Litigation‑Grade Security
Crimson is built with information security and data privacy at its core. Designed specifically for high‑stakes litigation, Crimson ensures your case files remain confidential and secure at all times.
Built for the most sensitive cases.
SOC 2 Type II Audited
Crimson meets rigorous security standards verified by independent auditors.
GDPR Compliant
Crimson fully adheres to GDPR's data privacy and processing requirements.
Strict Data Isolation
Each customer's data is stored in its own secure, ring‑fenced environment.
No Model Training
Customer data is never logged, stored or used for external AI model training.
Flexible Data Residency
Customers retain full control over where their data is hosted.
Encrypted SSO
Users access Crimson securely with single sign‑on via Microsoft Entra ID and AES‑256 encryption.
Engineered for secure litigation
Crimson was built from the ground up with the needs of disputes teams in mind. From its architecture to its user interface, every component has been designed to minimise risk, protect confidentiality and preserve privilege.
We conduct annual third‑party penetration testing, maintain strict access controls and ensure that sensitive documents are never surfaced outside their intended context. Our internal development process includes threat modelling, secure defaults and regular peer review of security‑critical code.
Security portal
Crimson maintains a dedicated Security Portal, setting out our information security policies, procedures and technical controls. The portal is regularly reviewed by our security and compliance provider, Oneleet, and provides a comprehensive overview of how we manage risk across the organisation.
All policy documents, including our Audit Log Management Policy, Data Retention Policy and Incident Response Plan, are available to download directly from the portal.
Visit the Security PortalCertifications & Policies
Access comprehensive security documentation, audit reports, and compliance certifications to verify our commitment to protecting your data.
Frequently asked questions
Does Crimson use client data to train its AI models?
No. Crimson does not use client data to train models for any third party. All AI processing takes place in a secure environment within Microsoft Azure, and any output improvements are limited to each customer's own use.
Is client data ever shared between law firms or customers?
No. Each customer's data is logically and operationally isolated. There is no pooling, cross‑training or shared access between law firms, and Crimson does not aggregate or analyse data across customers.
Does Crimson meet SOC 2 Type II standards?
Yes. Crimson's SOC 2 Type II report with no exceptions demonstrates our commitment to best practices in security, reliability and privacy. As part of the assessment process, independent auditors regularly review our policies, processes and systems over an extended period, verifying that our controls meet the most stringent industry standards.
For more information about our SOC 2 Type II audit, including our security policies and controls, please visit our Security Portal.
Is Crimson GDPR‑compliant?
Yes. Crimson is fully compliant with UK GDPR and follows strict data minimisation, purpose limitation and lawful processing principles. All data is processed exclusively for the purposes of providing legal support services through your law firm.
Is Crimson suitable for use on high‑value or sensitive matters?
Yes. Crimson is designed for complex commercial disputes and regulatory matters where data sensitivity is paramount. It is used by litigation teams handling multi‑party, high‑stakes matters involving confidential and privileged content.
Where is our data stored?
Customers have full control over data residency and can choose their preferred Microsoft Azure region for data storage, including the UK, US, EEA and Australia. Crimson does not transfer or replicate your data outside this environment.
Is our data encrypted?
Yes. All data is encrypted both in transit (TLS 1.2+) and at rest (AES‑256). This ensures confidentiality and integrity at every stage of the data lifecycle.
Can third parties, such as Microsoft or OpenAI, access our documents?
No. Crimson uses Azure OpenAI Service with a strict exemption from Microsoft's anti‑abuse monitoring policy. This means no data is logged by third parties, no outputs are stored and no human reviewers – including at Microsoft or OpenAI – ever see your content.
How long does Crimson retain our data?
Crimson retains data only for as long as required under the customer's contract or for legal compliance. Data is securely deleted upon request or contract termination. Archival options are available if long‑term storage is needed.
Is the platform regularly tested and audited?
Yes. Crimson undergoes annual third‑party penetration testing and maintains a secure software development lifecycle. We also work with an independent security and compliance provider to assess our systems and controls.
Ready to explore Crimson?
Experience enterprise-grade security that protects your most confidential case files and client information.
Book a demoLitigation-Grade
Security
Crimson is built with information security and data privacy at its core. Designed specifically for high-stakes litigation, Crimson ensures your case files remain confidential, secure and compliant at all times.
Built for the most sensitive cases.
SOC 2 Type II Audited
Crimson meets rigorous security standards verified by independent auditors.
GDPR Compliant
Crimson fully adheres to GDPR's data privacy and processing requirements.
Strict Data Isolation
Each customer's data is stored in its own secure, ring-fenced environment.
No Model Training
Customer data is never logged, stored or used for external AI model training.
Flexible Data Residency
Customers retain full control over where their data is hosted.
Encrypted SSO
Users access Crimson securely with single sign-on via Microsoft Entra ID and AES-256 encryption.
Engineered for secure litigation
Crimson was built from the ground up with the needs of disputes teams in mind. From its architecture to its user interface, every component has been designed to minimise risk, protect confidentiality and preserve privilege.
We conduct annual third-party penetration testing, maintain strict access controls and ensure that sensitive documents are never surfaced outside their intended context.
Security portal
Crimson maintains a dedicated Security Portal, setting out our information security policies, procedures and technical controls. The portal is regularly reviewed by our security and compliance provider, Oneleet.
Visit the Security PortalCertifications & Policies
Access comprehensive security documentation and compliance certifications.
Frequently asked questions
Does Crimson use client data to train its AI models?
No. Crimson does not use client data to train models for any third party. All AI processing takes place in a secure environment within Microsoft Azure.
Is client data ever shared between law firms or customers?
No. Each customer's data is logically and operationally isolated. There is no pooling, cross-training or shared access between law firms.
Does Crimson meet SOC 2 Type II standards?
Yes. Crimson's SOC 2 Type II report with no exceptions demonstrates our commitment to best practices in security, reliability and privacy.
For more information, please visit our Security Portal.
Ready to explore Crimson?
Experience enterprise-grade security that protects your most confidential case files and client information.
Book a demo