Security
Privileged material
never leaves the EU.
clerk& is built for material you can't afford to mishandle. A barrister's practice and a clerk's room hold client confidences, settlement positions, fee data, and privileged correspondence. We treat that seriously, in architecture rather than in marketing.
Principles
What we promise, and how it works
EU-only processing
Matter content is stored in Dublin (database, files) and Belgium (audio bucket for the transcription pipeline). AI runs in Belgium on Google Vertex AI (Gemini), co-located with the audio bucket. Hosting and analytics also sit in EU regions. Vertex AI is the sole AI processor — there is no fallback provider. Onward transfers are governed by 2021 Standard Contractual Clauses.
Encryption everywhere
TLS 1.3 in transit. AES-256 at rest. Encrypted backups in the same EU region.
Your data is your data
Your dictations, briefs, fee notes, and matters are never used to train AI models. Not by us, not by Google. Contractually guaranteed.
Row-level access control
Every database query is gated by authentication. Postgres row-level security enforces workspace-scoped permissions on every read and write.
DPA on request
Article 28 GDPR Data Processing Agreement, signed and returned within 48 hours of request. Standard Contractual Clauses where required.
72-hour breach notification
In line with Article 33 GDPR, we notify the Data Protection Commission within 72 hours of any breach likely to result in risk to your rights.
Infrastructure
Where your data actually lives
No surprises. No vague “in the cloud.” These are the systems and the regions.
Application hosting
- Processing region
- Dublin
- Processor
- Vercel, Inc.
- Corporate domicile
- Delaware, USA
Database, storage, auth, backend
- Processing region
- AWS Dublin (eu-west-1)
- Processor
- Supabase, Inc.
- Corporate domicile
- Delaware, USA
All AI (transcription, drafting, classification, vision)
- Processing region
- Belgium (Vertex AI Gemini, audio bucket)
- Processor
- Google LLC
- Corporate domicile
- California, USA
Subscription billing
- Processing region
- Ireland
- Processor
- Stripe Payments Europe Ltd.
- Corporate domicile
- Ireland
Opt-in analytics
- Processing region
- AWS Frankfurt (eu-central-1)
- Processor
- PostHog, Inc.
- Corporate domicile
- Delaware, USA
All processors operate under Article 28 GDPR Data Processing Agreements with Leeside Labs Limited and 2021 Standard Contractual Clauses (Module 2) for any onward transfer. Your matter content is processed only by Supabase (database and file storage, Dublin), Google Cloud Storage (audio bucket, Belgium), and Google Vertex AI (Gemini, Belgium). It is not sent to Stripe, PostHog, or any analytics, marketing, or advertising processor.
Most of these processors are US-incorporated; Stripe contracts via its Irish entity SPEL. We rely on 2021 SCCs and supplementary measures — encryption, per-tenant access controls, no AI training on your content — to address the residual US CLOUD Act exposure that follows from US incorporation. See our privacy policy for the full transfer analysis.
GDPR
Your rights, applied
You can exercise all GDPR rights — access, rectification, erasure, portability, restriction, objection — from inside the application or by emailing hello@clerkand.com. We respond to all requests within one month, as required by Article 12 GDPR.
Controller / processor split. clerk&is the controller for your account, billing, and analytics data. For client and case material you process through clerk&, you remain the controller; clerk& is the processor and acts on your instructions.
Cookies. No tracking cookies on the marketing site. Inside the app, analytics is strictly opt-in.
Put your AI clerk to work.
Free 14-day trial. No credit card. Five-minute setup. Whether you’re a sole practitioner or running a busy clerk’s room, clerk& earns its keep on the first fee note.