Legal Research With No Data Indexing or Human Review: A Confidentiality Checklist

Does legal AI store my searches? Often, yes. Most consumer and standard-API tiers retain your prompts and uploads by default, usually for around 30 days of abuse monitoring, and some keep them longer or embed them into a searchable index. The only way to know is the contract. A vendor protects your client confidences when its data processing agreement promises four separate things in writing: no training, no retention, no shared indexing, and zero data retention (ZDR) with the foundation-model provider so no human reads your data at the model layer. The checklist below is how you verify each one before privileged material leaves your building.

A litigator I know keeps a sticky note on her monitor that reads "would I email this to opposing counsel?" It is her gut check before pasting anything into an AI tool. It is a good instinct.

It is also, on its own, dangerously incomplete, because the thing that determines whether your client's confidences are actually safe is not your instinct in the moment. It is the contract you signed months earlier, and specifically whether that contract promises legal research with no data indexing or human review in language you can hold the vendor to.

Here is the uncomfortable part. Nearly every legal AI vendor in 2026 will tell you, on a marketing page, that they "don't train on your data." That sentence has become so universal it carries almost no information. It is the privacy equivalent of a restaurant advertising that it washes its hands.

What almost none of those pages tell you, in plain terms, is whether your input is retained after the response, whether it gets embedded and indexed into a searchable store, whether a human at the foundation-model layer might read it during abuse monitoring, and whether the vendor holds zero data retention with the model provider underneath them. Those are four separate promises. A vendor can keep three and break the fourth, and you would never know from the homepage.

This post is the decision procedure. If you want the vendor-by-vendor map of where Harvey, Legora, CoCounsel, Lexis, and others actually send your data, read where your legal AI data actually goes. This one is vendor-agnostic and checklist-first: what each phrase has to mean contractually, and how to confirm it before privileged material leaves your building.

Where your data goes with a privilege-architected legal AI tool

The path a privileged document takes, and the guarantees worth checking in the contract.

TL;DR

  • "No training," "no indexing," and "no human review" are marketing phrases until they are written contract terms. Most vendors only put the first one in writing.
  • There are four distinct confidentiality exposures, and each can be true even when the other three are false: training, retention, indexing/embeddings, and human review at the model layer.
  • The most overlooked clause is "no human review." Abuse-monitoring and quality-evaluation pipelines at OpenAI and Anthropic can involve human reviewers unless you hold enterprise zero data retention (ZDR).
  • ABA Model Rule 1.6 (confidentiality) is the duty in play, and ABA Formal Opinion 512 (July 2024) singles out "self-learning" tools and says inputting client confidences into them can require the client's informed consent, not boilerplate buried in an engagement letter.
  • Privilege is not guaranteed: in United States v. Heppner (S.D.N.Y., February 2026) a court held AI chats were protected by neither attorney-client privilege nor work-product, partly because the tool's terms allowed disclosure to third parties.
  • Confidential disclosure is not abstract: 18 U.S.C. 1905 is the general federal crime for unauthorized disclosure of confidential information by those entrusted with it.
  • Use the four-part checklist below, in writing, before you upload. A vendor that hedges on any of the four is telling you something.
Quick check

A vendor promises no human review of your legal research inputs. What contractual clause actually backs that claim?

Part of our legal AI verification and hallucination guide series.

For related verification / hallucination / vendor-trust coverage, see "We Do Not Train on Your Data": How to Verify the Claim and Harvey AI Subprocessors: Where Your Client Data Actually Flows.

Why "we don't train on your data" stopped meaning anything

Walk the floor at any legal tech conference and count the booths promising they will not train on your data. It will be all of them. The phrase survived into 2026 because it is true, cheap to say, and emotionally reassuring. It is also answering a question almost nobody is asking anymore.

The training-leakage fear had a specific shape: that your privileged memo would somehow get baked into model weights and resurface, paraphrased, in a competitor's prompt next quarter. Reputable vendors closed that door years ago with no-training clauses at the API layer. Good. But closing that door does nothing about the other three rooms in the house.

ABA Formal Opinion 512, issued July 29, 2024, is sharper on this than most vendor marketing. The opinion zeroes in on what it calls "self-learning" generative AI tools, and its concern is precise: confidential information a lawyer inputs "may be included in an output from a later prompt." That is an output-leakage worry, not a training worry.

And here is the thing most readers skim past: no-training alone does not foreclose it. A tool can refrain from updating model weights while still retaining your input, embedding it into a retrieval index, and surfacing fragments of it to another user or session through that index. The leakage path the ABA is worried about runs through retention and retrieval, not gradient descent.

Opinion 512 goes further than the average lawyer realizes on consent, too. It treats inputting client confidential information into a self-learning tool as potentially requiring the client's informed consent. Not a generic line in your engagement letter. Informed consent, which means the client understands what they are agreeing to.

You cannot give that, and the client cannot grant it, if you yourself cannot answer the four questions below. We unpack the opinion in depth in our ABA Formal Opinion 512 guide, but the operational takeaway is simple: competence now includes knowing your tool's data flow well enough to describe it to a client.

The duty sits in ABA Model Rule 1.6, the confidentiality rule, which requires a lawyer to make reasonable efforts to prevent unauthorized disclosure of information relating to the representation. Picking a tool whose retention and indexing you never checked is hard to square with "reasonable efforts." Rule 1.1 (competence) and Rules 5.1 and 5.3 (supervising nonlawyer assistants, which now reach your vendors) pull in the same direction. Legal AI confidentiality is not a single yes-or-no setting. It is the sum of where your input goes after you hit enter.

The four exposures, and why they are not the same thing

Treat these as four separate switches. Flipping one off does not flip the others.

ExposureWhat the contract has to sayCommon gap
TrainingNo use of inputs to train or fine-tune, vendor AND model providerClause covers only the vendor, not the upstream provider
RetentionDefined deletion timeline with a trigger"We don't store" said verbally, never papered
Indexing / embeddingsNo persistent or pooled vector index across mattersIndex exists but is not described in the DPA
Human review at model layerEnterprise ZDR with the foundation-model provider"No human review" describes vendor staff only

1. Training

Does the vendor, or the foundation-model provider underneath them, use your inputs to train or fine-tune any model? This is the one everybody answers.

The honest version of the clause names both layers, because the vendor sitting between you and the model is not the only party that touches your data. A clean answer reads: customer inputs are not used to train the vendor's models or the underlying provider's models.

2. Retention

After the model returns an answer, what happens to your input? Is it discarded, or does it sit in logs, in a database, in a cache, for thirty days, ninety, indefinitely? This is the most common gap.

Plenty of tools that genuinely do not train will still retain your prompts and uploads, sometimes because retention is the default at the API layer and nobody turned it off. At the consumer and standard-API tiers of most foundation models, abuse-monitoring retention is on by default and you have to actively negotiate or configure your way out of it. The default cuts against the lawyer.

3. Indexing and embeddings

This is the one that maps directly onto the ABA's "self-learning" worry, and it is the most technically slippery. Retrieval-augmented systems convert text into vector embeddings and store them in an index so the system can search across documents later.

That is a feature when the index is scoped to your own matter and nobody else can reach it. It is an exposure when the index is shared, persistent, or pooled across clients or users.

Ask specifically: are my documents embedded into a persistent index? Is that index scoped to my matter and my firm only, or is it global? When is it deleted? "We don't train" says nothing about this. A vector store is not training. It is arguably the more direct leakage path.

4. Human review at the model layer

The most overlooked of the four, and the reason this post exists. When your prompt reaches OpenAI or Anthropic through a standard API tier, it can pass through abuse-monitoring and quality-evaluation pipelines that, in defined circumstances, involve human reviewers reading flagged content. The vendor you signed with may have no humans reading your data, and still route you through a layer that does.

The way you close this is enterprise zero data retention with the model provider, which removes your traffic from those review pipelines entirely. ZDR is the clause that actually answers "no human review," and it lives at the foundation-model contract, not the vendor's marketing page.

So when a vendor says "no human review," the real question is: do you hold ZDR with the model providers you route to, and can you show me the contractual reference? If they cannot, "no human review" describes their own staff, not the full path your data travels.

This is not abstract. There is a criminal statute.

Lawyers sometimes treat data flow as an IT problem, something below their pay grade. The law disagrees. 18 U.S.C. 1905 is the general federal crime for unauthorized disclosure of confidential information by a person entrusted with it in the course of their duties.

It is a backdrop, not a tool aimed at lawyers using AI, but it makes the point concrete: "where the data goes" is a question the legal system already takes seriously enough to criminalize in specific contexts. Related provisions exist for willful disclosure of information collected under confidentiality pledges, carrying felony exposure and six-figure fines.

You do not need to be litigating a 1905 charge to feel the weight of the principle: confidentiality entrusted to you is not yours to leak through a tool you never vetted.

There is now a ruling pointed straight at this. In United States v. Heppner (No. 25 Cr. 503, S.D.N.Y., February 2026), Judge Jed Rakoff held that a defendant's chats with Claude were protected by neither attorney-client privilege nor the work-product doctrine. The reasoning is the part that matters for everyone: privilege needs a trusted human relationship that an AI platform cannot supply, and the provider's own policy permitted collection and potential disclosure of inputs and outputs to third parties (CDF Labor Law, 2026; DLA Piper, February 2026). So the question "does legal AI store my searches" is not academic. If the tool retains your input under terms that allow disclosure, a court may treat it as discoverable, and privilege may never have attached.

Courts are not fully aligned yet, which is its own warning. Heppner diverges from at least one earlier decision, so the protection you assume may depend on the forum. The safe posture is to assume an unvetted tool offers no privilege and to fix that through the contract, not hope.

And the profession is already living with the consequences of not vetting tools. The 2023 Mata v. Avianca sanctions, where lawyers filed a brief full of fabricated citations from a chatbot, were about accuracy rather than confidentiality. But they did something useful: they made "I didn't understand how the tool worked" stop being an acceptable answer in front of a judge.

The same scrutiny is now turning toward data handling. The Stanford HAI hallucination benchmarking work, which found leading legal AI tools hallucinating on a meaningful share of queries, reinforced that a tool you cannot audit on accuracy is usually a tool you cannot audit on data flow either. The two questions travel together.

The pre-upload confidentiality checklist

Put these in writing, in your data processing agreement conversation, with the same representative who quoted you the price. Verbal reassurance on a sales call is not a contract term. If a vendor will commit on a call but not in the DPA, that gap is the answer.

1. No training, both layers. "Confirm in writing that customer inputs are not used to train or fine-tune your models or the underlying foundation-model provider's models." Watch for answers that cover only one layer.

2. No retention, with a deletion trigger. "What is the retention timeline for prompts, uploaded documents, and outputs in your own infrastructure? When are they deleted, and on what trigger?" "We don't store anything" is good only if it is written down with a mechanism.

3. No persistent or shared indexing. "Are my documents embedded into a vector index? Is that index scoped to my matter and firm only, or pooled? When is it deleted?" This is the question that catches the ABA's self-learning concern. Do not skip it because it sounds technical.

4. ZDR with the model provider, for no human review. "Do you hold zero data retention with OpenAI, Anthropic, or whichever providers you route to, removing my traffic from abuse-monitoring and human-review pipelines? Provide the contractual reference." This is the clause "no human review" actually depends on.

Three supporting questions worth adding once the four core ones are answered. Where is my data physically stored and processed (data residency)? What is your breach-notification SLA in hours? And what is your security posture in evidence, not adjectives: a current SOC 2 Type II report you can share under NDA, encryption at rest (AES-256 is the common baseline) and in transit (TLS 1.2 or higher), and per-tenant isolation so no other customer can reach your index or cache? If a tool cannot produce a SOC 2 report, that is not disqualifying on its own, but ask what stands in for it and when the audit lands.

A vendor that answers the four core questions in writing, and backs them with the supporting evidence above, is one you can defend to a client. A vendor that routes you to a generic privacy page is telling you their data handling is not well-defined enough to put in a contract.

Where the grounding architecture matters

There is a structural point hiding under all of this. A tool that answers from a retrieval-augmented pipeline over public legal sources, rather than by feeding your documents into a model for training, has a fundamentally narrower data-flow surface to begin with.

RAG is not training. When a system grounds its answers in a corpus of public court opinions and statutes and retrieves from that, your privileged input is doing far less traveling than in a tool that ingests your documents to improve itself.

We worked through the architecture and the economics of that distinction in API call versus RAG pipeline, and it is worth understanding before you evaluate any vendor's confidentiality story, because the architecture often determines the answer to all four checklist questions at once.

A worked example of what a defensible disclosure looks like, and the posture Vaquill AI holds: a tool grounds research in millions of US federal and state court opinions plus the U.S. Code, the CFR, and 49 state statute codes, using RAG rather than training on customer queries; holds ZDR with the foundation-model providers it routes to; does not train on customer inputs; keeps US data residency; anonymizes PII before it reaches a model; and is upfront about pending compliance items (SOC 2 Type II not yet in hand, targeted for Q3 2026) so firms that require it as a hard precondition can decide accordingly.

The point is the specificity, not the pitch. That is the level of detail you should demand from every vendor on your list. A public security overview, DPA, and sub-processor list exist so a client question can be answered with specifics, which is the whole test.

The thing to internalize

"No indexing" and "no human review" are not features. They are promises, and promises only count when they are written where you can enforce them.

The lawyer with the sticky note has the right instinct, but the instinct fires too late. By the time you are deciding whether to paste something in, the real protection was either built into the contract months ago or it was not.

Run the four-part checklist before the first privileged document goes anywhere near a tool. Get the answers in writing. If a vendor can satisfy all four, you have something you can describe to a client and defend to a court. If they can only satisfy the first one, the one everybody satisfies, you have a marketing page, not a confidentiality posture.

FAQ

Does legal AI store my searches? Usually, at least for a while. Consumer and standard-API tiers commonly retain prompts and uploads by default, often for around 30 days of abuse monitoring, and some keep them longer or embed them into a searchable index. Whether yours does depends entirely on the contract, not the marketing page. Ask for the retention timeline and deletion trigger in writing.

Is legal AI covered by attorney-client privilege? Not automatically, and a 2026 ruling says often not at all. In United States v. Heppner (S.D.N.Y., February 2026) the court held that a defendant's AI chats were protected by neither privilege nor work-product, partly because the tool's policy allowed disclosure to third parties. Privilege is more defensible when a lawyer directs the use through an enterprise tool with ZDR and no-disclosure terms, but assume nothing without checking the contract.

What is zero data retention (ZDR)? ZDR is a contractual commitment from a foundation-model provider (OpenAI, Anthropic, and others) that inputs and outputs sent through the API are discarded right after processing, not stored, not logged, and not routed into abuse-monitoring or human-review pipelines. It is the clause that actually backs a "no human review" claim. ZDR lives in the model-provider contract, so ask your vendor to point to it.

Does "we don't train on your data" mean my data is private? No. No-training stops your input from updating model weights, but it says nothing about whether the input is retained, embedded into a shared index, or read by a human during abuse monitoring at the model layer. Those are three separate exposures a vendor can leave open while honestly claiming it does not train.

Which ABA rule covers using AI with client information? Model Rule 1.6 (confidentiality) is the core duty: make reasonable efforts to prevent unauthorized disclosure of information relating to a representation. Rule 1.1 (competence) and Rules 5.1 and 5.3 (supervision, now reaching vendors) reinforce it. ABA Formal Opinion 512 (July 2024) applies these to generative AI and flags that inputting client confidences into self-learning tools can require the client's informed consent.

What should I verify before uploading confidential documents to an AI tool? Get four things in writing: no training (vendor and underlying model provider), a defined retention and deletion timeline, no persistent or pooled indexing across matters, and ZDR with the model provider. Then confirm SOC 2 Type II status, encryption at rest and in transit, data residency, per-tenant isolation, and a breach-notification SLA. Verbal reassurance on a sales call is not a contract term.

Is a vector index the same as training? No, and that is why it gets missed. A retrieval index converts your documents into embeddings and stores them so the system can search them later, without changing model weights. It can still leak across matters if the index is shared, persistent, or pooled, so "we don't train" does not answer the indexing question.

Is RAG safer for confidentiality than feeding documents to a model? Often, yes. A retrieval-augmented system that grounds answers in public legal sources (court opinions, statutes) has a narrower data-flow surface than a tool that ingests your documents to improve itself. RAG is not training, and the architecture often settles several of the checklist questions at once. See our API call versus RAG pipeline breakdown.

For more on the no-indexing posture and how it shows up in a real vendor's security documentation, see /security. You can also read Vaquill AI's data posture and start a 7-day trial without handing over a card.

Legal AI that reads your documents and knows the law.
Ask a legal question, review a contract, or search thousands of your files. Every answer shows where it came from. 7-day free trial, no card.
Updated June 20, 202619 min read

New legal AI guides, weekly.

Arshita Anand

Arshita Anand

Co-Founder & CEO · Attorney

Arshita leads product and strategy at Vaquill, building the legal AI suite that solo, small-firm, and in-house US lawyers use to run a matter end to end.