Home / Insights / How to vet a legal AI vendor: the security questionnaire that protects clients

How to vet a legal AI vendor: the security questionnaire that protects clients

By Jamie Kloncz, Founder, RankShield · Updated July 16, 2026 · Informational, not legal advice.

A legal AI vendor cannot be cleared for privileged material on a SOC 2 report alone, because certifications attest a vendor’s processes, not where your client data actually flows. Effective vetting pairs a pointed security questionnaire, covering sub-processors, model training, retention, consent capture, and deletion, with contractual no-training safeguards and continuous, independently verifiable evidence that the vendor’s answers remain true long after the signature [1][3][4]. Legal AI vendor due diligence is now a core confidentiality obligation, not a procurement formality. ABA Formal Opinion 512 makes clear that lawyers must understand how a generative AI tool uses and retains data, and must obtain informed consent before inputting client information into a self-learning tool [3]. Meanwhile, courts in 2026 discovery disputes have begun requiring AI tools that touch confidential material to carry contractual no-training safeguards, deletion capability, and onward-disclosure limits [4]. This guide covers why certifications alone fall short, the 12 questions your security questionnaire should ask, how to interpret the answers, the contract terms to insist on, and how to keep verifying a vendor after the ink dries.

Why SOC 2 alone cannot clear a legal AI vendor for privileged material

A SOC 2 Type II report tells you something real: an independent auditor confirmed that the vendor operated defined security controls over a review period. What it attests, however, is process, not data flow. The report will not tell you which country your prompt lands in, which sub-processors can read an uploaded deposition transcript, whether that transcript enters a training corpus, or how long fragments of it persist in logs. Frameworks like the multi-layer due-diligence model described by Lexitas treat certifications as exactly one layer among several, alongside data handling, model behavior, contractual terms, and ongoing monitoring [1].

For lawyers, this gap is not academic. ABA Formal Opinion 512 grounds generative AI use in the Model Rule 1.6 duty of confidentiality: a lawyer must understand how the tool uses and retains client data, and must obtain informed client consent before inputting client information into a self-learning tool [3]. A badge cannot satisfy a duty of understanding. To be fair to vendors, SOC 2 remains necessary; it screens out weak corporate perimeters and immature security programs. It is simply not sufficient, because it never claims to answer the question that privilege turns on: where does the client’s data actually go?

The 12 questions every legal AI security questionnaire should ask

A useful questionnaire forces specificity. Vague answers such as “industry-standard encryption” or “we take security seriously” are non-answers; the questions below are designed so that evasion is itself a signal. They align with the layered diligence approach practitioners now recommend [1] and with workflow checklists built specifically for law firm AI selection [2]. Send them in writing, require written answers, and keep both: they become the representations you later verify and, if needed, enforce.

Score the responses the way structured selection workflows suggest: red, yellow, or green for each answer, with any red on training, retention, or sub-processors treated as disqualifying until cured [2]. The last four questions matter more than they first appear. Editable logs cannot support a later dispute about what the tool did, and matters involving trade secrets, estates, or long-lived corporate records can demand confidentiality that outlasts today’s cryptography, which is why quantum-safe record integrity belongs on a legal questionnaire in 2026.

How to read model-training and data-retention answers

Training answers hide in verbs. “We may use customer content to improve our services” usually means training; press for whether that includes fine-tuning, evaluation sets, and derivative models built on aggregated data. “De-identified” deserves particular skepticism in legal work, because a fact pattern can identify a client even with names stripped. Under Opinion 512, if the tool is self-learning on your inputs, you need informed client consent before client information goes in at all, so the training answer directly determines your consent workflow, not just your risk rating [3].

Retention answers need the same dissection. “Thirty days for abuse monitoring” raises follow-ups: who can access data during that window, is it human-reviewed, and is a zero-retention tier available or reserved for enterprise contracts? Ask where deleted data survives in backups and how long. Diligence frameworks treat data handling and model behavior as separate layers precisely because vendors often score well on one and poorly on the other [1]. Map each answer to your red/yellow/green sheet, and record the exact language: ambiguity discovered now is a negotiating point; ambiguity discovered after an incident is an exposure.

The contract terms courts and clients now expect

Questionnaire answers only bind anyone once they become contract terms. That shift is no longer optional: in 2026 discovery disputes, courts have required AI tools handling confidential material to carry contractual no-training safeguards, deletion capability, and onward-disclosure limits, with protective orders emerging as a point of dispute when those terms are absent [4]. Sophisticated clients increasingly ask outside counsel to certify the same terms in their own vendor stack. The following provisions should be non-negotiable in any legal AI agreement:

Treat these terms as the enforceable mirror of your questionnaire. If a vendor answered “we never train on customer data” but resists a no-training clause, the questionnaire answer was marketing. Structured selection workflows recommend resolving this before any pilot begins, then running the pilot with audit logs enabled and restricted matters routed away from the tool until the contract and technical controls are proven [2]. Contract language also gives litigators something concrete to present when a protective order requires proof of safeguards [4].

From questionnaire to proof: verifying vendor claims continuously

Here is the questionnaire’s structural weakness: every answer is a point-in-time representation. Vendors change sub-processors, swap underlying models, and revise retention policies between annual reviews, and a diligence file from January says nothing about what happened to a privileged document in June. Practitioner frameworks acknowledge this by making ongoing monitoring its own diligence layer [1], and workflow checklists build in pilots with audit logs and restricted-matter routing for the same reason [2]. The question is what ongoing monitoring should look like when the stakes are privilege rather than uptime.

The emerging answer is continuous verification: replacing “trust the badge” with per-interaction attestations, signed records that bind each AI interaction to the approved tool, the isolation method in force, and the consent on file. RankShield Legal produces exactly that record layer, attesting architecture and consent with independently verifiable records rather than editable logs. Honesty requires a caveat: no platform can promise to prevent privilege waiver, because the confidentiality duty under Model Rule 1.6 and Opinion 512 stays with the lawyer [3]. What continuous attestation changes is your evidentiary position, so that when a client, regulator, or court asks where the data went, you can prove the answer instead of asserting it [4].

Frequently asked questions

Is a SOC 2 report enough to approve a legal AI vendor?

No. SOC 2 is necessary but not sufficient. It attests that a vendor operated defined security processes over a review period; it does not tell you where client data flows, which sub-processors see it, whether it enters model training, or how long it is retained. ABA Formal Opinion 512 requires lawyers to actually understand a tool’s data use and retention, which a certification badge alone cannot demonstrate [1][3].

What does ABA Formal Opinion 512 require before using generative AI with client data?

Issued in July 2024, Opinion 512 grounds generative AI use in the Model Rule 1.6 duty of confidentiality. Lawyers must understand how a tool uses and retains data before relying on it, and must obtain a client’s informed consent before inputting client information into a self-learning AI tool. That makes due diligence and consent records ethics obligations, not optional procurement extras [3].

What contract terms should a law firm require from an AI vendor?

At minimum: a no-training clause that covers fine-tuning and derivative models, deletion capability with proof, onward-disclosure limits that bind sub-processors, and breach notification measured in hours. Courts in 2026 discovery disputes have already required no-training safeguards, deletion capability, and onward-disclosure limits for AI tools handling confidential material, so these terms are becoming table stakes rather than negotiating wins [4].

RankShield Legal is a verifiable AI and quantum security platform for law firms: it certifies cited authorities and attests privilege isolation with independently verifiable records. This article is general information, not legal advice; consult a licensed attorney about your situation.

References

[1] Lexitas. Vendor due diligence in the age of AI legal technology. https://www.lexitaslegal.com/resources/vendor-due-diligence-ai-legal-technology

[2] Promise Legal. AI vendor selection for law firms: a workflow checklist. https://blog.promise.legal/ai-vendor-selection-for-law-firms-a-workflow-checklist-for-sanctions-cfius-and-cross-border-data-controls/

[3] ABA. Formal Opinion 512 announcement. https://www.americanbar.org/news/abanews/aba-news-archives/2024/07/aba-issues-first-ethics-guidance-ai-tools/

[4] Sidley. Generative AI in discovery: protective orders as an emerging point of dispute. https://www.sidley.com/en/insights/newsupdates/2026/04/generative-ai-in-discovery-protective-orders-as-an-emerging-point-of-dispute

Verify your filings before you sign them.

RankShield Legal certifies that cited authorities exist, are quoted accurately, and are good law before you file, and proves privileged material never reached a third-party AI model. Request early access to the legal pillar of the RankShield Network.

Request early access