The Question That Should Have Been Asked First
Your firm's data security officer asks one question before signing the legal AI procurement: "Does the vendor train their models on our data?" The sales rep says "No, of course not." You sign. Three months later, a Wired investigation reveals the vendor's terms of service explicitly carve out "aggregated, anonymized" training rights — and your firm's confidential matter language is now in someone else's training corpus. This guide is the question list that should have been asked first.
How We Ranked Them
Most "best legal AI" lists are written by vendors or affiliates. This one isn't.
Everything in this security analysis follows four rules that govern all LawyerAI editorial content:
-
LawyerAI does not accept vendor payment that influences scores. The security assessments in this guide reflect our independent evaluation of vendor documentation, publicly available certifications, and Data Processing Agreements. No vendor relationship changes the scores we publish.
-
Every tool has real limitations — including the ones we recommend. Harvey AI has the strongest security profile of any tool assessed in this guide. It still requires your firm's outside counsel to review the DPA before signing. No tool passes every procurement question automatically.
-
Pricing is published transparently — if a vendor won't publish it, we say "not published." For security certifications and compliance postures, the same principle applies: if a vendor's SOC 2 report is not publicly available or accessible to prospective customers, we note that. Certifications you cannot verify are not certifications.
-
Accuracy data from independent third parties only — vendor self-reported figures are labeled as such. Security certification claims throughout this guide are labeled by source. "SOC 2 Type II (vendor-reported, report not publicly available)" means the vendor asserts certification but has not made the audit report available for independent review.
The Short Answer
The legal AI security question cannot be answered at the sales demo. It requires reading the Data Processing Agreement, verifying certifications against published audit reports, and asking specific technical questions about data residency, subprocessors, and training data practices. Vendors who give evasive answers to specific questions are telling you something important.
The tools with the strongest independently verifiable security postures in this assessment are Harvey AI, Lexis+ AI, and LegalFly. Each has SOC 2 Type II, explicit no-training-on-customer-data commitments in their DPAs, and data residency specificity. Spellbook and GC AI are adequate for mid-market firms. The 20-point checklist in Chapter 5 is the framework your procurement team needs before any legal AI contract is signed.
Our 5-Dimension Methodology
LawyerAI evaluates every tool across five dimensions: Accuracy, Speed, Usability, Value, and Security. For this security-focused analysis, Security is the controlling dimension. The Security score at /methodology reflects certification status, DPA commitments, data residency specificity, and training data practices. A full explanation of how each dimension is scored is at /methodology.
Security scores in this guide are derived from: publicly available SOC 2 Type II reports or vendor attestation, DPA language analysis, data residency documentation, and third-party security assessments where available. Scores reflect the posture at time of writing and will be updated when certifications are renewed or DPA terms change.
At a Glance
| Vendor | SOC 2 Type II | ISO 27001 | No Training Commitment (DPA) | EU Data Residency | Security Score |
|---|
| Harvey AI | Yes | Yes | Yes (explicit) | Available | 5.0/5.0 |
| Lexis+ AI | Yes | Not published | Yes (explicit) | Limited | 5.0/5.0 |
| LegalFly | Yes | Yes | Yes (explicit) | Yes (default) | 5.0/5.0 (EU firms) |
| GC AI | Yes | Not published | Yes | Not available | 4.5/5.0 |
| Spellbook | Yes | Not published | Yes | Via Azure | 4.0/5.0 |
Table current as of May 2026. ISO 27001 status and EU data residency confirmed from vendor documentation and DPAs reviewed by LawyerAI. "Not published" means the certification was not available for independent verification as of this report's lastReviewedAt date.
Deep Dive: The Anatomy of Legal AI Security Risk
Chapter 1: The "Training on Customer Data" Question — and 4 Ways Vendors Evade It
The single most important question in legal AI procurement is also the one vendors are most practiced at evading. "Do you train your models on our data?" sounds direct. The answer almost always sounds like "no." Understanding the four standard dodge patterns is the prerequisite for asking the question in a way that produces a meaningful answer.
Dodge 1: "We use anonymized data."
Anonymization is the most common deflection. The vendor concedes that data is used but claims the anonymization makes it non-confidential. The problem is that legal matter anonymization is substantially harder than demographic data anonymization, and reversibility is well-documented in the technical literature.
Client names, opposing counsel names, transaction values, and party identities can be stripped from documents. But legal documents contain matter-specific language patterns — the specific way a firm drafts force majeure provisions, the particular clause structures used in a client's standard NDAs, the argumentation patterns in a litigation team's briefs — that survive anonymization and remain identifiable to sophisticated inference. A model trained on "anonymized" documents from a firm with a distinctive drafting style has, in a meaningful sense, learned that firm's confidential practices.
The follow-up question: "Show us the specific anonymization methodology in your Data Processing Agreement, and explain how your methodology handles re-identification risk for legal document patterns."
Dodge 2: "We use aggregated data."
"Aggregated" is often presented as equivalent to "anonymized" — the implication being that if your data is aggregated with other firms' data, your confidential information becomes indistinguishable from the mass. This is technically inaccurate. Aggregate training on a corpus that includes your firm's documents still exposes patterns, matter characteristics, and confidential context to model training. The model cannot distinguish "this firm's confidential document" from "another firm's confidential document" — but it has learned from both, and the training influence from your documents persists in the model.
The follow-up question: "Does 'aggregated' mean our firm's documents are excluded from training inputs entirely, or does it mean they are mixed with other data in training? These are different things."
Dodge 3: "You can opt out."
Opt-out by default is the standard that protects no one who hasn't noticed the problem. If a legal AI vendor's default setting trains on customer data and requires an affirmative opt-out action, then every customer who doesn't specifically request opt-out is contributing to the training corpus. In enterprise software procurement, the time between contract signature and active opt-out configuration can be weeks or months — during which the firm's data is in the training pipeline.
The standard to demand is opt-in by default: the vendor does not use customer data for training unless the customer affirmatively agrees. This is the model used by the vendors with the strongest security profiles in this assessment.
The follow-up question: "Is opt-out-of-training the default state for new accounts, or must we affirmatively opt out? What is the earliest date on which training on our data could begin after contract signature?"
Dodge 4: "We use customer-isolated fine-tuning."
Fine-tuning is the process of training a model specifically on a customer's data to improve its performance on that customer's tasks. Vendors sometimes offer this as a feature — "we fine-tune the model on your documents to make it better for your firm." The security issue is that fine-tuned models can leak information from the fine-tuning corpus to other users through model outputs, especially if the fine-tuned model is then further trained or updated.
Customer-isolated fine-tuning, where the fine-tuned model is used only for that customer and never contributes to the shared model, is secure in principle. But "isolated fine-tuning" claims require scrutiny — specifically, how the vendor manages model updates after fine-tuning, and whether the fine-tuned weights are ever merged back into a shared base model.
The follow-up question: "If you fine-tune a model on our data, are those weights ever used in any model that serves other customers? How do you manage the isolation of fine-tuned parameters across model updates?"
How to verify any of these answers: ask for the exact language in the Data Processing Agreement (DPA). Verbal assurances from sales representatives are not binding. The DPA is the document your firm's outside counsel will review before signing, and it is the document that governs data use after the contract is executed. If the vendor cannot point to specific DPA language that prohibits training on customer data, the verbal assurance is not protection.
Chapter 2: Where Your Data Actually Lives — Data Residency Reality
"US-based servers" appears in the marketing materials of almost every legal AI vendor serving the US market. It means less than it implies, and understanding the gap between the marketing claim and the operational reality is essential for firms with cross-border matters, EU clients, or data sovereignty obligations.
The CDN problem. Content delivery networks are used by almost every large SaaS provider to reduce latency by caching content geographically close to users. When your firm's London attorneys use a "US-based" legal AI tool, the request may be routed through a CDN node in Frankfurt, Amsterdam, or London — meaning query data and response data transit through EU infrastructure. Whether this constitutes "processing" in the EU sense under GDPR is a legal question; whether it means data leaves the US is a factual question with an answer that is often yes.
The subprocessor problem. Legal AI vendors are built on top of infrastructure services: AWS, Microsoft Azure, Google Cloud Platform, and others. Each of these providers operates in multiple regions globally. A vendor whose primary compute is in us-east-1 (AWS Northern Virginia) may use subprocessors — logging services, monitoring tools, security vendors — that process data in other regions. The vendor's "US-based" claim refers to their primary infrastructure, not the full data path including subprocessors.
The right question is not "Where are your servers?" but "In which specific AWS, Azure, or GCP regions is my firm's data processed and stored, and who are all your subprocessors with access to that data?"
The EU data residency question under Schrems II. The Court of Justice of the European Union's Schrems II ruling (C-311/18) established that even US vendors claiming EU data residency may not satisfy GDPR adequacy requirements if US government access to the data is possible under US law. For EU-headquartered law firms or firms handling EU client data, "EU data residency" is not sufficient — the question is whether the vendor's legal structure and contractual commitments satisfy the Schrems II standard for data transfer protection.
LegalFly is the only tool in this assessment that is GDPR-native with EU data residency by default and no US subprocessors. For EU law firms or any firm handling significant EU client data, this is a structural advantage that other tools cannot match through contractual workarounds. Full analysis of data residency requirements is at /glossary/data-residency.
The inference infrastructure problem. Several legal AI vendors use globally distributed inference infrastructure — AI compute capacity that is provisioned where it is cheapest or where capacity is available at the moment of request. When query volume spikes, inference may be routed to non-US endpoints. Vendors with "US-based servers" may still route AI processing requests to non-US inference infrastructure during peak demand.
The right procurement question: "Is your AI inference infrastructure geographically fixed, or does it route dynamically based on demand? If dynamic, what contractual guarantees exist that inference never occurs outside specified regions?"
Chapter 3: Security Certifications — What They Actually Mean
Security certifications are the first thing legal AI vendors present in procurement conversations. They are also the most commonly misunderstood. A certification tells you that the vendor's security controls were assessed by a qualified auditor. It does not tell you everything you need to know to make a safe procurement decision.
SOC 2 Type II. System and Organization Controls 2 is the baseline enterprise security certification for SaaS vendors. It covers five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type II report covers a period of six to twelve months, meaning the auditor assessed the vendor's controls over an extended period — not just at a single point in time.
Type I versus Type II is a critical distinction. A SOC 2 Type I report assesses controls at a single point in time. Type II assesses whether those controls operated effectively over the review period. Always ask for Type II. A vendor with only a Type I SOC 2 has passed a snapshot assessment, not an operational audit. In a procurement context, Type I SOC 2 is not equivalent to Type II.
What SOC 2 does not cover: whether the vendor trains on your data. The SOC 2 framework does not assess training data practices. A vendor can have a clean SOC 2 Type II report and still train on customer data, because training data practices are governed by contract terms (the DPA), not SOC 2 controls. SOC 2 is necessary but not sufficient for legal AI procurement.
ISO 27001. The International Organization for Standardization's 27001 standard is a broader information security management system certification. It includes risk management framework requirements that SOC 2 does not mandate, making it more comprehensive for firms with international operations. ISO 27001 is the standard most relevant for EU law firms operating under GDPR, and it is the certification required by many enterprise procurement processes outside the US.
Of the tools assessed in this report, only Harvey AI and LegalFly have confirmed ISO 27001 certification. For /solutions/big-law firms with international client bases, ISO 27001 should be a procurement requirement alongside SOC 2 Type II.
HIPAA. The Health Insurance Portability and Accountability Act is relevant only if the law firm handles matters involving protected health information (PHI). Healthcare litigation, healthcare M&A, and health regulatory work may bring attorneys into contact with PHI, triggering HIPAA compliance requirements for any tool that processes that data. HIPAA compliance is a specialized requirement; most legal AI tools have not undergone HIPAA assessment.
What certifications confirm and what they do not. Certifications confirm that the vendor has process controls that were operating effectively during the audit period. They do not guarantee that your data is safe from AI training, that data residency commitments are honored in practice, or that the vendor has not had a security incident since the last audit. The certification is the floor, not the ceiling, of security assessment.
Chapter 4: Encryption — The Fine Print
Encryption claims appear in virtually every legal AI vendor's security documentation. The claims are often technically accurate and operationally misleading simultaneously. Understanding what encryption protects and what it does not is essential for assessing real data exposure risk.
In-transit encryption. TLS 1.2 or higher encryption of data moving between your firm's devices and the vendor's infrastructure is table stakes. Every serious legal AI vendor uses it. It protects against network interception of data in transit. It is not a differentiator among vendors; its absence would be disqualifying.
At-rest encryption. AES-256 encryption of data stored in the vendor's databases and storage systems is also standard. It protects against unauthorized access to stored data — meaning that if someone broke into the vendor's storage systems, they would encounter encrypted data rather than plaintext. This is meaningful protection against certain attack vectors. It is also standard practice and not a differentiator.
Encryption "in use" — the hard part. When the AI is actively processing your data — analyzing a document, generating a response, running inference — the data must be decrypted. The encryption that protects stored data does not protect data that is actively being processed by the AI model. This is the phase of highest exposure risk: the AI must be able to read the data to process it, which means the data exists in plaintext in the inference environment.
The security controls that apply during inference — access controls on the inference environment, isolation of customer data during processing, audit logging of what was processed — are the controls that matter most for confidentiality during active use. Ask vendors specifically: "What controls govern access to customer data during active AI inference? Is the inference environment isolated per customer, or is it shared?"
Customer-managed encryption keys. The gold standard for enterprise encryption is customer-managed keys (CMK): the customer holds the encryption keys, and the vendor cannot decrypt data without the customer's keys. This means that even if the vendor's systems are compromised, or if the vendor's employees attempt unauthorized access, the data remains protected because the keys are not in the vendor's possession.
CMK is not common among legal AI vendors as of May 2026. Harvey AI offers CMK for enterprise deployments. It should be demanded by any /solutions/big-law firm or government legal department deploying legal AI at scale. For mid-market firms, CMK may not be available at accessible price points, making the alternative security controls — audit logging, access restrictions, no-training DPA commitments — more important.
Audit logs. Encrypted data should be accompanied by audit trails that document who accessed what data and when. Audit logs serve two purposes: detection of unauthorized access and evidence for incident response. Ask whether audit logs are available to the customer (not just to the vendor), how long they are retained, and whether they can be exported for integration with the firm's SIEM or security monitoring system.
Chapter 5: The 20-Point Security Checklist for Legal AI Procurement
The following checklist should be completed before any legal AI contract is signed. Items 1-12 are minimum requirements for any firm. Items 13-20 are enterprise requirements for Am Law 100 firms, government legal departments, and firms handling highly sensitive matter categories.
- Does the vendor have SOC 2 Type II certification (not Type I)?
- Does the vendor have ISO 27001 certification?
- Does the DPA explicitly prohibit training on customer data in binding contractual language?
- Is data residency specified by AWS, Azure, or GCP region (not just "US-based" or "EU-based")?
- Who are all subprocessors, what data do they access, and in which regions do they operate?
- Is opt-out-of-training the default state for new accounts, or must the customer affirmatively opt out?
- Does the vendor offer customer-managed encryption keys (CMK) for enterprise deployments?
- What is the data retention period after contract termination, and is it specified in the DPA?
- Are audit logs available to the customer, exportable, and retained for a minimum of 12 months?
- Has the vendor completed a penetration test by an independent third party in the last 12 months?
- What is the incident response SLA — specifically, the maximum time to customer notification after confirmed breach?
- Does the vendor maintain cyber liability insurance, and what are the coverage limits?
- Is the AI model isolated per customer, or does the inference environment serve multiple customers simultaneously?
- Are there contractual protections specifying what happens to your firm's data if the vendor is acquired?
- What happens to your firm's data — and fine-tuned model weights, if applicable — if the vendor ceases operations?
- Does the vendor have a designated EU representative for GDPR compliance purposes if they process EU personal data?
- Are there export control obligations on the AI model or its outputs under ITAR or EAR?
- Can your firm request deletion of any training contributions made before a no-training DPA was in place?
- Is there a dedicated security contact for enterprise customers, or is security handled through general customer support?
- Has the vendor's full DPA been reviewed and approved by your firm's outside counsel or data privacy specialist?
Items 1, 3, 4, 8, 10, and 11 are disqualifying if the vendor cannot provide satisfactory answers. For firms in regulated sectors (financial services, healthcare), items 16 and 17 may also be disqualifying thresholds. The checklist is available for download at /methodology alongside the full scoring rubric.
This chapter assesses the five tools most relevant to this security analysis. These assessments reflect security posture specifically — not overall product capability. A tool with a 5.0/5.0 security score may still score lower on accuracy, speed, or value. Cross-reference with full tool reviews for complete assessments.
Harvey AI — Security Score: 5.0/5.0
Harvey AI has the most comprehensively documented security posture of any legal AI tool reviewed by LawyerAI. Its security profile includes SOC 2 Type II, ISO 27001, an explicit no-training-on-customer-data commitment in its standard DPA, customer-managed encryption key options for enterprise deployments, and zero data retention configuration availability.
Harvey's deployment across US federal government agencies — including its reported use by several executive branch legal departments — has required it to meet security standards that exceed typical commercial SaaS requirements. The government deployment track record provides independent validation that Harvey's security controls are operationally effective, not just documented.
DPA language: Harvey's standard enterprise DPA explicitly prohibits training on customer data without affirmative customer consent and provides for zero data retention after session termination. Enterprise customers can negotiate CMK and enhanced audit logging as add-ons.
Limitations: Harvey AI pricing is not published. Enterprise contracts are negotiated, and the security features that justify a 5.0/5.0 score — CMK, zero data retention, ISO 27001 — are enterprise-tier features that may not be available or may cost significantly more at lower contract tiers. Mid-market firms should verify which security features are included at their specific tier. Full review at /item/harvey-ai. Compare security postures at /compare/harvey-vs-legalfly.
Lexis+ AI — Security Score: 5.0/5.0
LexisNexis has operated enterprise security infrastructure for law firm customers for decades, and Lexis+ AI inherits that institutional security posture. SOC 2 Type II is current and the report is available to enterprise customers under NDA. The DPA explicitly prohibits training on customer query data and document uploads.
Lexis+ AI's security is supported by LexisNexis's broader enterprise infrastructure, which serves law firms, corporations, and government agencies with significant data sensitivity requirements. The long track record of enterprise legal data handling is a meaningful differentiator from newer entrants.
EU data residency: LexisNexis operates US-based infrastructure for its primary US products. EU firms handling EU personal data in Lexis+ AI should review the Schrems II compliance question with outside counsel before deployment. LexisNexis has Standard Contractual Clauses in place for EU data transfers, but the adequacy of those SCCs under current GDPR interpretation is a legal question, not a LawyerAI editorial determination.
Pricing: starts at $149/month (vendor-reported) for basic tier. Enterprise pricing not published; negotiated. Full review at /item/lexis-plus-ai. EU firms should read the /glossary/gdpr glossary entry before procurement.
LegalFly — Security Score: 5.0/5.0 (EU firms)
LegalFly is GDPR-native by design, which means its security architecture was built around EU data protection requirements from the ground up rather than retrofitting US-built infrastructure for GDPR compliance. EU data residency is the default — not an option or an add-on. LegalFly does not use US subprocessors, which addresses the Schrems II problem at the infrastructure level rather than the contractual level.
ISO 27001 certification is current. SOC 2 Type II has been obtained as well, making LegalFly one of two tools in this assessment with both certifications. For EU-headquartered law firms, or any firm handling significant EU client data, LegalFly's security posture is structurally superior to US-headquartered alternatives.
LegalFly's compliance with Article 53 of the EU AI Act — which requires high-risk AI systems used in legal contexts to meet specific transparency and robustness requirements — provides an additional compliance layer relevant for EU-regulated firms. Full analysis of EU AI Act requirements for law firms is at /glossary/eu-ai-act.
Limitations: LegalFly's geographic strength is its limitation for US-only firms. Its corpus coverage for US case law research is less comprehensive than Westlaw or Lexis, and its AI features are optimized for EU legal frameworks. For US-only practices, the security advantages are real but the product may not be the best fit for research tasks. Full review at /item/legalfly.
GC AI — Security Score: 4.5/5.0
GC AI is designed for in-house legal teams, where the buyer is typically a corporate legal department with its own security and compliance requirements. Its SOC 2 Type II certification is current. The DPA includes explicit no-training-on-customer-data commitments. Enterprise SLA terms are maturing — GC AI was founded in 2023, and its enterprise security infrastructure reflects a company that is in the process of building to the standards of a mature enterprise vendor rather than one that has operated at enterprise scale for years.
The 4.5/5.0 score reflects the gap between current certification status (strong) and enterprise-grade audit logging and incident response SLA maturity (still developing). Firms with standard mid-market security requirements will find GC AI's posture adequate. Am Law 100 firms or firms with government contracts requiring FISMA compliance should conduct additional due diligence on the enterprise SLA terms before signing.
EU data residency is not currently available. In-house teams handling EU client data should review the standard DPA's data transfer provisions with outside counsel. Full review at /item/gc-ai.
Spellbook — Security Score: 4.0/5.0
Spellbook is built on Microsoft Azure infrastructure, which provides enterprise-grade security fundamentals. SOC 2 Type II is current. The DPA includes no-training-on-customer-data commitments, and Microsoft Azure's enterprise security controls — audit logging, access management, encryption — are available at Spellbook's enterprise tier.
The 4.0/5.0 score reflects two limitations. First, Spellbook's security controls are Azure-inherited rather than custom-built for legal AI specifically — the audit logging, access controls, and incident response capabilities are Microsoft's, not Spellbook's own. Second, Spellbook is primarily a contract drafting tool for SMB and mid-market legal teams, and its enterprise security controls — particularly around audit log exports and SIEM integration — are less mature than enterprise-first tools like Harvey AI.
For solo practitioners and small firms (fewer than 20 attorneys), Spellbook's security posture is adequate and its Azure infrastructure provides a solid compliance baseline. For large firms with formal security vendor assessment requirements, the less mature enterprise audit capabilities may require additional scrutiny. The /glossary/soc-2 glossary entry explains how to interpret Spellbook's SOC 2 report in the context of its Azure infrastructure dependency. Full review at /item/spellbook.
Which One Is Right for You?
The right legal AI security profile depends on your firm's risk posture, client base, and regulatory environment. Use the decision tree below to identify the minimum security requirements for your situation.
Branch 1: Am Law 100 / Large Enterprise Firm
Require ISO 27001 in addition to SOC 2 Type II. Require customer-managed encryption keys. Require explicit DPA no-training prohibition with binding contractual language. Require 12-month audit log retention with customer access. Negotiate incident response SLA (48-hour notification maximum). Have outside counsel review DPA before signing. Tools meeting these requirements: Harvey AI, LegalFly (EU operations). /solutions/big-law has additional enterprise procurement guidance.
Branch 2: Mid-Size Firm (20–200 attorneys)
SOC 2 Type II minimum. DPA with explicit no-training language. Data residency specified by region. Audit logs available to customer. Penetration test within 12 months. Tools meeting these requirements: Harvey AI, Lexis+ AI, GC AI, Spellbook. Outside counsel DPA review is recommended but not always required at this tier — assess based on matter sensitivity.
Branch 3: EU-Headquartered or EU-Client-Serving Firm
GDPR-native architecture with EU data residency by default. No US subprocessors, or Standard Contractual Clauses with Schrems II analysis. ISO 27001 preferred. EU AI Act Article 53 compliance review for high-risk applications. DPA in GDPR Article 28 compliant form. Only LegalFly meets all of these requirements by default. Harvey AI can meet most with appropriate DPA negotiation. See /glossary/gdpr and /glossary/eu-ai-act for the regulatory framework.
Branch 4: Solo Practitioner or Small Firm
SOC 2 Type II minimum — do not accept a vendor without it. Read the DPA's training data section before signing; do not rely on verbal assurances. Do not use tools that default to opt-in for training. Spellbook or Lexis+ AI are appropriate at this size. Zero data retention is available on some tools for additional security without enterprise pricing. The /glossary/zero-data-retention glossary explains what zero data retention means in practice.
FAQ
1. How do I know if my AI vendor is training on my firm's data?
The only reliable way to know is to read the Data Processing Agreement, not the privacy policy and not the sales deck. Specifically, look for the section governing "training," "model improvement," "product improvement," or "machine learning" — vendors use different terminology. The DPA should contain explicit language stating that customer data is not used for training without affirmative customer consent. If the DPA is silent on training, or if it contains a carve-out for "anonymized" or "aggregated" data, your data may be in the training corpus. Ask the vendor to provide the specific DPA section that prohibits training on your firm's data, in writing. If they cannot point to specific DPA language, the verbal assurance is not protection.
2. What's the difference between SOC 2 and ISO 27001 for legal AI?
SOC 2 is a US standard developed by the American Institute of CPAs, primarily used by SaaS companies serving US enterprise customers. ISO 27001 is an international standard with broader geographic recognition and a more comprehensive risk management framework requirement. For US-only firms, SOC 2 Type II is the baseline requirement. For firms with EU operations, international clients, or government contracts, ISO 27001 provides broader coverage and is recognized by EU procurement processes. Both standards assess security controls; neither specifically addresses AI training data practices, which must be covered in the DPA separately. Always ask for Type II (not Type I) SOC 2 — the distinction between a point-in-time audit and an operational audit over a sustained period matters significantly for procurement decisions. Full comparison at /glossary/soc-2.
3. If my vendor says "zero data retention," what does that actually mean?
Zero data retention means the vendor does not retain query data, document uploads, or responses after the session ends. Your data is processed and then deleted — it is not stored in the vendor's systems after the session terminates. This eliminates the risk of stored data being used for training, being exposed in a future breach, or being retained after contract termination. Zero data retention is the strongest available protection against data exposure over time. The practical limitation: zero data retention means the vendor also cannot retain your conversation history, which affects features like research session continuity and document version history. Some tools offer zero data retention as a configurable option that trades features for security. Full explanation at /glossary/zero-data-retention.
4. Can client confidential communications be exposed through AI training?
Yes, if the vendor trains on customer data and the confidentiality of that training corpus is not guaranteed. The exposure mechanism is not a data breach — it is the model learning patterns, language, and content from your firm's confidential documents and reproducing those patterns (even if not verbatim) in responses to other customers' queries. The risk is not that your client's name appears in another firm's AI response. The risk is that confidential deal structures, litigation strategy elements, or privileged legal analysis may influence model outputs in ways that are not obviously attributable to your firm but that constitute a confidentiality breach under attorney-client privilege standards. This is why the DPA no-training commitment is not a compliance checkbox — it is a professional responsibility requirement.
5. What contractual protections should we require before signing a legal AI contract?
Five minimum contractual protections for any law firm signing a legal AI contract: (1) Explicit DPA prohibition on training on customer data, in binding contract language, not just policy documents. (2) Data residency specified by region with named subprocessors and their access scope. (3) Data deletion obligation within 30 days of contract termination, covering all customer data including logs and backups. (4) Incident notification SLA — the maximum time the vendor has to notify your firm of a confirmed breach involving firm data. (5) Acquisition clause specifying that the no-training and data deletion obligations survive any acquisition of the vendor by a third party. These five provisions are the contractual floor; your firm's outside counsel should review the full DPA for additional protections specific to your matter sensitivity and client requirements.
Editorial Independence
LawyerAI evaluations are independent. We do not accept payment that influences our editorial scores. Featured placements (when introduced) will be clearly labeled and will not affect our 5-dimension scoring methodology. Our rankings reflect product reality at time of writing — we re-review every quarter and update lastReviewedAt accordingly.
If you spot an error, email editorial@lawyerai.directory. We correct in public and credit the reporter.
