin.
// At a glance
Pricing model
Freemium to subscription. One-time fees for formations ($0 + state fees). Subscription plans for compliance ($199-$999/yr), attorney plans, and premium trust packages. Full-service Business Manager tiers range from $799 (dissolution) to $999/yr (standard) up to $1,299/yr (reinstatement + Business Manager).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on LegalZoom.com, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
legalzoom.com