
Privacy-First Architecture

Legal professionals handle extremely sensitive information: client confidences, trade secrets, personal data, litigation strategy, and privileged communications. Traditional timeline tools and generic AI services weren’t built with this level of confidentiality in mind.

Thea was designed from the ground up with privacy as a core requirement, not an afterthought.

Thea runs on an entirely European technology stack. Every component that touches your data is hosted and operated within the EU.

Component            Provider        Location
-------------------  --------------  ----------------
AI Analysis          Mistral AI      France
Document OCR         Mistral AI      France
Database & Storage   Supabase        EU data centers
Embeddings           Azure OpenAI    EU endpoints
Backups              Supabase        EU jurisdiction

No US cloud. No transatlantic data transfers. Your documents are processed by Mistral AI — a French company subject to EU law — and stored in European data centers protected by GDPR.

We chose Mistral AI as our primary AI provider because:

  • European company — Mistral is headquartered in Paris, France. Unlike US-based providers, it operates under EU jurisdiction and is subject to European data protection law.
  • No data retention — Mistral’s enterprise API guarantees zero data retention. Your documents are processed in real-time and never stored on Mistral’s servers.
  • No model training — Your documents are never used to train or improve AI models. This is contractually guaranteed.
  • State-of-the-art performance — Mistral’s large language models deliver extraction quality on par with the best models available, without the privacy trade-offs.

Mistral powers both our document analysis (using mistral-large for complex legal extraction) and our document OCR (using mistral-ocr for converting PDFs, Word documents, and images into structured text).

All data stays in the EU

  • AI processing through Mistral AI (France)
  • Document OCR through Mistral AI (France)
  • Database hosted in European data centers (Supabase EU)
  • Embeddings processed on Azure OpenAI EU endpoints
  • Backups stored within EU jurisdiction

Why this matters: European data protection standards are among the strongest in the world. Your data never crosses borders to jurisdictions with weaker protections. Unlike tools built on US cloud infrastructure, Thea is not subject to the US CLOUD Act or other extraterritorial data access laws.

Multiple layers of protection

  • TLS 1.3 for data in transit
  • AES-256 encryption for data at rest
  • Encrypted backups with separate keys
  • Encrypted database storage

Why this matters: Even if systems were compromised, encrypted data is unreadable without keys.

Your documents remain yours

  • Never used to train or improve AI models
  • Never shared with AI providers for analysis
  • Processed in real-time, not stored by AI services
  • Contractual guarantees from Mistral AI’s enterprise API

Why this matters: Your confidential case information can’t leak into AI models that others might query.

We only collect what’s necessary

  • Email for account recovery
  • Display name (optional)
  • Documents you explicitly upload
  • Usage data for service operation only

No behavioral tracking, no marketing surveillance, no unnecessary data harvesting.

Full ownership and control

  • Export analyses anytime
  • Download documents anytime
  • Delete projects instantly
  • Delete account with complete data removal

Why this matters: You’re not locked in, and you can comply with client data requests.

Thea is built for GDPR compliance from the ground up — not retrofitted. Because our entire stack operates within the EU, there are no complex cross-border data transfer mechanisms (like Standard Contractual Clauses or adequacy decisions) to worry about.

  • Right to access (Art. 15) — Export all your data at any time
  • Right to rectification (Art. 16) — Edit your information
  • Right to erasure (Art. 17) — Delete your account and all associated data completely
  • Right to data portability (Art. 20) — Download in standard formats (PDF, Word)
  • Right to object (Art. 21) — Control how your data is processed
  • Right to restriction (Art. 18) — Request limited processing
  • Data Processing Agreement — Available for all clients
  • Data Protection Officer — Designated contact for privacy matters
  • Breach notification — 72-hour notification requirement (Art. 33)
  • Privacy by design — Built-in protections from the start (Art. 25)
  • Records of processing — Maintained as required by Art. 30
  • Data Protection Impact Assessment — Conducted for high-risk processing

A key advantage of Thea’s European stack: you don’t need to worry about the Schrems II ruling, which invalidated the EU-US Privacy Shield. Since all data processing occurs within the EU by EU-based providers, there are no transatlantic transfers that require additional safeguards.

  • Encrypted data transmission and storage
  • Secure authentication via Mino SSO
  • Isolated processing environments
  • Regular security audits
  • Automated vulnerability scanning
  • Intrusion detection systems
  • Employee confidentiality agreements
  • Principle of least privilege
  • Security awareness training
  • Incident response procedures
  • Vendor risk assessments
  • Regular security reviews
  • Authentication required for all access
  • Session management and timeouts
  • Support staff cannot access documents without permission
  • Audit logs of system access

Generic AI Services (ChatGPT, Claude, etc.)

  • ❌ May train on your inputs
  • ❌ Data processed in the US or across multiple jurisdictions
  • ❌ Terms of service designed for consumers, not legal professionals
  • ❌ No Data Processing Agreements
  • ❌ Subject to US CLOUD Act
  • ❌ No professional confidentiality obligations

Thea

  • ✅ Never trains on your documents
  • ✅ All processing in the EU (Mistral AI, France)
  • ✅ Terms designed for legal confidentiality requirements
  • ✅ DPA available
  • ✅ Not subject to US data access laws
  • ✅ Built for attorney-client privilege protection

Local files

  • ✅ Local control
  • ❌ No encryption at rest
  • ❌ Easy to accidentally share via email
  • ❌ No audit trails
  • ❌ Vulnerable to device theft/loss
  • ❌ No centralized security management

Thea

  • ✅ Encrypted storage and transmission
  • ✅ Controlled sharing (coming soon)
  • ✅ Complete version history and audit trails
  • ✅ Protected even if device is compromised
  • ✅ Cloud-based backup and disaster recovery

We carefully select our vendors with privacy and EU data residency in mind:

Mistral AI

  • French company, headquartered in Paris
  • Enterprise API with zero data retention
  • No model training on customer data
  • Contractual data protection guarantees
  • Subject to EU law and GDPR

Supabase

  • EU-hosted infrastructure
  • SOC 2 Type II certified
  • GDPR compliant
  • Open-source transparency

Azure OpenAI

  • EU endpoints with data residency
  • Microsoft Enterprise Agreement protections
  • No data retention for abuse monitoring
  • GDPR compliant

All vendors undergo security assessments and maintain compliance certifications.

Legal documents often contain attorney-client privileged information. Thea’s architecture respects this:

  • Documents isolated to your account
  • No cross-account data access
  • Staff cannot view without explicit permission
  • Audit trails of all access
  • Your documents are not reviewed by Thea staff
  • AI processing is automated and transient — Mistral does not retain your data
  • No human review of document contents
  • Support access requires your authorization

Law firms have ethical obligations to protect client confidences. Thea helps you meet these requirements:

  • Reasonable security measures (encryption, access controls)
  • Data breach notification capabilities
  • Vendor due diligence documentation
  • Compliance with bar association guidance
  • Full EU data residency simplifies compliance assessments
  • Clear terms of service explaining data use
  • Optional: Get client consent for cloud tool use
  • Ability to delete client data upon request
  • Transparent data handling practices

We believe in transparency about data handling:

  • Privacy policy — Clear explanation of data practices
  • Terms of service — Straightforward legal terms
  • Security documentation — Available upon request
  • Data flow diagrams — Enterprise clients can review our architecture
  • Compliance certifications — Happy to provide proof of compliance

In the unlikely event of a security incident:

  1. Immediate containment — Stop the threat
  2. Assessment — Determine scope and impact
  3. Notification — Inform affected users within 72 hours
  4. Remediation — Fix vulnerabilities
  5. Reporting — Notify authorities as required
  6. Prevention — Update procedures to prevent recurrence

To maintain security:

  • Strong passwords — Use unique, complex passwords
  • Secure devices — Keep your devices protected
  • Careful uploading — Only upload documents you have authority to share
  • Report issues — Alert us immediately to any concerns
  • Review access — Check who has access to your account

Need additional security measures?

  • Custom data retention policies
  • Dedicated encryption keys
  • Private deployment options
  • Enhanced audit logging
  • Custom Data Processing Agreements
  • Service Level Agreements (SLAs)
  • Dedicated support with response time guarantees

Contact us for enterprise security options →

Can Thea staff read my documents?

No. Your documents are stored encrypted and support staff cannot access them without your explicit permission. AI processing is fully automated via Mistral AI’s API — no humans are involved.

Are my documents used to train AI models?

No. Thea never uses your documents to train AI models. Mistral AI’s enterprise API contractually guarantees zero data retention and no model training on customer data.

Where is my data processed and stored?

All data is processed and stored within the European Union. AI analysis runs through Mistral AI (France), document storage is on Supabase (EU data centers), and embeddings are processed on Azure OpenAI EU endpoints. No data leaves the EU.

Is my data subject to the US CLOUD Act?

Because Thea’s core AI processing uses Mistral AI (a French company) and data is stored on EU infrastructure, your data is not subject to US extraterritorial data access laws like the CLOUD Act.

What happens to my data if Thea is acquired?

Your data remains yours. Any acquirer must honor existing privacy commitments, and you always retain the right to export or delete your data.

Can I use Thea for classified information?


Thea is designed for confidential business and legal information. For classified government information, please contact us to discuss specialized arrangements.

Do law firms use Thea?

Many law firms use Thea. We provide documentation for your IT and compliance teams to review. We’re happy to answer questions about security and compliance.

Privacy isn’t a checkbox for Thea — it’s foundational to everything we do. By building on a fully European AI stack with Mistral AI at its core, we ensure that your confidential legal information never leaves EU jurisdiction and is never used to train AI models. We understand the sacred trust legal professionals have with their clients, and we’ve built our platform to honor that trust.

Ready to experience privacy-first legal analysis?

Create your first analysis →