Zeno passes ISO 27001, ISO 27017 and ISO 27018 with zero nonconformities

Zeno has passed three independent security audits, without a single non-conformity.

ISO 27001, ISO 27017, and ISO 27018 are the most widely recognised international standards for information security, and together they cover everything from how a company is run, to how your data is stored, to how personal information is protected.

Most AI providers only pursue one of these. We pursued all three. Here’s more on why that matters for our users.

Why ISO 27001 Matters: Independent Security Certification for Technology Providers

1. Your data security starts before you upload a single file

Before you trust a tool with client data, you want to know the company behind it takes security seriously. Not because they say so on their website, but because someone independent has checked.

That is what ISO 27001 does. It looks at how an organisation is set up to protect information at a premier international standard. Are there clear rules about who can access what? Is there a plan for when things go wrong? Are risks identified and managed?

2. Why Legal AI tools need third-party security audits, not just claims

At Zeno, security is part of how we work every day. Every team member operates within a defined security framework, and we have formal processes for managing risk and responding to incidents. ISO 27001 confirmed that all of this is in place and working.

When you are choosing a legal AI provider, this is the certification that tells you the organisation itself has security as a foundation.

Why ISO 27017 matters: Certified Security With EU Data Residency

1. Your data remains yours

When you use an AI tool, your data is processed on servers. The question is: where are those servers, who manages them, and is your information kept separate from everyone else's?

ISO 27017 answers that question. It specifically tests how data is protected in the environment where it is stored and processed. Are different clients' files properly separated? Is the system secured? Are the responsibilities between the provider and the client clearly defined?

2. Your client data stays in the European Union

Zeno stores all data within the European Union. Your files are encrypted and kept separate from those of other clients on our platform. ISO 27017 confirmed that these protections meet the international standard. For law firms, this is especially relevant. Where your data is hosted and how it is protected are not just IT questions. They are compliance questions.

Why ISO 27018 matters: GDPR-Aligned Privacy Controls for Client Data

1. Personal data in your client files is handled with care

Your client files often contain sensitive personal information: names, addresses, financial records, case details. When you upload these to any platform, you need to know exactly what happens with that data.

ISO 27018 sets the rules. Can the provider use your data for anything other than delivering the service? No. Are there limits on how long data is stored? Yes. Is there a clear process if a breach occurs? Yes.

At Zeno, we never use client data to train our models. Your data is used to deliver the service you are using, and nothing else. ISO 27018 verified that our practices meet the standard, and those rules align closely with what GDPR already requires of you.

This certification gives you confidence that the personal data in your files is handled under audited, internationally recognised rules.

A fully certified legal AI platform: Audited, Verified, Ready

Passing all three audits with zero nonconformities means the auditors found nothing to flag. No gaps, no partial measures, no items to fix later.

The timing is relevant. The Dutch Bar Association (NOvA) made clear in its 2025 AI recommendations that using AI responsibly is a professional obligation. Across Europe, new regulation is raising the bar for security and transparency. Firms are being asked to demonstrate that the tools they use meet the standard.

We built Zeno to meet that standard from day one. Now it is independently confirmed.

You can review our certifications and security documentation at trust.zeno.law.



Frequently Asked Questions

1. What is an ISO certification?

An ISO certification is carried out by independent, external certification bodies. It is in essence a third-party attestation that a company operates a management system which conforms to one of the international standards developed and published by ISO (International Organisation for Standardisation).

2. What is the impact on users of LegalTech of ISO 27001, ISO 27017, and ISO 27018 certifications?

Passing all three certifications with zero nonconformities means that users can rest assured that:

  • Their data is secured end-to-end (ISO 27001)

  • The environment holding it is specifically hardened (ISO 27017)

  • Their personal data is actively protected with explicit privacy controls. In other words, your data remains yours. (ISO 27018)

3. Why did you pursue all three certifications?

Each certification addresses a different dimension of trust. We wanted to give law firms and legal teams the third-party assurance that is grounded in international standards. This shows we take your security seriously, and confirms how we handle personal data securely.

4. What does this mean for my data?

It means your data is protected by formally audited controls at every level. These controls cover everything from how we manage security risks overall to how we secure the infrastructure your data lives on.

5. How were the certifications obtained?

All three were awarded following independent audits conducted by an internationally accredited certification body. The process is rigorous and involves a thorough review of our policies, technical controls, and documentation. It is not self-certified.

6. How often are the certifications renewed?

ISO certifications require annual surveillance audits and a full recertification every three years. This means our compliance isn’t a one-time achievement; it is continuously verified and earned.


Your journey starts here

Guided onboarding

We offer guided onboardings to ensure smooth adoption, no matter your AI experience level.

Deep-dive sessions

We offer deep-dive sessions where we help you leverage Zeno best in your practice.

Dedicated support

We offer dedicated support across your full journey of adopting AI in your daily practice.
