No hedging. If the answer is "no," we say no. If the answer is "not yet," we say not yet and tell you when. Categories: legal posture, security & data, scraping & liability, product, procurement, and platform partnership.
No. DriftPatrol is a software tool. We are not a law firm, we do not employ your attorneys, and we are not licensed to practice law in any jurisdiction. The Service produces machine-generated summaries of publicly retrieved content. It is informational. It is not legal advice. No attorney-client relationship is formed by your use of the Service. See Not Legal Advice.
We have structured the Service, the Output format, and all Customer-facing materials to describe what changed, not what the change means legally. Output is explicitly marked informational. Every digest and dashboard view carries a non-legal-advice notice. We do not represent clients, render opinions, appear before tribunals, or perform any act reserved to licensed attorneys. Customers retain independent counsel to interpret material changes — that is the entire point of the hand-off.
If you operate under state UPL statutes more stringent than the mainstream (e.g., select jurisdictions in the Northeast), consult your bar counsel before formal adoption. We are happy to provide our framing language for their review.
Attorney-client privilege and work-product doctrine do not automatically attach simply because a law firm uses a software vendor. Privilege is preserved when (a) communications remain between the client, the attorney, and agents of the attorney engaged to assist in providing legal services; (b) reasonable confidentiality is maintained; and (c) no waiver occurs by disclosure to third parties outside that ring.
Our Data Processing Addendum binds us to confidentiality, limits Processing to Customer's instructions, and restricts access to authorized personnel. If a firm wants to treat DriftPatrol as a privileged vendor for specific matters, engage us under the DPA plus any additional engagement letter your risk team prefers. We will sign.
Output is a machine-generated summary of public content. Standing alone, it is not work product. Once your attorneys annotate Output, incorporate it into case analysis, or direct the Service to monitor URLs specifically in anticipation of litigation, the annotated materials may qualify as work product under your jurisdiction's rules. We do not represent that Output is work product in its raw form.
The Terms of Service expressly disclaim any duty to detect every change and cap our aggregate liability at twelve months of fees paid. We believe the Service is materially better than manual review, but it is not a substitute for attorney judgment. You are responsible for reviewing source pages before action. This is standard SaaS risk allocation for legal-tech tools.
We retrieve only publicly accessible pages, without circumventing authentication, CAPTCHAs, or paywalls. Under hiQ Labs v. LinkedIn (9th Cir. 2022), accessing publicly available data without bypassing access barriers does not violate the Computer Fraud and Abuse Act. Site-ToS breach claims exist in some circuits as state-law tort theories, but enforcement against single-page monitoring at modest frequency is rare and our AUP obligates Customers to represent they have the right to monitor a given URL. We respect robots.txt, publish a transparent user agent (DriftPatrolBot/1.0), and honor takedown requests. See Scraping Posture.
We honor takedowns within five business days, globally — the URL or domain is added to an internal block list that applies across all Customers. We do not fight C&Ds on behalf of Customers. If a Customer needs to maintain monitoring after a takedown, that is a Customer-to-site dispute we do not insert ourselves into.
No. Prohibited by the AUP. Do not configure us to bypass authentication. This is both a security boundary and a CFAA/contract-law boundary. We have enforcement hooks to detect and block such attempts; accounts that repeatedly designate gated URLs are terminated.
Summarization of public web content for the purpose of informing a business user of a change is classic transformative fair use under 17 U.S.C. § 107: transformative purpose, non-expressive use of factual content, minimal copying of protected expression in Output. We do not republish substantial verbatim content; our digests describe changes in summary form. We respond to DMCA notices per 17 U.S.C. § 512. Our designated agent is registered with the U.S. Copyright Office.
Incidental personal data captured from a public page (e.g., an author's name on a vendor policy page) is governed by our DPA. We Process on your instruction, restrict to Service purposes, and delete on request. We do not enrich, sell, or redistribute. If a Monitored URL systematically contains special-category personal data, the AUP prohibits monitoring that URL.
Yes — and this is one of the most important questions to ask any GenAI vendor before using it for client work. Op. 512 (July 2024) sets duties around competence, confidentiality, supervision, fees, and candor. We address each:
Full compliance walkthrough: /ai-governance.
No. Per Anthropic's Commercial Terms of Service, commercial-API submissions are not used to train any Anthropic model. We submit Customer Data to the API only for the inference required to produce a summary; Anthropic deletes the data after the standard zero-retention window closes. We do not fine-tune any custom model. We do not export Customer Data to any third party for training. Detailed in DPA Exhibit C and AI Governance §2.
Not yet. SOC 2 Type I audit is scheduled for 2026 H2, Type II for 2027 H1. We operate today on a SOC 2 Type II-ready architecture (Cloudflare Workers, D1, KV — all running on SOC 2 Type II-certified infrastructure) with the administrative controls required for the audit already in place. We provide a detailed Security Questionnaire to qualified prospects under NDA and are happy to fill out your firm's template.
Primary data stores are Cloudflare D1 (SQLite at the edge) and KV, operated by Cloudflare with global replication. Personnel access is US-based. A subset of Processing (LLM summarization) occurs via Anthropic's API in the US. Data residency options for EU-only Processing are available on Enterprise plans. See DPA, Exhibit B for the full subprocessor list.
Yes. TLS 1.2+ in transit with HSTS; AES-256 at rest on all persistent stores. Secrets are stored exclusively in Cloudflare's encrypted secret store. No secret value is ever checked into source control.
Customer access is passwordless via single-use, time-limited magic links bound to an authenticated email. Administrative access to production uses WebAuthn hardware keys and is scoped by least privilege. Every administrative action is logged and reviewable.
Notification within 72 hours of confirmed Personal Data Breach per the DPA, including scope, nature, likely consequences, and remediation. For non-personal-data incidents (availability, data-integrity), our target is 24 hours to initial Customer notice with continuing updates. Full procedure in Security Overview, § 8.
Yes, on Enterprise plans, case-by-case. Send your BAA template to [email protected]. We do not accept monitored URLs that systematically expose PHI, but monitoring a hospital system's public compliance pages or a vendor's published SLA does not typically require a BAA.
Available on Enterprise. We offer a dedicated-instance tier deployed within a Customer-chosen Cloudflare account, with separate D1 and KV namespaces. Single-tenant deployments into AWS/GCP/Azure are considered for multi-year contracts.
You submit URLs you want watched (competitor terms, vendor SLAs, regulator pages, your own policies). We retrieve each page on a scheduled cadence, compute what changed relative to the prior retrieval, and email you a plain-English summary every Monday — with flagged keywords for items you care about (arbitration, indemnity, rate changes, etc.). Full change history is stored for audit.
Standard: once per 24 hours. Professional and Enterprise: configurable down to four-hour intervals on designated URLs. We do not crawl more aggressively than necessary — doing so would trip rate limits and is discourteous.
Our default crawler fetches static HTML, which covers most TOS, SLA, regulator, and policy pages. For SPA-rendered content, Professional and Enterprise plans enable headless rendering through a secondary crawler path. We flag pages we cannot render and work with Customers to configure rendering for them.
Plain-text email, Monday 9 a.m. Eastern. Grouped into Material / Other / No-Change buckets. Each material change includes: URL, label, flagged keywords, 2–4 sentence plain-English summary, and a link back to the full history in the dashboard. See the sample digest for an example.
Available on Professional and above. REST API covering URL management, diff retrieval, snapshot export, webhook delivery for material-change events. OpenAPI 3.1 spec provided. Rate-limited at a level generous for firm-scale integration; unlimited on Enterprise.
Webhook-based integration with any system that accepts HTTP callbacks (NetDocuments, iManage, Clio, Splunk, SIEM tools). Native connectors are on the roadmap for Clio, NetDocuments, and Slack. Ask on Professional+.
All three. We hash content at each retrieval for fast change detection, then compare old and new versions to extract line-level differences, then pass both versions plus your flagged keywords to a large-language model trained for legal-text comprehension. The LLM produces the plain-English summary and flags material changes. The keyword list you set is a hard signal; the LLM judgment is soft. Both appear in the digest.
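The three-stage pipeline this answer describes, as an added illustration (not DriftPatrol's code): a content hash short-circuits unchanged pages, a line-level diff isolates what moved, and the Customer's keyword list is applied to the changed lines as the hard signal. The LLM summary step is left out; the two page versions and the keyword list are constructed samples.

```python
import difflib
import hashlib
import re

# Constructed sample: two retrievals of a vendor terms page (not real content).
PREVIOUS = """1. Fees. Fees are billed monthly in arrears.
2. Disputes. Disputes are resolved in the courts of Delaware.
3. Liability. Liability is capped at fees paid in the prior 12 months.
"""
CURRENT = """1. Fees. Fees are billed monthly in advance; rates may change on 30 days notice.
2. Disputes. Disputes are resolved by binding arbitration under AAA rules.
3. Liability. Liability is capped at fees paid in the prior 12 months.
"""


def content_hash(text):
    """Stage 1: fingerprint the whitespace-normalized page so unchanged pages are skipped cheaply."""
    normalized = "\n".join(line.strip() for line in text.strip().splitlines())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def line_diff(old, new):
    """Stage 2: unified diff with no context, keeping only the added (+) and removed (-) lines."""
    hunks = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [h for h in hunks if h[:1] in "+-" and not h.startswith(("+++", "---"))]


def flag_keywords(changed_lines, keywords):
    """Stage 3 (hard signal): any flagged keyword appearing in a changed line marks it material.

    Matching is case-insensitive on a word prefix, so 'rate' also catches 'rates'."""
    hits = {}
    for line in changed_lines:
        for kw in keywords:
            if re.search(r"\b" + re.escape(kw), line, re.IGNORECASE):
                hits.setdefault(kw, []).append(line)
    return hits


def detect_change(old, new, keywords):
    """Run the three stages and return what a digest entry would be built from."""
    if content_hash(old) == content_hash(new):
        return {"changed": False, "material": False, "diff": [], "hits": {}}
    diff = line_diff(old, new)
    hits = flag_keywords(diff, keywords)
    return {"changed": True, "material": bool(hits), "diff": diff, "hits": hits}


if __name__ == "__main__":
    result = detect_change(PREVIOUS, CURRENT, ["arbitration", "indemnity", "rate"])
    print("material" if result["material"] else "other", sorted(result["hits"]))
```

A change that touches no flagged keyword still lands in the digest, but under Other rather than Material, which is what the keyword list being a hard signal means in practice.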
We use Anthropic's Claude family (Sonnet tier) via API. Claude API requests are not used for model training per Anthropic's commercial data-use policy. Retrieved content is sent to Anthropic solely to produce the summary and is not retained by Anthropic beyond transit processing. Anthropic is a listed subprocessor in our DPA.
Yes. CSV and JSON exports of monitored URLs, snapshots, and diffs are available from the dashboard and via API. Enterprise plans include scheduled S3-compatible export for archive.
You have 30 days post-termination to export. We delete within 90 days thereafter. Backups are purged within 12 months and remain subject to the DPA until purged.
On Enterprise, yes — send it over. On Standard and Professional, our Terms plus DPA are the agreement; redlines are considered for multi-year commitments.
Yes. We run a limited Design-Partner Program: 10 firms receive 90 days of Professional tier at no charge, in exchange for structured feedback and permission to reference the firm by name. Beyond that cohort, we offer a 14-day paid trial on Standard and Professional.
15% discount on annual pre-payment on Standard and Professional. Enterprise pricing is custom and typically includes multi-year commitment pricing.
Yes. 50% discount for 501(c)(3) non-profits, pro-bono clinics, and accredited law schools. Email [email protected] with your EIN or accreditation.
Standard and Professional: credit card via Stripe. Enterprise: ACH, wire, or check against invoice on Net-30 terms.
Yes. Email [email protected]. We do not currently maintain external commercial insurance — our liability cap in the Terms (12 months of fees paid) is the operative ceiling. If your procurement process requires Certificate of Insurance, flag it during sales conversation and we will discuss either acquiring coverage as a deal condition or adjusting contractual terms.
Yes — that's our primary distribution strategy. We offer three partnership models:
Partnership inquiries: [email protected]. See For Platforms.
You could. You would spend 4–8 months engineering the scheduling, diff extraction, LLM-prompt tuning for legal text, delivery pipeline, and the three legal documents (ToS, Privacy, DPA) that let your enterprise sales close. Opportunity-cost math typically favors acquisition at our asking price over build-from-scratch for platforms with established distribution.
Exclusivity is available. Non-exclusive API licensing starts at a lower annual commitment; exclusivity in a named vertical (e.g., practice-management platforms) or geography carries a premium. Asset acquisition is by definition exclusive.
API licensing: a platform adds "TOS drift monitoring" to their feature set, we power the backend, platform retains the customer relationship and billing. Typical structure: annual license fee plus per-active-end-customer metering. White-label: dedicated instance within the platform's cloud tenancy, flat annual plus per-seat. Acquisition: lump-sum plus earn-out against integration milestones. We will send a term sheet to qualified inquiries under mutual NDA.
We answer every diligence question in writing. No broker games, no talking past you.