Security and
AI Overview

Updated January, 2025

Poppy understands the confidential nature of your team’s legal invoices and the information you store on our systems. We take seriously the responsibility of ensuring the privacy, security and proper use of your data.

We use Amazon Web Services and Google Cloud as our hosting services, as well as Amazon’s Bedrock and Google’s Vertex as AI infrastructure. 

We inherit the security guarantees of these enterprise-grade services.

1. Security

We use systems, adopt business practices, and implement safeguards that seek to minimize the risk of unauthorized access to your information.  These include:

  • System Monitoring: We regularly monitor our code, system configurations and system updates to ensure our systems are protected against unauthorized access.

  • Encryption: We use in-transit and at-rest encryption using industry best practices to ensure all data transmitted and stored securely.

  • Employee Security Practices: Regular security training and employee background checks, as well as required two-factor authentication and secure passwords for critical internal systems.

  • Physical Security: We utilize Amazon Web Services and Google Cloud’s SOC 2 certified Data Centers for hosting data, both of which incorporate state-of-the-art physical security.

  • Access Controls: We implement the Principle of Least Privilege, where employees receive the minimum permissions needed for their role.

  • Firewalls: Our application uses a managed web application firewall to protect against a variety of attack vectors.

2. AI Use and Training

Poppy uses certain AI models and systems as part our software. We understand that there may be concerns with how these systems use and share information. However, we do not use, nor do we allow for the use of, your data to train any AI models.

How does Poppy use AI?

Poppy uses AI models in two primary ways.

First, we use AI systems to ingest invoice information.  This allows Poppy to intake legal invoices of a wide variety of formats, styles and structures, and store that information in a structured database for your access and reporting.

Second, Poppy uses AI to analyze invoice information to provide insights on billing practices and areas of potential concern to your business.  Poppy performs this analysis on an individual line item basis for invoice review.  But Poppy also performs analysis of your data on longer time horizons, providing insights on law firm, matter and timekeeper performance over the course of quarters or years.

Does Poppy use customer data to train models?

No. Poppy does not use customer data to train models, nor do we allow customer data to be used for the training of third party models.

Our system uses Amazon’s Bedrock and Google’s Vertex as AI infrastructure. Both Bedrock and Vertex are enterprise-grade services with significant security and privacy guarantees, including that information is not shared with third-party model providers, neither as a model input nor as a model output.  In addition, neither Bedrock nor Vertex use customer data to train any Amazon, Google, or third-party models.