Security & Governance
Legal-Grade AI Security.
Designed to Pass Review.
Arivu.Legal is engineered for environments where confidentiality, client trust, and regulatory compliance are non-negotiable. Every security control is inherited from Microsoft 365 — not recreated.
Arivu is not a SaaS platform in the traditional sense. It is a Resident Agent—a secure, containerized intelligence layer that operates within your organizational boundaries.
The Resident Agent: Native In-Tenant Execution
Most Legal AI uses an Extraction Model (sending your data to their cloud). Arivu uses an In-Situ Model.
- The Boundary: Your data stays within your Microsoft 365 / Azure Tenant.
- The Compute: Arivu interacts with a private instance of the Large Language Model (LLM). Your prompts and document snippets are processed in a “stateless” environment—meaning the data is never stored, never logged, and never used to train the model.
- Zero External Indexing: Unlike Litera or Harvey, we do not build a “shadow database” of your files on our servers.
Zero-Tagging: Semantic Indexing vs. Manual Metadata
The “KM Tax” (manual tagging) is the primary reason law firm knowledge projects fail. Arivu replaces manual labor with Neural Search.
- Vector Embeddings: Arivu converts your documents into mathematical vectors that represent legal meaning rather than just keywords.
- Contextual Discovery: Because the agent lives next to your SharePoint, it “sees” the relationship between a master agreement, its amendments, and the surrounding email threads in Outlook.
- No Pre-Processing: You don’t need to “clean up” your SharePoint folders. The Resident Agent maps the context of your data in real-time.
Identity-First Enforcement (Entra ID Native)
AI systems frequently create “Permission Leakage” when they aggregate data. Arivu is the only solution that mirrors your existing Microsoft Entra ID and Purview permissions in real-time.
- Real-Time Permission Trimming: If a Partner restricts a SharePoint folder at 2:00 PM, Arivu’s Resident Agent stops seeing that data for unauthorized users at 2:01 PM. No manual sync required.
- No “Admin” Backdoor: Unlike external platforms where a vendor admin might have access to your “Vault,” Arivu respects your tenant’s internal access controls. You own the keys, you own the access.
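The permission leakage described above typically arises when retrieval results are filtered against ACLs copied at index time instead of the live ones. As an added illustration (not Arivu's code; the corpus, group names, and the `AclStore` class are constructed stand-ins, not Entra ID or Microsoft Graph APIs), this Python example compares a snapshot filter with a per-query check after a document is restricted:

```python
import math

# Constructed corpus: doc_id -> (embedding, groups allowed at index time).
DOCS = {
    "msa-2023":        ([0.9, 0.1, 0.0], {"partners", "associates"}),
    "msa-amendment-1": ([0.8, 0.2, 0.1], {"partners", "associates"}),
    "hr-memo":         ([0.1, 0.9, 0.2], {"hr"}),
}

class AclStore:
    """Hypothetical stand-in for the tenant's live permission source."""
    def __init__(self, docs):
        self._acl = {d: set(groups) for d, (_, groups) in docs.items()}

    def restrict(self, doc_id, groups):
        self._acl[doc_id] = set(groups)

    def can_read(self, doc_id, user_groups):
        return bool(self._acl[doc_id] & set(user_groups))

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))

def ranked(query_vec):
    """All doc ids, most similar first."""
    return sorted(DOCS, key=lambda d: cosine(query_vec, DOCS[d][0]), reverse=True)

def retrieve_snapshot(query_vec, user_groups, snapshot, top_k=2):
    """Weak: trims with ACLs copied when the index was built."""
    hits = [d for d in ranked(query_vec) if snapshot[d] & set(user_groups)]
    return hits[:top_k]

def retrieve_live(query_vec, user_groups, acl_store, top_k=2):
    """Trimmed: checks the live ACL per query, before the top-k cut,
    so only authorized snippets can be passed on to the model."""
    hits = [d for d in ranked(query_vec) if acl_store.can_read(d, user_groups)]
    return hits[:top_k]

def demo():
    snapshot = {d: set(groups) for d, (_, groups) in DOCS.items()}  # index-time copy
    acl = AclStore(DOCS)
    acl.restrict("msa-amendment-1", {"partners"})  # restricted after indexing
    query, user = [1.0, 0.0, 0.0], {"associates"}
    return (retrieve_snapshot(query, user, snapshot),
            retrieve_live(query, user, acl))

if __name__ == "__main__":
    stale, live = demo()
    print("snapshot filter:", stale)  # still includes the restricted amendment
    print("live filter:    ", live)
```

When reviewing any retrieval-augmented system, the check to ask for is the second pattern: authorization evaluated per query against the system of record, applied before snippets leave the retrieval step.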
Governance by Inheritance (Purview Ready)
Arivu doesn’t recreate your governance model; it inherits it.
- Sensitivity Labels: Arivu respects “Confidential” or “Secret” tags in Microsoft Purview.
- DLP Enforcement: Your existing Data Loss Prevention rules prevent the AI from surfacing information to unauthorized users.
- Unified Audit Trail: Every query, retrieval, and response is logged directly in your Microsoft Unified Audit Log for total transparency.
The Arivu Security Standard
| Security Pillar | Legacy “Vault” | Arivu Resident Agent |
| --- | --- | --- |
| Data Location | Third-party Cloud | Your M365 Tenant |
| Identity Management | Proprietary/Sync | Native Entra ID (SSO) |
| Permission Sync | Manual/Scheduled | Real-Time / Native |
| Audit Logging | External Vendor Logs | Native Microsoft Audit Log |
| Attack Surface | Increased (New Cloud) | Zero Change (In-Tenant) |
Data Flow: How it Works
| Step | Action | Location |
| --- | --- | --- |
| 1. Trigger | User asks a question in Word or Teams. | Your M365 Tenant |
| 2. Auth | Entra ID verifies the user’s identity and file permissions. | Your M365 Tenant |
| 3. Retrieval | Resident Agent pulls relevant “snippets” from authorized files. | Your M365 Tenant |
| 4. Synthesis | Snippets are sent via private API to a secure LLM instance. | Private Azure/AWS |
| 5. Response | The answer is delivered back to the user’s Word/Teams UI. | Your M365 Tenant |
The CISO Summary
- Data at Rest: Remains in your SharePoint.
- Data in Transit: Encrypted via TLS 1.3.
- Data in Use: Processed in private, stateless sessions. No Training.
- Identity: Managed by your existing Entra ID.
Security Throughout the AI Lifecycle
Legacy architecture forces lawyers to bridge gaps manually.
- Ingestion: Uses existing SharePoint search schemas only.
- Processing: Occurs within tenant-approved compute.
- Response: Trimmed dynamically by user permissions.
- Audit: Logged in Microsoft’s unified audit log.