Before You Click "I Agree": A 12-Clause AI Vendor Contract Checklist for NJ Solo Attorneys
6 min read · April 17, 2026

Tags: AI Vendor Contracts, NJ Legal Ethics, Data Governance

Most solo attorneys who adopt an AI tool spend more time on the free trial than on the contract. That's understandable — the product demos are slick, the efficiency gains are real, and the terms of service feel like fine print. But for a New Jersey solo or small firm attorney, that contract is your data governance policy. It defines who can touch your client information, for how long, and what happens when something goes wrong.

Here's the thing: most AI vendor agreements are written to protect the vendor, not you. And unlike a SaaS subscription for project management software, an AI legal tool processes privileged, confidential client communications — which means a poorly negotiated agreement isn't just a business risk, it's an ethical one.

What follows is a practical, clause-by-clause checklist. Use it before you sign. Use it when you renew. Use it to go back and audit agreements you've already executed.


1. Data Processing Agreement (DPA) — Does One Exist?

Before anything else: if the vendor doesn't offer a separate Data Processing Agreement or Data Processing Addendum, that's a red flag. A DPA is the document that binds the vendor to act as a data processor, handling client data only on your documented instructions, rather than as a data controller free to use it for its own purposes. It is also where the retention, sub-processor, security and breach-notice commitments covered in the clauses below normally live, so its absence usually means none of those commitments exist in writing either. For client data, that distinction matters. If the vendor won't provide one, ask why, or walk.

2. Business Associate Agreement (BAA) — Required for Any Health-Adjacent Work

If your practice touches healthcare law, personal injury, workers' comp, or any matter involving protected health information (PHI), a BAA is non-negotiable under HIPAA. The chain works like this: when a covered entity (a hospital, a physician practice, a health plan) gives your firm PHI so you can represent it, your firm becomes its business associate, and any vendor that processes that PHI on your behalf is your subcontractor and must sign a BAA with you. Many AI vendors offer a BAA only on enterprise tiers. If you're handling PHI and the vendor won't execute a BAA on your plan, you are not compliant, full stop, and the practical answer is to keep that PHI out of the tool entirely until they will.

3. Data Residency — Where Does Your Data Actually Live?

Ask explicitly: where is your data stored, where is it processed (model inference often runs in a different region from the storage that holds your documents), and from which countries can vendor staff access it for support? Can data be transferred internationally? Many AI vendors use cloud infrastructure spanning multiple countries. New Jersey RPC 1.6's confidentiality obligations don't evaporate when your client memo crosses a border. Request that your data be stored and processed exclusively in U.S.-based infrastructure, and get that in writing, with the vendor's sub-processor list (clause 6) as the evidence that the promise is actually being kept.

4. Zero-Retention Default — Does the Vendor Store Your Prompts?

This is perhaps the most critical clause for AI tools specifically. Many large language model APIs retain inputs and outputs for up to 30 days by default, usually for abuse monitoring, and consumer-tier chat products often go further and use conversations to improve the model. You want language confirming a zero-retention default: inputs and outputs are not stored beyond the immediate session, including in request logs and backups, and are never used for model training. Check that the commitment covers the product you actually use; a vendor's zero-retention terms for its API do not automatically extend to its web app or browser extension, and a legal-tech tool built on top of a foundation model inherits whatever retention that upstream provider applies. If the contract doesn't say this explicitly, assume the opposite is true.

5. Training Opt-Out — Your Client Data Is Not a Training Set

Related but distinct: even if a vendor doesn't retain data long-term, confirm that your firm's usage is excluded from model training and fine-tuning, permanently, and that the exclusion flows down to any upstream model provider the vendor relies on. Acceptable contract language looks like: "Customer data shall not be used to train, improve, or fine-tune any AI model." Vague language like "we may use aggregated, de-identified data" is not sufficient; a prompt that describes the facts of a matter cannot reliably be de-identified, and "aggregated" says nothing about what the model memorizes. Push for explicit exclusion.

6. Subcontractor and Sub-Processor Disclosure

Your AI vendor almost certainly uses third-party sub-processors: cloud hosting, the foundation model provider behind the AI features, analytics platforms, support tooling. You need a complete, current list, and the right to be notified before any new sub-processor is added. Redline for: (a) a disclosure schedule attached to the contract, naming each sub-processor, its function and its location; (b) advance written notice of at least 30 days before sub-processor changes take effect; and (c) the right to object to a new sub-processor and terminate without penalty if the objection can't be resolved. Notice without a right to object is just a courtesy email.

7. Breach Notification Window — 72 Hours Is the Standard

In the event of a data breach, how quickly must the vendor notify you? Some contracts bury language allowing 30 or even 60 days. That is far too long. You need to be in a position to notify affected clients and regulators promptly. Negotiate for 72-hour breach notification, consistent with the GDPR-era standard that has become the practical industry benchmark. Watch the two definitions that make or break the clause: the clock should start when the vendor discovers or reasonably suspects an incident, not when it finishes its investigation, and "security incident" should cover unauthorized access to or disclosure of your data, not only incidents the vendor has confirmed as a legally reportable "breach." New Jersey's own data breach notification law (N.J.S.A. 56:8-163) also imposes obligations on your firm; you can't meet them if your vendor takes a month to tell you.

8. Indemnification — Who Pays When the Vendor Fails?

Read the indemnification clause carefully. Vendors typically indemnify you only against third-party IP infringement claims arising from their product, not for data breaches caused by their negligence. You want the vendor to indemnify you for third-party claims, regulatory penalties and notification costs arising from a security incident caused by its failure to maintain reasonable security controls, and to do so outside the general liability cap (clause 9). If they won't agree to that, understand that you are absorbing their risk.

9. Liability Cap — Is It Meaningful?

Many vendor agreements cap total liability at the amount you paid in the prior 12 months. For a solo attorney paying $50/month, that's a $600 cap on a breach that could expose thousands of client records. Negotiate a higher, separate cap for data security incidents (often called a super-cap), or at least an exclusion from the cap for data breaches and willful misconduct. Then ask whether the vendor carries cyber liability insurance and at what limit; a cap is only as good as the vendor's ability to pay, and a small vendor with no coverage can't honor a generous one.

10. Security Standards — Ask for SOC 2 Type II

Require that the vendor maintain, and provide you with annual evidence of, a SOC 2 Type II report (or ISO 27001 certification as an alternative). Strictly speaking, SOC 2 is an auditor's attestation report rather than a certification, which is exactly why it is worth reading rather than just asking for: confirm that the report's scope covers the specific service you use (not only the vendor's corporate IT), that the audit period is recent and any gap is bridged by a bridge letter, and that the exceptions section doesn't list failed controls around access management or data retention. A Type II report covers controls operating over a period of months; a Type I only describes them at a point in time and is weaker evidence. A vendor that can't produce a current SOC 2 report on request is a vendor you should not trust with client data.

11. Termination and Data Return — You Get Your Data Back. All of It.

When you end the relationship, what happens to your data? Acceptable language requires the vendor to: (a) return all customer data in a portable, machine-readable format within 30 days of termination, and (b) certify in writing that all copies have been deleted from their systems and those of any sub-processors, including backups, within a stated backup-rotation window (typically 30 to 90 days). Ask the vendor how deletion actually happens and whether it extends to the foundation model provider; a deletion certificate that silently excludes backups and upstream providers certifies very little. Without this clause, your client data may persist indefinitely on vendor servers after you've moved on.

12. Governing Law and Dispute Resolution — Home Court Matters

Finally, confirm that the agreement is governed by New Jersey law and that any disputes are resolved in New Jersey courts. Vendors often default to Delaware or California jurisdiction. For a solo NJ practitioner, litigating a vendor dispute in another state's courts — or worse, through mandatory arbitration in a distant venue — is practically unworkable.


One Final Thought

Reviewing a vendor contract clause-by-clause takes time. But it is also, in itself, a form of competence under RPC 1.1. You don't have to be a tech-transactions attorney to work through this checklist — you just have to ask the right questions before you click "agree."

If a vendor refuses to negotiate on data retention, training opt-outs, or breach notification, that tells you something important about how they view your interests. There are vendors in this space who will negotiate, who can produce a current SOC 2 Type II report, and who will execute a proper DPA. Hold out for them.

Your signature on that agreement is your firm's first line of defense — not your last.


Adam Elias is the founder of Elias Advisory LLC, helping solo attorneys and small law firms adopt AI responsibly and operate more efficiently. Questions about AI vendor contracts or firm data governance? Connect with Elias Advisory.
