Security by Design: How Harvey Engineered Trust from Day One

How we’ve built a proactive, layered security program to protect the most sensitive legal data—combining offensive security expertise, rigorous controls, and deep collaboration with our customers.

May 29, 2025

Tobias Boelter
Winston Weinberg
Gabe Pereyra

At Harvey, our goal is to build the most trustworthy AI platform for legal and professional services. From the moment we embarked on this journey, a core, non-negotiable principle has guided our every step: the security and confidentiality of our customers' data. We understand that the information entrusted to us is among the most sensitive and critical, and we’ve built our company from the ground up with this profound responsibility in mind.

A Culture of Security, Not an Afterthought

At Harvey, security has never been an afterthought. Our founders and first engineers laid a foundation of rigorous security standards, achieving both SOC 2 Type II attestation and ISO 27001 certification before we had a dedicated security team in place. Our early investments set the tone: security is not just a team – it’s a company-wide responsibility.

Our Head of Security joined as employee #23, a testament to our unwavering commitment from the outset. Today, our security team represents a significant portion of our engineering organization, with around 10-20% of staff dedicated to security.

Our Philosophy: Proactive, Offensive-Minded Defense

We view compliance as an outcome, not the driver, of our security program. Certifications like SOC 2 and ISO 27001 are important, table-stakes milestones in our industry, but they are the natural result of a robust security posture, not the ceiling of our ambitions.

Our security team brings a wealth of diverse experience, with many engineers having spent years in offensive security, as ethical hackers breaking into systems, or on the front lines of incident response, dealing with real-world breaches. This collective experience shapes our priorities, allowing us to focus on defending against the latest, most sophisticated threats.

We often go far beyond established practices. For instance, very early on, we implemented hardware tokens for multi-factor authentication (MFA) leveraging the FIDO2 standard. Unlike more common SMS, push, or time-code based MFA methods, FIDO2’s challenge-response protocol with digital signatures ensures that each authentication attempt is only valid for the website requesting it, and impossible to copy to other websites, effectively protecting against phishing attacks.
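The origin binding described above can be seen in the checks a relying party runs on a FIDO2/WebAuthn assertion. The following is an added example, not Harvey's code: the origins `app.example` and `app-example.test`, the function names, and the simulated authenticator are assumptions made for illustration, and the layout is reduced to the fields that carry the binding.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed stand-in for browser + authenticator. The browser, not the page,
// writes the origin into clientDataJSON. Worst case assumed: the key signs for
// any site (a real authenticator scopes each credential to one RP ID).
function signAssertion(privateKey, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // rpIdHash (32 bytes) | flags (bit 0: user present) | signCount (4 bytes, unused here)
  const authenticatorData = Buffer.concat(
    [sha256(new URL(origin).hostname), Buffer.from([0x01, 0, 0, 0, 0])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = crypto.sign('sha256', signed, privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Relying-party side: returns 'ok' or the name of the first check that failed.
function verifyAssertion(a, rp) {
  const c = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (c.type !== 'webauthn.get') return 'wrong type';
  const got = Buffer.from(String(c.challenge), 'base64url');
  if (got.length !== rp.challenge.length ||
      !crypto.timingSafeEqual(got, rp.challenge)) return 'challenge mismatch';
  if (c.origin !== rp.origin) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(rp.rpId))) return 'rpIdHash mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, rp.publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const rp = { publicKey, challenge: crypto.randomBytes(32),
               origin: 'https://app.example', rpId: 'app.example' };
  const genuine = signAssertion(privateKey, rp.origin, rp.challenge);
  // The same challenge answered on a look-alike origin, then handed to the real site.
  const relayed = signAssertion(privateKey, 'https://app-example.test', rp.challenge);
  // The relayed signature attached to fields rewritten to the real origin and rpIdHash.
  const rewritten = { signature: relayed.signature, clientDataJSON: genuine.clientDataJSON,
                      authenticatorData: genuine.authenticatorData };
  const stale = { ...rp, challenge: crypto.randomBytes(32) }; // RP expects a newer challenge
  return { genuine: verifyAssertion(genuine, rp), relayed: verifyAssertion(relayed, rp),
           rewritten: verifyAssertion(rewritten, rp), replayed: verifyAssertion(genuine, stale) };
}

console.log(demo());
```

A production relying party would also parse the stored COSE public key, track the signature counter, and enforce user verification where its policy requires it.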

Partnership and Independent Validation: A Multi-Layered Assurance

Security is a collaborative effort at Harvey. We embed security engineers within each engineering team who build alongside their colleagues, providing dedicated security expertise and resources while maintaining independent reporting lines. This ensures we can innovate and ship features at unprecedented speed, without compromising on security.

Beyond our internal diligence, we actively seek independent, external validation of our security program by industry leaders:

  • Rigorous Testing: We engage top-tier firms like NCC Group and Bishop Fox for regular application security assessments (penetration tests) and red team exercises. Penetration tests scrutinize our product for vulnerabilities, while red team exercises simulate real-world attacks on our corporate networks by tasking a team of ethical hackers to gain unauthorized access to customer data, often starting from an "assumed breach" scenario (e.g., a compromised engineer's or executive’s laptop). For us, these aren't just vulnerability hunts; they are crucial validations of our internal processes. Our goal is to prevent or detect any high-severity issues internally. If an external assessment uncovers such a finding, it triggers not only an urgent fix but also a comprehensive root-cause analysis and corrective action plan.
  • Comprehensive Audits: We partner with Schellman, a firm renowned for its technical sophistication and attention to detail (the same auditors used by the likes of Microsoft, Zoom, and Salesforce), for our SOC 2 Type II and ISO 27001 audits, which are renewed annually.
  • Customer Collaboration: We recognize that standards like SOC 2 and ISO 27001, while valuable, cannot capture every nuance, especially in the cutting-edge field of AI. We welcome and actively engage in deep, technical security reviews with our customers. Many of our largest clients, including many of the world's largest law firms, have conducted their own thorough assessments, and we pride ourselves on meeting their unique and stringent requirements.

Aggressive Third-Party Risk Management and Strong Contractual Commitments

We believe in providing transparency and peace of mind for our customers. Unlike providers who offer only point-in-time security information or require lengthy negotiations for substantive commitments, Harvey maintains strong, detailed contractual security commitments by default to all our customers. These include incident notification SLAs, vulnerability remediation SLAs, independent audits confirming our role as Data Processor, data residency controls, data deletion guarantees, defined conditions under which our personnel can access your data, no training on your data, and many more. Providing these commitments by default accelerates contracting and reduces redlining, allowing our customers to focus on the value Harvey delivers.

Our high security standards extend to our suppliers and vendors. We rigorously assess their security practices and make this a contractual commitment to our customers. This often means making tough choices and sometimes opting to build services in-house rather than engaging a vendor that doesn't meet our bar. As a leader in application-layer AI, we also leverage our position to secure enhanced commitments or tailored solutions from service providers, ensuring they meet our uniquely high bar for security.

Robust Governance: Ensuring Security Remains a Priority

Strong governance underpins our entire security program. Our Board of Directors is regularly briefed on emerging risks, the evolving threat landscape, audit outcomes, security events, and key metrics, such as the number of personnel with administrative access. We've also established an Information Security Risk Governance Council, enabling swift alignment and decision-making on security risks, reflecting our core company value of decisiveness.

Our Technical Approach: Layered Defense and Real-Time Response

Our security program is built on a layered approach:

  1. Strong security controls: We start with strong foundational controls that reduce complexity, aligning with another of our core values: simplicity. We thereby eliminate entire classes of risk and make the environment conform to specific patterns, making malicious activity easier to detect. To name a few of these controls: all data is encrypted at rest and in transit, developers do not have access to the production environment, and all development occurs in a strictly segregated environment devoid of Customer Data. We refer to this separation as "sacred." Any change to our systems requires two-party approval, with one approval from a designated owner for each code path or subsystem. We maintain a comprehensive audit trail of all changes and know precisely what code is running in our environment at any given time. A Kubernetes admission controller enforces that only authorized code can operate in our environment. Customer support personnel do not have default access to customer data; such access requires specific, individual authorization.
  2. Advanced Security Data Analytics: Building on this strong foundation, we've developed a highly scalable platform for real-time security data analytics. This allows us to ingest and analyze massive volumes of security signals in real-time, currently more than 2 billion per day. This platform enables us to create high-fidelity alerts tailored to our unique environment and business context, facilitating real-time threat detection, hunting, and investigations.
  3. Rapid Incident Response: We maintain a 24/7 incident response capability with flexible processes, enabling us to respond quickly and accurately to a wide range of malicious activities, and we contractually commit to notify customers within at least 48 hours for Security Incidents.

Addressing AI-Specific Risks By Design

We designed Harvey from the start to defend against risks that are unique to AI applications, such as prompt injection, sensitive information disclosure, training data poisoning, and excessive agency. If models are trained on confidential data and then shared with other customers or users, there is a risk that this data could be inadvertently disclosed to unauthorized parties. At Harvey, we do not train or fine-tune models on your sensitive data and the same applies for our subprocessors and model providers. Instead, customer data is used at inference time only, categorically eliminating the risk of sensitive data becoming part of the model and thereby categorically protecting against sensitive information disclosure risks.

Attack vectors such as prompt injection and training data poisoning could lead to the system producing incorrect outputs by processing maliciously-crafted documents. While we and our subprocessors have implemented defenses against these types of attacks, no large language model today is completely immune. However, Harvey is designed to assist lawyers, not to replace them. Our product is built to make verification easy, reducing the risks of errors or manipulation and aligning with the high standards expected of legal work.

Our Track Record: Demonstrable Security Excellence

Our commitment to security is reflected in our achievements:

  • Sustained Certifications: We hold SOC 2 Type II attestation and ISO 27001 certification from Schellman, renewed annually.
  • Proven Resilience: We successfully withstood an intensive two-week assumed-breach red team exercise conducted by Bishop Fox.
  • Customer Trust: We have not failed a single security assessment from our customers, which now include a majority of the largest global law firms and a growing roster of major global enterprises.
  • Data Privacy Leadership: Harvey was the first AI/LLM startup to certify under the EU-US Data Privacy Framework.

Job’s Not Finished

The landscape of security risks is constantly evolving with new technologies, attack patterns, and the rapid growth of our own company and products. While we are confident in our current security posture and the robust culture and structures we’ve built around it, we remain vigilant. Protecting customer data isn’t a one-time checkbox; it’s an ongoing commitment. That’s why we’re relentlessly focused on anticipating risks, adapting our defenses, and investing in long-term security.

We understand the trust our customers place in Harvey, and we are dedicated to earning and maintaining that trust every single day. Security is not just a feature at Harvey; it is our promise.