:Harvey:

Debunking the Myths of Data Sovereignty and US-Based Service Providers

Our General Counsel shares how we approach government data requests and why the scenario of “secret subpoenas” is exceedingly unlikely for Harvey.

Sep 3, 2025

John LaBarre

John LaBarre

Connected Lines Image

As regulatory complexity continues to grow globally, one question that comes up is: “If you’re US-based, can the US government secretly access our data?”

With over half of our customers based outside the US and Harvey offices in London and Australia, we are designed to meet the needs of our global clients. Our approach to privacy is grounded in legal rigor, operational transparency, and a commitment to the highest standards of data protection. This post outlines exactly how we approach government data requests and why the scenario referenced above is not just unlikely — it’s inconsistent with our values as a company.

American, but Global

Our roots may be in the US, but Harvey is by every measure a global company:

  • More than 50% of our customers are based outside the US.
  • We offer EU- and Swiss-based processing, as well as Australian-based processing.
  • We are committed to upholding the highest international standards of data protection and privacy, regardless of where our customers are located.

Below, I’ll break down:

  • What US law actually says about government access to data, including the much-misunderstood Clarifying Lawful Overseas Use of Data (CLOUD) Act.
  • Why the nightmare scenario of indiscriminate “secret subpoenas” is exceedingly unlikely for a company like ours.
  • The concrete, layered safeguards we put in place — technical, operational, and contractual — to protect customer data, no matter which jurisdiction knocks on our door.

And because I’m a lawyer, I’m obligated to provide this disclaimer: This is not legal advice. It’s an explanation in (hopefully) plain language, of how we think about data requests and what we do to keep our customers’ information safe.

Setting the Stage: The Laws in Play

Let’s start with the CLOUD Act, which tends to be the statute that usually triggers the loudest alarms and fear, uncertainty, and doubt (FUD). Passed in 2018, the CLOUD Act clarified US law in one critical respect: A US court can compel a service provider subject to US jurisdiction to produce data within its “possession, custody, or control,” even if that data sits on a server located outside US borders. In essence, it says, “If a US court already has jurisdiction over you, you can’t dodge a lawful warrant merely by storing data abroad.”

It’s important to clarify three things the CLOUD Act doesn’t do:

  • It doesn’t permit bulk surveillance or mass data grabs. Law enforcement still needs to meet traditional warrant standards (that is, probable cause that a specific crime has occurred or is occurring and the place to be searched contains evidence of the crime, sworn affidavits, independent judicial approval, and particularity about what they’re looking for).
  • It doesn’t override conflicting foreign laws automatically. If complying with a US request would break another country’s law (professional secrecy, for instance), the service provider can challenge or negotiate the scope of the request.
  • It doesn’t stop service providers from notifying customers unless a court issues a gag order — and those gag orders must be narrowly tailored and time-limited.

It’s also important to remember that non-US companies are generally subject to the Cloud Act (and other US laws and regulations generally) if they have operations in the US or serve US-based customers.

Another acronym that surfaces in the FUD around this issue is FISA, which stands for the Foreign Intelligence Surveillance Act. Section 702 of FISA allows the government to target specific non-US persons outside the United States for national-security reasons, but the FUD surrounding FISA was addressed by the US government through the Data Privacy Framework (DPF).

The measures introduced under the DPF limit how the US government can conduct surveillance on certain non-US individuals and it provides such individuals with the ability to seek redress in US courts. Harvey was one of the first AI companies to be certified under the DPF, and we continue to commit to the adherence of the DPF principles.

The other area that sometimes gets raised when discussing this issue are National Security Letters (NSLs). NSLs can only be directed to specific kinds of entities such as wire and electronic communications service providers, financial institutions, and consumer reporting agencies, and Harvey does not provide the kinds of services that have historically been found to fall within these categories. Even if an NSL came our way, it couldn’t compel disclosure of content — only limited subscriber information.

Why We’re an Unlikely Target

We are a generative AI company that supports the legal profession, not a telecom giant or a social media behemoth. We process user-generated prompts and store precisely what our customers ask us to store — and nothing more. Simply put, we’re not the low-hanging fruit if US intelligence agencies go data-hunting. The reality is, companies like ours are unlikely to receive a clandestine dragnet order, and here’s why:

  • Data volume and context: We only have what customers choose to upload. We don’t sit on years of inboxes, photo libraries, or phone metadata. That makes us an inefficient stop for investigators.
  • Customer-controlled retention: Our customers can set strict retention periods, or request deletion at any time. Short-lived data means fewer troves for any authority to mine.
  • Professional secrecy and jurisdiction hurdles: The CLOUD Act includes mechanisms for challenging requests that would violate foreign laws — including professional secrecy or data protection regulations in the EU. Any legal request that forces a breach of those duties invites a serious conflict-of-laws showdown — something US courts try hard to avoid.
  • No precedent: To date, we have never received a request for customer data from the US government, nor from any other government around the world. We just aren’t the kind of company that is likely to be targeted.

Technical and Procedural Safeguards

Since nearly the very beginning of Harvey, we have had clear policies around how we would handle any law enforcement requests, and those policies are available on our website. The short version is that if we receive a request — unless we are legally unable to do so — we will immediately inform any impacted customer and discuss with them how to proceed. And, in any event, we will challenge any request that we think is unlawful, overboard, or unsubstantiated.

But we don’t just come at this from a contractual perspective. We are transparent with our customers about where their data is processed and stored. We offer three data processing locations: our Standard Region (where customer data can be processed in the US, the EU, and Switzerland), our EU Region (where customer data is processed in the EU and Switzerland), and our Australian Region (where customer data is processed in Australia).

Beyond these three data processing regions, we offer customers a myriad of choices about where their data is stored (with possible regions including over 30 different countries). And, at all times, customers control the retention periods for their data.

What Happens if We Get a Request?

Could we get a legal request tomorrow? Yes, we could. But if that happens, we have a clear playbook that puts our customers front and center. Let’s walk through a hypothetical where we do get a request.

Step 1: Receipt and Customer Notice

Unless a court expressly forbids it, we notify the affected customer right away. And, if we are forbidden from notifying a customer, we would use our best efforts to obtain a waiver of the prohibition. Secret subpoenas are only “secret” when a judge determines that notice would severely harm an investigation (think imminent risk to life, evidence destruction, or witness intimidation). Even then, gag orders are time-limited (generally to one year or less).

Step 2: Verification

We verify the request’s legal validity. Is it signed by a judge? Does it cite the right statute? Is it overly broad? If it fails any bar, we push back and pursue any possibilities of appeal.

Step 3: Assess Conflicts of Law

Does the request collide with GDPR, professional secrecy, or other local laws? If so, we would challenge it or seek narrower scope. Under the CLOUD Act, providers can ask courts to modify or quash orders that create international conflicts.

Step 4: Minimal Disclosure

If we must comply, we produce only the specific data identified in the order — no fishing expeditions, no extra metadata.

Our Approach to Privacy and Security

Data privacy is not about geography — it’s about governance, transparency, and control. We’re committed to giving our customers all three. Our approach has been to bake privacy and security into Harvey from day one, give customers transparent choices about where and how their data is handled, and be crystal clear about how we’ll respond if the law comes knocking.

Being US-based doesn’t mean we ignore European law or international privacy concerns. It means we work harder to meet the gold standard, everywhere. We’ve built our infrastructure, legal agreements, and culture around earning and keeping our customers’ trust. We must continue to earn and keep your trust by being brutally transparent about how we handle your data, invest in cutting-edge security, and push back on any request that doesn’t meet rigorous due-process standards.

In short, data protection isn’t about where your company is headquartered; it’s about the systems, commitments, and culture you build. We take that responsibility seriously, and we’re always happy to go deeper on any of these points. Drop us a line, schedule a security review, or quiz us on the CLOUD Act — we welcome the conversation.