Published February 9, 2026

Security at Mino

By Maurits Fornier, Co-Founder

Your documents contain your clients’ most sensitive information. We built our infrastructure knowing that one data breach could end careers. Here’s exactly how we protect your work.

The Short Version

European AI processing, EU data residency throughout. Your documents are processed by Mistral, a French AI company subject to EU law. Data is stored on EU servers with Standard Contractual Clauses in place across all infrastructure providers.

No training, ever. Your documents and timelines are never used to train AI models. This isn’t a setting you have to toggle. It’s the default.

You control access. Row-level security means every database query requires authentication. Every read, every write, verified against your identity.

On-premise option available. Need air-gapped systems? We can deploy Mino on your infrastructure. Talk to us about enterprise requirements.

Why We Chose a European AI Stack

Most legal AI companies use OpenAI or Anthropic models hosted through US cloud providers. Even when those servers sit in an EU data center, the parent company is American, subject to the US Cloud Act and FISA 702, which can compel disclosure of data stored abroad.

We chose a different path. Mino runs on Mistral, a French AI company headquartered in Paris. This isn’t just an EU data center operated by a US firm. It’s an EU company, built under EU law, processing your data on EU infrastructure.

For lawyers handling privileged communications, this distinction matters. Your documents are never processed by a US company.

Built for Professional Secrecy Obligations

Lawyers operate under strict confidentiality obligations. The NOvA (Dutch Bar Association) and the CCBE (Council of Bars and Law Societies of Europe) have both issued guidance on what responsible AI use requires in practice. Mino is built to meet these requirements by default.

The NOvA recommends that lawyers know where data is stored and processed, avoid entering confidential information into public AI tools, and verify vendor claims through actual contract terms rather than marketing promises. The CCBE guidance is clear: appropriate safeguards must include contractual obligations for the AI provider to treat data as confidential, a data processing agreement limiting use to law firm purposes, and technical safeguards or local deployment options.

Here is how Mino addresses each requirement:

Know where data is stored and processed. Mistral, France, for AI processing. All data stored on EU servers. Full subprocessor list available on request.

No confidential data in public AI tools. We use Mistral’s dedicated commercial API. Your data never touches a public model or shared inference environment.

Verify claims in contract terms, not just marketing. Our Data Processing Agreement and subprocessor list are available on request. What you read here is backed by contracts, not FAQs.

Technical safeguards or local deployment. Row-level database security is active by default. On-premise deployment is available for firms that require air-gapped systems.

How It Actually Works

Where Your Data Lives

When you upload a document to one of our agents:

  1. AI processing happens in Europe, by a European company. Mistral’s models run on European infrastructure. The company is incorporated in France and subject to GDPR natively, not through a subsidiary or data processing addendum bolted onto a US corporate structure.

  2. Data is stored and processed within the EU. From the moment you upload a document to the moment you see the output, your data remains on EU servers. All infrastructure providers have EU data residency configured and Standard Contractual Clauses in place.

  3. Database security. Extracted data (dates, parties, events) is stored in a PostgreSQL database with row-level security. Every single read/write operation checks: “Is this user allowed to see this specific piece of data?” It happens automatically, behind the scenes.
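
For reviewers who want to see what PostgreSQL row-level security looks like and how to confirm it is active, the following is an added example, not Mino's code or schema. The table `timeline_events`, its columns and the policy name `owner_only` are hypothetical; `auth.uid()` and the `authenticated` role are the ones Supabase provides, so the script assumes a Supabase project.

```sql
-- Hypothetical table for extracted timeline data (not Mino's actual schema).
create table if not exists public.timeline_events (
    id          bigint generated always as identity primary key,
    owner_id    uuid not null,   -- id of the user who owns the row
    event_date  date not null,
    description text not null
);

-- RLS is off on a new table until enabled. FORCE makes the policies apply
-- to the table owner as well; superusers and BYPASSRLS roles still skip them.
alter table public.timeline_events enable row level security;
alter table public.timeline_events force row level security;

-- USING filters the rows a statement can see or modify; WITH CHECK rejects
-- inserted or updated rows that would belong to another user.
create policy owner_only on public.timeline_events
    for all
    to authenticated
    using (owner_id = auth.uid())
    with check (owner_id = auth.uid());

-- Check 1: tables in the public schema where RLS is not enabled or not forced.
select c.relname as table_name,
       c.relrowsecurity as rls_enabled,
       c.relforcerowsecurity as rls_forced
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and not (c.relrowsecurity and c.relforcerowsecurity);

-- Check 2: tables with RLS enabled but no policy defined (default deny).
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relrowsecurity
  and not exists (select 1 from pg_policy p where p.polrelid = c.oid);

-- Check 3: roles for which policies are never evaluated.
select rolname, rolsuper, rolbypassrls
from pg_roles
where rolsuper or rolbypassrls;
```

An empty result from check 1 and a short, accounted-for list from check 3 are what a compliance review would want to see.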

What “No Training” Really Means

Consumer AI tools: Your inputs can improve the model. Some offer opt-outs, but the default often works against you.

Mino: We use Mistral’s commercial API, which contractually guarantees that customer data is never used for model training. Your case files stay yours. Not because you remembered to check a box, but because that’s how the system is built.

Authentication and Access Control

Default security:

  • Session-based authentication (you’re logged out when inactive)
  • Row-level database security on every query
  • Encrypted data in transit and at rest

Coming soon:

  • Two-factor authentication
  • Password-protected shareable links with expiration dates

The Technical Stack

For your IT team or compliance review:

| Component | Technology | Jurisdiction | Purpose |
| --- | --- | --- | --- |
| AI Models | Mistral (Large, embeddings) | EU (France) | Document processing, analysis |
| Database | PostgreSQL (via Supabase) | EU servers, SCCs in place | Structured data storage with RLS |
| Application | Vercel (serverless) | EU servers, SCCs in place | Application infrastructure |
| Auth | Supabase Auth | EU servers, SCCs in place | Authentication & session management |

Security features:

  • TLS 1.3 encryption in transit
  • AES-256 encryption at rest
  • Row-level security (RLS) on all database operations
  • OAuth 2.0 authentication
  • Automatic session expiration

Compliance

Current status:

  • GDPR compliant, EU data residency throughout
  • Mistral Data Processing Agreement in place
  • Standard DPA available upon request
  • Aligned with NOvA AI recommendations (Dutch Bar Association)
  • Aligned with CCBE guidance on confidentiality obligations for lawyers using GenAI

Roadmap:

  • ISO 27001 certification (2026)
  • SOC 2 Type II audit (2026)
  • Custom BAAs for healthcare/highly regulated firms

On-premise is always an option. Some firms can’t use cloud tools. Period. We built Mino so it can run entirely on your infrastructure if needed. Talk to us about air-gapped deployments.


Common Questions

Q: Is this the same as using ChatGPT with a business subscription? No. Even ChatGPT Enterprise routes through US infrastructure operated by a US company. We use Mistral, a European AI company subject to EU data protection law. Different company, different jurisdiction, different guarantees.

Q: Are all your infrastructure providers European companies? Not all. Our AI processing runs on Mistral, a French company fully subject to EU law and with no US Cloud Act exposure. Our database and application infrastructure use Supabase and Vercel, which are US-incorporated companies, but with EU data residency configured and Standard Contractual Clauses in place. For firms where full European corporate ownership is a hard requirement, we offer on-premise deployment.

Q: Why does it matter that Mistral is European? Because of the US Cloud Act. American companies, including Microsoft and Google, can be compelled to hand over data stored anywhere in the world. A European company processing data in Europe isn’t subject to that. For attorney-client privileged material, this is a meaningful difference.

Q: Can you see our documents? Only if you explicitly grant us access for support purposes (and we’ll ask first). Row-level security means our team can’t query your data without permission.

Q: What happens if Mino shuts down? You can export all your data (timelines, documents, metadata). No lock-in.

Q: Do you sell data to third parties? No. We’re not an ad business. We make money from subscriptions. Your data has zero value to us beyond making our agents work for you.

Q: Are Mistral’s models as capable as GPT-4? For the tasks our agents perform (document analysis, extraction, structured output), Mistral’s models perform excellently. We chose them because they offer the best combination of capability and data sovereignty. We test continuously and will always use the best model that meets our security requirements.

For procurement teams

Need specific documentation?

  • Data Processing Agreement (DPA)
  • Subprocessor list
  • Architecture diagrams
  • Mistral compliance documentation

Email security@mino.law with your requirements.

Still have questions?

Technical questions: security@mino.law
Enterprise deployments: sjors@mino.law
General inquiries: hello@mino.law