Security & Trust

Security a law firm can sign off on.

Tero is GDPR-native by design. Your documents are end-to-end encrypted and stored as ciphertext sealed even from us — no one at Tero can read them. To run an AI feature, only what your request needs is decrypted in memory, within the EU, for that request alone, then re-sealed — never kept in plaintext, and never used to train a model. Here is exactly how.

End-to-end encrypted

Documents are encrypted client-side with AES-256 before they reach us, and TLS 1.3 protects them in transit. The Vault holds only ciphertext — sealed even from Tero staff. Content is decrypted only in memory, in the EU, for the single AI request that needs it.

EU data residency

Your matter data and AI processing run exclusively in EU regions. No personal data leaves the EU/EEA in connection with your use of the platform.

Never trained on

Prompts and responses are processed for your query alone — not retained beyond the session, and never used to train foundation models.

Where your data lives

Hosted in the EU, processed in the EU

The Tero platform and its AI inference run on managed cloud infrastructure entirely within EU regions, under the relevant Data Processing Addenda. Every sub-processor — cloud, database, compute and AI inference — operates within the EU/EEA, and we give advance notice of any material change so you can object before it takes effect.

Our full, named sub-processor list is available under our GDPR Data Processing Agreement — request it any time at privacy@tero.legal.
Encryption & key handling

End-to-end encrypted — sealed even from us

Documents are encrypted client-side with AES-256 before they reach Tero, so we hold only ciphertext we cannot read. TLS only protects the connection; your data stays encrypted even from us. When you ask the Assistant or run a Review, only what that request needs is decrypted in memory and processed within the EU for that query alone — never retained beyond the session, never used to train a model, and never transferred outside the EU/EEA.

On a clear, documented path to ISO 27001 & ISAE 3000
  • AES-256, end-to-end
    Encrypted client-side before it reaches us; TLS 1.3 in transit. We hold only ciphertext.
  • Private AI endpoints on request
    For organizations requiring complete inference isolation, Tero can route AI processing to private or on-premise LLM endpoints — your documents never touch shared AI cloud infrastructure.
  • No cookies, no tracking
    The website sets no cookies and loads no analytics or third-party trackers — only two functional UI preferences, stored locally on your device.
  • 72-hour breach notification
    Regulators and affected users notified within 72 hours.
  • Deletion on termination
    Encrypted content deleted within 30 days of termination; Tero cannot decrypt it.
  • DPA on request
    A GDPR data processing agreement is available to every customer.
Retention & your rights

You stay in control of your data

Clear retention

Account data is kept for your subscription; session logs up to 12 months; billing records 5 years under Danish law. Then data is securely deleted or irreversibly anonymised.

GDPR rights

Access, rectification, erasure, portability and objection — exercised any time by contacting us, and unaffected by any sub-processor arrangement.

Talk to our team

Security questions, a DPA, or a sub-processor review? Email privacy@tero.legal — we answer the questions a DPO actually asks.

Full detail in our Privacy Policy and Platform Terms.

Get started

See Tero on your own matters

Tell us about your practice and we'll set up a walkthrough tailored to the work your team actually does.

We use your details only to arrange your demo. See our Privacy Policy.