Trust & Confidentiality

Understanding how Barrow handles your legal documents with managed processing and ephemeral storage.

What We Do

Barrow processes your uploaded documents to provide:

  • Structured summaries — Executive summaries and plain-language explanations

  • Key clause identification — Important provisions highlighted with brief excerpts

  • Risk flag detection — Potential issues identified with severity ratings

  • Entity extraction — Parties, dates, jurisdictions, and amounts

  • Next steps — Surfacing deadlines, required responses, and/or follow-up tasks

  • Document-grounded Q&A — Ask questions and receive answers with citations

  • Export — Output can be exported and refined by the team

What We Store vs. Don't Store

Temporarily Stored

Retained only during the retention window (24 hours by default, configurable to 7 days):

  • Source document files (PDFs)
  • Extracted full text from OCR
  • Text chunks and embeddings
  • Searchable indexes

Automatically Deleted

After the retention window expires:

  • Source files permanently removed
  • Extracted text cleared
  • Embeddings and chunks deleted
  • All derived artifacts purged

Immediate Deletion Option

You can delete any document immediately at any time using the "Delete Now" action. This removes all data associated with that document without waiting for the retention window.

No AI Training on Your Data

We do not use your uploaded documents, extracted text, or any derived data to train, fine-tune, or improve our AI models. Your documents are processed solely to provide you with analysis results and are never used for machine learning purposes. This applies to all content including document text, OCR output, embeddings, and chat conversations.

Optional Saved Content

Memo-Style Outputs (Optional)

If enabled by your firm administrator, we save memo-style analysis outputs to your matters:

  • Executive summaries and plain-language summaries

  • Risk flags with severity ratings

  • Key clause highlights

  • Entity extractions

  • Brief citations (1-3 sentences max, not full excerpts)

These memo outputs can persist even after the source document is deleted, providing a work product reference without retaining the full document.

Chat History (Configurable)

By default, chat conversations are saved for your reference. Your administrator can disable chat history saving for enhanced privacy ("Private Mode"), in which case conversations are not persisted after the session ends.

Infrastructure & Compliance

Barrow is built on infrastructure providers that meet rigorous, independently audited security standards. Every layer of the stack — from hosting to payments to AI processing — is operated by a provider that has undergone SOC 2 certification.

Hosting & Deployment — Replit, SOC 2 Type II certified. Barrow's application runs on Replit's infrastructure with encryption in transit and at rest.

Database — MongoDB Atlas, SOC 2 Type II certified. User data and account information are stored in MongoDB Atlas with encryption at rest and network-level access controls.

File Storage — Google Cloud Storage (via Replit App Storage), SOC 2 Type II certified. Uploaded documents are stored temporarily in Google Cloud Storage with encryption at rest and in transit. Documents are automatically deleted within 24 hours by default, or immediately on request.

AI Processing — OpenAI, SOC 2 Type II certified. Document text is sent to OpenAI for analysis over encrypted connections. OpenAI does not use Barrow customer data to train its models.

Application-Level Security Controls

In addition to the infrastructure above, Barrow implements the following controls at the application level:

  • Encryption in transit (TLS) for all connections

  • Encryption at rest for stored data

  • Role-based access controls for multi-user accounts

  • Automatic document deletion (24-hour default retention)

  • Immediate manual deletion available at any time

  • Audit logging of document uploads and deletions

  • Secret management for all API keys and credentials

  • No client document retention beyond the configured retention window

A Note on Transparency

Barrow does not hold its own SOC 2 certification at this time. Pursuing company-level SOC 2 certification is on our roadmap as we grow. What we can tell you today is that every infrastructure provider in our stack has been independently audited, and our application-level controls are designed with SOC 2 readiness in mind.

If your firm requires specific compliance documentation or has questions about our security practices, contact us at hello@barrow.legal.

Security Safeguards

Encryption

Data encrypted in transit (TLS) and at rest

Tenant Isolation

Strict organizational boundaries enforced

Private Storage

Time-limited signed URLs for file access

Log Redaction

No document content in logs or analytics

No AI Model Training

Your documents are never used to train, fine-tune, or improve our AI models. All processing is solely for delivering your analysis results.

Important Notices

Not Legal Advice

Barrow provides analysis and information for educational and research purposes only. This is not legal advice. All outputs require review and verification by a licensed attorney before reliance.

AI Limitations

AI-generated analysis may contain errors, omissions, or inaccuracies. Citations are provided to support verification. Always review original source documents for critical decisions.

Attorney Responsibility

Your firm is responsible for determining whether client notice and/or informed consent is required for the use of third-party technology and for complying with applicable professional responsibility rules. We recommend consulting your bar association's ethics guidance regarding the use of AI tools in legal practice.

Still have questions?

We are here to help. Reach out to our support team.

hello@barrow.legal