Your Data, Your Control: How Harvey Manages Customer Data
Sharing the core pillars that underpin our commitment to keeping customer data secure.
Legal teams handle some of the most sensitive data in the world, and Harvey’s architecture was built with that responsibility at its core. We believe that customer data (e.g. customer inputs, outputs, and documents uploaded to Harvey) belongs only to the customer. Our systems are designed to access only the information relevant to a request, and only for the time period needed to fulfill it.
This principle is embedded into every layer of our infrastructure, from access control to encryption. Trust isn't something we apply after the fact — it's engineered into the system from the start. Our internal mantra for security is "Provably Secure," and we bring that discipline into every design decision. Throughout the rest of this post, I’ll walk through the core pillars that bring this mission to life.
Zero Data Access
Harvey is built on the principle that customer data should never be within reach of anyone who doesn’t absolutely need it. By design, the only entity that interacts directly with customer data is the Harvey architecture itself.
Our engineers and operations staff do not have access to customer data except where required or requested by our customers (for instance, to investigate a support request). Role-based access controls, network segmentation, and identity federation enforce this separation. Rather than relying on policy alone, we design our automations and systems to ensure customer data remains sealed off, even from our own team.
Infrastructure as Code and Just-in-Time Processing
Harvey’s backend environments are configured and managed through Infrastructure as Code (IaC), a SaaS security best practice. IaC manages and provisions infrastructure, such as networks, virtual machines, and load balancers, using machine-readable definition files instead of manual configuration of each component.
This approach allows Harvey’s infrastructure to be defined, deployed, and updated through code. Any changes to the core architecture by the Engineering team are versioned and reviewed, which makes it easier for human experts to track and audit changes. It also allows our environments to be recreated or rolled back to a known state when needed.
Encryption and Customer Control
Encryption isn't a box we check; it's a fundamental part of how Harvey keeps customer data under customer control.
All customer data and content handled by Harvey is encrypted both in transit and at rest. Encryption is applied automatically across every storage and communication layer, ensuring protection wherever your data resides or moves. There are no unencrypted pathways in our system; confidentiality is enforced by design, not by policy.
For organizations that require additional control, Harvey supports Bring Your Own Key (BYOK). With BYOK, the customer manages the encryption key used to secure their stored data. They can rotate that key at any time, and revoking it immediately renders the stored data inaccessible to any system, including Harvey. This gives customers full cryptographic ownership of their information and the ability to define their own trust boundary.
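The revocation guarantee above is normally delivered with envelope encryption: every stored object is encrypted under its own data key (DEK), and only a key the customer controls (the KEK) can unwrap that DEK, so deleting the KEK makes every object it wrapped undecryptable without touching the blobs. The following is an added illustration, not Harvey's code. The CustomerKMS type, its key version IDs and the StoredObject layout are assumptions made for the example, and the in-memory map stands in for a real KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrKeyRevoked = errors.New("kms: key version revoked or unknown")

// CustomerKMS stands in for a customer-controlled key service (hypothetical). The operator
// never sees KEK material; it only asks the KMS to wrap and unwrap per-object data keys.
type CustomerKMS struct {
	keys   map[string][]byte // KEK version ID -> key material (an HSM in practice)
	active string
}

// Rotate adds a new active KEK version. Objects wrapped under an older version stay
// readable under it until that version is revoked.
func (k *CustomerKMS) Rotate() string {
	id := fmt.Sprintf("kek-v%d", len(k.keys)+1)
	k.keys[id] = randBytes(32)
	k.active = id
	return id
}

// Revoke is the customer's kill switch: every object wrapped under id becomes unreadable.
func (k *CustomerKMS) Revoke(id string) { delete(k.keys, id) }

func (k *CustomerKMS) Wrap(dek []byte) (string, []byte) {
	return k.active, seal(k.keys[k.active], dek)
}

func (k *CustomerKMS) Unwrap(id string, wrapped []byte) ([]byte, error) {
	kek, ok := k.keys[id]
	if !ok {
		return nil, ErrKeyRevoked
	}
	return open(kek, wrapped)
}

// StoredObject is what reaches blob storage: ciphertext, wrapped DEK, KEK version ID.
type StoredObject struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

func Store(kms *CustomerKMS, plaintext []byte) *StoredObject {
	dek := randBytes(32) // fresh AES-256 data key per object; never persisted in clear
	id, wrapped := kms.Wrap(dek)
	return &StoredObject{KEKID: id, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext)}
}

// Load unwraps the DEK through the customer's KMS and decrypts in memory only.
func Load(kms *CustomerKMS, obj *StoredObject) ([]byte, error) {
	dek, err := kms.Unwrap(obj.KEKID, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext)
}

// seal/open: AES-256-GCM, random 96-bit nonce prepended to the ciphertext.
// Keys are always 32 bytes here, so cipher construction cannot fail.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, data []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read never returns an error as of Go 1.24
	return b
}

func main() {
	kms := &CustomerKMS{keys: map[string][]byte{}}
	kms.Rotate()
	obj := Store(kms, []byte("privileged memo")) // constructed sample content
	pt, err := Load(kms, obj)
	fmt.Printf("before revocation: %q err=%v\n", pt, err)
	kms.Revoke(obj.KEKID) // customer revokes the wrapping key version
	_, err = Load(kms, obj)
	fmt.Println("after revocation:", err)
}
```

Run as-is, it decrypts the sample before revocation and returns ErrKeyRevoked after. Two practical points follow from the structure. After a Rotate, objects wrapped under the previous version remain readable under it until that version is revoked, so a production deployment rewraps existing DEKs onto the new version before retiring the old one. And revocation covers data at rest: ciphertext becomes undecryptable everywhere, but plaintext that a running process has already unwrapped into memory is not retroactively erased, which is why the ephemeral-context design in the next section matters.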
Context Without Retention
When Harvey's models process a request, they work only with the data needed to complete that specific task. The relevant text or documents are assembled into a temporary query, with context that exists just long enough for the model to generate a response. Once the relevant model output is delivered and the AI request is complete, our model partners immediately delete that data.
By design, customer information does not persist between sessions, and no context is shared across users or workspaces unless you intentionally share selected data through a secure, scoped mechanism. (Learn more about Shared Spaces and our new collaboration capabilities here.)
Data Flow: From Input to Deletion
Customer data enters the Harvey environment in two primary ways: through prompts and through document uploads. Each one follows a distinct, tightly controlled path.
Prompt Data
When a user submits a prompt, Harvey's vector search engine identifies the most relevant documents from the customer's selected vault or uploaded documents. Those documents are then retrieved and incorporated into the model's temporary context window for inference. No document leaves the customer's environment or becomes visible to any other workspace.
Uploaded Documents
When customers upload files, those files are transmitted over encrypted channels (TLS 1.2+) to blob storage within the customer's regional environment, and each file is encrypted at rest using an AES-256 key. When Harvey's application later retrieves a document for a query, it is decrypted only in memory. Once the customer-defined retention period expires (Harvey supports retention measured either from the time of upload or from the time of last use), the source file is securely destroyed.
This lifecycle ensures that every byte of customer data — from upload to deletion — remains encrypted, isolated, and ephemeral.
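The choice of retention basis above (from time of upload versus from time of last use) changes which documents a sweep destroys on a given day. Here is an added example, not Harvey's code, of a sweep that applies each workspace's own policy. The RetentionPolicy and Document shapes and the sample records are constructed for the illustration.

```go
package main

import (
	"fmt"
	"time"
)

// RetentionBasis selects the timestamp the customer's retention clock runs from.
type RetentionBasis int

const (
	FromUpload  RetentionBasis = iota // clock starts at upload and never resets
	FromLastUse                       // clock restarts each time the file is used
)

// RetentionPolicy is the customer-defined rule for one workspace (hypothetical shape).
type RetentionPolicy struct {
	Basis  RetentionBasis
	Period time.Duration
}

// Document is the metadata kept beside the encrypted blob (hypothetical shape).
type Document struct {
	ID        string
	Workspace string
	Uploaded  time.Time
	LastUsed  time.Time // zero value if never used since upload
}

// ExpiresAt returns the instant from which the source file must be destroyed.
func (p RetentionPolicy) ExpiresAt(d Document) time.Time {
	start := d.Uploaded
	if p.Basis == FromLastUse && d.LastUsed.After(start) {
		start = d.LastUsed
	}
	return start.Add(p.Period)
}

// Sweep applies each workspace's own policy and returns the IDs due for destruction.
// A document whose workspace has no policy is reported rather than silently kept or deleted.
func Sweep(policies map[string]RetentionPolicy, docs []Document, now time.Time) (expired, unpolicied []string) {
	for _, d := range docs {
		p, ok := policies[d.Workspace]
		if !ok {
			unpolicied = append(unpolicied, d.ID)
			continue
		}
		if !now.Before(p.ExpiresAt(d)) { // expiry instant itself counts as expired
			expired = append(expired, d.ID)
		}
	}
	return expired, unpolicied
}

func main() {
	now := time.Date(2025, 1, 31, 12, 0, 0, 0, time.UTC) // constructed clock
	policies := map[string]RetentionPolicy{
		"acme":   {Basis: FromUpload, Period: 30 * 24 * time.Hour},
		"globex": {Basis: FromLastUse, Period: 7 * 24 * time.Hour},
	}
	docs := []Document{ // constructed sample records
		{ID: "doc-1", Workspace: "acme", Uploaded: now.AddDate(0, 0, -31), LastUsed: now.AddDate(0, 0, -1)},
		{ID: "doc-2", Workspace: "acme", Uploaded: now.AddDate(0, 0, -29)},
		{ID: "doc-3", Workspace: "globex", Uploaded: now.AddDate(0, 0, -31), LastUsed: now.AddDate(0, 0, -1)},
		{ID: "doc-4", Workspace: "globex", Uploaded: now.AddDate(0, 0, -8)},
		{ID: "doc-5", Workspace: "initech", Uploaded: now.AddDate(0, 0, -400)},
	}
	expired, unpolicied := Sweep(policies, docs, now)
	fmt.Println("destroy:", expired)           // [doc-1 doc-4]
	fmt.Println("needs a policy:", unpolicied) // [doc-5]
}
```

Two points the sample makes explicit: under a from-upload policy a document that was used yesterday (doc-1) is destroyed on schedule anyway, while under a from-last-use policy an older document that is still being touched (doc-3) keeps living; and a workspace with no configured policy (doc-5) is surfaced for a human rather than defaulting to either outcome.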
Continuous Monitoring
In addition to the above protocols, Harvey’s Security team continuously monitors data access and system activity to ensure our controls work as intended. Every access attempt — whether by a user, service, or internal process — is logged and correlated across multiple systems for auditing and anomaly detection.
Our systems automatically flag behavior that deviates from expected patterns, such as unusual access times, locations, or volumes. These alerts feed into automated and human review where we assess system activity and metadata — never your customer data by default — to confirm that no unauthorized activity has occurred. In this way, monitoring isn't just a compliance requirement; it validates that our principles of least privilege, isolation, and ephemeral access hold true in daily operation.
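As an added example of the kind of rule the paragraph describes (not Harvey's detection logic), here is a small baseline-and-deviation detector run over constructed access-log records. The AccessEvent schema, the three rules and the 3x volume threshold are assumptions made for the illustration; the records carry identity, object ID, country and time only, so a reviewer triaging an alert never needs document content.

```go
package main

import (
	"fmt"
	"time"
)

// AccessEvent is one correlated access-log record (hypothetical schema). It holds
// metadata only (who, which object, from where, when), never document content.
type AccessEvent struct {
	Time      time.Time
	Principal string // user or service identity
	ObjectID  string
	Country   string
}

type Alert struct{ Rule, Principal, Detail string }

// Baseline is what "expected" looks like for one principal, learned from its history.
type Baseline struct {
	Countries map[string]bool
	Hours     [24]bool // UTC hours in which the principal has ever been active
	DailyAvg  float64  // average accesses per active day
}

func day(t time.Time) string { return t.UTC().Format("2006-01-02") }

// LearnBaselines folds historical events into one Baseline per principal.
func LearnBaselines(history []AccessEvent) map[string]*Baseline {
	out := map[string]*Baseline{}
	days := map[string]map[string]int{} // principal -> day -> accesses
	for _, e := range history {
		b := out[e.Principal]
		if b == nil {
			b = &Baseline{Countries: map[string]bool{}}
			out[e.Principal], days[e.Principal] = b, map[string]int{}
		}
		b.Countries[e.Country] = true
		b.Hours[e.Time.UTC().Hour()] = true
		days[e.Principal][day(e.Time)]++
	}
	for p, b := range out {
		total := 0
		for _, n := range days[p] {
			total += n
		}
		b.DailyAvg = float64(total) / float64(len(days[p]))
	}
	return out
}

// Detect runs three rules over a window of new events: a country never seen for the principal,
// an hour it has never been active in, and daily volume above 3x its average (fired once per
// day). A principal with no baseline at all is reported, not silently skipped.
func Detect(baselines map[string]*Baseline, window []AccessEvent) []Alert {
	var alerts []Alert
	perDay := map[string]int{}
	for _, e := range window {
		b, known := baselines[e.Principal]
		if !known {
			alerts = append(alerts, Alert{"no-baseline", e.Principal, "first activity ever seen"})
			continue
		}
		if !b.Countries[e.Country] {
			alerts = append(alerts, Alert{"new-location", e.Principal, "access from " + e.Country})
		}
		if !b.Hours[e.Time.UTC().Hour()] {
			alerts = append(alerts, Alert{"unusual-time", e.Principal, e.Time.UTC().Format("15:04 UTC")})
		}
		key := e.Principal + "|" + day(e.Time)
		perDay[key]++
		if n, limit := perDay[key], 3*b.DailyAvg; float64(n) > limit && float64(n-1) <= limit {
			alerts = append(alerts, Alert{"volume-spike", e.Principal, fmt.Sprintf("%d accesses today, average %.1f", n, b.DailyAvg)})
		}
	}
	return alerts
}

// sampleEvents returns constructed history and a later one-day window for the demo.
func sampleEvents() (history, window []AccessEvent) {
	base := time.Date(2025, 3, 3, 0, 0, 0, 0, time.UTC)
	for d := 0; d < 5; d++ { // alice: two accesses per day at 09:00 and 15:00 UTC, from GB
		for _, h := range []int{9, 15} {
			history = append(history, AccessEvent{base.AddDate(0, 0, d).Add(time.Duration(h) * time.Hour), "alice", fmt.Sprintf("doc-%d-%d", d, h), "GB"})
		}
	}
	later := base.AddDate(0, 0, 7)
	window = append(window, AccessEvent{later.Add(3 * time.Hour), "alice", "doc-90", "BR"}) // 03:00 UTC, new country
	for i := 0; i < 7; i++ { // then a burst of seven pulls within normal hours
		window = append(window, AccessEvent{later.Add(9*time.Hour + time.Duration(i)*time.Minute), "alice", fmt.Sprintf("doc-%d", 100+i), "GB"})
	}
	window = append(window, AccessEvent{later.Add(10 * time.Hour), "svc-indexer", "doc-1", "GB"}) // never seen before
	return history, window
}

func main() {
	history, window := sampleEvents()
	for _, a := range Detect(LearnBaselines(history), window) {
		fmt.Printf("%-13s %-12s %s\n", a.Rule, a.Principal, a.Detail)
	}
}
```

The baseline is learned from each principal's own history, so "unusual" is relative to that identity rather than a global office-hours rule: a service account that legitimately runs at 03:00 is not flagged for that hour, while a human account that has only ever worked daytime hours from one country is. The volume rule fires once per principal per day so a burst produces one alert, not one per access.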
A Platform Built for Trust
Every aspect of the Harvey platform — including how it stores, processes, and protects data — is designed around a single principle: The customer stays in control.
Access is deliberate, temporary, and verifiable. Encryption secures data even when it's not in use. Our systems discard context as soon as it's no longer needed. Continuous monitoring confirms that these guarantees hold true, consistently.
Harvey's approach to security is about architecture, not checklists. We build systems that enforce confidentiality by default, so our customers can focus on their work knowing their data remains theirs alone.
If you want to learn more about how Harvey manages and protects customer data, contact our team.