How we protect your data
Security, privacy, and compliance for sensitive legal data
HarkIQ processes call transcripts that contain some of the most sensitive information a law firm holds: client health details, vulnerability indicators, legal proceedings, and financial circumstances. We built HarkIQ knowing that this data demands the highest level of care. Here is exactly how we handle it.
Looking for the full briefing for your DPO? Download the DPO Briefing Document or the DPIA Template.
Your data, your control
You are the data controller. We are the data processor.
Your firm decides what data to upload and how the analysis is used. HarkIQ processes transcripts solely on your instructions, to provide the analysis service. We never make independent decisions about your data.
Your data is never shared with other firms.
HarkIQ is multi-tenant with strict data isolation. Every firm's data is segregated at the database level using PostgreSQL row-level security. No firm can ever see, access, or be affected by another firm's transcripts or analysis. This is enforced at the infrastructure level, not just the application level.
Your data is never sold, licensed, or monetised.
We do not sell your data. We do not licence it to third parties. We do not use it for marketing purposes. Your transcripts and analysis exist solely to provide you with the HarkIQ service.
You can export or delete your data at any time.
Every analysis can be exported as a PDF report or CSV file directly from your dashboard. If you cancel your subscription, your data is retained in read-only mode for 60 days so you can export everything you need, then permanently deleted.
How AI analysis works
HarkIQ uses the Anthropic Claude API — a closed AI model.
When you upload a transcript, it is sent to the Anthropic Claude API for analysis. This is important to understand:
- PII redacted by default: personal identifiers and financial details are removed from every transcript before it reaches the AI. The model never sees your callers’ names, phone numbers, NHS numbers, card numbers, bank details, or IBANs.
- Closed model: your transcripts are not used to train the AI. Anthropic’s API terms explicitly state that prompts and completions are not used for model training.
- Limited retention: Anthropic retains API inputs only for a short period for abuse and safety monitoring, then deletes them. They are not stored permanently.
- No human review: your transcripts are processed by the AI model. They are not read by Anthropic employees unless required for safety or legal compliance.
- Encrypted in transit: all data sent to the API is encrypted using TLS 1.3.
What the AI does and does not do
HarkIQ's AI analyses each transcript against eight quality dimensions and returns a structured score, vulnerability flags, and recommendations. It does not:
- Record, intercept, or listen to live calls. HarkIQ only processes transcripts your firm has already created.
- Make decisions. Scores and flags are management intelligence tools. Your professionals apply the judgement.
- Store transcripts beyond what is needed. Once analysis is complete, the AI provider does not retain your data.
The AI never sees who your callers are
HarkIQ automatically redacts personally identifiable information from every transcript before it is sent to the AI for analysis. This is on by default for every firm.
What gets redacted before AI analysis:
- Phone numbers
- Email addresses
- Addresses and postcodes
- NHS numbers
- NI numbers
- Card numbers and expiry dates
- CVV/security codes
- Bank sort codes and account numbers
- IBANs
- Dates of birth
What the AI sees:
The conversation itself — what was said, how it was said, and whether the caller was handled well.
Why this matters:
Call quality scoring is based on how a conversation was handled — the empathy, the listening, the information gathering, the compliance. None of that requires knowing who the caller is. By stripping personal identifiers before they reach the AI, we significantly reduce the sensitivity of the data being processed and simplify your firm's data protection position.
Security architecture
HarkIQ's security is designed for the sensitivity of legal sector data.
Encryption at rest
All stored data is encrypted using AES-256 via Supabase managed encryption.
Encryption in transit
All communications between your browser, our servers, and the AI API use TLS 1.3.
Row-level security
Database-level isolation ensures each firm’s data is completely separated. This is enforced by PostgreSQL, not application code.
Role-based access
Four permission levels — Admin, Manager, Analyst, Viewer — control who sees what within your firm. Handler performance data is restricted to management roles.
Authentication
Email and password login with optional multi-factor authentication. Session tokens with configurable expiry.
Audit trail
Every data access event, analysis, and user action is logged with timestamp and user identity for compliance reporting.
PII redaction
On by default. Phone numbers, email addresses, postcodes, NHS and NI numbers, card numbers, bank details, IBANs, and dates of birth are automatically stripped from transcripts before AI analysis.
Rate limiting and input validation
All API endpoints are rate-limited and validated using structured schemas to prevent abuse.
Where your data is stored and processed
All stored data — transcripts, analyses, and firm accounts — is held on EU servers. The only international transfer involving transcript content is to Anthropic for AI analysis, and that data is PII-redacted before transfer.
Transparency about where data flows is important. A full list of services, their data processing locations, and transfer mechanisms is set out in the International data transfers section below.
Compliance and governance
UK GDPR
HarkIQ is designed for UK GDPR compliance. We operate as a data processor under Article 28. A Data Processing Agreement is available for all customers and is provided during onboarding. Our DPA covers processing scope, security measures, breach notification, sub-processor management, and data deletion.
Special category data
We recognise that call transcripts may contain special category data under UK GDPR, including health information and details of legal proceedings. Our security architecture, data isolation, closed AI model, and retention policies are specifically designed to handle this classification of data appropriately.
Data Protection Impact Assessment
We provide a DPIA template to help your firm's DPO assess the data protection implications of using HarkIQ. This covers the data processed, lawful basis guidance, risk assessment, and the technical mitigations HarkIQ provides. Download our pre-populated DPIA template to get started — it includes HarkIQ-specific information covering data flows, sub-processors, risk assessments, and recommended measures, with fillable fields for your firm's DPO to complete.
Breach notification
In the event of a personal data breach, we will notify affected customers within 72 hours, in line with UK GDPR requirements. Notification includes the nature of the breach, data subjects affected, likely consequences, and measures taken.
Our approach to SRA compliance
HarkIQ has been designed in line with the SRA's compliance guidance for solicitors using AI and legal technology, updated February 2026. We recommend that every firm considering HarkIQ reads this guidance before making a decision. You can access it directly here: SRA Compliance Tips for Solicitors Regarding the Use of AI and Technology.
The sections below set out how HarkIQ addresses each of the SRA's requirements.
COLP involvement
What the SRA expects from your firm
The SRA is explicit: the Compliance Officer for Legal Practice (COLP) should be responsible for regulatory compliance when new technology is introduced, with board-level oversight of both the purchasing decision and ongoing use.
Before going live with HarkIQ, we recommend your firm does the following:
- Involve your COLP in approving the decision to use HarkIQ. Download the DPO Briefing Document and DPIA Template to support their review, and contact us at david@harkiq.com for our Data Processing Agreement.
- Ensure board oversight is in place, both for the initial decision and for monitoring ongoing use.
- Complete a risk and impact assessment. Our DPIA template gives you a ready-made starting point tailored to HarkIQ's specific processing activities.
- Create a brief internal policy covering how HarkIQ outputs should and should not be used — in particular, that AI scores support professional judgement and are not used as the sole basis for any consequential decision about a client or a member of staff.
- Provide awareness training to anyone who will use HarkIQ, covering what the scores mean, how vulnerability flags should be acted on, and the limits of AI analysis.
Call recording consent
Your responsibility as data controller
HarkIQ analyses call transcripts that your firm has already created. We do not record calls. However, for HarkIQ to be lawfully used, your call recording consent notices and client-facing privacy notices must cover AI-powered analysis of transcripts as a processing purpose.
Your standard call recording announcement — the message callers hear at the start of a call — and your firm's privacy notice should state that calls may be transcribed, and that transcripts may be analysed using AI tools for quality monitoring, vulnerability detection, and compliance purposes.
We provide template wording to help your firm update these notices. Contact us to request it.
This is your firm's responsibility as data controller. We flag it here because it is the most commonly overlooked compliance step when firms implement call analysis tools.
Automated decision-making
Our position under UK GDPR
UK GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing where those decisions produce significant legal or similarly significant effects.
HarkIQ does not constitute automated decision-making within the meaning of Article 22. HarkIQ produces scores, flags, and recommendations. It does not make decisions. Every output requires a human professional to review it and apply their own judgement before any action is taken. HarkIQ has no authority to take any action affecting a client or a member of staff.
Your internal policy should confirm that HarkIQ scores are not used as the sole basis for any consequential decision — including disciplinary action, performance management, or safeguarding referrals. The score informs. The professional decides.
If HarkIQ produces an incorrect result
AI analysis is not infallible. A transcript may be mis-scored because of transcript quality, unusual call content, or the inherent limitations of AI pattern recognition.
HarkIQ scores are management indicators, not verified assessments. If a score appears inconsistent with your professional experience of a call or handler, treat your professional judgement as the primary source. Do not act on a score that does not make sense to you without first reviewing the underlying transcript.
If you believe HarkIQ has produced a materially incorrect analysis, contact us. We will investigate, and where the issue is with the model or prompt we will correct it. We maintain version control of all AI prompts and can re-analyse transcripts if required.
Your firm retains full professional responsibility for any decision made using HarkIQ outputs. HarkIQ is a tool. The solicitor remains accountable.
International data transfers
How we handle US-hosted services
HarkIQ's database is hosted entirely within the European Union. All transcripts, analysis results, and firm account data are stored on EU servers and never leave the EU for storage purposes. The primary international transfer is PII-redacted transcript content sent to Anthropic's API in the United States for AI analysis.
The sub-processor table below lists several US-based services. Seeing “United States” in that table does not mean your data is unprotected. UK GDPR does not prohibit international transfers — it requires appropriate safeguards. Here is the position for each service that handles personal data:
| Service | What it does | Location | Receives transcript data? | Transfer mechanism |
|---|---|---|---|---|
| Supabase | Database and authentication | European Union | Yes — stores all data on EU servers. AES-256 encryption at rest. | No international transfer. All data stored on EU servers. |
| Anthropic Claude API | AI transcript analysis | United States | Yes — processes PII-redacted transcripts for analysis, does not retain. Personal identifiers and financial details (card numbers, bank details) are removed before the transcript reaches Anthropic. Deleted within 30 days. | Standard Contractual Clauses plus UK Addendum (ICO, s119A(1) Data Protection Act 2018) |
| Vercel | Web application hosting | US with global edge nodes | No | Not applicable |
| Stripe | Payment processing | United States | No — billing details only | Not applicable |
| HubSpot | Marketing emails | United States | No — email address and firm name only | Not applicable |
Anthropic's full Data Processing Addendum, which includes the UK Addendum covering transfers from the UK to the US, is published at anthropic.com/legal/data-processing-addendum.
Our Data Processing Agreement sets out the transfer mechanism for each sub-processor in full. Enterprise customers can request copies of all sub-processor DPAs by contacting david@harkiq.com.
HarkIQ is a management intelligence tool.
It provides AI-generated scores, vulnerability flags, and recommendations to help law firms understand call quality patterns, identify coaching opportunities, and evidence compliance improvement.
HarkIQ should not be used as:
- The sole basis for disciplinary action against individual handlers
- A clinical or safeguarding determination about individual callers
- Regulatory reporting or SRA self-reporting without independent verification
- A substitute for professional judgement on vulnerability or risk
Vulnerability detection is an assistive flag aligned with the FCA's four-driver model. It highlights calls that may warrant further attention. Your professionals make the decisions.
Documents for your Data Protection Officer
We have prepared comprehensive documentation specifically for Data Protection Officers and compliance leads at law firms considering HarkIQ.
DPO Briefing Document
Comprehensive briefing covering data flows, Law Society GDPR guidance mapping, sub-processors, international transfers, and security architecture. 18 sections.
DPIA Template
Fillable PDF form pre-populated with HarkIQ's information. Your DPO completes the firm-specific sections, records the approval decision, and retains it as part of your data protection records. 10 sections, 41 interactive fields.
Our Terms of Service, Privacy Policy, and Data Processing Agreement are also available on request. Email david@harkiq.com.
Questions?
If you have questions about how HarkIQ handles your data, or if your DPO needs additional information before approving HarkIQ for use, contact us at david@harkiq.com. We are happy to provide our Data Processing Agreement or discuss specific security requirements.
Download the DPO Briefing Document and DPIA Template above, or email david@harkiq.com for our Terms of Service, Privacy Policy, and Data Processing Agreement.