Published 9 Feb 2026

Security at Mino

By Maurits Fornier, Co-Founder

Your documents contain your clients’ most sensitive information. We built our infrastructure knowing that one data breach could end careers. Here’s exactly how we protect your work.

The Short Version

EU data residency throughout. Every document you upload is processed and stored on European infrastructure. Mistral (France) handles case law search and lighter reasoning. The heavier agents run on OpenAI models served through Azure’s EU deployments, so the data layer stays in European datacenters, with Standard Contractual Clauses in place across all providers.

No training, ever. Your documents and timelines are never used to train AI models. This isn’t a setting you have to toggle. It’s the default.

You control access. Row-level security in the database means every read and every write is checked against the identity of the authenticated user, by the database itself rather than only by application code.

On-premise option available. Need air-gapped systems? We can deploy Mino on your infrastructure. Talk to us about enterprise requirements.

How We Think About Sovereignty

Sovereignty isn’t a single switch. It’s layered: where the model was built, where the inference runs, and where the data lives. Each layer has its own trade-offs, and we make them deliberately rather than pretending they collapse into one decision.

Most legal AI companies use OpenAI or Anthropic models hosted through US cloud providers, and rely on EU data center marketing without addressing the US Cloud Act and FISA 702, which can compel disclosure of data stored abroad by US-incorporated companies.

We took a different path, and we’re transparent about exactly what it covers:

  • Mistral, a French AI company headquartered in Paris, runs Feitlijn (case law search) and Nina (lighter reasoning). EU company, EU law, EU infrastructure across all three layers.
  • Thea (litigation timelines) and Garry (heavy drafting work) run on OpenAI models served through Azure’s EU deployments. The model origin is American; the inference infrastructure and data residency are European.

We tried to run every agent on Mistral. We wrote in detail about why we didn’t: the European model is excellent, but the underlying capacity isn’t yet there for the long-running, high-throughput work Thea and Garry do. We’ll move those workloads back as soon as the European infrastructure can carry them. In the meantime we picked the configuration that keeps your data in Europe and the product reliable.

What you don’t get with Mino, on any agent: a US-incorporated company holding your case files on US-jurisdictional infrastructure.

Built for Professional Secrecy Obligations

Lawyers operate under strict confidentiality obligations. The NOvA (Dutch Bar Association) and the CCBE (Council of Bars and Law Societies of Europe) have both issued guidance on what responsible AI use requires in practice. Mino is built to meet these requirements by default.

The NOvA recommends that lawyers know where data is stored and processed, avoid entering confidential information into public AI tools, and verify vendor claims through actual contract terms rather than marketing promises. The CCBE guidance is clear: appropriate safeguards must include contractual obligations for the AI provider to treat data as confidential, a data processing agreement limiting use to law firm purposes, and technical safeguards or local deployment options.

Here is how Mino addresses each requirement:

Know where data is stored and processed. Mistral (France) for Feitlijn and Nina. OpenAI models on Azure’s EU deployments for Thea and Garry. All data stored on EU servers. Full subprocessor list available on request.

No confidential data in public AI tools. We use Mistral’s dedicated commercial API and Azure OpenAI’s enterprise endpoints. Your data never touches a public model or shared inference environment.

Verify claims in contract terms, not just marketing. Our Data Processing Agreement and subprocessor list are available on request. What you read here is backed by contracts, not FAQs.

Technical safeguards or local deployment. Row-level database security is active by default. On-premise deployment is available for firms that require air-gapped systems.

How It Actually Works

Where Your Data Lives

When you upload a document to one of our agents:

  1. AI processing happens in Europe. Feitlijn and Nina run on Mistral, a French company subject to GDPR natively rather than through a subsidiary or addendum bolted onto a US corporate structure. Thea and Garry run on OpenAI models hosted through Azure’s EU deployments: inference happens in European datacenters under European data protection terms, even though the model itself was trained by a US company.

  2. Data is stored and processed within the EU. From the moment you upload a document to the moment you see the output, your data remains on EU servers. All infrastructure providers have EU data residency configured and Standard Contractual Clauses in place.

  3. Database security. Extracted data (dates, parties, events) is stored in a PostgreSQL database with row-level security. Every single read/write operation checks: “Is this user allowed to see this specific piece of data?” The check is enforced by the database itself, not only by application code, so it happens automatically, behind the scenes.
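What a row-level-security setup of this shape looks like in PostgreSQL, as an added example that is not Mino’s schema or code. It assumes Supabase’s auth.uid() helper, which returns the authenticated user’s UUID from the request JWT; the table and column names (timeline_events, owner_id, support_grants) and the time-boxed support-grant model are hypothetical, sketched to match the “we’ll ask first” support access described in the FAQ below.

```sql
-- Added example, not Mino's schema. Assumes Supabase: auth.uid() returns the
-- caller's UUID from the request JWT, and "authenticated" is the role that
-- logged-in users connect as. Names below are hypothetical.

create table timeline_events (
  id          bigserial primary key,
  owner_id    uuid not null default auth.uid(),  -- row belongs to the uploader
  event_date  date not null,
  description text not null
);

-- Hypothetical model for support access: the client records an explicit,
-- time-boxed grant; staff see nothing until one exists.
create table support_grants (
  owner_id   uuid not null,
  staff_id   uuid not null,
  expires_at timestamptz not null,
  primary key (owner_id, staff_id)
);

-- Supabase still needs ordinary privileges; RLS then filters the rows.
grant select, insert, update, delete on timeline_events to authenticated;
grant select, insert, update, delete on support_grants  to authenticated;

-- Enable RLS and FORCE it, so even the table owner is subject to the policies.
-- With RLS enabled and no policies, every row is denied by default.
alter table timeline_events enable row level security;
alter table timeline_events force row level security;
alter table support_grants  enable row level security;
alter table support_grants  force row level security;

-- One policy per operation: the "is this user allowed to see/touch this row?"
-- check the post describes, evaluated on every statement.
create policy owner_select on timeline_events
  for select using (owner_id = auth.uid());

create policy owner_insert on timeline_events
  for insert with check (owner_id = auth.uid());   -- cannot insert as someone else

create policy owner_update on timeline_events
  for update using (owner_id = auth.uid())         -- which rows may be targeted
             with check (owner_id = auth.uid());   -- and what they may become

create policy owner_delete on timeline_events
  for delete using (owner_id = auth.uid());

-- Staff get read-only access to a client's rows while an unexpired grant exists.
-- The subquery runs with the caller's privileges, so RLS on support_grants
-- applies to it as well (hence grant_staff_select below).
create policy support_select on timeline_events
  for select using (
    exists (
      select 1
      from support_grants g
      where g.owner_id   = timeline_events.owner_id
        and g.staff_id   = auth.uid()
        and g.expires_at > now()
    )
  );

-- Only the client manages grants over their own data; staff may only read
-- the grants that name them, which is all the EXISTS above needs.
create policy grant_owner_all on support_grants
  for all using (owner_id = auth.uid()) with check (owner_id = auth.uid());

create policy grant_staff_select on support_grants
  for select using (staff_id = auth.uid());

-- Checks an auditor can run:
--   select policyname, cmd, qual, with_check
--   from pg_policies where tablename = 'timeline_events';
--   select relname, relrowsecurity, relforcerowsecurity
--   from pg_class where relname in ('timeline_events', 'support_grants');
```

Permissive policies on the same table are OR-ed together, so a row is visible when either owner_select or support_select passes. One caveat a reviewer should keep in mind: policies bind only roles without the BYPASSRLS attribute, so superuser connections and, on Supabase, anything using the service_role key skip them entirely. A statement that staff cannot query client data therefore rests on where that key is used, not on the policies alone; without FORCE, the table owner would be exempt as well.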

What “No Training” Really Means

Consumer AI tools: Your inputs can improve the model. Some offer opt-outs, but the default often works against you.

Mino: Both Mistral’s commercial API and Azure OpenAI’s enterprise endpoints contractually guarantee that customer data is never used for model training. Your case files stay yours, not because you remembered to check a box but because that’s how the system is built.

Authentication and Access Control

Default security:

  • Session-based authentication (you’re logged out when inactive)
  • Row-level database security on every query
  • Encrypted data in transit and at rest

Coming soon:

  • Two-factor authentication
  • Password-protected shareable links with expiration dates

The Technical Stack

For your IT team or compliance review:

| Component      | Technology                  | Jurisdiction                  | Purpose                                   |
|----------------|-----------------------------|-------------------------------|-------------------------------------------|
| AI Models (FR) | Mistral (Large, embeddings) | EU (France)                   | Feitlijn case law search, Nina assistance |
| AI Models (EU) | OpenAI via Azure OpenAI EU  | EU datacenters, SCCs in place | Thea timelines, Garry drafting            |
| Database       | PostgreSQL (via Supabase)   | EU servers, SCCs in place     | Structured data storage with RLS          |
| Application    | Vercel (serverless)         | EU servers, SCCs in place     | Application infrastructure                |
| Auth           | Supabase Auth               | EU servers, SCCs in place     | Authentication & session management       |

Security features:

  • TLS 1.3 encryption in transit
  • AES-256 encryption at rest
  • Row-level security (RLS) on all database operations
  • OAuth 2.0 authentication
  • Automatic session expiration

Compliance

Current status:

  • GDPR compliant, EU data residency throughout
  • Data Processing Agreements in place with Mistral and Microsoft (Azure OpenAI)
  • Standard DPA available upon request
  • Aligned with NOvA AI recommendations (Dutch Bar Association)
  • Aligned with CCBE guidance on confidentiality obligations for lawyers using GenAI

Roadmap:

  • ISO 27001 certification (2026)
  • SOC 2 Type II audit (2026)
  • Custom BAAs for healthcare/highly regulated firms

On-premise is always an option. Some firms can’t use cloud tools. Period. We built Mino so it can run entirely on your infrastructure if needed. Talk to us about air-gapped deployments.

Common Questions

Q: Is this the same as using ChatGPT with a business subscription? No. ChatGPT Enterprise routes through US infrastructure under OpenAI’s standard US-jurisdiction terms. Where Mino uses OpenAI models, we run them through Azure’s EU deployments under enterprise terms — inference and data residency stay in Europe, with no training on your data. Feitlijn and Nina go a step further: they run on Mistral, a European company fully outside US Cloud Act jurisdiction.

Q: Why did you move some workloads off Mistral? We didn’t move them off the European model out of preference; we moved the heavier ones because the European inference infrastructure couldn’t yet carry them reliably under real load. We’ve written about this in detail in Notes from trying to build Thea on European AI. We’ll move those workloads back as soon as that infrastructure catches up.

Q: Are all your infrastructure providers European companies? Not all. Mistral is a French company fully subject to EU law with no US Cloud Act exposure. Our other providers — Microsoft (Azure OpenAI), Supabase, Vercel — are US-incorporated, but with EU data residency configured and Standard Contractual Clauses in place. For firms where full European corporate ownership is a hard requirement, we offer on-premise deployment.

Q: Doesn’t using OpenAI through Azure expose us to the US Cloud Act? The Cloud Act is the honest residual risk in any setup that involves a US-incorporated provider, including Azure. We mitigate it by keeping inference and storage in EU datacenters, by contracting under Microsoft’s EU Data Boundary commitments, and by using providers whose enterprise terms prohibit training on customer data. Firms that need to eliminate this exposure entirely should ask us about on-premise deployment.

Q: Can you see our documents? Only if you explicitly grant us access for support purposes (and we’ll ask first). Row-level security means our team can’t query your data without permission.

Q: What happens if Mino shuts down? You can export all your data (timelines, documents, metadata). No lock-in.

Q: Do you sell data to third parties? No. We’re not an ad business. We make money from subscriptions. Your data has zero value to us beyond making our agents work for you.

Q: How do you decide which model runs which agent? By measuring. We benchmarked both stacks on real Mino workloads. Mistral handles Feitlijn’s case law search and Nina’s lighter reasoning excellently. For Thea’s long-running timeline extraction and Garry’s heavier drafting, OpenAI on Azure EU was both more reliable and substantially faster on the same input. We test continuously and will route each agent to whichever model best meets the quality, reliability, and sovereignty bar — and we’ll move work back to European models the moment that calculus changes.

For procurement teams

Need specific documentation?

  • Data Processing Agreement (DPA)
  • Subprocessor list
  • Architecture diagrams
  • Mistral and Azure OpenAI compliance documentation

Email security@mino.law with your requirements.

Still have questions?

Technical questions: security@mino.law
Enterprise deployments: sjors@mino.law
General inquiries: hello@mino.law