Legistify AI Architecture – FAQs

A detailed overview of the AI models, security architecture, data protection practices, and compliance controls powering Legistify’s AI features.

Written by Mansi Rana
Updated this week

1. Which foundation models are used in Legistify’s AI features?

Legistify uses foundation models available through AWS Bedrock. Currently supported models include:

  • Claude Opus 4.6

  • Claude Opus 4.5

  • Claude Haiku 4.5

  • Claude Sonnet 3

  • Claude Sonnet 3.5

  • Llama 3 – 8B Instruct

  • Llama 3 – 70B Instruct

These models are accessed via AWS Bedrock APIs and are deployed in the AWS Mumbai Region (ap-south-1).

Client data is not used to train, fine-tune, or improve any foundation models provided by AWS or third-party providers.


2. Is customer data stored when using AI features?

No. Customer data is not stored by the AI models or Bedrock service.

Prompts and responses are processed directly through AWS Bedrock APIs, without persistent storage by the model providers.

No indexing, vectorization, or embedding storage is performed as part of the AI request flow.


3. What AWS services are used to process AI requests?

AI requests are processed using:

  • AWS Bedrock for model inference and AI processing

Uploaded documents or files may be stored in Amazon S3, which is encrypted and secured within Legistify’s AWS infrastructure.


4. How is data encrypted when using AI features?

Legistify enforces encryption at multiple levels.

Data in transit

  • Encrypted using TLS 1.2+

Data at rest

  • Protected using AWS KMS encryption (SSE-KMS) for storage systems such as Amazon S3 and logs.

Access to encryption keys is governed by least-privilege IAM policies, and Bedrock access is managed through controlled IAM users.


5. How does Legistify handle PII and sensitive data?

Legistify uses Amazon Bedrock Guardrails to detect and manage sensitive information.

Guardrails use machine learning to identify sensitive data such as:

  • Names

  • Addresses

  • Email IDs

  • Financial identifiers

Guardrails can be configured in two modes:

Block Mode

  • Stops AI requests containing sensitive information.

Mask Mode

  • Automatically anonymizes or redacts PII by replacing it with tags such as {NAME}.

This ensures sensitive data is protected during AI processing.
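
The two modes correspond to the BLOCK and ANONYMIZE actions that a Bedrock Guardrails sensitive-information policy sets per PII entity type. The following is an added example, not Legistify's own code or configuration: a small audit that reports which mode applies to each entity type and which types are left uncovered. The mapping from the categories above to Bedrock entity types and the sample policy are assumptions made for illustration.

```python
# Added example: audit a Bedrock Guardrails PII policy written in the shape of
# the sensitiveInformationPolicyConfig block of a create_guardrail request.
# The category mapping and the sample policy are assumptions, not Legistify's config.

# FAQ categories mapped to Bedrock Guardrails PII entity types (assumed mapping).
REQUIRED = {
    "Names": ["NAME"],
    "Addresses": ["ADDRESS"],
    "Email IDs": ["EMAIL"],
    "Financial identifiers": ["CREDIT_DEBIT_CARD_NUMBER",
                              "INTERNATIONAL_BANK_ACCOUNT_NUMBER",
                              "SWIFT_CODE"],
}
ENFORCING = {"BLOCK": "block", "ANONYMIZE": "mask"}  # Block Mode / Mask Mode


def audit_pii_policy(policy):
    """Return (modes, gaps): mode per covered entity type, and uncovered types."""
    configured = {e.get("type"): e.get("action")
                  for e in policy.get("piiEntitiesConfig", [])}
    modes, gaps = {}, []
    for category, types in REQUIRED.items():
        for pii_type in types:
            action = configured.get(pii_type)
            if action in ENFORCING:
                modes[pii_type] = ENFORCING[action]
            else:
                # Entity type missing, or present without an enforcing action.
                gaps.append((category, pii_type, action))
    return modes, gaps


# Constructed sample policy: masks contact details, blocks card numbers,
# and leaves two financial identifier types unconfigured.
SAMPLE_POLICY = {
    "piiEntitiesConfig": [
        {"type": "NAME", "action": "ANONYMIZE"},
        {"type": "ADDRESS", "action": "ANONYMIZE"},
        {"type": "EMAIL", "action": "ANONYMIZE"},
        {"type": "CREDIT_DEBIT_CARD_NUMBER", "action": "BLOCK"},
    ]
}

if __name__ == "__main__":
    modes, gaps = audit_pii_policy(SAMPLE_POLICY)
    for pii_type, mode in sorted(modes.items()):
        print(f"{pii_type}: {mode}")
    for category, pii_type, action in gaps:
        print(f"GAP {category} / {pii_type}: action={action}")
```
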


6. Is customer data used to train AI models?

No.

Customer prompts, uploaded files, and AI outputs are never used to train, fine-tune, or improve AWS or third-party models.

AWS Bedrock also does not store, retain, or reuse inference data.


7. Does AWS Bedrock retain prompts or outputs?

No.

AWS Bedrock operates on a stateless inference model, meaning prompts and outputs are processed only for the duration of the request.

AWS guarantees that:

  • Prompts are not stored

  • Outputs are not retained

  • Data is not reused by the service


8. Can model providers access customer data?

No.

Model providers cannot access:

  • Customer data

  • Deployed inference environments

  • API invocation flows

  • Logs generated within the Legistify infrastructure

All interactions occur within Legistify’s AWS account environment.


9. Which AWS region is used for AI processing?

All AI processing occurs in:

AWS Region: Mumbai, India (ap-south-1)

No AI processing occurs outside India.


10. How are logs and monitoring handled?

Legistify maintains detailed monitoring and logging using:

  • AWS CloudTrail

  • AWS CloudWatch

  • ELK Stack

These logs capture:

  • Application activity logs

  • Model invocation logs

  • API request logs

Security controls ensure that sensitive data or PII is not captured in logs.

Log retention practices:

  • User activity logs: retained for over 1 year

  • Technical infrastructure logs: typically retained for 15 days in monitoring environments such as CloudWatch.


11. How is access to AI services controlled?

Access to AI resources is governed through Role-Based Access Control (RBAC) using AWS IAM.

Security practices include:

  • Least-privilege access policies

  • IAM guardrails for AI resources

  • Controlled access to Bedrock APIs and infrastructure


12. What security certifications does Legistify maintain?

Legistify complies with internationally recognized security standards including:

  • SOC 2 Type II

  • ISO/IEC 27001

These certifications apply to the infrastructure and services used by the platform.


13. How long is customer data retained?

Customer data is typically retained for up to 7 years to comply with legal and tax requirements.

Customers can request deletion of their data at any time.

Upon contract termination or a verified deletion request, Legistify performs a hard deletion of the organization's data.

Deletion timelines are communicated upon request.

In certain cases, cryptographic erasure may be performed by deleting associated AWS KMS encryption keys.


14. How are uploaded files handled and secured?

Uploaded files are stored in Amazon S3 and protected with encryption at rest.

Security measures include:

  • Logical segregation of files using customer unique IDs

  • SSE-KMS encryption

  • Controlled access through IAM policies

Bedrock Guardrails also scan content derived from uploaded files to detect:

  • PII

  • Harmful content

  • Policy violations

Upon contract termination or a verified deletion request, files are permanently deleted from production systems and backups.


Supporting Documentation

AWS Bedrock Guardrails – Sensitive Information Filters
https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-sensitive-filters.html
