Noxtua

Europe's sovereign legal AI with its own European-trained legal LLM

vs

Spellbook

AI contract drafting and review directly inside Microsoft Word

Noxtua: 100% (Excellent), 25/25
Spellbook: 60% (Moderate), 15/25

Score Breakdown

Data Residency: Where is your data stored and processed?
Noxtua (5/5): Processing occurs exclusively on European infrastructure (Open Telekom Cloud by Deutsche Telekom and IONOS) with no connection to US cloud providers, plus an on-premise deployment option. Best-in-class EU data residency.
Spellbook (3/5): Data processed in US and Canada. Zero retention policy with OpenAI API prevents document storage for AI training. Limited EU data residency options may concern European law firms.

Legal Jurisdiction: Which laws govern the company and your data?
Noxtua (5/5): Incorporated in Germany as Noxtua SE (formerly Xayn AG), an EU/EEA entity with no US parent. Designed to meet German professional-secrecy law (§ 43e BRAO, § 203 StGB).
Spellbook (3/5): Incorporated in Ontario, Canada. Canadian privacy law (PIPEDA) provides reasonable protections. Canadian jurisdiction is generally considered acceptable for legal professionals handling confidential client data.

Data Retention & Training: Is your data used for model training?
Noxtua (5/5): Explicitly states customer data is never used to train, retrain or improve AI models, with sovereign/on-premise deployment and enterprise DPA-level controls. Specific configurable retention windows are not publicly detailed but the no-training and isolation posture is strong.
Spellbook (4/5): Strong data minimisation posture with zero data retention policy through OpenAI's API. Documents are not stored beyond the session, reducing exposure of sensitive legal content.

Certifications: ISO 27001, SOC 2, Cyber Essentials, etc.
Noxtua (5/5): Extensive published certification stack: ISO 42001 (first German company), ISO 27001, 27017, 27018, 9001, plus BSI C5 and TISAX. No SOC 2 (US-oriented), but European sector and AI-specific certifications exceed the baseline.
Spellbook (2/5): Holds SOC 2 Type II certification. Certification portfolio is limited for a tool handling highly sensitive legal documents; ISO 27001 certification would strengthen the trust posture.

Regulatory Fit: Suitability for regulated industries and professional services
Noxtua (5/5): Purpose-built for regulated EU legal work, explicitly meeting attorney confidentiality and professional-secrecy requirements, with backing from major law firms and legal publishers. Suitable for the most demanding EU regulated legal and public-sector use.
Spellbook (3/5): Good fit for North American law firms and corporate legal departments. Zero data retention aligns with attorney-client privilege requirements. Limited certifications may require additional due diligence for EU or highly regulated clients.

Total Score
Noxtua: 25/25
Spellbook: 15/25

Best For

Noxtua

Best for EU-headquartered organisations needing maximum data sovereignty; organisations requiring broad certification coverage (ISO 42001, ISO 27001, ISO 27017); regulated industries (BfDI, BaFin); privacy-conscious teams who need strong data retention controls; organisations that need self-hosted or on-premise deployment.

Spellbook

Best for privacy-conscious teams who need strong data retention controls.

Detailed Comparison

Noxtua vs Spellbook: Trust & Compliance Comparison

Noxtua (Noxtua, DE), Europe's sovereign legal AI with its own European-trained legal LLM, scores 25/25 overall with a Gold (Excellent) trust badge. Spellbook (Rally Legal, CA), AI contract drafting and review directly inside Microsoft Word, scores 15/25 with a Bronze (Moderate) trust badge.

Dimension-by-Dimension Breakdown

#### Data Residency

Noxtua leads with 5/5 vs 3/5.

Noxtua (5/5): Processing occurs exclusively on European infrastructure (Open Telekom Cloud by Deutsche Telekom and IONOS) with no connection to US cloud providers, plus an on-premise deployment option. Best-in-class EU data residency.
Spellbook (3/5): Data processed in US and Canada. Zero retention policy with OpenAI API prevents document storage for AI training. Limited EU data residency options may concern European law firms.

#### Legal Jurisdiction

Noxtua leads with 5/5 vs 3/5.

Noxtua (5/5): Incorporated in Germany as Noxtua SE (formerly Xayn AG), an EU/EEA entity with no US parent. Designed to meet German professional-secrecy law (§ 43e BRAO, § 203 StGB).
Spellbook (3/5): Incorporated in Ontario, Canada. Canadian privacy law (PIPEDA) provides reasonable protections. Canadian jurisdiction is generally considered acceptable for legal professionals handling confidential client data.

#### Data Retention & Training

Noxtua leads with 5/5 vs 4/5.

Noxtua (5/5): Explicitly states customer data is never used to train, retrain or improve AI models, with sovereign/on-premise deployment and enterprise DPA-level controls. Specific configurable retention windows are not publicly detailed but the no-training and isolation posture is strong.
Spellbook (4/5): Strong data minimisation posture with zero data retention policy through OpenAI's API. Documents are not stored beyond the session, reducing exposure of sensitive legal content.

#### Certifications

Noxtua leads with 5/5 vs 2/5.

Noxtua (5/5): Extensive published certification stack: ISO 42001 (first German company), ISO 27001, 27017, 27018, 9001, plus BSI C5 and TISAX. No SOC 2 (US-oriented), but European sector and AI-specific certifications exceed the baseline.
Spellbook (2/5): Holds SOC 2 Type II certification. Certification portfolio is limited for a tool handling highly sensitive legal documents; ISO 27001 certification would strengthen the trust posture.

#### Regulatory Fit

Noxtua leads with 5/5 vs 3/5.

Noxtua (5/5): Purpose-built for regulated EU legal work, explicitly meeting attorney confidentiality and professional-secrecy requirements, with backing from major law firms and legal publishers. Suitable for the most demanding EU regulated legal and public-sector use.
Spellbook (3/5): Good fit for North American law firms and corporate legal departments. Zero data retention aligns with attorney-client privilege requirements. Limited certifications may require additional due diligence for EU or highly regulated clients.

Certifications at a Glance

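| Certification | Noxtua | Spellbook |
|---|---|---|
| BSI C5 | Yes | No |
| ISO 27001 | Yes | No |
| ISO 27017 | Yes | No |
| ISO 27018 | Yes | No |
| ISO 42001 | Yes | No |
| ISO 9001 | Yes | No |
| SOC 2 Type II | No | Yes |
| TISAX | Yes | No |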

Overall Verdict

Noxtua has a clear trust advantage, scoring 25/25 compared to Spellbook's 15/25. Noxtua particularly excels in data residency, legal jurisdiction, data retention & training, certifications, and regulatory fit.

Frequently Asked Questions

Which is better for EU compliance, Noxtua or Spellbook?

Noxtua has a TrustKit score of 25/25 while Spellbook scores 15/25. Noxtua currently rates higher across data residency, legal jurisdiction, data retention, certifications, and regulatory fit.

How do Noxtua and Spellbook compare on data residency?

Noxtua scores 5/5 for data residency: processing occurs exclusively on European infrastructure (Open Telekom Cloud by Deutsche Telekom and IONOS) with no connection to US cloud providers, plus an on-premise deployment option, giving best-in-class EU data residency. Spellbook scores 3/5: data is processed in the US and Canada, a zero retention policy with the OpenAI API prevents document storage for AI training, and limited EU data residency options may concern European law firms.

Are Noxtua and Spellbook GDPR compliant?

Both tools are assessed across five compliance dimensions. Noxtua has a regulatory fit score of 5/5 and Spellbook scores 3/5. Check the full comparison above for a detailed breakdown.
