Kingsfield Connect the Judge
Kingsfield · Trust posture

Architectural Commitment is the artifact, not an auditor's paid letter.

Why a SOC 2 report does not answer the privilege question for legal AI.

When you send a matter to a cloud AI tool, the vendor hands you a SOC 2 report and the conversation is supposed to end there. It shouldn't. A SOC 2 report attests that one vendor followed its own controls during an audit window. Your client's confidences travel much further than that one vendor. Follow the path a single prompt actually takes.

WHAT A SOC 2 REPORT ATTESTS — ONE VENDOR, DURING THE AUDIT WINDOW the red path is your client's PII, in the clear, the entire way PERSISTENT STORE PERSISTENT STORE ...and every sub-processor each layer calls OUTSIDE THE SOC 2 BOUNDARY — THE LETTER IS SILENT ON THESE CDN WAF provider hyperscaler compute GPU operator logging platform billing database moderation API Your prompt + client PII names, matter facts, account numbers 01 API gateway TLS / WAF / auth / rate-limit / validate ~5ms 02 Load balancer Envoy / NGINX to GPU clusters ~2ms 03 Tokenization text to BPE token IDs ~3ms 04 Model router capability-aware queue 05 Inference engine prefill / KV-cache / decode / GPU 250-300ms THE MODEL IS ONE LAYER 06 Post-processing sampling + safety models + format ~5ms 07 Response & billing usage written to data warehouse 08 Logging & observ. request body + ids + timestamps logged Answer returns and the prompt now rests in logs & caches

One prompt, ~400ms, fourteen infrastructure layers. The model is one box on the path. Your client's PII rides through, and comes to rest in, the rest, plus every sub-processor outside the dashed line. A SOC 2 report covers the front-most vendor. It does not cover the journey.

Why the letter doesn't answer the question

A SOC 2 Type II report is a real document about a real thing. It is just not the thing a privilege analysis turns on. Four reasons.

01The PII doesn't stop at the vendor boundary.

Once the prompt enters the API gateway, it travels to every sub-processor each subsystem depends on: CDN, WAF, hyperscaler compute, GPU operator, logging platform, billing database, moderation API. The vendor's SOC 2 report says nothing about what those parties do with the bytes once they arrive.

02Each layer is a real handler with its own breach surface.

The observability pipeline logs the request body. The billing warehouse records token-level usage. Both are persistent stores of prompt content that live outside the model, and each inherits the trust posture of whoever operates it.

03The safety boxes are themselves models.

The moderation and safety-filter layers ingest the prompt to classify it. Each is its own model, with its own training-data retention, its own sub-processor chain, and its own audit boundary. The vendor's letter does not bind them.

04A past audit window does not cover this morning's call.

SOC 2 Type II is retrospective and periodic. A busy firm puts tens of thousands of prompts through this pipeline between audit periods. The attestation describes processes that existed at audit time, not what touched the specific bytes of your privileged document today.

What Kingsfield does instead

We do not try to win the attestation contest. We remove the thing the attestation was invented to reassure you about.

A cloud legal-AI tool

Client PII enters layer 1.

The raw prompt, identifiers and all, crosses into the pipeline above. Every box, every log, every sub-processor handles it. The SOC 2 letter is the only thing standing in for inspection, and it covers one box.

Kingsfield

Only tokens enter layer 1.

Client identifiers are stripped on your own machine before anything leaves, and a fail-closed firewall rejects anything PII-shaped at the judge's door. Every box on the path still runs. None of them sees the client's PII, because what entered the gateway was already tokens.

Two gates, both outside the cloud. A tokenizer on the lawyer's own computer strips client identifiers before egress, and a lawyer-confirmed egress gate shows the outbound payload before it sends. At the judge's ingress, a default-deny firewall rejects any submission in which PII is detected. The cloud holds no token-to-PII map, so client names are restored only on your machine, on a clean verdict.

Nothing to attest, because nothing is there. No client matters, documents, or PII are stored in the cloud. A tenant is an authentication identity and a usage counter. The one durable record is the PII-free Audit Capsule chain. That is why the DPA's scope is near-empty by design: it is a selling point, not a gap.

The same move, on the other trust gap

A SOC 2 letter is a confident absolute about privilege. "Built so it cannot hallucinate" is the confident absolute about accuracy. The architecture underneath does not support that one either.

A tool that drafts legal work runs on a large language model, and language models hallucinate. Some tools add a citation filter: before a citation goes out, they confirm the case exists in a corpus. That is worth having. It catches the fabricated case name, the citation to nothing, the Mata v. Avianca failure. It is not the same thing as "cannot hallucinate," because whether a case exists is only one of the things a citation can get wrong.

Four hallucinations a real-case existence check passes clean:

01The wrong holding.

A real case cited for a proposition it does not support. The case exists, so the check passes. The citation is still false. Confirming that a case is real says nothing about whether it says what the brief claims.

02Law that is no longer good.

A real, citable case that has been overruled or superseded. It exists, so it passes. An existence check has no view on treatment, and without a citator, bad law reads as good law.

03The altered quote.

A real case quoted with language it does not contain, or a pinpoint to a page that does not hold the proposition. The reporter is real; the words are not.

04Everything that is not a citation.

The factual narrative, the statutory reading, the analysis, the strategy. None of it is a citation, so none of it enters the check. The largest part of a memo is never looked at.

Every legal LLM hallucinates. A citation filter is itself the admission of it. No one builds a checker for a writer that cannot get things wrong. So Kingsfield rules on the output.

A verdict on every citation. Each citation, quote, and proposition is adjudicated against the corpus: does the cite exist, is the quote exact, does the authority support the claim, is the case still good law. Accept, Reject, or Inconclusive, per citation, signed into the Audit Capsule.

The artifacts

A firm doing diligence does not have to take the architecture on faith. These are the documents that back it.

Data Processing Agreement

Near-empty scope by design, because no PII reaches the cloud. A working draft, open for review.

Draft · available now
Privilege

The architecture facts a firm's own counsel uses to assess whether using Kingsfield preserves privilege and work-product.

Firm-led
Audit Capsule

Every verdict signed and hash-chained, content-addressable, and PII-free. Verifiable without trusting our tooling.

Shipped
PII Tokenizer

The local application that strips client identifiers before egress and holds the map on your machine.

The first gate

Read the architecture in one line

They can publish a diagram of every system your client's PII passes through before the model even sees it. We send the model tokens instead.

See how it works Contact WalkerNash