Security and Privacy

How we protect your data

We use industry-standard measures to protect your data: encryption in transit (TLS) and encryption at rest (AES-256). Access to production systems is restricted and audited. Your documents and analysis results are stored in EU data centers and processed by EU-based AI infrastructure. We do not use your documents to train public or shared models.

EU data sovereignty (no US CLOUD Act exposure)

Clara’s pipeline is 100% EU-owned: storage (Scaleway), AI (Mistral AI), and email (Brevo) operate in the EU. We do not send your documents or analysis to US providers. That means your data is not subject to US CLOUD Act requests. For EU-based lawyers and firms, this supports confidentiality and regulatory expectations.

Where your data is stored (Scaleway, EU-only)

Documents and derived data are stored in Scaleway object storage in the EU; metadata, user accounts, and analysis results are in Scaleway managed PostgreSQL (EU); and processing is done by Mistral AI in the EU. We do not use US-based AI APIs for your documents or replicate your data to regions outside the EU for normal operation.

AI and confidentiality (how Mistral processes documents)

Mistral AI processes your documents only to perform the analysis you request. We send content to Mistral’s API under strict data processing terms. Mistral does not use your data to train its general models. Processing happens in the EU. We do not use ChatGPT, Claude, or other US-hosted LLMs for contract analysis.

GDPR compliance

We are designed to be GDPR-compliant: data is processed in the EU, we have appropriate data processing agreements with our providers, and we support your rights (access, rectification, erasure, portability, etc.). You can request a data export and account deletion from the app. Our privacy policy and terms describe the legal bases and your rights in detail.

Data retention and deletion policies

We retain your data for as long as your account is active and you use the service. When you delete your account, we remove your profile, documents, analyses, and related data from our systems; deletion is permanent. If you cancel and move to read-only, we retain your existing data so you can still access it and do not use it for new processing; you can delete your account at any time to have all data removed. We do not keep deleted documents or account data for backup beyond what is required for legal or operational recovery in line with our policies.

Security practices (encryption, access controls)

We use TLS 1.3 in transit and AES-256 at rest for stored documents and data. Access is role-based and production access is limited and logged. Passwords are hashed and we support 2FA (TOTP) for an extra layer of security. We monitor for suspicious activity and respond to incidents in line with our security and privacy commitments. For more, see our Security and Privacy pages.