Trust · AI Governance & Vendor Posture
What attorneys need to know before using DriftPatrol.
Effective: April 25, 2026 · Version: 1.0 · For: bar counsel, GCs, IT, procurement
DriftPatrol uses generative AI (Anthropic's Claude family) to summarize content differences detected on Monitored URLs. This page documents the governance posture so attorneys subject to ABA Formal Opinion 512, Colorado AI Act §6-1-1701, NY State Bar Op. 1219, California State Bar Practical Guidance (Nov 2023), and analogous state-bar guidance can satisfy their professional-conduct obligations.
1. Model and provider
- Provider: Anthropic, PBC (a Public Benefit Corporation, San Francisco, CA)
- Model family: Claude (Sonnet tier, current production version: Claude Sonnet 4.6)
- Access mode: Anthropic Commercial API (not the consumer Claude.ai product)
- Anthropic compliance attestations: SOC 2 Type II, ISO/IEC 27001:2022, GDPR Article 28 Data Processor
- Anthropic published terms: Commercial Terms of Service · Usage Policy · Privacy Policy · Trust Center
2. Training-data posture
Anthropic does not use commercial-API submissions to train its models. This is an explicit commitment in Anthropic's Commercial Terms of Service. Customer Data submitted by DriftPatrol to the Anthropic API is not added to any training corpus, is not used to fine-tune any current or future Anthropic model, and is segregated from data submitted via Anthropic's consumer products.
DriftPatrol does not fine-tune any model on Customer Data. DriftPatrol does not maintain a custom-trained model. DriftPatrol does not export Customer Data to any third party for the purpose of model training, evaluation, or benchmarking.
3. Retention posture
Anthropic API: Per Anthropic's published commercial terms, inputs and outputs are retained only for the time required to perform inference and detect abuse. Anthropic's standard zero-retention default applies. After the inference is complete and abuse-detection windows close, the data is deleted from Anthropic systems.
DriftPatrol storage: Inputs (Monitored URL snapshots) and outputs (machine-generated summaries) are retained in Customer's tenant within DriftPatrol's Cloudflare D1 database (encrypted at rest, AES-256). Customer-tenant data is logically segregated by customer_id and accessible only to authorized DriftPatrol personnel under documented access controls. Retention follows the schedule in the DPA: duration of subscription plus 90-day post-termination export window plus deletion within 90 days, with backup purge within 12 months.
4. ABA Formal Opinion 512 alignment (July 2024)
ABA Formal Opinion 512 sets out attorney duties when using generative-AI tools. DriftPatrol's posture supports each duty:
| Model Rule duty | How DriftPatrol supports compliance |
| --- | --- |
| 1.1 Competence — understand the technology | This page + DPA Exhibit C provide the substantive understanding attorneys need to satisfy the competence inquiry. We disclose model, retention, training, and limitations. |
| 1.6 Confidentiality — informed-client consent for confidential information | The Service is structured for monitoring publicly accessible URLs. Customer is responsible for not designating URLs that contain client-confidential information. If Customer's use case involves client-confidential URLs, Customer should obtain informed consent before using the Service for that purpose. DriftPatrol does not require client-confidential information to operate. |
| 1.5 Reasonable fees — bill accurately | Time saved by automated monitoring should not be billed to clients as if performed manually. The Service produces a record (digest archive) showing what was actually generated automatically. |
| 3.3 Candor toward tribunal — no fabricated citations | Output is a summary of detected changes, not a legal-research output. Output should not be cited as primary authority. Every digest carries a "machine-generated; verify against source" disclaimer. Customer must independently verify before any tribunal filing. |
| 5.1 / 5.3 Supervision — supervise non-lawyer assistance | The Service is a tool, not a non-lawyer assistant. Output requires attorney review for any legal interpretation. Audit logs document who accessed what and when, supporting supervisory review. |
5. Colorado AI Act §6-1-1701 (effective Feb 2026)
The Colorado Artificial Intelligence Act categorizes certain AI systems used in legal-decision support as "high-risk." DriftPatrol's analysis of high-risk classification:
- Determination: DriftPatrol's machine-summarization Output may inform but does not make legal decisions affecting Colorado consumers. The Service does not adjudicate eligibility for any service, denial of any benefit, employment-related decisions, housing-related decisions, or any "consequential decision" as defined in §6-1-1701(3).
- Human-in-the-loop: The Service is designed around, and contractually conditioned on, Customer human review before any consequential action. Output explicitly disclaims primary-authority status.
- Documentation maintained: Model cards (via Anthropic's published documentation), known limitations (this page §7), recommended use-case fit, and bias/accuracy considerations are all available on request to [email protected].
- Risk Assessment Summary (formal): Available to Colorado-based Customers on signed NDA prior to onboarding. Updated upon any material model version change.
- Disclosure to consumers: If Customer's Authorized Users use the Service in a manner that produces Output affecting Colorado consumers, Customer is responsible for the consumer-facing disclosure required by §6-1-1703(7)(b).
6. State-bar generative-AI guidance — what we satisfy
- NY State Bar Op. 1219 (2024) — informed consent + supervisory duties: addressed via §4 above
- California State Bar Practical Guidance for Generative AI (Nov 2023) — confidentiality + competence: addressed
- Florida Bar Op. 24-1 (2024) — confidentiality + supervision + fees: addressed
- DC Bar Op. 388 (2024) — diligent verification of AI output: addressed in disclaimer
- Texas State Bar (informal guidance, Aug 2024) — competence: addressed
7. Known limitations and failure modes
- Hallucination: The Claude model occasionally produces plausible-sounding but factually incorrect summaries, particularly for unusual document structures, novel legal concepts, or low-frequency vocabulary. Customer must verify against the source URL before reliance.
- JavaScript-rendered content: The default crawler retrieves static HTML. SPAs that render content client-side may be incompletely captured on Standard tier (headless rendering available on Professional+).
- Soft 404s and template changes: A site that returns a 200 status code with a "page moved" template can produce a false-positive material change. We flag and de-emphasize these but cannot eliminate them.
- Rate-limited or paywalled content: Per our Scraping Posture, we do not retrieve gated content. URLs that move behind authentication post-onboarding will return error states; Customer is notified.
- Model version drift: When Anthropic releases a new model version, summary style and emphasis may change. Customer is notified at least 14 days before any material model change.
8. Customer obligations
- Conduct Customer's own competence inquiry under Model Rule 1.1 before relying on Output for any client matter.
- Obtain informed-client consent under Model Rule 1.6 if Customer's use case involves submitting client-confidential URLs to the Service.
- Verify any Output before action; Output is informational, not legal advice.
- Bill clients fairly under Model Rule 1.5; do not bill automated time as manual.
- Maintain Customer's own conflicts-of-interest screening; DriftPatrol does not perform conflicts checks across Customers.
9. Auditability
Customer may export, on demand, a complete audit trail of:
- Every Monitored URL designated by Customer and the timestamp of designation
- Every snapshot retrieved (URL, timestamp, content hash)
- Every diff produced (timestamp, model version used, input + output preserved)
- Every digest sent (timestamp, recipient, contents)
- Every Authorized User action affecting Customer-tenant data
Audit data is exportable as CSV, JSON, or PDF on request. Enterprise tier includes scheduled S3-compatible archival export.
10. Documentation requests
For procurement, security, or bar-counsel review, DriftPatrol provides on request:
- Anthropic Commercial Terms current version
- DriftPatrol DPA + Exhibits A–D
- Security Overview (architecture, encryption, access)
- Subprocessor list with attestation summaries
- Pre-Founding-10 Risk Assessment Summary (Colorado AI Act conformance)
- This page (signed PDF) under mutual NDA
Email [email protected]. Response within one business day.