Stop Sending Client Documents to AI Vendors Who Haven't Signed a Data Processing Agreement
6 min read, June 16, 2026


Tags: NJ RPC 1.6, AI vendor contracts, data processing agreement

There's a document gap quietly sitting inside most small law firms in New Jersey, and it has nothing to do with a missed filing deadline or a misfiled pleading. It's a missing contract — specifically, a Data Processing Agreement (DPA) — between your firm and the AI tool you've been using to summarize depositions, draft motions, or extract key clauses from contracts.

You probably signed up for the tool with an email address and a credit card. You may have clicked through a Terms of Service. But did you receive, review, and execute a DPA? If not, every client document you've uploaded is living in a legal gray zone your malpractice carrier almost certainly hasn't priced in.


Why the DPA Is the Document That Actually Matters

A Terms of Service agreement governs your use of a platform. A Data Processing Agreement governs what the vendor can do with the data you hand them. These are fundamentally different instruments, and conflating them is one of the most common mistakes solo and small-firm attorneys make when adopting AI tools.

Under NJ RPC 1.6(a), you are prohibited from revealing information relating to the representation of a client unless the client gives informed consent. The NJ Supreme Court's comment to RPC 1.6 makes clear that the duty extends to inadvertent disclosure — including disclosure to third-party vendors who lack adequate contractual constraints on how they handle your data.

When you upload a client's deposition transcript or a draft settlement agreement into an AI tool, that vendor becomes, functionally, a data sub-processor. Without a DPA in place, you have no contractual assurance that:

  • The vendor won't use your client's data to train its models
  • The data is stored within a specific geographic boundary (relevant for matters with cross-border sensitivity)
  • You will be notified if there's a breach
  • Data is deleted when your subscription ends

The absence of those assurances isn't just a business risk. In New Jersey, it's a potential ethics problem.


What a Bare-Minimum DPA Must Include

Not every AI vendor will offer a bespoke DPA, but the better ones — particularly enterprise-tier products — will either have a standard DPA available on request or a dedicated security page where you can download one. Here's what you need to see before signing:

1. A clear statement that client data is NOT used for model training. This should be unambiguous. Vague language like "we may use aggregated, de-identified data" is insufficient. Ask for a written carve-out specifically excluding your firm's data from any training pipeline.

2. Data residency commitment. Where, exactly, are your files stored? For most NJ practitioners, domestic (U.S.-based) storage is the floor. Some practice areas — immigration, matters involving foreign nationals, or federally regulated industries — may require more specificity.

3. Sub-processor disclosure. AI platforms rarely operate alone. They use cloud infrastructure providers, vector databases, third-party APIs. A solid DPA will list these sub-processors and commit to notifying you before adding new ones that handle your data.

4. Breach notification timelines. New Jersey's data breach notification law (N.J.S.A. 56:8-163) requires notification to affected individuals in "the most expedient time possible." Your vendor should contractually commit to notifying you within 72 hours of discovering a breach — giving you time to satisfy your own downstream obligations.

5. Data deletion on termination. When your subscription ends, your client files shouldn't linger in a vendor's object storage bucket. The DPA should specify a deletion timeline (typically 30–90 days) and offer a mechanism for you to request confirmation of deletion.


A 30-Minute Vendor Vetting Workflow

You don't need outside IT counsel to do this, at least not for the initial screen. Here's a practical starting point:

  1. Search the vendor's website for "DPA," "Data Processing Agreement," or "Business Associate Agreement." Reputable platforms publish these proactively. If you can't find one after five minutes of searching, that's informative.
  2. Email their sales or legal contact and ask two direct questions: (a) Do you offer a DPA for law firm customers? (b) Is client data used for model training?
  3. Read Section 3 of their Terms of Service — that's typically where data use rights are buried. Flag any clause that grants them a license to your content.
  4. Run the vendor name through the NJ LETF Ethics Hotline archives or a quick search of ACPE opinions to see if the tool has surfaced in any guidance.
  5. Document what you find. A one-paragraph internal memo summarizing your diligence — saved to the client file or firm policy folder — is defensible evidence of competent vendor evaluation if questions ever arise.

The Practical Bottom Line

Signing up for an AI tool without a DPA is the 2025 equivalent of faxing confidential documents to an unverified number and assuming it arrived safely. The technology is genuinely useful. The risk is manageable. But "manageable" requires a 30-minute conversation with a vendor's legal team and a signed piece of paper — not just a checkbox on an onboarding screen.

NJ solo attorneys are already operating lean. The last thing you need is an ethics inquiry tracing back to a vendor contract you never read. Pull the DPAs. Ask the hard questions. If a vendor won't provide one, that answer tells you everything.
