In partnership with
A lawyer is about to put something sensitive into an AI tool - an unfiled application, a client’s financials, a trade-secret analysis - and does the responsible thing. They stop and ask: is it safe to put this here? The answer comes back from someone at the firm or in-house legal team: we are on the enterprise plan, our data is private, it is not used to train the model. Half of that is correct. The other half was never asked, and it is the half that decides whether a copy of the client’s information is sitting on a server tonight.
Two promises, and only one of them is the default
“We are on Enterprise” bundles two separate guarantees that people hear as one.
The first is no training: on the business tiers the vendor does not use your inputs and outputs to improve its models, by default. The exception is opting in, and the most common opt-in is the feedback button - both OpenAI and Anthropic treat a thumbs up or down as permission to use that exchange to improve the model. Short of that, the instinct that enterprise means they are not learning from my data is correct.
The second is no retention: the vendor does not keep a copy of what you typed. This is a different promise. It is not the default anywhere, and on the chat products most lawyers actually use, you frequently cannot buy it at all. Zero data retention is a separate, request-gated arrangement that mostly lives on the API - the programmatic channel software uses to call the model - not the window your lawyers type into.
So a firm can be fully covered on training and fully exposed on retention, and most lawyers cannot tell you which they hold. The product name answers the training question and stays silent on storage.
Here is where the three tools most firms use actually stand, off the shelf, with no addendum signed.
Tool (off the shelf) | Trains on your data? | Keeps a copy by default? | Zero retention without an add-on? | Where the copy lives |
|---|---|---|---|---|
Claude Team / Enterprise | No, by default | Yes - retention is configurable | No - the chat interfaces are not zero-retention eligible | Anthropic’s servers |
ChatGPT Enterprise / Business / Team | No, by default | Yes - an admin sets the period | No - zero retention is API-only and request-gated | OpenAI’s servers |
Microsoft 365 Copilot Enterprise | No, by default | Yes - logged for audit and eDiscovery | You set retention yourself, via Purview | Your own Microsoft 365 tenant |
Sources: Claude (Anthropic; Claude platform docs). ChatGPT (OpenAI enterprise privacy; OpenAI business data). Copilot (Microsoft Learn; Copilot privacy and protections).
The column most people never ask about
Look at the last column, because it changes the legal analysis and almost no one thinks to ask. With Claude and ChatGPT, the retained copy sits on the vendor’s systems - a third party is holding your client’s information under contract. With Microsoft 365 Copilot, the copy is logged inside your own tenant, under your own retention policy, in tools your firm already administers.
Those are not the same confidentiality posture. "A third party holds a copy under contract" and "the copy is in my own system under my own policy" lead to different answers on who you have to trust, what you may have to disclose, and what you can promise a client. Same prompt, different exposure, decided entirely by which tool someone opened.
Why this is a legal question, not an IT preference
Knowing what your tool does with client data is part of competence, not a nicety. (Model Rule 1.1, comment 8; 37 C.F.R. 11.101 before the USPTO.) The duty to make reasonable efforts against unauthorized disclosure of client information assumes you know where the information goes. (Model Rule 1.6(c).) You cannot take reasonable steps to protect a copy you do not know exists.
It has sharper teeth for IP work. A retained copy held by a vendor under confidentiality terms is not a public disclosure - the provider has not released it to the world, and a trade secret survives. But trade-secret protection does not turn only on whether the secret leaked. It turns on whether you took reasonable measures to keep it (18 U.S.C. 1839(3)), and that is judged by the strength of the measure, not the logo on the contract. A reputable enterprise tool - no training, access controls, a data-processing agreement - is a reasonable measure, and using it for sensitive work helps you, whether or not you also use it for everything else. Uniformly careful is not a problem. The thin case is the opposite one: leaning on a consumer default that trains on your inputs and keeps them under no obligation of confidence, then calling that your protection. The element is not about handling crown jewels differently from routine matters. It is about whether the secret actually got a real measure, and, just as practically, whether you knew enough about the tool to prove it. The sharper question sits underneath that one and is worth its own treatment: not whether the vendor keeps a copy, but how long it stays obligated to keep that copy secret, and whether you can compel its deletion.
What to do
Three questions, answered in writing, not from memory.
Does our tool train on our data? On a business tier the answer is almost certainly no. This is the part you already have.
Does it retain our data - where, for how long, and who controls that copy? This is the part most firms have not confirmed, and the answer differs by vendor.
Is there a zero-retention path, and does our actual work run through it, or through the surface it does not cover?
It is a short email to whoever owns the AI vendor relationship. Send it before the next privileged matter goes in the box.
This is one of several places where the privacy a firm believes it has does not match what its tools actually do. The next post in the series runs the other way: the most capable models often will not let you have zero retention at all, on any tier.
I am writing more about practicing law in the age of agentic AI - using these tools without surrendering judgment, privilege, or the duty of competence - at The Agentic Lawyer. www.theagenticlawyer.com
Educational only, not legal advice, and no attorney-client relationship is created. Views are my own. Attorney advertising in some jurisdictions.
The best prompt engineers aren't typing. They're talking.
Power users figured this out early: speaking a prompt gives you 10x more context in half the time. You include the edge cases, the examples, the tone you want — because talking is fast enough that you don't skip them.
Wispr Flow captures everything you say and turns it into clean, structured text for any AI tool. Speak messy. Get polished input. Paste into ChatGPT, Claude, Cursor, or wherever you work.
89% of messages sent with zero edits. 4x faster than typing. Works system-wide on Mac, Windows, and iPhone.