// Trust & Security Report
VLEX (part of Clio)
AI legal research and intelligence platform: Vincent AI assistant (NLP legal research, contract analysis, litigation workflows), vLex Library (1B+ legal documents across 100+ countries), Docket Alarm (850M+ court records, litigation analytics), vLex Labs (custom enterprise AI), and Fastcase Library (US primary law database)
Certifications held
4
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.clio.com“our 2025 SOC 2 Type II report has been issued for the period of June 1st, 2024 to May 31st, 2025 — listed on trust center page explicitly scoped to Vincent and vLex products”
Verify on trust.clio.com“ISO/IEC 27001:2022 certification listed on trust center applicable to Vincent and vLex products; Statement of Applicability also available on request”
Verify on vlex.com“GDPR listed as compliance posture on trust center; privacy policy confirms RGPD compliance since 05/25/2018 and appointment of a Data Protection Officer (dpo@vlex.com)”
Verify on trust.clio.com“HIPAA listed on trust center page explicitly scoped to Vincent and vLex products; BAA availability is not confirmed via public documentation and requires direct engagement with the vendor”
> Show 8 unconfirmed / not-held certifications
source: clio.comSOC 1 Type II is confirmed for the broader Clio entity (clio.com/security) but is not listed on the vLex/Vincent-specific trust center page; no public evidence it covers vLex products in scope
source: clio.comPCI DSS compliance is referenced for Clio Payments only on clio.com/security; no evidence it applies to vLex legal research products
source: trust.clio.comunknown / no public evidence found on vlex.com, trust.clio.com, or vlex.com/security
source: trust.clio.comunknown / no public evidence found on vlex.com, trust.clio.com, or vlex.com/security
source: trust.clio.comunknown / no public evidence found on vlex.com, trust.clio.com, or vlex.com/security
source: trust.clio.comunknown / no public evidence found; vLex/Clio does not reference AI management standard on any verified vendor-domain page
source: trust.clio.comunknown / no public evidence found on vlex.com, trust.clio.com, or clio.com/security
source: trust.clio.comunknown / no public evidence found; not referenced on any verified vendor-domain page
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
US, EU, and Australia available via Clio infrastructure; vLex privacy policy references both EU and US storage
vLex maintains zero-retention agreements with AI model providers: 'your confidential legal documents and queries are never stored or used for model training' (vlex.com/security). However, vLex Terms of Service (Section 8(c), last updated March 2024) grant vLex a broad irrevocable license to use User Content to 'improve our products and services and to create aggregated and de-identified information'. It is ambiguous whether vLex itself trains on de-identified customer data for its own AI models. Customers should clarify this directly with the vendor before sharing sensitive legal work product.
// Security controls
Encryption at rest
Envelope encryption with unique conversation keys per interaction, protected by customer-specific master keys managed through hardware security modules (HSMs)
vlex.comZero-retention policy with AI model providers
Strict zero-retention agreements with AI model providers; queries and documents are not stored by the underlying model provider and not used for model training
vlex.comContinuous monitoring
Real-time monitoring and regular independent security assessments to identify vulnerabilities
vlex.comAccess controls
Detailed audit logs; flexible multi-tenant and single-tenant deployment options for enterprise
vlex.com// Products & data scope
data: Processes user legal queries, uploaded documents (contracts, complaints, depositions), and firm-specific workflows; zero-retention with AI model providers confirmed
Enterprise-focused; integrates with Microsoft Word, Outlook, iManage; includes Vincent Studio for custom enterprise AI workflows (requires Enterprise tier)
data: Read-only access to 1B+ third-party legal documents; user search queries logged per privacy policy
Coverage across 100+ countries; 14 language translation capabilities
data: Access to 850M+ public court records; user search and alert preferences stored
Real-time docket alerts; judge/opposing counsel profiling; API available for custom integrations
data: May involve customer's internal knowledge and proprietary data integrated into bespoke AI workflows; data scope defined per enterprise contract
Custom DPA and security terms likely required for this tier; contact vendor directly
data: Read-only access to US case law, statutes, regulations, and court rules
US-primary-law focused; acquired from Fastcase
// What to watch
- TERMS vs SECURITY PAGE TENSION: vLex ToS Section 8(c) (March 2024) grants vLex a broad perpetual license to use User Content including for 'improving products and services' and creating 'aggregated and de-identified information'. This sits in tension with the security page's zero-retention marketing claim. Customers sharing sensitive legal work product should clarify whether de-identified content is used to train or fine-tune vLex's own AI models.
- STALE PRIVACY SHIELD REFERENCE: The vLex privacy policy references EU-US Privacy Shield for transatlantic data transfers. Privacy Shield was invalidated by the CJEU (Schrems II, July 2020). The current valid transfer mechanism should be Standard Contractual Clauses or a successor framework. This is an outdated compliance reference that should be corrected.
- SOC 2 MARKETING AMBIGUITY: vlex.com/security and the homepage state 'SOC2 certification' without specifying Type 1 or Type 2. The trust center confirms Type 2. The marketing page wording is imprecise but not a fabrication.
- HIPAA BAA NOT PUBLICLY CONFIRMED: HIPAA is listed on the trust center scoped to vLex/Vincent products, but no public documentation confirms a Business Associate Agreement is available. Customers needing HIPAA coverage must verify BAA availability directly with the vendor before sharing PHI.
- ISO 27001 SCOPE ASSUMED FROM TRUST CENTER SCOPING STATEMENT: The trust center page states 'This page is applicable to our Vincent and vLex products' but the actual ISO 27001:2022 Statement of Applicability and certificate are gated behind an NDA/access request. The scope assumption is reasonable but unverified at the document level.
// At a glance
Pricing model
Subscription (free trial available; firm, enterprise, and API tiers; enterprise pricing not public)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on VLEX (part of Clio)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.clio.com