Security & Data Protection

Magpie is purpose-built for law firms handling sensitive client documents. Every layer of our platform is designed to protect the confidentiality, integrity, and availability of your data.

Your Data Is Never Used for AI Training

We contractually prohibit all AI providers from using your data to train, improve, or develop their models. This applies to every document, query, and output processed through Magpie.

All providers we use operate on enterprise or paid API tiers where data exclusion from training is automatic and contractual. Each provider holds SOC 2 Type II certification or equivalent.

This is not a policy — it is a contractual obligation enforced at the API level. Full sub-processor details are available under NDA as part of our Data Processing Agreement.

Encryption Everywhere

In transit: All data is encrypted using TLS 1.2+ between your browser, our servers, and our AI providers.

At rest: Documents stored on our platform are encrypted using AES-256-GCM, the same standard used by financial institutions and government agencies. Encryption is mandatory in our production environment.

Data Isolation

Each organisation's data is strictly isolated through database-level row-level security policies. This means:

  • Users can only access documents belonging to their organisation
  • There is no shared data layer between organisations
  • Isolation is enforced at the database level, not just the application level — even in the event of an application bug, one organisation's data cannot be accessed by another

Audit Trail

All actions within Magpie are logged, including:

  • Document uploads and deletions
  • Summary generation and data extraction
  • User access and permission changes
  • Organisation setting modifications

Audit logs include the identity of the actor, the action performed, the resource affected, and the timestamp. Logs are available to organisation administrators on request.

Data Retention Controls

Organisations have full control over how long documents are retained:

Automatic deletion: Set a retention period (30, 60, 90, 180, or 365 days) and documents are permanently deleted after the specified time.

Manual deletion: Choose to manage document lifecycle manually, with the ability to delete any document and its associated data at any time.

When a document is deleted, all associated data — including the original file, generated summaries, extracted terms, and internal processing data — is permanently removed. Usage records are retained solely for billing purposes.

Protecting Legal Professional Privilege

In February 2026, a US federal court ruled in US v. Heppner that documents created using consumer AI tools were not protected by attorney-client privilege, on the basis that public AI platforms do not guarantee confidentiality.

Magpie is designed as an enterprise tool with:

  • Contractual confidentiality guarantees with all AI providers
  • No data retention by AI providers beyond the processing window
  • No training on customer data
  • Organisation-level data isolation and access controls
  • Full audit trail of all document processing

This architecture provides a defensible basis for maintaining privilege when using AI to process legal documents — distinguishing Magpie from consumer AI tools that courts have found may waive privilege.

Compliance

Magpie is designed to meet the requirements of data protection regulations across our operating jurisdictions:

United Kingdom: UK GDPR and Data Protection Act 2018

Kenya: Data Protection Act 2019

Singapore: Personal Data Protection Act (PDPA)

We support jurisdiction-specific data transfer mechanisms and our infrastructure is hosted in the EU (AWS eu-west-1) to support cross-border compliance requirements.

SOC 2 Type II (In Progress)

ISO 27001 (In Progress)

Role-Based Access Control

Magpie supports organisation-level roles to control access:

Owner: Full administrative access including billing and organisation settings

Admin: Can manage team members, invitations, and organisation settings

Member: Can upload documents and generate summaries within their organisation

All role changes are logged in the audit trail.

Infrastructure

All infrastructure and AI providers used by Magpie hold SOC 2 Type II certification or equivalent. Our application and data infrastructure is hosted in AWS eu-west-1 (Ireland), providing low-latency access for UK, European, and African clients.

A full list of sub-processors and their certifications is available as part of our Data Processing Agreement.

Questions?

For security inquiries, DPA requests, or to discuss your firm's specific requirements:

security@magpie-legal.com

We are happy to provide:

  • Completed security questionnaires
  • Data Processing Agreements
  • Penetration test reports (when available)
  • Detailed technical architecture documentation