AI Vendor Contracts for NJ Law Firms: What the Fine Print Is Actually Saying About Your Client Data
Photo by Álvaro Serrano on Unsplash
6 minJuly 11, 2026

AI Vendor Contracts for NJ Law Firms: What the Fine Print Is Actually Saying About Your Client Data

AI Vendor ContractsNJ RPC 1.6Client Data Security

A solo attorney in Hackensack signs up for an AI drafting tool on a Tuesday afternoon. She clicks through a standard online agreement, enters a credit card, and starts uploading client documents by Wednesday morning. Nothing about that sequence feels unusual. But buried in the terms of service she accepted are clauses that let the vendor train its models on her inputs, share data with unnamed subprocessors, and store files on servers outside the United States, with no data deletion timeline specified.

She hasn't violated any rule yet. But she's one data breach away from a serious RPC 1.6 problem, and she has no contractual leverage to fix it.

This is one of the least-discussed gaps in how NJ solo firms are adopting AI. The conversation in the bar community has rightly focused on competence, disclosure, and supervision. But the actual contract with the vendor, the document that governs what happens to client data once it leaves your office, gets almost no attention.

What NJ's RPC 1.6 Actually Requires of You as a Buyer

RPC 1.6(c) requires NJ attorneys to make reasonable efforts to prevent the unauthorized disclosure of client information. The NJ Supreme Court's 2024 guidance on AI (issued through the Supreme Court AI working group report) reinforced that this duty extends to vendor selection and oversight. You can't delegate confidentiality. You can contract around risk, but only if you read the contract.

So what counts as "reasonable efforts" when you're buying a SaaS AI product? At minimum, it means understanding where your data goes, who can access it, and what rights the vendor claims over it. Generic terms of service for consumer-grade AI tools frequently fail all three tests.

The Four Clauses That Matter Most

Training data opt-outs. Many AI products default to using your inputs to improve their models. Some offer an opt-out buried in an enterprise settings panel. Others require you to be on a paid business tier to get it at all. If you're using a free or entry-level subscription and uploading anything that touches client matters, check this first. The NJ Advisory Committee on Professional Ethics hasn't issued a formal opinion specifically on AI training data as of this writing, but the analysis under RPC 1.6 is straightforward: permitting a vendor to train on your client's confidential communications is a disclosure. It needs either client consent or a clear contractual prohibition.

Subprocessor lists. Your vendor's privacy policy likely says something like "we may share your data with trusted third-party service providers." That sentence is doing a lot of work. Ask, in writing, or check their publicly maintained subprocessor page, who those parties are and where they operate. If your client data routes through an overseas infrastructure provider with no contractual privacy floor, you have a problem that a privacy setting can't fix.

Data residency. For most NJ civil matters, data residency isn't a hard legal requirement. But it becomes one fast when you handle immigration files, healthcare clients, or anything touching federal regulated data. Even absent a specific mandate, storing client data on servers in jurisdictions with weak privacy law is a risk factor your malpractice carrier is going to find interesting someday.

Deletion timelines and breach notification. What happens when you cancel? Does the vendor delete your data in 30 days or 18 months? Do they notify you within 72 hours of a breach, or "as required by applicable law," which could mean very little depending on where they're incorporated? These aren't hypotheticals. Vendor breaches happen, and your clients will ask what you had in writing.

What to Actually Do Before Signing

If you're evaluating a new AI tool, ask the vendor directly for a Data Processing Addendum (DPA) before you commit. Reputable legal AI vendors, Clio, Harvey, CoCounsel, and others serving law firms, either have DPAs available on request or publish them. If a vendor can't produce one, that's your answer.

For vendors that do offer a DPA, check four things specifically: (1) whether model training on your data is prohibited, (2) whether there's a specific breach notification window (48-72 hours is standard), (3) whether a list of subprocessors is maintained and updated, and (4) whether data deletion upon termination is time-bound and confirmed in writing.

If the vendor won't negotiate these terms and the standard agreement doesn't address them, the tool may simply not be appropriate for client matters. You can still use it for internal work, firm marketing drafts, template research, internal memos, where no client confidential information is involved.

One Practical Shortcut

The International Legal Technology Association (ILTA) and several state bar associations have started publishing AI vendor due diligence checklists. The New Jersey State Bar Association's Law Practice Management division is a good starting point. These checklists won't substitute for reading the contract, but they give you a framework for the questions to ask before your trial period runs out and inertia sets in.

The attorneys who will avoid problems aren't the ones who stopped using AI. They're the ones who spent 45 minutes reviewing a DPA before uploading their first client file.

Get the weekly roundup

New AI Sidebar articles delivered to your inbox. No spam, unsubscribe anytime.