Security at PONS isn't a feature. It's the architecture, the operational model, and the culture that everything else is built on top of. When organizations entrust us with their most sensitive legal work, from contracts and privileged communications to litigation strategy and deal-room data, we take that responsibility seriously. Not as a compliance exercise, but as an engineering discipline.
Today I want to share a milestone that reflects how deeply this commitment runs.
Your data never trains our models
Before I get into certifications and audit results, I want to lead with something that matters more than any badge: we never use your data to train AI models. Period.
This is not a policy toggle or a setting you need to opt out of. It's an architectural constraint. Client data (your matters, documents, communications, and files) never leaves the encrypted boundaries of the PONS platform. It is not sent to third-party LLMs. It is not shipped to external AI services. It is not aggregated, anonymized, or repurposed for model training. Your data is yours, and it stays yours.
This guarantee is enforced technically and contractually. We believe it's the baseline for any platform that handles privileged legal information, and we hold ourselves to it without exception.
End-to-end encryption as the foundation
Everything on PONS is built on end-to-end encryption. Not selectively, not partially, but across the entire platform. This is the architectural backbone that makes every other security guarantee possible.
- Data in transit is encrypted using TLS 1.2+ on every connection, with no exceptions.
- Data at rest is encrypted using AES-256 across all storage layers.
- Documents, messages, and files within matters and projects are protected end-to-end, so that only you can access them; not even PONS can. All data across platform features and utilities remains end-to-end encrypted at all times.
Whether you're uploading a confidential memorandum, collaborating in a deal room, or exchanging messages with external counsel, the data is protected from the moment it leaves your device until it reaches an authorized recipient. There is no point in the chain where it exists unencrypted or exposed.
For a deeper look at our full security architecture and controls, visit our trust center at security.pons.io.
Independently audited and verified, across the board
PONS has been successfully re-audited and verified for ISO 27001, SOC 2 Type II, and GDPR compliance, all assessed in a combined engagement by an independent, third-party auditor. On top of that, a separate cybersecurity firm awarded PONS an A+ penetration testing rating, the highest grade available.
All four of these are independently conducted by external parties. We invite external scrutiny because our customers deserve that level of assurance.
ISO 27001
ISO 27001 is the international gold standard for Information Security Management Systems. Being re-certified means PONS maintains a comprehensive, continuously improving framework for managing information security risks, spanning people, processes, and technology. At PONS, this isn't a separate program bolted onto engineering; it's woven into how we hire, how we develop software, how we handle incidents, and how we make decisions.
SOC 2 Type II
Where SOC 2 Type I evaluates the design of security controls at a single point in time, Type II goes further: it verifies that those controls are operating effectively over a sustained period. This is the difference between saying "we have a policy" and proving "we follow it, every day, over months of observation." Our SOC 2 Type II report demonstrates that security at PONS isn't a project that gets completed. It's a continuous operational practice embedded in our engineering, our infrastructure, and our internal processes.
GDPR
As a platform serving legal teams across Europe, GDPR compliance is non-negotiable. Our re-audit confirmed that PONS fully adheres to the rigorous data protection requirements of the General Data Protection Regulation. But beyond regulatory adherence, GDPR shapes how we think about data architecture: we collect only what we need, we retain only what's justified, and we give data subjects full control over their information. This philosophy directly influences our platform design, our data flows, and how we build features, ensuring you remain in control of your data at all times.
A+ penetration testing
An independent cybersecurity firm conducted a thorough penetration test of the PONS platform. The result: an A+, the highest possible rating. The assessment tested our defenses against a broad range of real-world attack vectors, including injection attacks, authentication bypass, privilege escalation, and data exfiltration attempts, and confirmed that PONS withstands rigorous adversarial testing. This result reflects the security-first culture our team has built together and the engineering discipline we hold ourselves to every day.
Data stays within boundaries, no exceptions
Data sovereignty is a real concern for legal teams, and we treat it as such. Customer data never leaves the established data boundaries of the platform, and there is no scenario where your data is transferred to jurisdictions or infrastructure outside of the boundaries agreed upon during onboarding. No data is sent to third-party AI providers, large language models, or any external service. Everything from AI-powered features to document processing operates within the architectural and encrypted constraints of our platform. This is how PONS works today.
What this means in practice
Certifications and ratings are proof points, but what matters is what they translate to for the people using PONS every day:
- Vendor due diligence: Our audit reports and pentest results are available for your compliance and procurement teams. We meet the requirements they're evaluating for, and we can demonstrate it with independent evidence.
- Reduced risk: A multi-certification status and A+ pentest rating meaningfully reduce the risk profile of adopting PONS within your technology stack.
- Continuous, not one-off: SOC 2 Type II evaluates controls over time. ISO 27001 requires ongoing review and improvement. These are not achievements we earned once. They're commitments we sustain.
- Client confidence: When your clients ask how their data is protected, you can answer with specifics, backed by independently verified evidence.
Security is a discipline
Law firms, corporate legal departments, and compliance teams operate under immense scrutiny. The platforms they rely on must meet the same standard. PONS was designed from the ground up with this responsibility in mind, and our latest re-audit confirms we continue to deliver on it.
Security is not a destination. It's a discipline, and at PONS, we commit to it every single day.
To learn more about how PONS protects your data, visit our trust center at security.pons.io, explore our Security & Compliance page, or get in touch directly.