Security
Judgment-gated AI for firms that need control.
AI can move legal work faster without removing the firm's control. FlowCounsel keeps review boundaries explicit, firm context separated, and work history inspectable across both Growth and Matters.
In Growth, that means approved creative, compliance review, and bounded optimization. In Matters, that means review queues, approval states, provenance, and role-based workflow.
Control model
The product should make control legible without a policy interpreter.
Attorney review is the default boundary before external effect.
Campaign, document, and communication changes stay attached to visible history.
Firm-scoped settings and review state matter more than generic “AI” claims.
Bounded optimization is acceptable. Unreviewed autonomy is not.
Records-governance work is now explicit in both Growth and Matters planning.
Review is part of the system, not an optional step.
Governance principles
Governance is a workflow behavior, not a policy slogan.
The right trust model for legal AI is not “trust us.” It is explicit review, visible history, firm-scoped context, and configurable boundaries around where the system is allowed to act.
Judgment-gated
Attorney review is the control boundary.
FlowCounsel is built around reviewable work, not autonomous effect. Specialists can prepare. Attorneys decide what moves forward.
Auditability
Runs, edits, and approvals stay visible.
Review state, edits, approvals, and externally effective transitions are part of the product model, not an afterthought added later.
Firm scoping
Firm work stays firm-scoped.
Workspace and matter boundaries stay explicit so firm context is used for firm work, not blended across customers.
Controls
The firm chooses where AI is allowed to operate.
Capabilities, workflows, and review expectations should stay configurable by surface, role, and matter type instead of assuming one universal automation setting.
Growth controls
Growth needs security and compliance controls too.
The Growth roadmap is not just campaigns and reporting. It explicitly carries approval-gated creative, compliance review, firm-scoped settings, auditability, and bounded optimization against retained-client outcomes.
Creative control
Approved creative is the source model.
Growth uses approved assets, derived variants, explicit versioning, and reviewable lineage instead of freeform prompt-to-ad generation.
Compliance gating
Launch eligibility depends on review state.
Campaign and channel work is designed to stay approval-gated, with compliance review as a required part of launch eligibility rather than a post hoc checklist.
Bounded optimization
Optimization is constrained by firm rules.
Growth is moving toward retained-client outcome optimization, but within explicit firm constraints, approved assets, and recommendation-first promotion rather than unreviewed auto-publishing.
Firm settings
Roles, integrations, and billing stay firm-scoped.
Team roles, brand inputs, integrations, and firm-level settings are part of the product boundary, so campaign execution is not detached from firm identity or access control.
Matters controls
Matters is being built around review state, provenance, and role boundaries.
The Matters roadmap already treats approve / reject / edit boundaries, document lifecycle state, audit continuity, and provenance-aware review as core product behavior rather than optional enterprise add-ons.
Review queue
Generated work stages before external effect.
Matters is being built around review-ready states, approve / reject / edit boundaries, and explicit progression from draft to approved to externally effective.
Lifecycle states
Documents do not just appear and disappear.
Review-ready, approved, superseded, sent, and externally effective state changes are part of the operating model so firms can see what changed and what status a document actually carries.
Provenance
Source-visible review is part of the direction.
The roadmap explicitly calls for provenance-aware review, clause-level trace-back, citation sidecars, and review with supporting context visible instead of implied.
Role boundaries
Not every role gets the same actions.
The Matters roadmap already distinguishes between upload, staging, review, approval, and externally effective actions so multi-role firms can work inside one controlled system.
Firm boundaries
Scope, retrieval, and external effect should all stay bounded.
What matters is how the product behaves: firm context stays scoped, review states stay visible, and externally effective actions stay gated.
Firm-scoped storage
Matter records, uploads, and review history remain scoped to the firm workspace.
The product roadmap consistently treats storage, routing, and review continuity as firm- and workspace-scoped behavior. That boundary matters more than generic AI claims.
Bounded retrieval
Assistants and specialists should work from the relevant workspace and matter context.
The right model is not “read the whole corpus.” It is controlled runtime context tied to the current firm, matter, surface, and approved history.
No silent effect
Externally meaningful actions pass through visible review states.
Campaign launches, document approvals, communications, and filing-ready work should never depend on hidden transitions that firms cannot inspect later.
Provenance
Audit trail should be a product artifact, not a disclaimer.
The strongest trust surface is not a promise that “we log things.” It is a visible record shape for what a run, review, or approval actually captures.
The product direction already supports explicit review history, role boundaries, approval states, and provenance-aware follow-ons. This is the trust surface to keep deepening.
Records governance
Export, retention, deletion logging, and preservation are now explicit roadmap work.
Records governance is explicit roadmap work, not implied trust-page language. The direction is now captured plainly across both Growth and Matters.
Export
Firm-owned export behavior is now explicit in the roadmap.
Both Growth and Matters now carry follow-on work for exportable firm records so campaign history, matter history, review state, and approved work do not feel trapped in a vendor surface.
Retention
Retention policy shape is being treated as product work.
This is not being left to generic trust-page language. The roadmap now explicitly captures retention-policy direction for campaign, pipeline, matter, document, and review history.
Destruction logging
Deletion should be logged, not silent.
The roadmap now calls out deletion and destruction logging so the system can distinguish between superseded history, retained audit records, and truly destructive actions.
Legal-hold-ready
Preservation state is part of the plan.
We are not claiming a finished enterprise records suite. We are explicitly planning preservation-ready states so firms can keep matters, documents, campaign history, and compliance records from being cleaned up silently.
Subprocessors
Vendor boundaries should be visible too.
A short list is a design choice. Fewer subprocessors means fewer boundaries where firm data crosses into systems FlowCounsel does not control.
FAQ
The questions firms actually ask.
Security reviews usually come down to the same questions: where data lives, how it is scoped, what gets logged, and what happens when something is rejected.
Firm data is everything your workspace puts into the system: uploaded documents, extracted matter state, deadlines, communications, approved work product, review history, and the learned patterns that compound from attorney-approved output over time. All of it is keyed to your firm's workspace. FlowCounsel is the custodian of that data, not the owner.
Closing point
Governance is not a policy page. It is a product decision.
SOC 2 Type II and ISO/IEC 42001:2023 are on our roadmap. Until they are complete, we will not claim them. The control model on this page and the architecture behind it are what those audits measure. We are building the substance first.