Patent pending

LegisGate™ is a proprietary compliance intelligence engine — deterministic regulatory rules with AI-assisted analysis layered on top. Not a chatbot. AI Tool Intelligence Reports your Data Protection Team can act on at the click of a button.

Trust & Security

Trust & Security Center

Short, factual answers for procurement and legal review—plus direct links to supporting documents.

Clear, direct answers about how LegisGate™ handles your data, our compliance posture, and our security controls. Detailed legal language and technical diagrams live in linked documents.

Your data

Where it’s stored, how long it’s kept, and who can access it.

Where is customer data stored?

Customer data is stored in our production database and encrypted at rest and in transit. Attachments are not required for assessments; if used, they remain scoped to your tenant. We do not use customer content to train AI models.

How long is data retained?

Data is retained for the duration of your subscription and can be deleted on request. Backups follow a rolling retention window aligned to operational recovery needs. Contractual retention terms can be provided in a DPA.

Who can access it?

Access is restricted via role-based access controls and audited. Your users can only access your organization’s data. Support access is permissioned and time-bound when required to resolve issues.

Compliance & certifications

Status and ready-to-use contractual artifacts.

SOC 2

SOC 2 status is available on request. We can provide a current status summary and relevant supporting materials under NDA if needed.

DPA (GDPR)

A GDPR-compliant Data Processing Agreement is available on request, including standard processor commitments and security measures.

EU SCCs / UK IDTA / Swiss SCCs

Standard contractual clauses (and UK/Swiss equivalents) are available for cross-border transfers when required.

Security

The facts, not the process.

Encryption

Encryption in transit (TLS) and at rest (industry-standard encryption) is enforced for customer data.

Access controls

Role-based access controls, tenant isolation, and audit logging are used to control and trace access.

Incident response

We maintain incident response procedures and will coordinate with customers for security incidents. Response SLAs and notification commitments are available in contractual documents where applicable.

Sub-processors & contacts

A clean registry plus direct contacts for legal, security, and support.

Sub-processor registry

| Provider | Data type | Location |
| --- | --- | --- |
| Supabase, Inc. | All LegisGate™ application data | US (AWS us-east-1) — EU region available |
| Anthropic, PBC | Assessment intake data, vendor public information, organizational context (sent per-request for AI analysis, not stored by Anthropic) | US |
| Microsoft Corporation | Security scorecards, app catalog data, cloud app discovery — read via Microsoft Graph API | Customer's Microsoft tenant region (for customer data); LegisGate's tenant (for vendor catalog only) |
| Vercel, Inc. (if applicable) | Application delivery, static assets | Global CDN (Edge network) |
| Resend, Inc. (if applicable) | Email addresses, notification content | US |

Need the full Article 28(2) language and change notification terms? Request the DPA.
