// Trust & Security Report

    Thomson Reuters Corporation (Westlaw is a West Publishing Corp. / Thomson Reuters brand; Nasdaq/TSX: TRI) logo

    Thomson Reuters Corporation (Westlaw is a West Publishing Corp. / Thomson Reuters brand; Nasdaq/TSX: TRI)

    Westlaw suite of AI-powered legal research platforms: Westlaw Edge (with AI-Assisted Research), Westlaw Precision, and the newer agentic Westlaw Advantage, sold alongside related Thomson Reuters legal products (CoCounsel Legal, CoCounsel Essentials, Practical Law, Westlaw Form Builder)

    Certifications held

    2

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 42001:2023 (AI Management System)
    HELD

    This certification assures that Thomson Reuters' Westlaw Precision and Edge solutions meet high industry standards, providing reliable and ethical tools for legal professionals.

    Verify on thomsonreuters.com
    GDPR (compliance posture, not a certification)
    HELD

    In 2017 we launched our privacy compliance program, Privacy Matters... we maintain ISO 27001 certification for our strategic data centers... each member of the Thomson Reuters Group signs up to and complies with an Intra-Group Agreement (IGA) with EU Model Clauses provisions.

    Verify on thomsonreuters.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Certification Scope: The provision of Technology services... [Additional sites/products within scope: Contract Express, Royal Courts of Justice (RCJ), Case Center, HighQ, CoCounsel, Imagen, ONESOURCE, Confirmation, C-Track, BigRedSky, RAMS, Software Tax Assistant]. Westlaw, Westlaw Edge, Westlaw Advantage and Practical Law are not named anywhere in the certificate or its appendix.

    source: thomsonreuters.com
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    Thomson Reuters products each have a separate set of compliance attestations... performing various assessments such as, but not limited to: SOC 1 and SOC 2 reports... [customers may] request a third party security assessment - such as SOC 1 or SOC 2 report... by contacting their account representative.

    source: thomsonreuters.com
    HIPAA
    NOT CONFIRMED

    No public evidence. Thomson Reuters' corporate compliance whitepaper lists 'HIPAA' among assessments performed for its products generally ('such as, but not limited to'), but Westlaw is a legal-research product that does not process protected health information, and no Westlaw-specific HIPAA attestation is published.

    source: thomsonreuters.com
    FedRAMP
    NOT CONFIRMED

    Thomson Reuters has achieved FedRAMP® 'In Process' status, a critical step toward full Authorization for our Westlaw and Practical Law products.

    source: thomsonreuters.com
    PCI DSS
    NOT CONFIRMED

    No public evidence for Westlaw specifically. PCI-DSS is listed only as one of the general assessment types Thomson Reuters performs across its portfolio ('such as, but not limited to').

    source: thomsonreuters.com
    CSA STAR
    NOT CONFIRMED

    No public evidence / no mention found on the Thomson Reuters Trust Center, Westlaw product pages, or corporate security whitepaper.

    source: thomsonreuters.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Not published specifically for Westlaw. Thomson Reuters is a global company with data centers/entities in the US, UK, Canada, Australia, and India (per the ISO 27001 certificate appendix); no Westlaw-specific data residency page was found.

    Thomson Reuters publishes a standing Global Customer Data Processing Addendum (available at thomsonreuters.com/data-processing-addendum) covering personal data handling across its products. For its generative AI features the corporate position is that customer content is not used for model training: 'Thomson Reuters expressly prohibits any vendor from retaining or using customer data to train their Generative AI models' and 'user content and prompts are not used to train or improve CoCounsel and associated products or LLMs.' This exact wording was confirmed on a Contract Express AI FAQ page and third-party coverage of Westlaw/CoCounsel; a Westlaw-Edge-specific FAQ page with the identical sentence was not directly located in this pass, so treat the no-training claim as a strong but not 100% product-pinned commitment.

    // Security controls

    Encryption in transit

    'Our internal Information Security Policy requires that sensitive data, including customer, partner, and regulated data is encrypted when it is in transit over public networks.'

    thomsonreuters.com

    Encryption at rest

    '...and in certain circumstances when it is stored (at rest).' Encryption at rest is conditional/data-classification-dependent rather than universal, per Thomson Reuters' own wording.

    thomsonreuters.com

    Access control

    Least privilege, segregation of duties, unique IDs, password management, and privileged access management; production network/system access requires multi-factor authentication and unique IDs.

    thomsonreuters.com

    Security testing

    'Our products undertake comprehensive application security testing, which includes performing static and dynamic application security testing and third-party penetration testing.'

    thomsonreuters.com

    Security program framework

    'Thomson Reuters operates a global information security organization aligned with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).' Led by a Chief Information Security Officer (CISO) overseeing Cyber Compliance, Security Architecture, Security Engineering, Product Security, Cyber Defense, and Strategic Enablement teams.

    thomsonreuters.com

    Incident response / breach notification

    Dedicated incident response team with a documented procedure for mitigation and communications; contractual breach-notification responsibilities are outlined with both customers and vendors.

    thomsonreuters.com

    Employee vetting

    Pre-employment background screening checks (identification verification, prior employment verification, criminal background checks where legally permitted) and mandatory annual security/privacy training for all employees and contractors.

    thomsonreuters.com

    // Products & data scope

    Westlaw Edge (with AI-Assisted Research)Legal research (enterprise/professional)

    data: Attorney/firm queries, uploaded documents for AI-Assisted Research and litigation analytics; used by law firms, corporate legal departments, courts, and government agencies.

    Long-standing flagship Westlaw AI product; explicitly named as covered by the ISO/IEC 42001:2023 AI management system certification ('Edge').

    Westlaw AdvantageLegal research (agentic AI, enterprise)

    data: Same as Westlaw Edge, plus multistep/agentic research workflows (Deep Research, Litigation Document Analyzer, Claims Explorer).

    Both share the same Thomson Reuters corporate security/compliance program.

    Practical LawLegal know-how / guidance

    data: Attorney-editor-maintained guides, templates, checklists; generative AI search layer.

    Named alongside Westlaw in the FedRAMP 'In Process' announcement.

    CoCounsel Legal / CoCounsel EssentialsAI legal assistant (drafting, review, research)

    data: Document uploads, prompts, matter data.

    Separately scoped in the MSECB ISO 27001 certificate (unlike Westlaw); CoCounsel is stated not to train models on user content or prompts.

    // What to watch

    • Both are real, currently-active Thomson Reuters Westlaw products per the vendor's own FAQ ('What is the difference between Westlaw Advantage and Westlaw Edge with AI-Assisted Research?'). This assessment treats them as the same corporate trust/compliance program but AIFOXX's listing should clarify which specific product/URL it is displaying.
    • OVER-CLAIM RISK: Thomson Reuters' GDPR whitepaper states 'we maintain ISO 27001 certification for our strategic data centers,' which could be read by a customer as covering Westlaw. The only located, currently-valid ISO 27001 certificate (MSECB CERT-001130, valid 2026-03-30 to 2028-10-05) explicitly scopes to named products/sites and does NOT list Westlaw, Westlaw Edge, Westlaw Advantage, or Practical Law - only Contract Express, Case Center, HighQ, CoCounsel, Imagen, ONESOURCE, Confirmation, C-Track, BigRedSky, RAMS, and Software Tax Assistant. Do not display 'ISO 27001 certified' for this product without a Westlaw-specific certificate.
    • SOC 2 status is corporate-level and conditional ('may engage third party auditors... provide customers with information on the audit' / 'available on request under NDA'), not a standing public attestation for Westlaw - do not display SOC 2 as held.
    • FedRAMP is 'In Process' only (not full Authorization) as of the source press release; Thomson Reuters' own stated target for full Authorization is early 2026 - verify current status before listing FedRAMP as achieved.
    • Thomson Reuters is a very large, multi-entity conglomerate (dozens of products/legal entities); corporate-wide security claims (NIST CSF alignment, SOC1/2, PCI-DSS, HIPAA, SOX 404) are real but are explicitly stated to apply per-product via separate attestations, so they cannot be safely generalized to Westlaw without a Westlaw-named source, which is why several certs above are graded false despite TR clearly performing those audit types elsewhere in the business.

    // At a glance

    Pricing model

    Enterprise subscription/quote-based (contact sales; '888-728-7677'); no self-serve public pricing found for Westlaw Edge/Advantage.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Thomson Reuters Corporation (Westlaw is a West Publishing Corp. / Thomson Reuters brand; Nasdaq/TSX: TRI)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    thomsonreuters.com

    > Browse all vendor trust reports