# Security — How Niyam Protects Your Legal Work

> Legal confidentiality is a professional obligation. We build Niyam's security posture around that principle: your queries, documents, and matters are not for anyone else's eyes.

## How we think about security

Legal work is confidential by nature. An advocate's brief, an in-house counsel's risk analysis, a researcher's matter notes — these are privileged in professional terms and often in legal ones as well. Confidentiality is not a preference for legal professionals; it is a professional obligation. We do not treat security as a compliance checkbox; we treat it as a condition of being trustworthy enough to be used by legal professionals.

We do not hold certifications such as SOC 2 or ISO 27001 at this time. We are honest about that. What we commit to is building and operating Niyam with security controls appropriate to a service that handles sensitive professional work, and being transparent about where we are, what we have implemented, and where we are investing next.

Security is not a fixed state — it is a practice. We review and improve our controls as the product grows, as our understanding of the threat landscape evolves, and as we onboard users whose work demands higher assurance.

## Data confidentiality

Your work product is private. The queries you run, the documents you upload, the research you conduct, and the drafts you generate are not shared with other users, not sold to third parties, and not used to train public AI models.

We operate on a strict principle: your client's matters are your matters, not ours. Niyam processes your data to deliver the service you requested and for no other purpose.

## Encryption

Data in transit between your browser and Niyam's servers is encrypted using TLS (Transport Layer Security). Data at rest is encrypted using industry-standard encryption. We do not transmit or store credentials in plain text.

Passwords are not stored as readable text — they are kept as salted, hashed values, so that even we cannot read your password. Encryption keys are managed through our infrastructure provider's key-management facilities rather than being hard-coded into the application, and access to them is restricted on the same least-privilege basis as the rest of production.

## Access controls

Access to production systems and user data within our team is restricted to personnel who need it to operate and support the service. We use role-based access controls internally. Administrative access to production infrastructure is logged.

Your account is protected by the authentication mechanism you configure. We support secure credential handling and encourage the use of strong, unique passwords.

## Infrastructure

Niyam runs on cloud infrastructure with established security practices. We follow the principle of least privilege for service accounts and API keys. Secrets are managed through environment-level configuration, not hard-coded in source.

We monitor our systems for anomalous activity and maintain the ability to respond to incidents. In the event of a breach affecting user data, we are committed to notifying affected users promptly.

## AI model and data pipeline

The AI models Niyam uses do not train on your inputs. Your queries and documents are used to generate your responses and are not retained for model training purposes, whether by us or by the underlying model providers we work with.

We apply contractual and technical controls to ensure that data passed to AI model providers for inference is handled in accordance with our confidentiality commitments.

## Data retention and deletion

We retain your data for as long as your account is active and as needed to provide the service — your matters, drafts, and saved research stay available to you until you remove them or close your account. We do not keep your work product longer than we have a reason to.

You can delete individual matters, documents, and queries from within the product. If you close your account, we delete or de-identify the associated work product within a reasonable period, subject to any narrow retention required to meet a legal or accounting obligation. Where law requires us to retain certain records, we retain the minimum necessary and nothing more.

If you have a specific deletion or data-export request, write to us at hello@niyam.ai and we will action it. Our full treatment of personal data is set out in the Privacy Policy and, for organisations, the Data Processing Agreement.

## Sub-processors and third parties

Niyam does not operate every layer of its stack alone. We rely on reputable cloud infrastructure providers to host the service and on AI model providers to perform inference. We share with them only the data necessary to deliver the capability you asked for, and we work to ensure that data passed for inference is not retained by those providers to train their models.

We bind the third parties we rely on to confidentiality through contractual and, where available, technical controls. We follow the principle of least data: a provider sees only what it needs to do its job, and no more. We do not sell your data to anyone, and we do not introduce advertising or data-broker relationships into a product that handles privileged legal work.

## Account security is shared

Security is a shared responsibility. We are responsible for protecting the service and the data within it; you are responsible for protecting access to your account. Use a strong, unique password, keep your credentials private, and do not share a single login across people who should have separate accounts.

If you believe your account has been accessed without authorisation, contact us immediately at hello@niyam.ai so we can help you secure it. For organisations onboarding a team, write to us about access management for multiple users.

## Backups and availability

We back up the data that runs the service so that your matters, drafts, and saved research survive ordinary hardware and software failures. Backups are protected with the same confidentiality posture as live data — encrypted, access-restricted, and not used for any purpose other than recovery.

We aim to keep Niyam available when you need it and to recover quickly when something breaks, but we are honest that no online service is available every second of every day. We do not publish a formal uptime guarantee we cannot yet stand behind. What we commit to instead is monitoring the service, responding to outages with urgency, and being straight with you about status rather than hiding behind a status page that says everything is fine when it is not.

## Privilege and your professional obligations

Lawyers carry their own duty of confidentiality to their clients, and that duty does not transfer to a vendor. Whatever tool you use — a cloud document store, an email provider, or Niyam — the professional judgment about whether it meets your obligations remains yours. We build to support that judgment, not to ask you to suspend it.

That is why our commitments are concrete rather than decorative: your work product is private, it is not sold, it is not used to train public models, and it is handled as your client's confidential matter. If your practice or your client imposes specific requirements, tell us — we would rather understand your constraints than have you guess at ours.

## Vulnerability disclosure

If you believe you have found a security vulnerability in Niyam, please report it to us at hello@niyam.ai. We will acknowledge receipt, investigate, and work to remediate confirmed vulnerabilities promptly. We ask that you give us reasonable time to respond before public disclosure.

## What we are working toward

We are a product in active development. Our security posture grows as the service grows. Areas we are actively investing in include: formal security review of our infrastructure, expanded logging and anomaly detection, and structured incident response procedures.

We will update this page as our security programme matures. If you have specific security requirements for your organisation's use of Niyam, write to us at hello@niyam.ai.

## Frequently asked questions

**Q: Is Niyam SOC 2 or ISO 27001 certified?**

Not at this time; we do not currently hold formal certifications. We operate with security controls appropriate to a service handling sensitive professional data and are transparent about our current posture.

**Q: Is my data used to train AI models?**

No. Your queries, documents, and work product are not used to train public AI models, either by Niyam or by the underlying model providers we work with.

**Q: How do I report a security vulnerability?**

Email us at hello@niyam.ai with details of the issue. We will acknowledge promptly and work to remediate confirmed vulnerabilities.

**Q: Is data encrypted?**

Yes. Data in transit is encrypted using TLS. Data at rest is encrypted using industry-standard encryption.

Security enquiries: hello@niyam.ai

https://niyam.ai/security
