Legal AI
Primary sector: Legal
Last reviewed:

Harvey

Counsel AI Corporation (Harvey) · EFROS US AI Vendor Governance Index entry

By Stefan Efros, CEO & Founder, EFROS
Reviewed by Daniel Agrici, Chief Security Officer, EFROS

Composite governance score

74 / 100 (grade B)

B = strong posture. Deployable in regulated workloads with documented compensating controls.

Axes scored: 9 / 11
Trust-center maturity: 3 / 5
Sector weighting: Legal

About this vendor

Generative AI platform purpose-built for law firms. Backed by OpenAI; primarily deployed at Am Law 100/200 firms for drafting, research, and matter-aware workflows.

Enterprise tier
Harvey Assistant, Harvey Workflows, Harvey Vault (firm-wide licensing)
Vendor homepage
https://www.harvey.ai

Twelve-axis governance scoring

Each axis is scored Yes / Partial / No / N/A against public evidence — vendor trust portals, BAAs/DPAs, SOC 2 report cover pages, published methodology documents. N/A applies when the axis is structurally inapplicable (foundation models, for example, defer Section 1557 to the downstream healthcare deployer).

| Axis | Status | EFROS note | Source |
|---|---|---|---|
| BAA / DPA available | Yes | Harvey signs enterprise data-handling agreements equivalent to BAA scope for client-confidential workloads. Firm-level deployment terms address privilege handling. | Harvey Security |
| Training-data opt-out | Yes | Harvey does not train on client data. Tenant isolation contractually enforced. Foundation models accessed via Harvey are configured with zero-retention enterprise contracts. | Harvey Security |
| US data residency option | Yes | US data residency available for enterprise customers. Harvey runs primarily on Azure US regions. | Harvey Security |
| SOC 2 Type II report | Yes | SOC 2 Type II completed. Report available to enterprise customers via direct request. | Harvey Security |
| ISO/IEC 42001 attestation | No | No public ISO/IEC 42001 attestation as of May 2026. | Public posture review |
| NIST AI RMF self-attestation | Partial | Harvey publishes governance documentation aligned to NIST AI RMF principles. No formal self-attestation. | Harvey governance documentation |
| Colorado AI Act readiness | Partial | Harvey acknowledges Colorado AI Act deployer responsibility model in customer documentation; firms own end-deployer obligations. | Harvey customer documentation |
| HHS-OCR Section 1557 readiness | N/A | Legal-vertical positioning. | Harvey positioning review |
| FRB SR 11-7 readiness | N/A | Legal-vertical positioning. | Harvey positioning review |
| ABA Formal Op 512 readiness | Yes | Harvey publishes ABA Formal Op 512 alignment documentation: data isolation, no training on client data, audit logging, privilege-aware retention controls. | Harvey ABA Op 512 documentation |
| Subprocessor list public | Partial | Subprocessor information available to enterprise customers under NDA. Not self-serve public. | Harvey enterprise documentation |

Trust-center maturity

3 / 5

Security page documents core controls; enterprise-grade documentation available on request. Less self-serve maturity than cloud-platform vendors.

Source: harvey.ai/security

Deep dive

Overview

Harvey is the highest-profile legal vertical AI vendor. The governance posture is strong on the dimensions that matter most for law firms (no-train, US residency, BAA-equivalent, ABA Op 512 alignment) but trust-portal maturity lags cloud-platform vendors. The competitive position depends on the firm-specific workflow value rather than cross-cutting governance differentiation.

Strengths

  • Purpose-built for legal — privilege handling and matter walls native to product
  • ABA Op 512 alignment documented
  • Default no-train, US residency, BAA-equivalent
  • Foundation-model upstreams contractually configured for zero-retention

Weaknesses

  • No ISO/IEC 42001
  • No formal NIST AI RMF self-attestation
  • Trust portal less mature than cloud-platform peers
  • Subprocessor transparency NDA-gated

Best-fit use case

Am Law 100/200 firms with established AI governance, where Harvey's privilege-aware workflow and matter-context features deliver value beyond what a foundation model alone provides.

Avoid when

Smaller firms (under 50 attorneys) where the per-attorney pricing doesn't amortize, and the ChatGPT Enterprise + ABA Op 512 protocol delivers acceptable functionality at lower cost.

Operator's take

Deploy Harvey at Am Law 100/200 firms with established AI governance, where Harvey's privilege-aware workflow and matter-context features deliver value beyond what a foundation model alone provides. The composite score of 74 (grade B) reflects a defensible posture for regulated US workloads. Skip the vendor at smaller firms (under 50 attorneys), where the per-attorney pricing doesn't amortize and the ChatGPT Enterprise + ABA Op 512 protocol delivers acceptable functionality at lower cost. In every deployment, treat the cells above as a snapshot: the acquisition that gets to production safely is the one that re-verifies the trust-center posture before contract signature and rebuilds the matrix at renewal.

How this scoring is computed

The composite score blends eleven scoreable axes (BAA, training opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act, Section 1557, SR 11-7, ABA Op 512, subprocessor transparency) with the trust-center maturity score. Axes marked N/A are excluded from the denominator so vendors are not penalized for sector-inapplicable axes. The vendor's primary sector amplifies the most relevant axes — healthcare vendors weight Section 1557 ×2, legal vendors weight ABA Op 512 ×2, banking vendors weight SR 11-7 ×2 — so the composite reflects what matters in the actual buying context.


Disagree with this scoring?

EFROS publishes scoring rationale per cell with a public source. If you have evidence that a specific axis should score differently — a new BAA, a new certification, a documented policy change — submit a formal challenge below. We re-score and publish the result with the next quarterly edition (or as a mid-quarter changelog entry if the change is material).

Disagree with a score?

Every cell in the EFROS Index is source-cited. If you have a public source that contradicts a score for Harvey, submit a formal challenge — we re-verify against the source and respond within 14 days.


Disclaimer. Scoring as of 2026-05-13. Posture changes frequently — re-verify with the vendor's trust center before contract. This page is informational; it is not legal advice. EFROS clients get a refreshed posture review as part of the AI Governance Audit.
