Security & privacy

Your dispute, your data, your control.

Parat handles the sharpest possible content — legal exposure, financial records, private correspondence. We treat your data with the same seriousness as a lawyer's office: encrypted, minimised, never used to train our models, and fully yours to take away.

01

Your data is never training data.

No document you upload, no answer you give, no brief you generate is used to train or improve any AI model — ours or anyone else's. This is contractual, not aspirational.

02

EU hosting, by default.

Your case data is stored in Norway (or the EU, if you choose). AI inference runs exclusively through AWS Bedrock in EU regions (eu-west-1 / eu-central-1), which does not use your content to train or improve AI models.

03

Encrypted at rest, per-case.

Every case is encrypted with its own key. An attacker reading a raw disk cannot read your data. Keys are managed in an EU-hosted HSM and rotated on a scheduled basis.

04

Export and delete, one click each.

You can export your entire case — documents, facts, brief, correspondence — as a zip at any time. You can permanently delete a case, and erasure is complete within 30 days, including from backups.

What happens to a document when you upload it.

Every step, in order. Nothing hidden.

Step 01

Upload

Encrypted in transit with TLS 1.3. Received by our ingest service, which validates type and size and assigns it to your case.

Browser → Parat (Oslo)

Step 02

Store

Encrypted at rest with an AES-256 key specific to your case. Raw files live in EU object storage; access is logged.

Case-scoped encrypted store

Step 03

Process

Text is extracted and passed to AWS Bedrock for classification and fact extraction. AWS Bedrock does not use prompts or responses for model training.

AWS Bedrock · eu-west-1

Step 04

Index

Extracted facts are saved back to your case, linked to the source document. AWS Bedrock retains no prompt content — operational logs (CloudWatch) record metadata only, not content.

Your case · encrypted

Step 05

Delete

When you delete a document, or the case, or your account — all copies are purged within 30 days, including from backups and logs.

Guaranteed in 30 days

Data flow — from you to AWS Bedrock.

Most AI products use your prompts for model training. We don't — and neither does AWS Bedrock, the only AI provider we use. AWS Bedrock is contractually prohibited from using customer data for training.

Your browser

You

  • Uploaded documents
  • Interview answers
  • Case metadata

Encrypted in transit · TLS 1.3

EU boundary

Parat · Oslo

Your workspace

  • Per-case encryption
  • Access-logged
  • Never mixed across users

AES-256 · HSM-managed keys
No model training

AWS Bedrock · EU (eu-west-1)

Inference only

  • No training on content
  • No prompt retention
  • GDPR Art. 28 sub-processor

AWS DPA · contractually enforced

Your data leaves your workspace only for the moments an AI call is running. AWS Bedrock does not use content for training — operational logs (CloudWatch) record metadata only.

AWS Bedrock — our AI infrastructure.

AI inference in Parat runs exclusively through AWS Bedrock, deployed in EU regions. AWS acts as a sub-processor under GDPR Article 28 and is bound by the AWS public GDPR Data Processing Addendum (DPA).

Regions

EU-exclusive

  • eu-west-1 (Ireland)
  • eu-central-1 (Frankfurt)
  • No transfer outside EEA

Datacentres within EU/EEA
GDPR Art. 28

Training guarantee

Never used for training

  • Prompts not used for model improvement
  • Responses not used for model improvement
  • Stipulated in AWS service terms

Contractually enforced
AWS DPA

CloudWatch

Operational metadata only

  • Metadata, not content
  • Not accessible for model training
  • For operational purposes only
Standard AWS CloudWatch logging

AWS is registered as a sub-processor under GDPR Article 28 and is bound by the public AWS GDPR Data Processing Addendum. Customers can request a complete sub-processor list by contacting us.

Specific controls, specifically.

Encryption

Layered, per-case, rotated.

Every case has its own AES-256 data key. Data keys are wrapped by a master key held in an EU HSM. Master keys rotate every 90 days; data keys rotate on case archive.

TLS 1.3 · AES-256-GCM · FIPS 140-2 L3 HSM
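The layered scheme described above (a per-case AES-256 data key, wrapped by a master key that lives in an HSM and is rotated on a schedule) is envelope encryption. The Go program below is an added example written for this page, not Parat's code: it stands in for the HSM with an in-memory MasterKey type (a real HSM would never expose key material, only perform the wrap and unwrap), and the case IDs, key IDs and sample document text are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// MasterKey is a hypothetical software stand-in for the HSM-held master key
// (key-encryption key) the page describes; a real HSM never exposes .key.
type MasterKey struct {
	ID  string
	key []byte // 32 bytes = AES-256
}

// CaseRecord is what the store persists for one case: the wrapped data key
// and the blobs sealed under it, never the plaintext data key.
type CaseRecord struct {
	CaseID     string
	MasterID   string   // which master key currently wraps the data key
	WrappedKey []byte   // nonce || AES-256-GCM(master, dataKey, aad=CaseID)
	Blobs      [][]byte // nonce || AES-256-GCM(dataKey, plaintext, aad=CaseID)
}

// aeadFor builds AES-256-GCM; keys are always 32 bytes here, so an error is a bug.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: nothing safe can be done
	}
	return b
}

// seal returns nonce || ciphertext || tag. The AAD binds the value to its case
// ID, so a wrapped key or blob copied into another case fails to authenticate.
func seal(key, plaintext, aad []byte) []byte {
	aead := aeadFor(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	aead := aeadFor(key)
	if ns := aead.NonceSize(); len(sealed) >= ns {
		return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, fmt.Errorf("sealed value too short")
}

func NewMasterKey(id string) *MasterKey { return &MasterKey{ID: id, key: randomBytes(32)} }

// NewCase generates a fresh per-case AES-256 data key and keeps only its wrapped form.
func NewCase(caseID string, mk *MasterKey) *CaseRecord {
	wrapped := seal(mk.key, randomBytes(32), []byte(caseID))
	return &CaseRecord{CaseID: caseID, MasterID: mk.ID, WrappedKey: wrapped}
}

// Encrypt unwraps the data key for this one call and seals the document under it.
func (r *CaseRecord) Encrypt(mk *MasterKey, plaintext []byte) error {
	dk, err := open(mk.key, r.WrappedKey, []byte(r.CaseID))
	if err != nil {
		return fmt.Errorf("unwrap data key for %s: %w", r.CaseID, err)
	}
	r.Blobs = append(r.Blobs, seal(dk, plaintext, []byte(r.CaseID)))
	return nil
}

// Decrypt opens blob i; a wrong master key or a foreign case ID fails here.
func (r *CaseRecord) Decrypt(mk *MasterKey, i int) ([]byte, error) {
	dk, err := open(mk.key, r.WrappedKey, []byte(r.CaseID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key for %s: %w", r.CaseID, err)
	}
	return open(dk, r.Blobs[i], []byte(r.CaseID))
}

// RotateMaster re-wraps the data key under a new master key; the blobs stay
// as they are, which is what makes a scheduled master-key rotation cheap.
func (r *CaseRecord) RotateMaster(oldMK, newMK *MasterKey) error {
	dk, err := open(oldMK.key, r.WrappedKey, []byte(r.CaseID))
	if err != nil {
		return fmt.Errorf("unwrap data key for %s: %w", r.CaseID, err)
	}
	r.WrappedKey, r.MasterID = seal(newMK.key, dk, []byte(r.CaseID)), newMK.ID
	return nil
}
```

RotateMaster is the operation behind a 90-day master rotation: only the small wrapped key is rewritten, so rotating every case is cheap and the retired master key immediately stops opening anything. Rotating the data key itself, as the page does on case archive, is the expensive counterpart: unwrap, re-encrypt every blob under a fresh key, then wrap that key. The detail worth copying is the AAD: the case ID is bound into every AES-GCM seal, so a wrapped key or blob that lands in the wrong case fails authentication instead of silently decrypting.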
Access

Only you, by default.

No Parat employee can read your case content as a matter of course. Support access requires a time-bound, auditable escalation and is only granted with your written consent — and logged to your account.

Role-separated admin · break-glass logging

Authentication

Passwordless by default, MFA on everything sensitive.

Sign in with email magic link or passkey. Any high-risk action — exporting a case, deleting data, changing billing — requires a second factor even if you're already signed in.

WebAuthn · passkeys · TOTP supported

AI providers

AWS Bedrock, EU regions, no training.

AI inference runs exclusively through AWS Bedrock in eu-west-1 and eu-central-1. AWS Bedrock does not use customer data to train or improve models — guaranteed by AWS service terms and the AWS GDPR Data Processing Addendum (DPA). AWS acts as a sub-processor under GDPR Article 28.

AWS DPA · eu-west-1 / eu-central-1 · audited quarterly

Logging

Metadata only. Never content.

Our system logs which case was touched, when, and by whom — not what it said. Application logs exclude document content, interview answers, and brief text. Logs are retained for 90 days for security and debugging, then automatically discarded.

Content excluded · 90-day retention

Backup

Encrypted, regional, deletable.

Backups are taken daily, encrypted with the same per-case keys, and stored in a second EU region. When you delete, deletions propagate to backups — the 30-day purge window reflects backup rotation, not delay.

Daily · cross-region EU · purges propagate

Data portability

Everything, always, as a zip.

From any case you can export: all original documents, extracted facts as JSON, the full brief as .pdf and .docx, your correspondence log, and your timeline. No lock-in — if you cancel tomorrow, you leave with everything.

One-click export · machine-readable format

Retention

You choose how long.

By default, cases live as long as your subscription plus 12 months read-only after cancellation. You can set shorter retention per case — auto-delete after 6 months, after the case resolves, or on demand.

Configurable · auto-delete supported

What we will do. And what we won't.

We will tell you in 72 hours.

If we ever have a security incident that might affect your data, you hear from us within 72 hours — direct email, not a status page buried in marketing copy.

We will resist bad subpoenas.

If law enforcement requests your data without a valid legal order, we refuse. Valid orders we comply with — but we notify you first, unless prohibited.

We will sign a DPA.

A data processing agreement is available on request at every tier. If your lawyer or DPO wants one, email us and we'll send one back by end-of-day.

We will publish our sub-processors.

A current list of every third-party sub-processor — hosting, AI providers, email — is maintained on this page and updated with 30 days' notice before any change.

We will not train on your content.

Your uploads, answers, and briefs are never used to train AI models — ours or any third party's. This is a contractual promise, not a settings toggle.

We will not sell, share, or advertise.

We're paid by you, directly, in kroner. We don't sell data, we don't serve ads, we don't share with partners. If the business model ever changes, we'll tell you — and you'll be able to leave with everything.

We will not read your cases.

No one at Parat browses your case data for product research, support troubleshooting, or curiosity. Access requires your explicit consent and is logged to your audit trail.

We will not claim we're your lawyer.

Parat prepares you for a lawyer — it does not replace one. We don't offer legal advice, privileged communication, or representation. Your actual lawyer does that.

Compliance, as a practice.

Parat is a Norwegian company. We operate under Norwegian law, the GDPR, and the EU AI Act. Our data processing is registered with Datatilsynet. Our infrastructure is hosted with providers that themselves hold ISO 27001 and SOC 2 Type II.

We are working toward our own ISO 27001 certification — a process that takes roughly a year for a company of our size. The timeline below is honest, not aspirational.

Regulatory

GDPR

Registered · Datatilsynet

EU/EEA data protection regulation. We act as data processor for your case data. DPA available on request at every tier.

Regulatory

EU AI Act

Compliant · transparent use

We disclose AI model use in-product. We don't deploy any system classified as high-risk under the Act.

Certification

ISO 27001

In progress · expected Q3 2026

Information security management standard. Gap analysis complete; policy framework in implementation phase.

If something goes wrong.

We disclose to affected users within 72 hours of discovering any incident that might have exposed case data. If you think you've found a vulnerability, tell us directly — we respond within 24 hours on business days and we don't sue researchers acting in good faith.

Our full incident policy, including severity levels and notification thresholds, is included in the DPA we sign with every customer who asks. Ask, and we'll send it.

Security disclosure

PGP key available · fingerprint on this page’s footer

Data protection officer

For GDPR requests · access, portability, erasure