// Trust & Security Report
Rocket Lawyer Incorporated
Online legal services platform for consumers and small businesses — personalized legal document creation and e-signature, Ask a Legal Pro / Consult a Legal Pro Live attorney network, business formation and registered agent services, Rocket Copilot AI legal assistant, and an Enterprise/API tier for larger organizations
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.rocketlawyer.com“Trust center Compliance section lists 'SOC 2'; Resources section lists a downloadable 'SOC2 Type 2' report”
Verify on trust.rocketlawyer.com“Trust center Compliance section lists 'PCI DSS - SAQ A'; Resources section lists 'PCI DSS SAQ-A AOC'”
Verify on trust.rocketlawyer.com“Trust center Compliance section shows 'CCPA' with an explicit 'COMPLIANT' badge”
Verify on trust.rocketlawyer.com“Trust center Compliance section lists 'GDPR' as a tracked framework; privacy policy states 'we have self-certified to the EU-US Data Privacy Framework and the UK Extension to the EU-US Data Privacy Framework'”
> Show 6 unconfirmed / not-held certifications
source: trust.rocketlawyer.comNo public evidence: not listed in trust center Compliance or Resources sections (only SOC 2, PCI DSS SAQ-A, GDPR, CCPA appear there)
source: trust.rocketlawyer.comNo public evidence: not listed anywhere on the trust center; Rocket Lawyer's own site only offers HIPAA authorization *document templates* for customers, which is unrelated to the vendor's own compliance program
source: trust.rocketlawyer.comNo public evidence on vendor domain; not listed in trust center
source: trust.rocketlawyer.comNo public evidence on vendor domain; not listed in trust center
source: trust.rocketlawyer.comNo public evidence on vendor domain; not listed in trust center
source: trust.rocketlawyer.comNo public evidence on vendor domain; no AI-governance certification referenced anywhere on the trust center or product pages
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Primary processing in the United States; Privacy Policy states services also use tools/systems located in the United Kingdom; trust center subprocessor entry for Google Cloud Platform (IaaS) lists data center regions as 'US, EU'; users consent to transfer of personal information to the US
Rocket Lawyer makes a direct statement on its own domain (newsroom announcement for Rocket Copilot Contract Review): 'Documents uploaded to Rocket Copilot for Contract Review are encrypted, processed in a secure environment, and never used to train AI models.' On that basis, identifiable customer-uploaded documents are recorded as not used for AI model training. The broader Terms of Service still permit use of de-identified content: 'You acknowledge and agree that Rocket Lawyer is authorized to collect and use aggregated or anonymized information from or about you and other users and user-created documents for the purposes of researching, developing, improving and marketing its Services,' and the Privacy Policy adds that non-personal information input to the platform 'may be used by Rocket Lawyer to provide, maintain and improve the Services, including for quality control purposes.' So aggregated/anonymized data may inform Service improvement, but individual customer documents are not used to train AI models per the vendor's own statement. Note the verbatim no-training statement is scoped to Rocket Copilot Contract Review uploads rather than every Copilot feature, and no per-user opt-out for the separate aggregated/anonymized improvement use was found on the vendor's own domain.
// Security controls
Independent SOC 2 Type 2 audit
Vanta-hosted trust center references a completed SOC 2 Type 2 report available on request
trust.rocketlawyer.comPayment card data handling
PCI DSS Self-Assessment Questionnaire A (SAQ A) attestation of compliance on file; payments routed through Stripe, Yuno, and Spreedly subprocessors rather than storing card data directly
trust.rocketlawyer.comData encryption
Trust center Data Security and Privacy control category lists 'Data encryption utilized' among tracked controls
trust.rocketlawyer.comVulnerability management
Trust center Product Security controls include 'Vulnerabilities scanned and remediated' and 'Penetration testing performed'; a Vulnerability Disclosure Program document is published
trust.rocketlawyer.comBusiness continuity / disaster recovery
Trust center Operational Security controls list 'Continuity and disaster recovery plans established' and 'tested', plus 'Cybersecurity insurance maintained'
trust.rocketlawyer.comSubprocessors disclosed
Trust center publishes a subprocessor list: Google Cloud Platform (infrastructure, US/EU), Stripe, Yuno, and Spreedly (payments)
trust.rocketlawyer.comInternational transfer mechanism
Self-certified to the EU-US Data Privacy Framework and its UK Extension
rocketlawyer.com// Products & data scope
data: Personal information, personalized legal documents, e-signature data, Ask a Legal Pro / Legal Pro Live conversation content, payment data (via subprocessors)
Includes 'Unlimited Rocket Copilot AI' at every consumer tier per current pricing page
data: Business registration details (LLC, corporation, nonprofit, trademark, DBA, annual reports), registered agent data
Same account/data infrastructure as consumer membership
data: Employee/member personal data provided by the employer, usage/document data across the organization
Marketed on the pricing page as a separate track ('Have more than 25 employees? Explore our Enterprise membership!'); no separate enterprise-specific security documentation (e.g., a distinct enterprise DPA or higher assurance level) was found beyond the shared trust center
data: Programmatic access to document creation, potentially embedding customer end-user data from the integrating business
Advertised under 'Get access to our APIs'; no distinct API-specific security or compliance page was found beyond the general trust center
data: Jurisdiction-specific legal documents and possibly separate local legal entities/data handling
Not independently assessed here; may have different regional compliance postures (e.g., UK GDPR) not captured by the primary US trust center
// What to watch
- Third-party 'security profile' aggregator sites (e.g., a Nudge Security auto-generated page) claim Rocket Lawyer is 'ISO 27001 Compliant, HIPAA Compliant, FedRAMP Compliant, and CSA Star Level 1 Compliant' — none of these appear anywhere on Rocket Lawyer's own trust center (trust.rocketlawyer.com), which lists only SOC 2, PCI DSS SAQ-A, GDPR, and CCPA. These third-party claims should be treated as unverified/likely incorrect and must not be used to list ISO 27001, HIPAA, FedRAMP, or CSA STAR as held certifications.
- Rocket Lawyer states on its own domain (newsroom announcement) that documents uploaded to Rocket Copilot for Contract Review are 'never used to train AI models.' Separately, its ToS still permits use of 'aggregated or anonymized' and 'non-personal' user/document data to 'improve the Services,' with no per-user opt-out found, so de-identified data may inform Service improvement even though identifiable customer documents are not used for model training. The verbatim no-training statement is scoped to Rocket Copilot Contract Review uploads rather than every Copilot feature, so enterprise/legal-vertical buyers may still want written confirmation covering all Copilot use.
- No enterprise-tier-specific security documentation (e.g., a distinct Enterprise DPA, higher SOC 2 scope, or dedicated data-residency options) was found beyond the single shared trust center, despite Rocket Lawyer marketing a separate Enterprise membership and an API product.
- PCI DSS is at the SAQ A level (self-assessment, lowest tier, applicable when card data handling is fully outsourced to a processor), not a full PCI DSS Level 1 Report on Compliance — list this distinction rather than a generic 'PCI DSS compliant' claim.
// At a glance
Pricing model
Consumer/business subscription tiers (Standard $12.41/mo, Plus $20.75/mo, Pro $29.08/mo, billed yearly) plus a separate Enterprise membership tier for organizations with 25+ employees; API access offered separately
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Rocket Lawyer Incorporated's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.rocketlawyer.com