Security & Compliance
Keeping your personal data secure is a top priority at ClauseBuddy. As former data protection experts, we understand the importance of complying with GDPR —and have therefore created a product built around data protection by design.
Data protection features
- Hosted entirely within the EU (Finland or Spain) for our EU customers.
- We use only suppliers established in the EU, with the exception of Microsoft (Office 365).
- Our software and infrastructure is periodically audited by outside security experts (penetration tests).
- All data in transit is encrypted using encrypted Websocket (WSS) and HTTPS traffic.
- All our data backups are stored in a different data centre from another hosting provider, and are encrypted with a key known only to our own staff.
- Any data stored within DOCX files (e.g., values of data fields, legal terms, styling settings, and so on) is encrypted. The default setting is that only persons within the same company can read such data.
- Refined access controls are offered, so that any subfolder, anywhere, can be subject to different access policies.
- Strictly controlled Artificial Intelligence for clause matching, that does not require gigabytes of old data to work correctly.
Avoiding compliance pitfalls
ClauseBuddy contains a wealth of functions that invite you to create a structured legal library with clean clauses. Obviously, this takes some effort.
Some competing products therefore promise to build your clause library in a completely automated manner through the magic of Artificial Intelligence (AI). Unfortunately, for each clause type, AI requires thousands of examples to learn from. Obviously, not even the biggest international law firms meet this requirement.
AI-only based products therefore require you to open all your data gates, so their AI-engine is flooded with example data. Their AI-engine will then take your gigabytes of old contracts and try to extract as much clauses as possible, to come up with a library you can search in. This approach has serious problems:
- Noisy libraries with outdated clauses and hundreds of clause with trivial grammatical variations.
- Little to no legal classification, focusing on keyword search. While keyword searches work well for case law and legal doctrine, they break down when searching through hundreds of clauses, except when unique keywords can be used.
- Data infringement by design, as you are reusing documents containing often highly sensitive personal data, for a purpose (drafting comfort) incompatible with the initial purpose (handling a client file). As authorities uphold increasingly strict interpretations of the GDPR, such "repurposing" of personal data is a fundamental GDPR breach, and will at the very least require the (unmanageable) consent of all the persons (in)directly mentioned in those documents.
- Ineffective scrubbing. While vendors may argue to automatically "scrub" files to remove personal data, this will never reach the extremely high anonymisation level that data protection authorities require.
- Various other GDPR issues, such as data quality problems due to the storage of outdated personal data; and a difficulty to update stored clauses, because underlying documents have to be changed.
- Breaching confidentiality. By making confidential information available to random persons in your company / firm, you may breach typical confidentiality obligations in NDAs ("access must be restricted on a need-to-know basis") and/or local bar rules. With an automatically generated library that is not guaranteed to be segmented and entirely scrubbed, team members will inherently "stumble over" diverse snippets of confidential information.