Built for legal teams who take confidentiality seriously
TwinCounsel is designed from the ground up to protect attorney-client privilege and meet the strictest data security standards. Every commitment on this page is contractual — made in our Terms of Service, with the section cited.
Nothing sends without your approval
TwinCounsel drafts; you approve. A hard technical constraint prevents the system from sending emails, filing documents, or contacting third parties without an Authorized User's explicit confirmation (Terms §5.1).
US data centers
All data is stored and processed exclusively in US-based data centers operated by AWS (Terms §13.3). Your client information never leaves the country.
Contractual security program
Our information security program — least-privilege access, personnel MFA, logging, annual penetration testing, secure development — is a contractual commitment (Terms §11.1), with SOC 2 Type II and ISO 27001 certification in progress.
Encryption everywhere
AES-256 encryption for data at rest and TLS 1.2+ for data in transit (Terms §11.1). Your communications are protected at every step.
How We Protect Your Data
Account access
- OAuth access to Gmail/Google Workspace and Microsoft 365 — read-only by default; write access only where you authorize it
- Nothing is ever sent, filed, or served without your explicit approval (Terms §5.1)
- Connect multiple accounts with per-account visibility rules — e.g., a business inbox only you can see (Terms §2.4)
- Access can be revoked instantly from your email provider settings
Data handling
- Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Zero Data Retention agreements with all AI providers — your data never trains any model (Terms §§3.3, 8.1)
- We never sell your data or use it for advertising or profiling — contractually (Terms §11.3)
- Export your data and playbooks any time; 90-day export window after a matter closes, with notice before any deletion (Terms §7.4)
Employee access
- No routine human access — your content is processed by automated pipelines (Terms §10.2)
- Access only with your explicit written consent or where required by law; every access logged with identity, timestamp, scope, and purpose
- You're notified of any employee access within 2 business days (Terms §10.2)
- Every employee and contractor individually bound by confidentiality agreements
Ethics & Compliance
We've consulted with legal ethics experts to ensure TwinCounsel can be used responsibly within professional conduct rules, including guidance from ABA Formal Opinion 512 on generative AI.
Attorney-client privilege: TwinCounsel operates as your non-legal agent under contractual confidentiality, with per-matter data isolation and zero data retention with AI providers — the architecture is designed to support preservation of privilege where recognized under applicable law, the same framework you rely on for your email and practice management software. Our Professional Responsibility Guide walks through the authorities in detail.
Duty of competence: Using AI appropriately can help attorneys meet their duty of competence by enabling more thorough case preparation and reducing the risk of missed deadlines. Every behavior of the system is governed by human-readable SKILL files you (or a bar reviewer) can read — designed to satisfy Model Rule 1.1, Comment 8.
Duty of confidentiality: Our security measures are designed to protect client confidentiality consistent with ABA Formal Opinions 477R and 512. We do not train AI models on your data — contractually (Terms §§3.3, 8.1).
We recommend attorneys review their state bar's guidance on technology use and make informed decisions about AI tools in their practice.
Your Rights
Data portability
Export all your data at any time in standard formats — and your playbooks (SKILL files) in human-readable form, with the right to keep using them if you leave (Terms §7.2).
Right to deletion
Request complete deletion of your data within 30 days. Matter data follows the export-then-delete process in Terms §7.4, with notice before anything is permanently deleted.
Access control
Revoke our access instantly through your email provider settings, and control which team members can see which accounts (Terms §2.4).
Transparency
Review our Terms, Professional Responsibility Guide, and sub-processor list anytime. Material sub-processor changes come with 30 days' advance notice (Terms §7.5).
Security FAQ
Can your employees see my client emails?
Not in the ordinary course. Our systems process your content through automated pipelines. The narrow exceptions — debugging with your explicit written consent, or legal requirement — are logged with identity, timestamp, scope, and purpose, and we notify you of any employee access within 2 business days. These are contractual commitments in Terms of Service §10.2.
What happens if TwinCounsel is breached?
We maintain documented incident response procedures for investigating, containing, and remediating security incidents, and we commit contractually to notifying affected customers without undue delay — and in no event later than 72 hours after confirmation where required by applicable law (Terms §11.2).
What happens if I'm subpoenaed for data about a client matter?
Each matter lives in its own isolated sandbox, so legal process directed at one matter reaches only that matter's data — no other client's data exists in that container. Our terms commit to advance notice of compelled disclosure where legally permitted, early enough for you to seek a protective order (Terms §10.3). AI providers retain nothing under our Zero Data Retention agreements.
How do I delete my data?
Request deletion at any time through your account settings or support@twincounsel.com; we delete within 30 days of your request. When a matter closes, you have a 90-day export window before raw content is deleted, and we give written notice before permanently deleting anything (Terms §7.4). On termination we provide a full export of your data and SKILL files.
Do you sell my data to third parties?
No — and it's contractual, not just policy. We will never sell your data or use it for advertising, third-party marketing, or profiling (Terms §11.3), and we never train AI models on it (Terms §§3.3, 8.1).
Is using TwinCounsel ethically permissible?
Yes, when used appropriately. AI tools like TwinCounsel are similar to other legal technology — tools that attorneys supervise and remain responsible for. Our Professional Responsibility Guide covers the framework (ABA Opinions 477R and 512, state bar guidance) in detail. We recommend reviewing your state bar's guidance on technology use.
Ready to learn more?
See how your legal twin works — privilege-safe from day one.