Your Client Data Stays Protected
Built-in security that protects privileged communications without requiring an IT department.
How We Protect Your Data
Everything Is Encrypted
Before upload:
- Files are encrypted on your device before they even leave your browser
- Encrypted files are uploaded to secure storage
- No one can read your files without your organization's unique key
1. Your Organization's Key
- Every law firm gets a unique 256-bit encryption key
- Your files can only be read with your key
- Other firms cannot access your data (mathematically impossible)
2. Master Key Protection
- Your organization key is protected by Azure Key Vault
- Stored in hardware security modules (bank-level security)
- Never accessible in plain text
3. Content Encryption
- All documents encrypted with AES-256
- All conversations encrypted
- All case notes encrypted
- Even file names are encrypted
What this means: If someone breaks into our database, they see encrypted gibberish. No key = no access to your data.
Grella Never Sees Your Data in the Clear
Secure Enclaves Protect Your Content
- Your encrypted document stays encrypted during upload
- When you ask a question, the file enters a secure hardware enclave (TEE)
- Content is decrypted only inside this locked-down environment
- Even Grella staff cannot see inside the enclave
- Response is encrypted before leaving the secure environment
What's a TEE? Think of it as a locked safe inside a locked room. Processing happens inside the safe. No one outside can see what's happening inside (not us, not cloud providers, not anyone).
This protection is built in. Every Grella customer gets secure enclave processing.
How AI Processing Works
AI Providers See Your Content During Processing
Here's what happens:
- Content decrypted inside our secure enclave (Grella can't see it)
- Sent to AI provider API (OpenAI, Anthropic, Google)
- AI provider processes your content to generate response
- Response returned to our enclave
- Encrypted before storing
Is this a problem? For most law firms, no. AI providers use enterprise APIs with contractual protections against training on your data. This is significantly more secure than consumer ChatGPT where attorneys upload files individually.
What you get
- Encrypted storage (files at rest protected)
- Encrypted transit (files protected during upload)
- Secure enclaves (Grella staff can't access content)
- Enterprise API contracts (no training on your data)
- AI providers see content during processing (required for AI to work)
For Those Who Really Want Security on the Next Level
GPU TEE (Zero-Knowledge AI)
Want AI that never sees your content? You can upgrade to hardware-isolated GPU processing.
Included with Grella:
- AI providers (OpenAI, Anthropic, Google) receive your content
- They process it on their servers
- You trust their enterprise contracts
GPU TEE upgrade:
- ✓AI runs inside secure GPU hardware (AMD SEV-SNP or NVIDIA H100 with TEE)
- ✓Content never leaves the secure enclave
- ✓AI providers never receive your content
- ✓Even we can't see what the AI is processing
When you need this:
- Government or classified work
- Matters where even AI provider access is unacceptable
- Regulatory frameworks that prohibit third-party processing
- Your firm's security policy requires zero-knowledge AI
Trade-offs:
- Higher cost (dedicated secure GPU infrastructure)
- Potentially slower responses (specialized hardware)
- Limited to specific AI models that support TEE
Most firms don't need this. The included security is strong enough for privileged legal work.
Compare: Who Sees Your Content
| Setup | AI Provider Access | Grella Staff Access | Other Firms Access |
|---|---|---|---|
| Consumer ChatGPT | Yes (full access) | N/A | N/A |
| ChatGPT Enterprise | Yes (enterprise API) | N/A | N/A |
| Grella (included) | Yes (enterprise API) | No (TEE blocks us) | No (encrypted) |
| Grella + GPU TEE | No (hardware isolated) | No (TEE blocks us) | No (encrypted) |
Files Encrypted Before Upload
Even before your files reach our servers:
- Encryption happens in your browser
- Files are encrypted before upload to storage
- Storage providers (CDN, file servers) only see encrypted files
- Files stay encrypted until needed for processing
- Decrypted only when AI needs to process them (inside secure environment)
Why this matters: Even the upload process is protected. Your files are never sent in plain text to storage.
Who Can See Your Data
With Included Security:
With Optional GPU TEE:
Dedicated Infrastructure
Want even more isolation? You can also upgrade to dedicated infrastructure:
Dedicated database:
- Your data on separate servers
- No resource sharing with other firms
- Custom backup schedules
Dedicated secure enclaves:
- Your own TEE instances
- Guaranteed compute resources
- Private deployment options
When you might need this:
- Government contracts requiring physical separation
- Very large case volumes needing dedicated resources
- Compliance frameworks requiring single-tenant systems
Access Controls
Who Sees What
7 permission levels:
- • Owner (managing partner sees everything)
- • Admin (manages users and billing)
- • Partner (broad access to cases)
- • Associate (standard attorney access)
- • Paralegal (limited access)
- • Guest (external counsel, read only)
Per-case controls:
- • Choose exactly who can view each case
- • Set permissions: view, edit, delete, invite
- • Share individual conversations with specific team members
Audit Logs
Complete history of who did what:
- Who accessed which case
- When documents were uploaded
- Who shared conversations
- What files were viewed
Why this matters: If a client or regulator asks "who saw this case?", you have complete records.
Login Security
No passwords to manage:
- Magic link login (click email link to sign in)
- Enterprise single sign-on (SAML, OAuth)
- No passwords means no password theft
Session security:
- Secure cookies (can't be stolen by other websites)
- Automatic session refresh
- Logout from all devices option
What We Don't Do
Your Data, Your Control
You can always:
- Export all your data (standard formats)
- Delete your data permanently
- See audit logs for your firm
- Cancel and remove everything
No vendor lock-in. If Grella doesn't work for you, take your data and go. We don't hold it hostage.
Infrastructure
Where your data lives:
- Microsoft Azure (SOC 2, ISO 27001 certified)
- Hardware security in Azure Key Vault
- Secure enclaves with AMD SEV technology
- Encrypted backups with geo-redundancy
- 99.9% uptime commitment
With optional GPU TEE:
- Dedicated secure GPU hardware (AMD SEV-SNP or NVIDIA H100)
- Content never leaves hardware enclave
- Additional isolation and verification
If Something Goes Wrong
Our incident response:
- Investigate and contain immediately
- Notify affected firms within 24 hours
- Fix the issue
- Transparent report on what happened
Contact for security issues: security@grella.ai
Questions About GPU TEE?
Most firms don't need GPU TEE. The included security provides strong protection with enterprise AI APIs and encrypted storage.
Consider GPU TEE if:
- You handle government or classified matters
- Your clients explicitly require zero-knowledge processing
- Regulatory frameworks prohibit AI provider access
- Your firm's security policy demands hardware isolation
Talk to us: security@grella.ai
The Simple Version
Your files are encrypted before upload. They stay encrypted in storage. Grella staff can't access them. When AI processes your content, it's sent to AI providers (OpenAI, Anthropic, Google) using enterprise APIs with contractual protections. Much more secure than consumer ChatGPT.
Want AI that never sees your content? You can optionally upgrade to GPU TEE where AI processing happens in hardware-isolated environments. True zero-knowledge processing. Most firms don't need this, but it's available if your work requires it.
That's it. Security without complexity.
Stop Wasting Hours on Documents
Upload once, AI remembers forever, with verified citations every time.