How Smokeball AI keeps your data private and secure

Keeping client information confidential is central to legal work and to how Smokeball AI is built. All Smokeball AI features, including Archie AI, are designed to help you run your firm more efficiently without compromising privacy, security, or trust. Your firm's and your clients' data stays within Smokeball's secure, ring-fenced environment and is never used to train AI.

Built on the security you already trust

Smokeball AI sits within the same ISO 27001-certified security framework as the rest of Smokeball, with the same encryption and access controls. On top of that, Smokeball AI operates with additional safeguards specific to how AI handles data.

Strict controls on what Archie can access

All Smokeball AI features, including Archie, operate within a secure, ring-fenced environment inside Smokeball - which means your data is never shared for any third party to view, train on, or model with.

This ring-fenced approach puts strict controls on how Archie can access and interact with your information:

  • Firm-level isolation: Archie will never share one firm's data with another - what's yours stays visible only to your firm. Archie can only access data belonging to your firm. It cannot access, learn from, or train on the data of any other Smokeball firm.
  • Matter-level controls: Archie works strictly within the context of a single matter. It does not cross-reference, merge, or mix data from different matters.
  • User-based access permissions: Only users with access to a matter can use Archie on it, and you can switch Archie off for specific users to match your firm's policies. A log of Archie questions is available to authorized users, supporting visibility and best-practice prompting across your firm.
  • Protected from third-party use: Archie operates within the Smokeball platform. Your data is not shared with, hosted by, or accessible to third parties for viewing, training, or AI modeling.

Independently verified

Smokeball is certified to ISO 27001:2022 and is independently penetration-tested every year - most recently in October 2025, with no critical, high, or medium issues found - and your data is encrypted at every stage.

Frequently asked questions

Will my clients' data be used to train AI models like ChatGPT?

No. Client data is never used to train AI models - neither Smokeball's nor any third party’s. Archie operates under enterprise agreements with a strict zero-data-retention policy, so data is not stored, retained, or used for training, and no copies are kept. All processing happens within a secure, ring-fenced environment, separate from public or consumer AI tools.

Does Archie send my data out to public AI tools?

No. Archie operates within the Smokeball platform environment, designed to prevent unauthorized access. It is not the public, consumer version of any AI tool.

Do I need to redact or remove sensitive information before using Archie?

Whether to redact sensitive details before prompting Archie is ultimately your firm's call. That said, Archie is built with controls designed to protect that information if it is shared: processing runs under zero-data-retention agreements in a secure, ring-fenced environment, and your data is never shared with third parties for viewing, training, or AI modeling.

Some things, however, should never be entered into any AI prompt - Archie included. That means passwords, login details, and any other credentials used to access other systems.

Could Archie surface another client's or another firm's information?

No. Archie never shares one firm's data with another, and within your firm, it only works with information the user is already permitted to access - it can't surface anything a user isn't entitled to see.

Who can access my data - and who can see Archie's prompts?

Only authorized users in your firm. Archie applies firm-level isolation (it can only access your firm's data) and follows your firm's existing user permissions - it only works with information a user is already entitled to see. Authorized users can also view the log of Archie's questions for the matters they have access to.

Does using Archie change how my data is protected?

No. Archie sits within the same ISO 27001-certified security framework as the rest of Smokeball, with the same encryption (AES-256 at rest, TLS 1.2+ in transit) and the same access controls.

How is my data protected day to day?

Through encryption in transit and at rest, multi-factor authentication, role-based access with least-privilege principles, periodic access reviews, and 24/7 monitoring. Smokeball's products also undergo annual external penetration testing - the most recent (October 2025) returned no critical, high, or medium findings.

Which privacy and compliance standards does Smokeball meet?

ISO 27001:2022 certification, risk-management alignment with HIPAA, and privacy controls consistent with the Australia Privacy Act, UK GDPR, UK Data Protection Act, and CCPA.

Where is my data located?

As a principle, data stays in its home region - Australian data in Australia, UK data in the UK, US data in the US - and any transfers are governed by the relevant data processing agreements. For details specific to your firm's setup, your Smokeball contact can help.

Do you have data processing agreements and a list of sub-processors?

Yes. Smokeball's cloud and AI providers operate under data processing agreements covering how data is handled, including international transfer requirements. The specific sub-processors that apply to your firm depend on the services and integrations you've enabled - these can be reviewed in the Smokeball marketplace, and your Smokeball contact can help identify those relevant to your setup.

Who do I contact with a security question? 

Smokeball's information security team at infosec@smokeball.com. For more information, please refer to our Security Policy.
