They have a SOC 2, so literally an (external) auditor has looked at their data retention policies, and if your business is a customer you should request access to the report.
But does that matter legally for the health, finance and legal sectors? I am not familiar with the laws themselves, but I worked in finance for a long time and the internal rules were that sensitive data cannot move off premises no matter what the external party promised/had certified.
Yes, there are certifications for each of those sectors. Finance has PCI compliance, health has HIPAA.
For legal issues it's a bit more nuanced (e.g. New York State has guidelines about best practices, but they're honestly fairly sensible and would probably allow SOC 2 or equivalent).
The best thing anybody can do with your data is not store it for very long. Beyond that, they should take sensible measures, like encrypting it at rest, having policies restricting access, etc.
So it's hard to trust.