Editorial notice: vettedaiagents.com is an independent editorial directory. Not affiliated with, endorsed by, or sponsored by any vendor named on this site. Vetting is editorial, not compliance certification. Verify all claims directly with vendors before purchasing. Vetting last reviewed April 2026
Compliance snapshot, reviewed July 2026

Is Harvey SOC 2 compliant? Yes, plus ISO 27001, ISO 27701 and ISO 42001.

Harvey completes an annual SOC 2 Type II audit and holds ISO 27001, both audited by Schellman, plus ISO 27701 for privacy and ISO 42001 (the AI management standard, certified June 2026). It covers GDPR and CCPA, publishes a DPA, and by default does not train its models on customer data. Harvey passes all seven criteria on this site, scoring 7 of 7.

SOC 2 Type II
Yes (Schellman)
ISO 27001 / 27701
Yes (Schellman)
ISO 42001 (AI)
Yes (Jun 2026)
Trains on your data
No, by default

Source: trust.harvey.ai and harvey.ai/security. Editorial vetting, not a compliance certification; verify directly before purchase.

Data protection for legal teams: training, residency, GDPR

Harvey data handling, residency and GDPR, in detail

Does Harvey train its AI models on my firm's data?

No, not by default. Harvey states it contractually prohibits its model providers from training on customer data and uses your data only to process your requests, not for model improvement. Training on a firm's data happens only if the firm explicitly requests it, in which case a bespoke model is created exclusively for that firm and is not used to train models for other customers.

Does Harvey offer EU data residency?

Yes. Harvey offers in-region data residency, with processing available in the EU and Switzerland, the US, and Australia. This lets multinational firms keep matter data inside a required region rather than relying only on transfer mechanisms. Confirm the specific region and configuration directly with Harvey before purchase.

Does Harvey offer a DPA and is it GDPR compliant?

Yes. Harvey publishes a Data Processing Addendum and a Security Addendum carrying binding terms on data protection, data access, and incident response SLAs, and states it covers GDPR and CCPA. The DPA and data transfer terms are on Harvey's legal pages.

What AI governance certification does Harvey hold?

Harvey announced ISO/IEC 42001:2023, the AI management system standard, in June 2026. ISO 42001 covers AI risk management, transparency, accountability, human oversight, and continuous monitoring, and complements Harvey's ISO 27001 (security) and ISO 27701 (privacy) certifications for regulated legal procurement.

Sources: harvey.ai/security, ISO 42001 announcement, harvey.ai/legal/data-processing-addendum. Editorial vetting, not a compliance certification; verify directly before purchase.

H

Harvey

7/7 criteria
Legal
Vetting last reviewed July 2026

7-Criterion Scorecard

Security Certifications
Public Reference Customers
Pricing Transparency
Data Residency + Training Opt-Out
Outcome Accountability
Time in Market
Team Composition

Security Certifications

Source: trust.harvey.ai

Public Reference Customers

Pricing Transparency

Contact sales

Model: Custom enterprise

www.harvey.ai/contact-sales

Data Residency and Training Opt-Out

Regions: US, EU, Switzerland, Australia

Training opt-out: Yes, available

Retention: Per DPA

www.harvey.ai/security

Outcome Accountability

Model: Task accuracy benchmarks

Published legal task accuracy benchmarks with methodology (BigLaw Bench, vendor-claimed)

www.harvey.ai/blog/introducing-biglaw-bench

Time in Market

Founded: 2022

Public launch: 2023

Customers (min triangulated): 200+

Team Composition

Founders: Winston Weinberg, Gabriel Pereyra

www.harvey.ai/company

For detailed pricing and comparison data for Legal vendors, see Agentic Contract Review.

Vendor at a Glance
Harvey
Score7 of 7
VerticalLegal
Founded2022
PricingContact sales
ISO 42001Yes
SOC 2Yes
ReviewedJuly 2026
Editorial vetting, not compliance certification. Verify before purchase.