Why Choose Thea

Privacy-First Architecture

How Thea protects confidential legal information

Legal professionals handle extremely sensitive information: client confidences, trade secrets, personal data, litigation strategy, and privileged communications. Traditional timeline tools and generic AI services weren't built with this level of confidentiality in mind.

Thea was designed from the ground up with privacy as a core requirement, not an afterthought.

Our Privacy Principles

1. Data Sovereignty

All data stays in the EU

  • Documents processed only on EU servers
  • Database hosted in European data centers
  • AI processing through Azure OpenAI EU endpoints
  • Backups stored within EU jurisdiction

Why this matters: European data protection standards are among the strongest in the world. Your data never crosses borders to jurisdictions with weaker protections.

2. Encryption Everywhere

Multiple layers of protection

  • TLS 1.3 for data in transit
  • AES-256 encryption for data at rest
  • Encrypted backups with separate keys
  • Encrypted database storage

Why this matters: Even if systems were compromised, encrypted data is unreadable without keys.

3. No Model Training

Your documents remain yours

  • Never used to train or improve AI models
  • Never shared with AI providers for analysis
  • Processed in real-time, not stored by AI services
  • Contractual guarantees from Azure OpenAI

Why this matters: Your confidential case information can't leak into AI models that others might query.

4. Minimal Data Collection

We only collect what's necessary

  • Email for account recovery
  • Display name (optional)
  • Documents you explicitly upload
  • Usage data for service operation only

No behavioral tracking, no marketing surveillance, no unnecessary data harvesting.

5. You Control Your Data

Full ownership and control

  • Export timelines anytime
  • Download documents anytime
  • Delete projects instantly
  • Delete account with complete data removal

Why this matters: You're not locked in, and you can comply with client data requests.

GDPR Compliance

Thea fully complies with the General Data Protection Regulation (GDPR):

Your Rights

  • Right to access - Export all your data
  • Right to rectification - Edit your information
  • Right to erasure - Delete your account completely
  • Right to data portability - Download in standard formats
  • Right to object - Control how data is processed

Our Obligations

  • Data Processing Agreement - Available for enterprise clients
  • Data Protection Officer - Designated contact for privacy matters
  • Breach notification - 72-hour notification requirement
  • Privacy by design - Built-in protections from the start

Security Measures

Technical Safeguards

  • Encrypted data transmission and storage
  • Secure authentication (Supabase Auth)
  • Isolated processing environments
  • Regular security audits
  • Automated vulnerability scanning
  • Intrusion detection systems

Organizational Safeguards

  • Employee confidentiality agreements
  • Principle of least privilege
  • Security awareness training
  • Incident response procedures
  • Vendor risk assessments
  • Regular security reviews

Access Controls

  • Authentication required for all access
  • Session management and timeouts
  • Support staff cannot access documents without permission
  • Audit logs of system access

Comparison: Thea vs. Generic Tools

Generic AI Services (ChatGPT, Claude, etc.)

  ❌ May train on your inputs
  ❌ Data processed across multiple jurisdictions
  ❌ Terms of service designed for consumers, not legal professionals
  ❌ No Data Processing Agreements
  ❌ Limited data residency guarantees
  ❌ No professional confidentiality obligations

Thea

  ✅ Never trains on your documents
  ✅ All processing in EU
  ✅ Terms designed for legal confidentiality requirements
  ✅ DPA available for enterprises
  ✅ Guaranteed EU data residency
  ✅ Built for attorney-client privilege protection

PowerPoint/Excel

  ✅ Local control
  ❌ No encryption at rest
  ❌ Easy to accidentally share via email
  ❌ No audit trails
  ❌ Vulnerable to device theft/loss
  ❌ No centralized security management

Thea

  ✅ Encrypted storage and transmission
  ✅ Controlled sharing (coming soon)
  ✅ Complete version history and audit trails
  ✅ Protected even if device is compromised
  ✅ Cloud-based backup and disaster recovery

Vendor Trust

We carefully select our vendors with privacy in mind:

Supabase (Database & Storage)

  • EU-hosted infrastructure
  • SOC 2 Type II certified
  • GDPR compliant
  • Open-source transparency

Azure OpenAI (AI Processing)

  • EU endpoints with data residency
  • Microsoft Enterprise Agreement protections
  • No data retention for abuse monitoring
  • GDPR compliant
  • Contractual data protection guarantees

All vendors undergo security assessments and maintain compliance certifications.

Handling Privileged Information

Legal documents often contain attorney-client privileged information. Thea's architecture respects this:

Confidentiality by Design

  • Documents isolated to your account
  • No cross-account data access
  • Staff cannot view without explicit permission
  • Audit trails of all access

Privilege Protection

  • Your documents are not reviewed by Thea staff
  • AI processing is automated and transient
  • No human review of document contents
  • Support access requires your authorization

Client Confidentiality

Law firms have ethical obligations to protect client confidences. Thea helps you meet these requirements:

Professional Responsibility

  • Reasonable security measures (encryption, access controls)
  • Data breach notification capabilities
  • Vendor due diligence documentation
  • Compliance with bar association guidance
  • Clear terms of service explaining data use
  • Optional: Get client consent for cloud tool use
  • Ability to delete client data upon request
  • Transparent data handling practices

Transparency

We believe in transparency about data handling:

  • Privacy policy - Clear explanation of data practices
  • Terms of service - Straightforward legal terms
  • Security documentation - Available upon request
  • Data flow diagrams - Enterprise clients can review our architecture
  • Compliance certifications - Happy to provide proof of compliance

Incident Response

In the unlikely event of a security incident:

  1. Immediate containment - Stop the threat
  2. Assessment - Determine scope and impact
  3. Notification - Inform affected users within 72 hours
  4. Remediation - Fix vulnerabilities
  5. Reporting - Notify authorities as required
  6. Prevention - Update procedures to prevent recurrence

Your Responsibilities

To maintain security:

  • Strong passwords - Use unique, complex passwords
  • Secure devices - Keep your devices protected
  • Careful uploading - Only upload documents you have authority to share
  • Report issues - Alert us immediately to any concerns
  • Review access - Check who has access to your account

Enterprise Security

Need additional security measures?

Available for Enterprise Clients

  • Custom data retention policies
  • Dedicated encryption keys
  • Private deployment options
  • Enhanced audit logging
  • Custom Data Processing Agreements
  • Service Level Agreements (SLAs)
  • Dedicated support with response time guarantees

Contact us for enterprise security options →

Privacy FAQs

Can Thea staff see my documents?

No. Your documents are stored encrypted and support staff cannot access them without your explicit permission. AI processing is automated.

Will my documents train AI models?

No. Thea never uses your documents to train AI models. Azure OpenAI has contractual guarantees preventing this.

What happens if Thea is acquired?

Your data remains yours. Any acquirer must honor existing privacy commitments, and you always retain the right to export or delete your data.

Can I use Thea for classified information?

Thea is designed for confidential business and legal information. For classified government information, please contact us to discuss specialized arrangements.

Is Thea approved for law firm use?

Many law firms use Thea. We provide documentation for your IT and compliance teams to review. We're happy to answer questions about security and compliance.

Conclusion

Privacy isn't a checkbox for Thea—it's foundational to everything we do. We understand the sacred trust legal professionals have with their clients, and we've built our platform to honor that trust.

Get Started

Ready to experience privacy-first timeline creation?

Create your first timeline →