Subprocessor Update FAQs

Last updated: May 13, 2025

1. Why are you adding Amazon Web Services (AWS) and Google Cloud Provider (GCP) as subprocessors?

To continue delivering high-quality responses, Counsel AI is expanding its use of advanced foundational models. Our engineers have evaluated the Gemini and Claude series of large language models (LLMs) and found that, in certain contexts, these models further enhance Harvey’s performance.

We are utilizing Amazon Bedrock, a fully managed AWS service that is designed to provide secure use of LLMs. GCP will similarly provide access to LLMs, through its AI platform, Vertex.

Regardless of which AI models or foundational model providers are used, Counsel AI ensures that customer data is never used to train AI models unless explicitly authorized by both the customer and Counsel AI.

2. What models are we using?

Gemini and Claude series.

3. What personal data will the new subprocessors be processing?

AWS and GCP will ephemerally process Customer Data and Customer Content, including any personal data they contain.

“Customer Data” refers to any document uploaded to Harvey, while “Customer Content” includes any query or input you upload to Harvey, as well as any output you receive from Harvey.

To protect the security and privacy of your data, we have imposed strict technical and organizational safeguards on our foundational model providers. These include:

  • Zero data retention – subprocessors do not store your data; it is only processed ephemerally.
  • Encryption in transit and at rest.
  • No human review – data is not reviewed by subprocessors.
  • No training – your data is never used to train AI models.

4. Where do the subprocessors process the personal data?

AWS and GCP will process our data in the United States, European Union, or Australia. If we have made a commitment to store or process your data in a specific region, we will continue to honor that commitment.

5. What safeguards or legal mechanisms has Counsel AI put in place to transfer EEA/UK/Swiss data to the new subprocessors?

Our Data Protection Agreements with AWS and GCP include the appropriate and approved transfer mechanisms to ensure the lawful transfer of personal data from the EEA, UK, and Switzerland to countries without an adequacy decision. Counsel AI has signed the Standard Contractual Clauses (“SCCs”) approved by the European Commission with the new subprocessors as well as the UK International Data Transfer Addendum (“UK Addendum”) issued by the UK’s Information Commissioner’s Office.

Please note that GCP and AWS are certified participants in the Data Privacy Framework.

6. How does Harvey send our data to the subprocessors?

We send a request to the API endpoint within the GCP Environment or AWS Environment, which authenticates our request and forwards it to the model instance. The model processes the request, and the endpoint returns the result. At all times, the traffic is encrypted using TLS 1.2+, and this level of encryption is maintained between all other endpoints within the service.

For an updated security diagram that shows how Harvey will access LLMs via Bedrock and Vertex AI see here.

7. What security and privacy commitments have the new subprocessors made to Counsel AI?

AWS

  • Maintains SOC 2 Type I and SOC 2, SOC 3 compliance.
  • All Customer Data and Content is encrypted in transit and at rest.
  • AWS will perform regular external vulnerability assessments and penetration testing of the AWS network, and will investigate identified issues and track them to resolution in a timely manner.
  • Infrastructure monitoring tools are utilized to monitor systems, infrastructure, and performance.

GCP

  • Maintains SOC 1, SOC 2, SOC 3 compliance and ISO/IEC 27001/27017/27018/27701 certification.
  • Data is encrypted through HTTPS encryption.
  • Employs multiple layers of network devices and intrusion detection to protect its external attack surface. Google considers potential attack vectors and incorporates appropriate purpose-built technologies into external-facing systems.

For more information on AWS’s privacy and security posture see here and, for GCP, see here.