
Encryption at Rest

Encryption at rest refers to the protection of stored data through cryptographic encoding, so that files, databases, and backups on storage media are unreadable without the appropriate decryption key — a baseline security control required for legal AI tools handling confidential client information.

Last reviewed: 2026/05/19

Frequently Asked Questions

Q1: What is the difference between encryption at rest and encryption in transit?

Encryption at rest protects data stored on servers and storage media. Encryption in transit (TLS/SSL) protects data as it moves between systems — from your browser or application to the vendor's servers, and between the vendor's servers internally. Both are required: a system with only one type of encryption has a significant gap. Standard legal AI tools implement both.

Q2: What does AES-256 mean, and is it strong enough?

AES (Advanced Encryption Standard) with a 256-bit key is the current industry-standard encryption algorithm, endorsed by the US government for protecting classified information. It is considered computationally infeasible to break with current technology. AES-256 is the appropriate standard for protecting confidential legal matter data.

Q3: Does encryption at rest protect data from the vendor itself?

Not if the vendor manages the encryption keys, because the vendor can use its key management system to decrypt the data. Customer-managed keys provide stronger isolation — the vendor's infrastructure stores and processes encrypted data, and the firm holds the key required to decrypt it. For matters requiring protection even from the vendor, customer-managed keys or on-premises deployment are the relevant options.

Related Concepts

Security

SOC 2 (for Legal AI)

SOC 2 (Service Organization Control 2) is an independent audit framework that evaluates a service provider's security, availability, processing integrity, confidentiality, and privacy controls — commonly cited by legal AI vendors as evidence of their data security practices.

Security

Confidentiality (Legal AI Context)

In the legal AI context, confidentiality refers to the obligation of lawyers and legal AI vendors to protect client information from unauthorized disclosure, and to the technical and contractual measures that implement that protection when client data is processed by AI systems.

Security

Audit Log

An audit log is a chronological, tamper-evident record of system activities — including user logins, document accesses, queries, and configuration changes — that enables security monitoring, compliance verification, and investigation of incidents in legal AI environments.

Security

Zero Retention

Zero retention is a data handling policy under which an AI tool vendor does not store or retain any client-submitted content after the active processing session ends, ensuring that confidential information is not persisted on the vendor's servers.

Related Tools

  • Harvey AI

    The most expensive legal AI in the market — Am Law 100 firms only.

  • Clio

    Practice management for 150K+ lawyers with native Manage AI for admin automation.

  • Everlaw

    Cloud eDiscovery with AI predictive coding and document summarization.

  • Paxton AI

    Purpose-built US legal AI covering research, drafting, and compliance.

Related Reading

  • How We Score Legal AI Tools: The 5-Dimension Methodology

Last reviewed: 2026/05/19. Definitions are written by the LawyerAI Editorial team. We do not accept affiliate commissions; Featured placement is clearly labeled and does not influence editorial content.


Definition

Encryption at rest protects client data in the event of physical theft of storage media, unauthorized server access, or cloud infrastructure breach. Without it, an attacker who obtains access to the physical or logical storage layer could read client documents, queries, and other sensitive legal matter data in plaintext.

Why It Matters for Lawyers

For lawyers evaluating legal AI tools under their professional confidentiality obligations, encryption at rest is a baseline security requirement — a minimum expectation for any cloud tool handling confidential client information. Most state bar ethics opinions addressing cloud computing for lawyers implicitly require adequate security measures that include encryption.

Encryption at rest is typically implemented using AES-256, which is the current industry standard. Tools should also encrypt data in transit (using TLS) — both protections together address the primary data exposure risks in cloud environments.

The presence of encryption at rest does not, by itself, mean a tool is adequately secure. Key management practices matter: who controls the encryption keys, whether the vendor could access plaintext data on request or under government compulsion, and whether keys are rotated regularly. Customer-managed encryption keys (where the law firm holds the key, not the vendor) provide a stronger control than vendor-managed keys.

How AI Tools Handle It

Encryption at rest using AES-256 is standard across major enterprise legal AI platforms. Harvey AI, Clio, Everlaw, and Relativity AI all implement AES-256 encryption at rest as part of their baseline security infrastructure. This is documented in their security pages and confirmed in SOC 2 reports.

The key management dimension is where providers differ. Most vendors use vendor-managed keys, which means the vendor's key management system can decrypt data. This is generally adequate for commercial legal practice but may be insufficient for the most sensitive matters. Some enterprise tools offer customer-managed key (CMK) options, where the law firm controls the encryption key and the vendor technically cannot access plaintext data without the firm's key.

For firms reviewing vendor security documentation, look for:

  • the encryption algorithm used (AES-256 is standard);
  • the key management approach (vendor-managed vs. customer-managed);
  • encryption coverage (data at rest, data in transit, and backups);
  • whether the SOC 2 report confirms these controls are operating effectively.

Encryption at rest is a threshold requirement, not a differentiator. Its absence from a vendor's security posture is a disqualifying factor; its presence is necessary but not sufficient for a complete security assessment.