Kingsfield Connect the Judge
Writing  ·  On privilege

The third party in your privileged work

June 2026Kingsfield

Every cloud legal-AI tool routes your client's confidences through a vendor you do not control. Whether that waives privilege is an open question, not a settled one.

When you type the facts of a matter into a cloud legal-AI tool, that text leaves your firm. It travels to a foundation-model provider, one of a handful of large technology companies, and it is processed on systems you do not run. The interface makes this feel like working inside your own office. The data path says otherwise.

Three things follow from that path.

The prompt is logged. Even under an enterprise agreement with a zero-retention term, prompts commonly pass through the provider's abuse-monitoring systems before anything is discarded. "We do not train on your data" is a narrower promise than "no system at the provider ever sees your data." The two are easy to read as the same sentence. They are not.

The provider is a third party. Disclosing a client's confidences to a non-lawyer vendor is, at a minimum, a question your state bar has opinions about. At the far end, it is an argument opposing counsel can raise that privilege was waived. The point is not that the argument always wins. The point is that you have handed the other side a question to litigate, in a matter where you chose the tool.

The data sits outside your audit boundary. If a regulator or an opposing party asks what happened to that information, you are repeating the vendor's assurances rather than producing your own records. You cannot inspect what you cannot see.

The line that does not survive a network trace

A frequent marketing claim is that "your data never leaves your environment." Read it against the data path. For most cloud tools it is simply not accurate. The data does leave, to the model. A statement that a network trace contradicts is not a security control. It is a sentence.

A contract is a promise about handling. It is not architecture.

This is the gap a data processing agreement is meant to close, and it does not close it. A DPA allocates obligations between your firm and the vendor. It is worth having. It does not change where the data went, and it does not answer the question a court asks during a privilege fight: was this disclosure a waiver? A contract is a promise about how someone will handle information they have received. The privilege question is about the fact that they received it.

The short version of the conversation

The durable answer to "what happens to privileged data at the vendor" is for the vendor never to receive it. Strip the client's identifiers before anything leaves the firm, and the question stops being about how much you trust a third party and starts being about a data path you can trace end to end. The conversation a firm wants to have with a regulator is the short one: the confidential information never went there.

Kingsfield is a judge for legal AI: it rules ACCEPT, REJECT, or INCONCLUSIVE on every citation an AI tool produces, on input from which client identifiers have already been stripped on your own machine. See how it works.
The citation that looked perfect and did not exist Why more context makes a model less reliable