Security overview

The work never leaves your building

Enterprise-grade security for supervised legal AI. Single-tenant infrastructure, SOC 2 Type II certified, built for the most security-conscious legal teams in the world.

Classification: Customer-facing
Last updated: April 2026
Audience: Procurement / InfoSec / GC
01 — Architecture

Single-tenant by design

Every customer gets a completely isolated deployment. Separate database, separate credentials, separate compute. Your data never co-mingles with another customer's data. This is not a configuration option — it is the architecture.

Isolation
Dedicated per-tenant infrastructure
Each customer gets their own Kubernetes namespace, MongoDB database, application instances, and credentials. No shared resources between tenants.
Hosting
Google Cloud Platform (EU)
Primary hosting on GCP with Azure supported for customers requiring Microsoft environments. Infrastructure managed via Terraform and ArgoCD.
Encryption
TLS everywhere
All data encrypted in transit via TLS. Data at rest encrypted via cloud provider managed encryption. No unencrypted communication paths.
Email integration
Your Exchange, your domain
Agents operate via your Microsoft Exchange environment using Azure Service Principal. Domain allowlists enforced on inbound and outbound. No third-party email routing.
02 — Certifications and compliance

What we hold and what we practise

Certifications
  • SOC 2 Type II — Independent audit completed 2025. Covers security, availability, and confidentiality trust services criteria.
  • Annual penetration testing — Latest report: 2026. Conducted by independent third-party security firm.
  • GDPR compliant — Berlin-headquartered. EU data processing by default. DPA available on request.
Security practices
  • Virus scanning — All uploaded files scanned before processing.
  • Prompt injection detection — Dedicated security workflow scans all inputs before LLM processing.
  • Role-based access control — 6 roles, 15 action types, 65+ resource definitions. Fine-grained permissions enforced at the API layer.
  • Audit trails — Every agent run, message, and workflow step is logged with full traceability.
  • Security headers — HSTS, X-Frame-Options, CSP with dynamic nonces. Standard enterprise web security baseline.
03 — Data handling

Where data lives and how it moves

Your contract data is processed inside your dedicated environment and stored in your isolated database. It is not used to train models, not shared across tenants, and not accessible to other customers.

Data residency
Primary hosting in the EU (Google Cloud Platform). Azure available for customers requiring Microsoft environments. Regional deployment is available to meet specific data residency requirements.
LLM provider handling
Flank integrates with four LLM providers (OpenAI, Anthropic, Google Vertex AI, Azure OpenAI). Contract data is sent to these providers for processing under enterprise data processing agreements. No provider uses your data for model training. Provider selection is configurable per-customer.
No model training on customer data
Your documents, playbooks, and contract data are never used to train any AI model — Flank's or any provider's. Data is processed for your tasks only.
Retention and deletion
Data retention policies configurable per-customer. Full data deletion available on request. Your isolated database means clean deletion is straightforward — no data entangled with other tenants.
04 — Authentication and access

Enterprise SSO and granular permissions

Flank supports your existing identity provider. No separate credentials for your team to manage.

Capability | Detail
SSO providers | Google OAuth, Microsoft OAuth, Okta, Microsoft Entra (Azure AD)
Session management | JWT-based with secure token refresh. Configurable session lifetimes.
Role model | Six roles from default user to app admin. Relation-based permissions (e.g., agent admin scoped to their agents only).
Supervision access | Dedicated supervision interface for legal team oversight. Full visibility into agent decisions and outputs.
05 — Available documentation

What we can share

The following documentation is available on request for customers in procurement or security review.

SOC 2 Type II report
Full independent audit report covering security, availability, and confidentiality controls. 2025 report available under NDA.
Penetration test report
2026 penetration test results conducted by independent security firm. Available under NDA.
Technical architecture overview
Detailed architecture documentation covering system components, data flow, and integration channels.
Security questionnaire
Pre-completed master security questionnaire available to accelerate your procurement process.
Policy suite
Information security, network security, physical security, acceptable use, vendor management, and AI-specific policies. Available on request.
Data Processing Agreement
Standard DPA available for GDPR compliance. Customisation available for specific regulatory requirements.
Contact

For security documentation, questionnaire responses, or to schedule a technical deep-dive with our security team, contact contact@flank.ai or speak with your account team.
