Confidentiality & security
Can lawyers use AI without breaching client confidentiality or privilege?
Yes — provided the tool is built for it. The risk is not AI itself but where your data goes: consumer chatbots may use your inputs to improve their models and may store them offshore, which can put confidentiality at risk. Legal-grade AI keeps client content under a contractual confidentiality and no-training commitment and stores it securely. Privilege is generally preserved when you use a confidential, contracted service provider with proper access controls — but the lawyer remains responsible for vetting the vendor.
The real risk is where your data goes
Putting a client document into a tool is a disclosure. The question is who receives it, whether they keep it confidential, whether they use it to train a model that could surface it to others, and where in the world it is stored and processed.
Consumer AI tiers are the danger zone: many reserve the right to use your inputs for training and make no confidentiality commitment to you. That is a poor fit for privileged client material.
What to check before you put client data into AI
Confirm there is a contractual commitment that your content is not used to train AI models; that client content is stored securely (encrypted in transit and at rest) and you know where; that access is controlled; and that the vendor holds recognised security credentials such as ISO/IEC 27001 certification and a SOC 2 attestation.
Ask for a written data processing agreement. A vendor built for legal work will have clear answers to all of this; if the answers are vague, treat that as your answer.
Privilege considerations
Disclosing privileged material to a confidential service provider engaged under contract to assist you generally does not waive privilege, in the same way that using an external typing or document-management service does not. The keys are confidentiality obligations and controlled access.
This is general information, not legal advice on your matter — confirm your firm’s position against your professional-conduct obligations and your PI insurer’s guidance.
Where Quillio sits
Quillio stores client documents, queries and outputs in Australia on Australian-owned hosting, encrypts data in transit and at rest, and does not use client content to train any AI model — a contractual commitment. It is ISO/IEC 27001:2022 certified, holds a SOC 2 Type 2 attestation, and is aligned with IRAP, the Australian Privacy Principles and GDPR.
Frequently asked questions
Does using AI waive legal professional privilege?
Not inherently. Disclosing material to a confidential service provider engaged under contract to assist you generally preserves privilege, provided access is controlled and confidentiality is contractually protected. Vet the vendor’s terms before relying on this.
Can I put confidential client documents into ChatGPT?
It’s risky on consumer tiers, which may use your inputs for training and make no confidentiality commitment. Use legal-grade AI with a contractual no-training commitment and clear data-storage terms instead.
What should I ask a vendor about confidentiality?
Whether your content trains their models (it shouldn’t), where client content is stored and processed, how it’s encrypted, who can access it, what certifications they hold (e.g. ISO 27001, SOC 2), and whether they’ll sign a data processing agreement.
See how Quillio handles this in practice
AI built for Australian and New Zealand law — a citation on every answer, client content stored in Australia, and a free trial so you can test it on your own files.