// Trust & Security Report

    Rocket Lawyer Incorporated logo

    Rocket Lawyer Incorporated

    Online legal services platform for consumers and small businesses — personalized legal document creation and e-signature, Ask a Legal Pro / Consult a Legal Pro Live attorney network, business formation and registered agent services, Rocket Copilot AI legal assistant, and an Enterprise/API tier for larger organizations

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Trust center Compliance section lists 'SOC 2'; Resources section lists a downloadable 'SOC2 Type 2' report

    Verify on trust.rocketlawyer.com
    PCI DSS (SAQ A)
    HELD

    Trust center Compliance section lists 'PCI DSS - SAQ A'; Resources section lists 'PCI DSS SAQ-A AOC'

    Verify on trust.rocketlawyer.com
    CCPA
    HELD

    Trust center Compliance section shows 'CCPA' with an explicit 'COMPLIANT' badge

    Verify on trust.rocketlawyer.com
    GDPR (compliance posture)
    HELD

    Trust center Compliance section lists 'GDPR' as a tracked framework; privacy policy states 'we have self-certified to the EU-US Data Privacy Framework and the UK Extension to the EU-US Data Privacy Framework'

    Verify on trust.rocketlawyer.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence: not listed in trust center Compliance or Resources sections (only SOC 2, PCI DSS SAQ-A, GDPR, CCPA appear there)

    source: trust.rocketlawyer.com
    HIPAA
    NOT CONFIRMED

    No public evidence: not listed anywhere on the trust center; Rocket Lawyer's own site only offers HIPAA authorization *document templates* for customers, which is unrelated to the vendor's own compliance program

    source: trust.rocketlawyer.com
    FedRAMP
    NOT CONFIRMED

    No public evidence on vendor domain; not listed in trust center

    source: trust.rocketlawyer.com
    CSA STAR
    NOT CONFIRMED

    No public evidence on vendor domain; not listed in trust center

    source: trust.rocketlawyer.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence on vendor domain; not listed in trust center

    source: trust.rocketlawyer.com
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence on vendor domain; no AI-governance certification referenced anywhere on the trust center or product pages

    source: trust.rocketlawyer.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Primary processing in the United States; Privacy Policy states services also use tools/systems located in the United Kingdom; trust center subprocessor entry for Google Cloud Platform (IaaS) lists data center regions as 'US, EU'; users consent to transfer of personal information to the US

    Rocket Lawyer makes a direct statement on its own domain (newsroom announcement for Rocket Copilot Contract Review): 'Documents uploaded to Rocket Copilot for Contract Review are encrypted, processed in a secure environment, and never used to train AI models.' On that basis, identifiable customer-uploaded documents are recorded as not used for AI model training. The broader Terms of Service still permit use of de-identified content: 'You acknowledge and agree that Rocket Lawyer is authorized to collect and use aggregated or anonymized information from or about you and other users and user-created documents for the purposes of researching, developing, improving and marketing its Services,' and the Privacy Policy adds that non-personal information input to the platform 'may be used by Rocket Lawyer to provide, maintain and improve the Services, including for quality control purposes.' So aggregated/anonymized data may inform Service improvement, but individual customer documents are not used to train AI models per the vendor's own statement. Note the verbatim no-training statement is scoped to Rocket Copilot Contract Review uploads rather than every Copilot feature, and no per-user opt-out for the separate aggregated/anonymized improvement use was found on the vendor's own domain.

    // Security controls

    Independent SOC 2 Type 2 audit

    Vanta-hosted trust center references a completed SOC 2 Type 2 report available on request

    trust.rocketlawyer.com

    Payment card data handling

    PCI DSS Self-Assessment Questionnaire A (SAQ A) attestation of compliance on file; payments routed through Stripe, Yuno, and Spreedly subprocessors rather than storing card data directly

    trust.rocketlawyer.com

    Data encryption

    Trust center Data Security and Privacy control category lists 'Data encryption utilized' among tracked controls

    trust.rocketlawyer.com

    Vulnerability management

    Trust center Product Security controls include 'Vulnerabilities scanned and remediated' and 'Penetration testing performed'; a Vulnerability Disclosure Program document is published

    trust.rocketlawyer.com

    Business continuity / disaster recovery

    Trust center Operational Security controls list 'Continuity and disaster recovery plans established' and 'tested', plus 'Cybersecurity insurance maintained'

    trust.rocketlawyer.com

    Subprocessors disclosed

    Trust center publishes a subprocessor list: Google Cloud Platform (infrastructure, US/EU), Stripe, Yuno, and Spreedly (payments)

    trust.rocketlawyer.com

    International transfer mechanism

    Self-certified to the EU-US Data Privacy Framework and its UK Extension

    rocketlawyer.com

    // Products & data scope

    Rocket Lawyer membership (Standard / Plus / Pro)Consumer legal document generation and e-signature

    data: Personal information, personalized legal documents, e-signature data, Ask a Legal Pro / Legal Pro Live conversation content, payment data (via subprocessors)

    Includes 'Unlimited Rocket Copilot AI' at every consumer tier per current pricing page

    Business formation and filing servicesBusiness/compliance filings

    data: Business registration details (LLC, corporation, nonprofit, trademark, DBA, annual reports), registered agent data

    Same account/data infrastructure as consumer membership

    Enterprise membership / Group legal benefitsB2B legal benefits for organizations >25 employees

    data: Employee/member personal data provided by the employer, usage/document data across the organization

    Marketed on the pricing page as a separate track ('Have more than 25 employees? Explore our Enterprise membership!'); no separate enterprise-specific security documentation (e.g., a distinct enterprise DPA or higher assurance level) was found beyond the shared trust center

    Rocket Lawyer APIDeveloper/API access to legal document generation

    data: Programmatic access to document creation, potentially embedding customer end-user data from the integrating business

    Advertised under 'Get access to our APIs'; no distinct API-specific security or compliance page was found beyond the general trust center

    International sites (Rocket Lawyer UK, ES, FR, NL, BR)Localized legal document/service offerings

    data: Jurisdiction-specific legal documents and possibly separate local legal entities/data handling

    Not independently assessed here; may have different regional compliance postures (e.g., UK GDPR) not captured by the primary US trust center

    // What to watch

    • Third-party 'security profile' aggregator sites (e.g., a Nudge Security auto-generated page) claim Rocket Lawyer is 'ISO 27001 Compliant, HIPAA Compliant, FedRAMP Compliant, and CSA Star Level 1 Compliant' — none of these appear anywhere on Rocket Lawyer's own trust center (trust.rocketlawyer.com), which lists only SOC 2, PCI DSS SAQ-A, GDPR, and CCPA. These third-party claims should be treated as unverified/likely incorrect and must not be used to list ISO 27001, HIPAA, FedRAMP, or CSA STAR as held certifications.
    • Rocket Lawyer states on its own domain (newsroom announcement) that documents uploaded to Rocket Copilot for Contract Review are 'never used to train AI models.' Separately, its ToS still permits use of 'aggregated or anonymized' and 'non-personal' user/document data to 'improve the Services,' with no per-user opt-out found, so de-identified data may inform Service improvement even though identifiable customer documents are not used for model training. The verbatim no-training statement is scoped to Rocket Copilot Contract Review uploads rather than every Copilot feature, so enterprise/legal-vertical buyers may still want written confirmation covering all Copilot use.
    • No enterprise-tier-specific security documentation (e.g., a distinct Enterprise DPA, higher SOC 2 scope, or dedicated data-residency options) was found beyond the single shared trust center, despite Rocket Lawyer marketing a separate Enterprise membership and an API product.
    • PCI DSS is at the SAQ A level (self-assessment, lowest tier, applicable when card data handling is fully outsourced to a processor), not a full PCI DSS Level 1 Report on Compliance — list this distinction rather than a generic 'PCI DSS compliant' claim.

    // At a glance

    Pricing model

    Consumer/business subscription tiers (Standard $12.41/mo, Plus $20.75/mo, Pro $29.08/mo, billed yearly) plus a separate Enterprise membership tier for organizations with 25+ employees; API access offered separately

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Rocket Lawyer Incorporated's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.rocketlawyer.com

    > Browse all vendor trust reports