Why Security Diligence Is Distinct for AI Contract Review
Traditional legal software procurement — document management systems, practice management platforms, e-discovery tools — follows a well-worn security evaluation path. You verify the vendor's SOC 2 report, review their data center certifications, sign a standard data processing agreement, and move on. AI contract review tools break that model in three fundamental ways that most procurement processes fail to account for.
First is the training data problem. Unlike a document management system where your data sits in an encrypted bucket and is never touched by the vendor's algorithms, AI contract review tools send your contracts — often containing trade secrets, pricing terms, M&A provisions, and personally identifiable information — through large language models. The question of whether those models are trained on your data after processing is not a theoretical concern; it is the single most consequential contractual term in any AI contract review deal. The only acceptable answer for enterprise-grade platforms is a contractual commitment to zero data retention with model providers, meaning your data is not used for model training or improvement and is deleted immediately after processing.
Second is the third-party model provider ecosystem. Most AI contract review tools do not run their own large language models. They rely on API access to models hosted by OpenAI, Anthropic, Google, or other providers. This creates a subcontractor chain that traditional software procurement rarely encounters. Your data may pass through the vendor's infrastructure, then through the model provider's API, and potentially through model provider sub-processors. Each hop introduces additional exposure points that must be contractually controlled.
Third is the model exposure risk. Even when a vendor commits to zero data retention, the act of inference itself carries risk. Model inversion attacks — where an adversary can reconstruct training data from model outputs — are an active area of security research. For highly sensitive contracts (M&A due diligence, patent licensing, government procurement), the mere fact that your data passed through a shared model infrastructure may be unacceptable. This is why private instance deployment and, increasingly, confidential computing environments are emerging as the gold standard for the most security-conscious legal teams.
The market data underscores the urgency. A Thomson Reuters 2023 survey found that 31% of legal departments are already using AI for contract analysis and review, with another 24% planning to implement within 12 months. The global legal AI market is projected to reach $3.90 billion by 2030 at a 17.3% compound annual growth rate. As adoption accelerates, the security diligence gap will widen — unless GCs and compliance officers build the evaluation frameworks their organizations need.
The Certification Landscape Decoded: SOC 2, ISO 27001, GDPR, and ISO 42001
Security certifications are the first thing procurement teams ask for and the last thing they actually understand. For AI contract review, the certification landscape is more complex than a simple checklist because no single certification covers all the risks introduced by AI processing. Here is what each major certification actually verifies — and, more importantly, what it leaves unaddressed.
| Certification | What It Verifies | Assessment Duration | AI-Specific Coverage | Key Gap |
|---|---|---|---|---|
| SOC 2 Type I | Design of security controls at a single point in time | Point-in-time snapshot | None | Does not test whether controls actually operate effectively over time |
| SOC 2 Type II | Operational effectiveness of security controls over a period of 6+ months | 6–12 months of continuous monitoring | None | Does not verify AI-specific training data policies or model governance |
| ISO 27001 | Information security management system (ISMS) — policies, procedures, risk management | 3–12 months for implementation, annual audits | None | Focuses on management system, not technical AI controls |
| GDPR Compliance | Data protection principles, lawful processing, data subject rights, cross-border transfer mechanisms | Ongoing obligation, not a one-time certification | Covers personal data processing but not contract data that lacks personal identifiers | Does not address model training on non-personal commercial data |
| ISO 42001 | AI management system — risk assessment, transparency, accountability for AI systems | Emerging standard, implementation timelines vary | Yes — specifically designed for AI governance | New standard with limited adoption; certification infrastructure still developing |
The critical distinction for GCs is between SOC 2 Type I and Type II. A vendor that holds only SOC 2 Type I has demonstrated that their security controls look good on paper at a single moment. A vendor with SOC 2 Type II has proven that those controls actually functioned effectively over a sustained period — typically six months or more. For any tool handling client confidential contract data, SOC 2 Type II should be the minimum acceptable standard. Type I is a starting point, not a destination.
ISO 42001, published in late 2023, is the first international standard specifically designed for AI management systems. It requires organizations to establish AI risk assessment processes, document transparency measures, and implement accountability frameworks. While adoption is still limited — few AI contract review vendors currently hold ISO 42001 certification — it represents the direction of travel for AI-specific governance. GCs should ask vendors about their roadmap for ISO 42001 certification as a leading indicator of AI governance maturity.
GDPR compliance is often treated as a checkbox, but for AI contract review it carries specific implications. Even when contracts do not contain personal data (many commercial contracts do not), the GDPR's principles around data minimization, purpose limitation, and cross-border transfer restrictions provide a useful framework for evaluating any vendor's data handling practices. For vendors processing contracts that do contain personal data — employment agreements, consumer contracts, healthcare provider agreements — GDPR compliance is legally mandatory, not optional.
Five Critical Security Questions Every GC Must Ask Vendors
Feature comparisons and pricing negotiations dominate most AI contract review procurement cycles. Security diligence is often deferred to a separate infosec questionnaire that arrives late in the process and is reviewed by IT staff who may not understand the specific risks of AI model inference. The following five questions should be asked early — ideally during the initial vendor demonstration — and the answers should be documented in the vendor's formal response before any contract is signed.
1. Do you train your models on customer contract data?
This is the single most important question, and the only acceptable answer for enterprise deployment is a contractual commitment that customer data is not used for model training or improvement. Some vendors offer different tiers: consumer-grade tools may default to training on user inputs, while enterprise tiers commit to zero data retention. The distinction must be in the contract, not just in a sales conversation. Several major platforms, including GC AI and DraftPilot, explicitly state that they do not use client data to train their models and maintain zero data retention agreements with their model providers.
2. Where is my data stored and processed?
Data residency requirements vary by jurisdiction. A US-based law firm may be comfortable with data stored in AWS US-East, but a multinational corporation with EU operations may require data to remain within the European Economic Area. The vendor should be able to specify: the geographic location of primary data storage, the location of any backup or disaster recovery sites, the data centers used by their model providers, and whether data ever transits through jurisdictions with inadequate data protection laws. For organizations subject to GDPR, the vendor must also identify the appropriate cross-border transfer mechanism — typically Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework (DPF).
3. What encryption standards do you apply at rest, in transit, and in use?
Encryption at rest (AES-256) and encryption in transit (TLS 1.3) are table stakes — any vendor that cannot commit to both should be eliminated immediately. The emerging differentiator is encryption in use, also known as confidential computing or secure enclaves. This technology encrypts data while it is being processed by the AI model, meaning that even the vendor's own infrastructure cannot access the plaintext during inference. Few vendors offer this today, but for law firms handling the most sensitive M&A, litigation, or regulatory contracts, it is becoming a requirement.
4. Can you deploy in a private instance or on-premise?
Multi-tenant SaaS architectures are the norm for AI contract review tools, and for most use cases they are perfectly adequate. But for organizations with strict data sovereignty requirements — government contractors, financial institutions, healthcare organizations — a private instance (dedicated infrastructure for a single customer) or on-premise deployment may be necessary. The vendor should be able to describe: whether private instance is available, the cost and timeline for deployment, whether the private instance uses the same model infrastructure or a separate model endpoint, and whether on-premise deployment is possible for air-gapped environments.
5. What does your DPA actually say about data retention, sub-processors, and audit rights?
The data processing agreement is where the vendor's security promises become legally enforceable. Too many GCs accept a vendor's standard DPA without reviewing the specific terms that matter for AI processing. The DPA must specify: the exact data retention period (not just "as long as necessary" but a defined number of days after processing), the complete list of sub-processors (including model providers and any infrastructure subcontractors), the notification obligation and consent requirement before adding new sub-processors, the cross-border transfer mechanism, and the customer's audit rights — including the right to review the vendor's SOC 2 Type II report and any penetration testing results.
The Data Processing Agreement Checklist
The DPA is the contractual backstop for every security question above. A vendor's sales team may promise zero data retention during a demo, but if the DPA does not reflect that commitment, the promise is effectively worthless. The following checklist covers the DPA terms that are specific to AI contract review and often overlooked in standard software DPAs.
| DPA Term | What to Look For | Red Flag |
|---|---|---|
| Data retention after processing | Defined retention period (e.g., 30 days) with automatic deletion; zero data retention with model providers | "As long as necessary" or no defined retention period |
| Sub-processor list and restrictions | Complete, named list of all sub-processors including model providers; contractual obligation to notify before adding new sub-processors | Vague references to "affiliates" or "service providers" without naming them |
| Cross-border transfer mechanism | Explicit identification of SCCs, DPF, or Binding Corporate Rules for each data flow | No mention of transfer mechanism, or reliance on adequacy decisions without verification |
| Audit rights | Right to review SOC 2 Type II report annually; right to request penetration testing results; right to conduct or commission independent security assessment | Audit rights limited to "reasonable requests" with no defined scope or frequency |
| Data deletion upon termination | Contractual obligation to delete all customer data within a defined period after termination; certification of deletion | No deletion obligation, or deletion subject to vendor's "data retention policy" without defined timeline |
| Model training prohibition | Explicit prohibition on using customer data for model training, fine-tuning, or improvement by both vendor and all sub-processors | No mention of model training, or permission to use anonymized/aggregated data without defining what that means |
| Security incident notification | Defined notification timeline (e.g., 48 hours) for any security incident involving customer data; defined escalation contacts | Notification obligation tied to "legal requirements" rather than a fixed timeline |
| Data processing instructions | Clear statement that the vendor processes data only on documented instructions from the customer; no secondary processing | Broad language allowing vendor to use data for "service improvement" or "analytics" |
Professional Responsibility: Tying ABA Formal Opinion 512 to Operational Security
ABA Formal Opinion 512, issued in July 2024, establishes that lawyers have specific ethical obligations when using AI tools — and those obligations directly translate into operational security requirements that GCs must enforce during vendor evaluation. The opinion is not a general ethics advisory; it creates concrete duties that map to specific Model Rules, and each duty has a corresponding vendor diligence step.
Under Model Rule 1.1 (Competence), the opinion requires lawyers to understand the capabilities and limitations of the AI tools they use. For contract review, this means the GC must understand not just what the tool does (extract clauses, flag deviations, generate redlines) but how it does it — what model architecture underlies the tool, what data it was trained on, and what its documented failure modes are. A lawyer who deploys an AI contract review tool without understanding its training data provenance or accuracy benchmarks has likely failed the competence obligation.
Under Model Rule 1.6 (Confidentiality), the opinion requires lawyers to make reasonable efforts to prevent the disclosure of confidential client information. For AI contract review, this directly implicates the training data question, the encryption standards, the sub-processor chain, and the data retention terms. The opinion is clear: boilerplate consent in engagement letters does not satisfy the informed consent obligation. The GC must understand and document how the vendor's AI system handles confidential data before deployment, not after.
Under Model Rules 5.1 and 5.3 (Supervision), the opinion requires lawyers to supervise both non-lawyer personnel and, by extension, the AI tools that function as part of the legal team. This means the GC must establish policies for how the AI tool is used, what review processes apply to its outputs, and how the firm ensures that the tool is not making unsupervised decisions that affect client rights. The security diligence questions above — particularly around data retention, model training, and audit rights — are not optional technical details; they are components of the supervision obligation.
For a deeper analysis of how ABA Formal Opinion 512's four-duty framework applies to AI contract analysis tool selection, see our dedicated guide:
For a practical template on building internal AI governance policies that satisfy these supervision obligations, see:
AI Ethics in Legal Practice 2026: The Rules, the Sanctions, and the One-Page Policy Your Firm Needs
Market Snapshot: Vendor Certifications and Data Usage Policies
The following table provides a factual, source-cited overview of certifications and data usage policies for several AI contract review platforms. This is not an exhaustive list, and certification status should be verified at time of evaluation, but it illustrates the range of security postures in the current market.
| Vendor | Certifications | Data Training Policy | Encryption Standards | Deployment Options |
|---|---|---|---|---|
| GC AI | SOC 2 Type II, SOC 3, GDPR compliant | Zero data retention with OpenAI and Anthropic; does not train on customer data | AES-256 at rest; TLS in transit | Cloud (multi-tenant) |
| DraftPilot (Axiom) | SOC 2 Type II, ISO 27001 | Does not use client data to train models | AES-256 at rest; TLS in transit | Cloud (multi-tenant) |
| Dioptra | SOC 2 Type II | Documents not used to train AI models | Not publicly specified in detail | Cloud (multi-tenant) |
| Docsum | Not publicly specified in detail | Documents not used to train AI models | Not publicly specified in detail | Cloud (multi-tenant) |
AI Contract Review Software in 2026: A Category-Based Comparison for Legal Teams
What the market snapshot reveals is that the leading enterprise-grade platforms have converged on a baseline security posture: SOC 2 Type II certification, zero data retention commitments, and AES-256 encryption. But significant variation remains in areas like ISO 27001 certification (only DraftPilot among the sampled vendors holds it), encryption in use capabilities (none of the sampled vendors publicly highlight confidential computing), and on-premise deployment options (none of the sampled vendors offer it as a standard option). These gaps represent the next frontier of security differentiation in the AI contract review market.
A Phased 4-Week Due Diligence Framework
Security due diligence for AI contract review tools should not be a single meeting or a checkbox on a procurement form. It requires a structured, phased approach that moves from initial screening through technical review, legal and compliance review, and practical testing. The following framework is adapted from the LeanLaw evaluation methodology and is designed to fit within a typical 4-week procurement timeline.
| Phase | Timeline | Activities | Deliverables |
|---|---|---|---|
| Week 1: Initial Screening | 5 business days | Send security questionnaire to vendor; verify SOC 2 Type II certification; review basic architecture documentation; confirm data residency capabilities | Completed security questionnaire; certification verification; initial pass/fail decision |
| Week 2: Technical Review | 5 business days | Review full SOC 2 Type II report; request and review penetration testing results; evaluate encryption standards (at rest, in transit, in use); assess private instance or on-premise feasibility | Technical assessment report; identified gaps and remediation requirements |
| Week 3: Legal & Compliance Review | 5 business days | Review DPA against checklist; verify sub-processor list and restrictions; confirm cross-border transfer mechanisms; negotiate audit rights and data deletion terms; review model training prohibition language | Redlined DPA; compliance assessment; legal sign-off or conditional approval |
| Week 4: Practical Testing | 5 business days | Set up sandbox or trial environment; upload sample contracts (including sensitive test documents); run extraction and review workflows; audit outputs for accuracy and data handling; test data deletion process | Test results report; final security assessment; go/no-go recommendation |
Each phase builds on the previous one. A vendor that fails the initial screening (no SOC 2 Type II, no commitment to zero data retention) should be eliminated before Week 2 begins. A vendor that passes the technical review but cannot accept reasonable DPA terms should be flagged for executive escalation. A vendor that passes all three prior phases but fails practical testing — for example, by producing inaccurate extractions on your sample contracts — should be rejected regardless of their certification status.
Throughout the process, document every finding and every vendor commitment. The documentation serves two purposes: it provides the evidentiary basis for your procurement decision, and it demonstrates that you satisfied the professional responsibility obligations under ABA Formal Opinion 512 to understand and evaluate the vendor's data practices before deployment. In the event of a security incident or ethics inquiry, this documentation is your primary defense.
For GCs and compliance officers who also need to build the business case for AI contract review adoption alongside the security diligence process, see our dedicated guide:
AI Contract Review ROI: Building the Business Case for In-House Legal Teams
For a complementary analysis of the liability and ethics dimensions of AI contract review, see:
Limits and Liabilities: A Professional Responsibility Framework for AI Contract Review in 2026
Comments
Join the discussion with an anonymous comment.