How Should Patent Practitioners Evaluate AI Tools for Data Security and Confidentiality?

‍

Patent practitioners evaluating AI tools face a gatekeeping question that supersedes the proven business case outlined in last week’s piece: are AI patent drafting tools safe to use with sensitive client data?

‍

Invention disclosures contain trade secrets, competitive positioning, and technical details that, if exposed, could undermine entire patent strategies. Attorneys' professional obligations demand strict confidentiality and their ethical duty to clients means that AI adoption can’t risk exposure. The question is how to distinguish between vendors who treat security as a compliance checkbox versus those who architect it as a foundational requirement. This article serves to stress this importance and show that, since inception, security remains Solve Intelligence’s number one priority. 

What are Key Security Evaluation Criteria of AI Patent Workflow Solutions?

Data usage: Does the AI provider use client data for model training? 

This cannot be anything short of a clear "no.”

• Data Protection: Solve Intelligence implements comprehensive data protection measures for all user inputs to our AI interface, including prompts, uploaded files, and user feedback.
• Zero Data Retention: Solve Intelligence maintains zero-data retention agreements with all third-party LLM providers. This means no user input data is stored, logged, or used for abuse monitoring or training by third party AI providers.
• Data Sandboxing: All customer data is logically separated using tenant-specific isolation at the application and data layers with row-level security. User data is sandboxed per individual user, and no third party can view, access, or monitor any customer data (not even Solve Intelligence).
• Confidentiality Enforcement: All AI interactions are covered by strict data processing agreements with confidentiality clauses consistent with Solve Intelligence’s Terms of Service.

Data storage: Where are servers located?

• Solve Intelligence stores all customer data in secure AWS environments (in US or EU) with encryption, backup redundancy, and strict authentication controls (Single Sign-On, Multi-Factor Authentication).

Encryption: Are files encrypted at rest and in transit?

• All Solve Intelligence customer data is encrypted in transit (TLS 1.3) and at rest (AES-256) on AWS enterprise servers. Information is stored in isolated, access-controlled environments on AWS. We follow a strict zero-trust, least-privilege access model and conduct regular vulnerability scans, penetration tests, and access audits.

Data protection: Solve Intelligence acts as a Data Processor for customers.

• Solve Intelligence processes customer data solely on their instructions and does not determine the purposes or means of processing. All data is sandboxed to individual users, and Solve Intelligence has no access to or control over customer data.
• Solve Intelligence maintains compliance with the Data Protection Act 2018 where applicable to our services provided. All personal data is handled in compliance with GDPR, CCPA, and other applicable data protection laws.

Solve Intelligence’s Security Certifications: SOC 2, ISO 27001, GDPR compliance.

• All statutory, regulatory, and contractual requirements (such as SOC 2, GDPR, and CCPA) are defined, documented, and reviewed regularly as part of Solve Intelligence’s compliance framework. Our policies are aligned with ISO 27001 and ISO 42001 standards and are reviewed at least bi-annually.
• Solve Intelligence is SOC 2 Type II certified and our controls are aligned with ISO 27001, NIST Cybersecurity Framework, and CSA CCM standards.
• Solve Intelligence maintains a comprehensive Information Security Management Program documented in our Information Security Policy and supporting policies, audited through our SOC 2 Type II certification.
• For customers with a European presence, and for EU regulation, Solve Intelligence also undertakes to comply with the European Artificial Intelligence Act 2024 as both an AI Provider and Deployer. Solve Intelligence has established a compliance roadmap for the EU AI Act that builds on preparing for ISO 42001 for AI management systems.

Questions Attorneys Should Ask AI Patent Software Vendors

Firms need to conduct due diligence on vendor data governance, security infrastructure, access controls, and incident planning. Vendors need to have air-tight answers to these 7 common questions:

“How do you ensure the quality and accuracy of outputs generated by the AI?”

• Continuous Evaluation: LLM response correctness is measured through continuous human evaluation against real patent drafting tasks, assessing factual grounding, legal consistency, and structural completeness.

• Performance Monitoring: Solve Intelligence track error rates, user overrides, and revision time across sessions to monitor performance over time.

• Quality Controls:
  
  • Robust automated evaluation pipelines with expert human review,
  • Internal evaluations to establish qualitative and quantitative benchmarks,
  • Bias testing conducted semi-annually or with each major model update, and
  • Retrieval-augmented generation (RAG) constrains outputs to user-provided context

• User review requirement: All of Solve Intelligence’s AI output is clearly labelled (e.g., via track changes) and must be reviewed and accepted by users using our software.

“Do you use client data to train your models?”

• Solve Intelligence does not perform any AI learning or training process on user input provided by our customers.
• Our commitment is enforced through: 
  
  • (1) Contractual Provisions: Our Terms of Service,
  • (2) Zero-Data Retention: Strict zero-data retention agreements with all LLM providers, ensuring no data is stored beyond the immediate processing of requests, and
  • (3) Technical Implementation: We do not fine-tune models or perform any training on customer data. 

“Where is data processed and who has access?”

• Third-party services (AWS, LLM providers) operate under zero-data retention agreements and vendor risk assessments, but do not have direct system access that would require monitoring of connection times.
• No Solve Intelligence staff can access customer data by default.

“How do you ensure the segregation of information provided across firms?”

• All data is fully sandboxed per user. Each firm's data is logically isolated at both the application and infrastructure levels using row level security. No one at Solve Intelligence can view customer data, and data from one client is never used to train models or influence outputs for another.
• Solve Intelligence enforces strict multi-tenant data isolation using access controls, encryption, and zero-retention agreements with our LLM providers.

“Is any client data stored permanently?”

• Clients can configure their own data retention settings, including automatic deletion after a specified period of inactivity (e.g., 30 days), or deletion on sign-out. Once deleted, data is permanently and irreversibly removed from Solve Intelligence’s systems. 
• Users can permanently delete data at any time via the user interface. Data can be configured to auto-delete after periods of inactivity or on sign-out, effectively meaning nothing is stored between sessions.

“How are we updated on any changes to AI providers or updates to the platform?”

• Update Process: Changes to AI providers (e.g., adding or replacing LLM providers) are treated as subprocessor changes following our documented change management process.
• Notification Process: Solve Intelligence provides prior written notice of subprocessor changes and allows customers to object within the permitted timeframe as outlined in our Data Processing Agreement.
• Release Management: Product updates are communicated through release notes and customer notifications.

“Do you provide training on AI literacy?”

• Solve Intelligence can provide security awareness training on the secure and responsible use of GenAI as part of onboarding with Solve Intelligence. This includes generative AI compliance training for patent practitioners covering ethical AI practices, data privacy and security, bias detection and mitigation, and appropriate use of AI tools.

Common Misconceptions about AI Confidentiality

• Myth: “All AI tools feed your data back into the public internet.”
• Myth: “Using AI tools means risking confidentiality breaches by default.”
• Myth: “Use of AI tools negatively impact associate training programmes.”

Note: There are major differences between consumer AI tools (such as ChatGPT, Claude, or Gemini) vs enterprise-grade legal AI products like Solve Intelligence. In the world of AI, highly specialised vertical solutions with tailored security considerations showcase the greatest ROI.

Best Practices for Law firms Adopting AI securely

• Involve IT/security teams in AI patent software procurement early.
• Conduct a formal security review and vendor questionnaire.
• If there is perceived risk, to progress adoption, start piloting solutions with low-risk use cases before scaling firm-wide.
• Establish firm wide guidelines for AI use and literacy; law firms need to establish a roadmap to fill the skills gap in order to adopt AI at scale.

Conclusion

Without robust data protection, efficiency gains and cost savings remain theoretical because firms cannot risk client trust.

The evaluation criteria outlined here separate AI patent workflow solution vendors who architect security as a foundational requirement from those treating it as a compliance checkbox. Patent practitioners who ask these questions early avoid discovering inadequate protections after confidential data has already been processed.

At Solve Intelligence, security infrastructure enables adoption rather than constraining it. Firms gain efficiency without compromising confidentiality through zero-retention agreements, sandboxed data isolation, SOC 2 Type II certification, and client-controlled retention settings.

For detailed security documentation or to discuss your firm's specific requirements, please see our Security Portal or contact our Partnerships at partnerships@solveintelligence.com.

‍