Join the next
generation of AI-native lawyers
Private beta for selected lawyers and law firms.
Lawyers carry a duty of confidentiality that most software was never designed for. Referent was. Security here is not a checkbox page - it is the constraint the product was built around.
Referent runs on Google Cloud Platform, the same infrastructure trusted by banks and healthcare systems. Firm data is stored with regional separation: US firms' data is stored in US data centers, EU firms' data in EU data centers.
All data is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher. Backups are encrypted and tested. Access to production systems is restricted to a small number of engineers, logged, and reviewed.
Referent's agents work from your live matter context. That requires trust, so here is exactly how it works:
Multiple models, one rule. We use models from providers including OpenAI and Anthropic, routed by task and orchestrated by top-tier models. Every provider operates under zero-retention, no-training agreements: your data is processed to do the work, then discarded.
We don't train on your data either. Referent never uses client or matter data to train models. Improvement comes from product engineering, not from mining your files.
Agents act inside your workspace. An agent working on your matter sees your firm's context only - never another firm's.
The approval gate. Nothing client-facing leaves the system without the lawyer's sign-off. Drafts wait in your queue. You approve, edit, or reject.
Everything is logged. A full audit trail records what every agent did, when, and on whose approval. You can answer "who did what" at any time - which is more than most firms can say about their inbox.
Referent is built by AI Lawtech Sp. z o.o., an EU company. That is not a legal footnote - it is an engineering advantage. Operating from the EU means privacy-by-design is the default we build from: data minimization, purpose limitation, and the user's right to erasure are architectural decisions, not afterthoughts. Our formal GDPR compliance program is underway alongside our certification work below.
SOC 2 - in preparation
We have mapped the full control set and are aligning our engineering and processes against it.
ISO 27001 - in preparation
Same approach: requirements adopted first, certificate second.
Penetration testing
We conduct penetration tests on the platform and fix what they find.
On the roadmap
SSO for firms that need centralized access control.
We publish status updates as certifications complete. If your firm needs specifics for a vendor review, write to us - we answer security questionnaires directly.
Security questions, vendor due diligence, or a vulnerability report: contact@referent.law. A human from the founding team reads every message. Researchers reporting vulnerabilities in good faith will get a response, not a lawyer's letter.
No. Referent operates under zero-retention, no-training agreements with every AI model provider it uses, and Referent itself never trains models on client or matter data.
When an agent processes your data, the model provider uses it to do the work and then discards it - it is not stored, and it never becomes training material. Product improvement at Referent comes from engineering, not from mining client files.
Referent runs on Google Cloud Platform with regional separation: US firms' data is stored in US data centers, and EU firms' data is stored in EU data centers.
All data is encrypted at rest with AES-256 and in transit with TLS 1.2+, and backups are encrypted as well. Each firm's workspace is isolated, so your data is never mixed with another firm's.
No. Every client-facing or high-risk action an agent prepares waits in your approval queue. You approve it, edit it, or reject it - nothing leaves the system without the lawyer's sign-off.
A full audit trail records what every agent did, when, and on whose approval, so you can always answer who did what.
Not yet, and we would rather tell you that plainly than imply otherwise. SOC 2 and ISO 27001 preparation is underway: the control sets are mapped and our engineering and processes are being aligned against them.
We publish status updates as certifications complete. In the meantime, we answer vendor security questionnaires directly - write to contact@referent.law.
You can export your data, and deletion means deletion. When you remove data - or your firm leaves Referent - it is removed. We do not keep shadow copies, and nothing you delete ends up in a training set or an archive you never agreed to.
Your firm. Every workspace is isolated and encrypted per firm, and access is restricted to authorized firm members.
On Referent's side, production access is limited to a small number of engineers, logged, and reviewed.
Private beta for selected lawyers and law firms.
Personal invite
White-glove onboarding
No data training