// Trust & Security Report

    VLEX (part of Clio) logo

    VLEX (part of Clio)

    AI legal research and intelligence platform: Vincent AI assistant (NLP legal research, contract analysis, litigation workflows), vLex Library (1B+ legal documents across 100+ countries), Docket Alarm (850M+ court records, litigation analytics), vLex Labs (custom enterprise AI), and Fastcase Library (US primary law database)

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    our 2025 SOC 2 Type II report has been issued for the period of June 1st, 2024 to May 31st, 2025 — listed on trust center page explicitly scoped to Vincent and vLex products

    Verify on trust.clio.com
    ISO/IEC 27001:2022
    HELD

    ISO/IEC 27001:2022 certification listed on trust center applicable to Vincent and vLex products; Statement of Applicability also available on request

    Verify on trust.clio.com
    GDPR
    HELD

    GDPR listed as compliance posture on trust center; privacy policy confirms RGPD compliance since 05/25/2018 and appointment of a Data Protection Officer (dpo@vlex.com)

    Verify on vlex.com
    HIPAA
    HELD

    HIPAA listed on trust center page explicitly scoped to Vincent and vLex products; BAA availability is not confirmed via public documentation and requires direct engagement with the vendor

    Verify on trust.clio.com
    > Show 8 unconfirmed / not-held certifications
    SOC 1 Type 2
    NOT CONFIRMED

    SOC 1 Type II is confirmed for the broader Clio entity (clio.com/security) but is not listed on the vLex/Vincent-specific trust center page; no public evidence it covers vLex products in scope

    source: clio.com
    PCI DSS
    NOT CONFIRMED

    PCI DSS compliance is referenced for Clio Payments only on clio.com/security; no evidence it applies to vLex legal research products

    source: clio.com
    ISO/IEC 27017
    NOT CONFIRMED

    unknown / no public evidence found on vlex.com, trust.clio.com, or vlex.com/security

    source: trust.clio.com
    ISO/IEC 27018
    NOT CONFIRMED

    unknown / no public evidence found on vlex.com, trust.clio.com, or vlex.com/security

    source: trust.clio.com
    ISO/IEC 27701
    NOT CONFIRMED

    unknown / no public evidence found on vlex.com, trust.clio.com, or vlex.com/security

    source: trust.clio.com
    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    unknown / no public evidence found; vLex/Clio does not reference AI management standard on any verified vendor-domain page

    source: trust.clio.com
    CSA STAR
    NOT CONFIRMED

    unknown / no public evidence found on vlex.com, trust.clio.com, or clio.com/security

    source: trust.clio.com
    FedRAMP
    NOT CONFIRMED

    unknown / no public evidence found; not referenced on any verified vendor-domain page

    source: trust.clio.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    US, EU, and Australia available via Clio infrastructure; vLex privacy policy references both EU and US storage

    vLex maintains zero-retention agreements with AI model providers: 'your confidential legal documents and queries are never stored or used for model training' (vlex.com/security). However, vLex Terms of Service (Section 8(c), last updated March 2024) grant vLex a broad irrevocable license to use User Content to 'improve our products and services and to create aggregated and de-identified information'. It is ambiguous whether vLex itself trains on de-identified customer data for its own AI models. Customers should clarify this directly with the vendor before sharing sensitive legal work product.

    // Security controls

    Encryption in transit

    FIPS 140-2 compliant encryption

    vlex.com

    Encryption at rest

    Envelope encryption with unique conversation keys per interaction, protected by customer-specific master keys managed through hardware security modules (HSMs)

    vlex.com

    Zero-retention policy with AI model providers

    Strict zero-retention agreements with AI model providers; queries and documents are not stored by the underlying model provider and not used for model training

    vlex.com

    Penetration testing

    Annual third-party penetration testing by a leading cybersecurity firm

    clio.com

    Continuous monitoring

    Real-time monitoring and regular independent security assessments to identify vulnerabilities

    vlex.com

    Access controls

    Detailed audit logs; flexible multi-tenant and single-tenant deployment options for enterprise

    vlex.com

    // Products & data scope

    Vincent AIAI Legal Assistant

    data: Processes user legal queries, uploaded documents (contracts, complaints, depositions), and firm-specific workflows; zero-retention with AI model providers confirmed

    Enterprise-focused; integrates with Microsoft Word, Outlook, iManage; includes Vincent Studio for custom enterprise AI workflows (requires Enterprise tier)

    vLex LibraryLegal Research Database

    data: Read-only access to 1B+ third-party legal documents; user search queries logged per privacy policy

    Coverage across 100+ countries; 14 language translation capabilities

    Docket AlarmLitigation Analytics

    data: Access to 850M+ public court records; user search and alert preferences stored

    Real-time docket alerts; judge/opposing counsel profiling; API available for custom integrations

    vLex LabsCustom Enterprise AI Solutions

    data: May involve customer's internal knowledge and proprietary data integrated into bespoke AI workflows; data scope defined per enterprise contract

    Custom DPA and security terms likely required for this tier; contact vendor directly

    Fastcase LibraryUS Legal Research Database

    data: Read-only access to US case law, statutes, regulations, and court rules

    US-primary-law focused; acquired from Fastcase

    // What to watch

    • TERMS vs SECURITY PAGE TENSION: vLex ToS Section 8(c) (March 2024) grants vLex a broad perpetual license to use User Content including for 'improving products and services' and creating 'aggregated and de-identified information'. This sits in tension with the security page's zero-retention marketing claim. Customers sharing sensitive legal work product should clarify whether de-identified content is used to train or fine-tune vLex's own AI models.
    • STALE PRIVACY SHIELD REFERENCE: The vLex privacy policy references EU-US Privacy Shield for transatlantic data transfers. Privacy Shield was invalidated by the CJEU (Schrems II, July 2020). The current valid transfer mechanism should be Standard Contractual Clauses or a successor framework. This is an outdated compliance reference that should be corrected.
    • SOC 2 MARKETING AMBIGUITY: vlex.com/security and the homepage state 'SOC2 certification' without specifying Type 1 or Type 2. The trust center confirms Type 2. The marketing page wording is imprecise but not a fabrication.
    • HIPAA BAA NOT PUBLICLY CONFIRMED: HIPAA is listed on the trust center scoped to vLex/Vincent products, but no public documentation confirms a Business Associate Agreement is available. Customers needing HIPAA coverage must verify BAA availability directly with the vendor before sharing PHI.
    • ISO 27001 SCOPE ASSUMED FROM TRUST CENTER SCOPING STATEMENT: The trust center page states 'This page is applicable to our Vincent and vLex products' but the actual ISO 27001:2022 Statement of Applicability and certificate are gated behind an NDA/access request. The scope assumption is reasonable but unverified at the document level.

    // At a glance

    Pricing model

    Subscription (free trial available; firm, enterprise, and API tiers; enterprise pricing not public)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on VLEX (part of Clio)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.clio.com

    > Browse all vendor trust reports