Why Your Law Firm's Cloud Software Is a Malpractice Risk
Every time you upload a client document to a cloud service, you're making a trust decision about a company you've probably never audited. Most attorneys don't read privacy policies. We did — and what we found in 12 of the most popular platforms should concern every practicing attorney.
ABA Model Rule 1.6 requires attorneys to take reasonable precautions to protect client information. ABA Formal Opinion 477R clarifies this extends to cloud services. Many state bars have issued additional opinions. "I didn't read their privacy policy" is not a defense to a bar complaint.
The Privacy Risk Report Card
Google scans documents for policy violations. Business accounts have slightly better protections, but data still flows through Google infrastructure. Their TOS allows use of content to improve services.
Dropbox employees CAN access your files for compliance purposes. Their privacy policy explicitly reserves this right. Files are stored on Amazon S3 — another party with access.
Otter.ai explicitly states it uses your transcriptions to train AI models. Every deposition you transcribe becomes training data. Their free tier is particularly aggressive.
OpenAI uses conversation data to train models unless you opt out via API. Many attorneys use the consumer interface without realizing their case facts are being ingested.
Microsoft's enterprise agreements provide better protections. But consumer Microsoft accounts and 'connected experiences' features scan documents, and disabling them requires explicit configuration.
Zoom recordings are stored on their servers. For attorney-client privileged calls, this creates exposure. Zoom's AI features have been controversial for data usage.
DocuSign is generally well-regarded for legal use. Documents are encrypted in transit and at rest. However, they do store executed agreements indefinitely on their servers.
Clio is built specifically for legal use and maintains strong data segregation. SOC 2 compliant. Still involves third-party server storage — review your engagement letters.
Harvey claims enterprise privacy protections. But at $50K+/year, most solo attorneys aren't using it — and the privacy controls depend entirely on your enterprise contract terms.
Files are processed entirely in-memory in the user's browser. Nothing is transmitted to or stored on ShieldDrop servers. Zero data retention by architectural design.
Adobe cloud sync features upload documents to Adobe servers. Disable Document Cloud sync when working with privileged materials. Local Acrobat is safer.
Notion stores all content on their servers. Their AI features use your notes as training context. Not appropriate for client-privileged information.
What "zero retention" actually means
Most "privacy-first" companies still transmit your data to their servers — they just promise to delete it quickly. ShieldDrop is architecturally different: all file processing runs in WebAssembly inside your browser. Your documents are never transmitted anywhere.
This isn't a policy choice. It's impossible for us to store your files because we never receive them. That's the only standard that holds up under ABA scrutiny.