Data handling, in detail.

Matter data — intake records, medical records, correspondence, demand letters, depositions, exhibits, motions, and the work product the firm produces inside the JustineAI™ tenant — is processed inside the customer’s tenant to generate the artifacts the firm requests. Processing is bounded by the workflow: the four-pass demand-letter pipeline reads the matter, the medical-chronology analyzer reads the records, the citation verifier resolves cited authorities against the public CourtListener corpus.

Processing happens inside Microsoft Azure’s US regions for US customers. The Eve-Legal F5/reasoner inference calls route to Azure OpenAI and Azure AI Foundry endpoints inside MindHYVE.ai™’s tenant. Frontier-model providers have contractual terms that prohibit them from retaining inference content or using it to train future models.

We do not train models on customer data. Eve-Genesis (Law Edition) — the synthetic-data substrate that fine-tunes the legal reasoner — is 100% synthetic by construction. Your firm’s matter data is not used to train any model. Not the legal reasoner. Not the classifier. Not the frontier models we compose into our reasoning loop. Not third-party providers.

The training discipline is structural, not contractual. The pipeline that produces Eve-Genesis runs in Islamabad against a documented corpus composition. Customer matter data is never in scope for that pipeline. There is no path for customer data to enter the training corpus by mistake — the customer-data partition and the training-data partition are different storage accounts, in different subscriptions, under different identities.

We do not sell customer data. We do not share matter or client data for advertising, lead generation, or third-party legal research. The only services that touch customer data are the subprocessors documented on the subprocessors page, each bound by a written agreement with data-protection commitments at least as protective as our agreement with the customer.

Frontier-model inference uses inference content only to generate the response. The content is not retained by the provider. Citation verification uses only the public citation string for the CourtListener lookup — no matter content is transmitted in the verification request.

Every action a user takes inside the JustineAI™ tenant is written to a structured audit log with actor identity, timestamp, action type, and matter reference; the reasoning steps behind an action are recorded alongside it. Records older than 90 days are moved nightly to integrity-signed long-term storage. Logs are retained for the contractually agreed period (enterprise customers may extend), and are exportable on request as JSON for litigation discovery, ethics review, or malpractice-insurance audit.

On written deletion request, we delete or anonymise the customer’s personal information within 90 days, subject to legal-hold and contractual retention obligations. Tenant deletion is final and cryptographically verifiable — customer-managed keys are revoked at the firm’s direction, after which the encrypted matter data is unreadable.

Audit logs survive deletion for the contracted retention period to support post-termination ethics or malpractice review. Logs do not contain matter content; they contain action records.