Privileged by Design: Heppner-Dispositive in One Phrase: What Harvey and CoCounsel’s Own Terms Concede
I. Synopsis
In February 2026, a federal judge in the Southern District of New York ruled that a defendant’s communications with a generative AI platform were protected by neither the attorney-client privilege nor the work product doctrine.² The court rested its holding on three independent grounds. The first (that Claude is not an attorney) and the third (that the defendant did not communicate with Claude for the purpose of obtaining legal advice from Claude) track familiar privilege doctrine. The second is the one that reaches every legal AI deployment regardless of marketing or interface: it turned on architecture. The court examined the platform operator’s published policies, found that the operator retained the technical capability to access, log, and disclose user data, and held that no reasonable expectation of confidentiality could exist under those conditions.³ The court did not need a breach to find the privilege destroyed. The capability was enough.
This paper asks a single question: under that standard, what do the published terms of the leading legal AI platforms actually disclose? The April 2026 service terms of Harvey AI and Thomson Reuters’ CoCounsel, together with Harvey’s own publicly-listed subprocessor chain, answer the question on their face. Each platform’s customer-facing legal documents describe the exact category of voluntary third-party exposure that the Heppner court found fatal to privilege.⁴
The exposure is not metadata. The category of data each subprocessor receives, in Harvey’s own published term, is “Customer Content”: the substantive material the customer uploads and the model produces in response, including draft pleadings, witness analyses, client memoranda, and litigation strategy.
And the access chain is not static: Harvey’s subprocessor page reserves the right to add new third parties at its discretion, with only opt-in, after-the-fact notification — no advance notice, no right of objection. New vendors can join the chain that touches client data without the firm’s knowledge or consent.
There is an alternative. AI inference can run inside a Trusted Execution Environment (TEE): a sealed compute region on commodity cloud hardware, isolated from the cloud operator itself by the chip’s design rather than by software permissions, with cryptographic attestation that no data was retained and no unauthorized process accessed the workload. The firm need not own or operate hardware to deploy this architecture.¹ Firms that prefer dedicated equipment can deploy the same architecture on hardware they control, with the same cryptographic guarantees. A second path eliminates the platform from the inference layer entirely: the firm uses its own AI provider key, and inference executes in the firm’s browser without ever traversing the platform’s servers. In every case, the underlying model is frontier-class. The privilege architecture imposes no capability ceiling, and the firm faces none of the typical disadvantages of an on-premises legal-AI deployment. Confidentiality becomes a verifiable architectural property, not a contractual assurance. Under the framework the court itself suggested, these architectures satisfy the standard for treating AI as counsel’s privileged agent.⁵
This paper examines what Heppner held, what leading platforms’ own terms reveal, and what architecture satisfies the legal standard for privilege-safe AI.
For implementations of this architecture, see Veracity-Engine (broad legal market) and Plaintiff Zero (plaintiff-side vertical).
II. The Heppner Framework
What the Court Held
United States v. Heppner was a question of first impression.⁶ In February 2026, Judge Jed S. Rakoff of the Southern District of New York ruled that approximately thirty-one documents memorializing a criminal defendant’s communications with Claude, the generative AI platform operated by Anthropic, were protected by neither the attorney-client privilege nor the work product doctrine.⁷
Heppner had been indicted on securities fraud, wire fraud, and related charges arising from his role as an executive of GWG Holdings, Inc.⁸ After receiving a grand jury subpoena and learning he was a target, Heppner used Claude to prepare reports “that outlined defense strategy, that outlined what he might argue with respect to the facts and the law that we anticipated that the government might be charging.”⁹ He later shared these outputs with his attorneys. The FBI seized the documents during a search of Heppner’s home. When the government later sought to use them in the prosecution, defense counsel asserted privilege.¹⁰
The court denied the claim on three independent grounds.
Ground One: Claude Is Not an Attorney
Attorney-client privilege requires “communications (1) between a client and his or her attorney (2) that are intended to be, and in fact were, kept confidential (3) for the purpose of obtaining or providing legal advice.”¹¹ Claude is not an attorney. As the court stated: “Because Claude is not an attorney, that alone disposes of Heppner’s claim of privilege.”¹² The court cited a Harvard Law School article openly hostile to the concept of AI privilege, noting that all recognized privileges “require, among other things, ‘a trusting human relationship,’ such as, in the attorney-client context, a relationship ‘with a licensed professional who owes fiduciary duties and is subject to discipline.’”¹³ No such relationship exists between a user and an AI platform.
Ground Two: No Reasonable Expectation of Confidentiality
This is the ground that matters for platform architecture. The court did not simply observe that Heppner communicated with a third party. It examined what the platform’s own policies permitted:
[T]he written privacy policy to which users of Claude consent provides that Anthropic collects data on both users’ “inputs” and Claude’s “outputs,” that it uses such data to “train” Claude, and that Anthropic reserves the right to disclose such data to a host of “third parties,” including “governmental regulatory authorities.”¹⁴
The policy “clearly puts Claude’s users on notice that Anthropic, even in the absence of a subpoena compelling it to do so, may ‘disclose personal data to third parties in connection with claims, disputes[,] or litigation.’”¹⁵ The court cited a recent decision from the same district observing that AI users “do not have substantial privacy interests in their ‘conversations with [another publicly accessible AI platform] which users voluntarily disclosed’ to the platform and which the platform ‘retains in the normal course of its business.’”¹⁶
Heppner could therefore “have had no ‘reasonable expectation of confidentiality’ in his communications with Claude.”¹⁷
This reasoning reaches beyond Anthropic’s consumer privacy policy. Any platform whose operator (or whose operator’s subprocessors) retains the technical capability to access, log, or disclose user data faces the same analysis. The court looked at what the platform could do, not what it promised not to do.
Ground Three: No Purpose of Obtaining Legal Advice from Claude
Heppner’s counsel argued he communicated with Claude “for the express purpose of talking to counsel.”¹⁸ But counsel conceded that Heppner “did not do so at the suggestion or direction of counsel.”¹⁹ The court held that “what matters for the attorney-client privilege is whether Heppner intended to obtain legal advice from Claude, not whether he later shared Claude’s outputs with counsel.”²⁰ Claude itself disclaimed the capacity: “I’m not a lawyer and can’t provide formal legal advice or recommendations.”²¹
Moreover, sharing non-privileged AI outputs with counsel after the fact does not retroactively create privilege. The court invoked what it called “black-letter law that non-privileged communications are not somehow alchemically changed into privileged ones upon being shared with counsel.”²²
The Work Product Doctrine
The court also rejected Heppner’s work product claim. The AI Documents “were prepared by the defendant on his own volition,” counsel “did not direct [Heppner] to run Claude searches,” and the documents did not “reflect” counsel’s strategy at the time of their creation.²³ The work product doctrine “provides qualified protection for materials prepared by or at the behest of counsel in anticipation of litigation or for trial.”²⁴ Materials prepared by a client without counsel’s direction do not qualify.
The Kovel Signal
Buried in the court’s analysis of the third privilege element is a passage that points toward a solution. Judge Rakoff wrote:
Had counsel directed Heppner to use Claude, Claude might arguably be said to have functioned in a manner akin to a highly trained professional who may act as a lawyer’s agent within the protection of the attorney-client privilege.²⁵
The court cited United States v. Adlman and United States v. Kovel, the foundational Second Circuit authority for extending privilege to non-lawyer agents acting at counsel’s direction.²⁶ The implication is direct: if counsel directs the use of an AI platform, and if the platform provides the requisite confidentiality, the privilege analysis changes.
The question becomes: can any current platform provide that confidentiality?
III. The Warner Counterpoint and the Agency Framework
On the same day Judge Rakoff ruled from the bench in Heppner, a different federal court reached a different result. In Warner v. Gilbarco, Inc., Judge Patti of the Eastern District of Michigan held that a pro se plaintiff’s use of ChatGPT to research legal questions and draft filings was protected under the work product doctrine.²⁷ The court reasoned that “ChatGPT (and other generative AI programs) are tools, not persons” and that the tool used to prepare litigation materials is irrelevant to the work product analysis.²⁸
These cases are not easily reconciled. Warner treats AI as a tool no different from a word processor, dismissing the relevance of platform operator access to the work product analysis (“even if they may have administrators somewhere in the background”).⁴⁹ Heppner treats the platform operator’s data access capability as the dispositive fact. Both courts applied established doctrine. Both reached defensible conclusions. The tension is real, and it reflects a genuine split in how courts view AI in the litigation process: as a passive instrument of the lawyer’s will, or as a third-party intermediary that receives voluntary disclosures. Some courts will follow Warner’s pragmatism. Others will follow Heppner’s skepticism. The prudent firm plans for the more exacting standard.
The critical gap between them is doctrinal before it is architectural. Judge Patti did address the third-party disclosure question, but under the work product standard, where the answer is different. He cited In re Columbia/HCA Healthcare Corp. Billing Practices Litigation for the principle that “the mere showing of a voluntary disclosure to a third person will generally suffice to show waiver of the attorney-client privilege” but “should not suffice in itself for waiver of the work product privilege.”²⁸ᵃ Work product waiver requires disclosure to an adversary or in a manner likely to reach one. OpenAI is not the plaintiff’s adversary. Under Heppner, by contrast, any voluntary disclosure to a third party with the capability to access and disclose the data destroys the reasonable expectation of confidentiality required for attorney-client privilege. The same act of using a consumer AI platform can therefore preserve work product protection while destroying privilege. For firms using AI on litigation strategy, case analysis, or client communications, two consequences follow. Privilege protects the client communications at the core of the engagement, not just the firm’s analytical output, and Heppner is the only court to have addressed whether AI use destroys it. Warner’s narrower work-product result is also not portable: a court applying Heppner’s framework, where platform access is dispositive, would not preserve work product either. The more exacting standard is Heppner’s. The architecture has to satisfy it directly.
This gap defines the challenge for every law firm evaluating legal AI. Heppner may or may not influence courts in other circuits, but its reasoning draws on foundational privilege doctrine and cites scholarship openly hostile to the concept of AI privilege (Against an AI Privilege),⁴⁷ setting a standard that future courts may apply with equal or greater rigor. Any court that examines a platform’s terms of service and data practices through the lens Heppner established will ask the same question: does the architecture withstand scrutiny, or does it rely on the kind of contractual assurances that Judge Rakoff found insufficient?
The framework that emerges from reading Heppner alongside the Kovel doctrine requires three conditions for AI to function as counsel’s privileged agent:
1. Counsel directs the use of the AI platform. The attorney, not the client acting independently, must initiate or authorize the AI-assisted work.
2. The platform provides structural confidentiality. The platform operator and its subprocessors must lack the technical capability to access client data. The Heppner court did not ask what Anthropic promised to do with user data. It asked what Anthropic’s privacy policy permitted it to do, and found that the documented capability to collect, retain, and disclose was enough to destroy confidentiality.³⁶
3. The AI functions as necessary for the representation. The platform must serve the kind of specialized function that Kovel contemplates: enabling the attorney to provide competent legal services.
Condition two is where every cloud-wrapper legal AI platform fails the test.
IV. What the Terms Actually Say: A Privilege Audit of Leading Platforms
To understand whether a legal AI platform satisfies Heppner’s confidentiality requirement, one must do what the court did: read the platform’s own terms. These are the same documents a court will examine in any privilege dispute. What follows is an analysis of publicly available service terms from two leading legal AI vendors, current as of April 2026.
Harvey
Harvey AI Corporation’s Service Terms (last updated April 10, 2026) and Platform Agreement (last updated January 9, 2026) reveal a multi-layered subprocessor architecture that creates precisely the chain of third-party disclosures Heppner found fatal to privilege.
Harvey’s Knowledge Source and Web Browsing subprocessors are explicitly not HIPAA compliant. Section 4.4 of the Service Terms states without qualification: “The Knowledge Source Subprocessor and Web Browsing Subprocessor are not HIPAA compliant.”²⁹ For any firm handling medical malpractice, personal injury, life sciences, or any matter involving protected health information, this is a categorical exclusion. Harvey’s own terms confess that two of its core research features cannot protect PHI.
Harvey routes client data through multiple separate subprocessors. The Web Browsing Feature uses one subprocessor. The Knowledge Source Feature may use another. Ask LexisNexis uses a third. Email Harvey uses a fourth.³⁰ Each subprocessor is a separate entity with separate data access. Under Heppner’s analysis, each handoff constitutes a voluntary disclosure to an additional third party. Harvey is not a single-gate system. It is a chain of disclosures, and every link in that chain is a potential waiver point.
Harvey cannot guarantee data residency. Section 4.4 states that the Web Browsing Subprocessor and Knowledge Source Subprocessor “process Customer Data and Content in the location(s) specified on www.harvey.ai/legal/subprocessors and may not process in Your selected data processing region.”³¹ Section 4.5 contains identical language for the LexisNexis Subprocessor.³² For firms with data residency obligations under GDPR, Swiss data protection law, or client-imposed restrictions, this disclaimer means that activating Harvey’s advanced features may breach those obligations.
Harvey does commit to not training on customer data. Section 11.8 of the Platform Agreement states: “Harvey will not train any AI models using Your Content or Customer Data. Subprocessors will not train any AI models using Your Content or Customer Data.”³³ This commitment, while important, is beside the point under Heppner. The court’s analysis did not turn on whether Anthropic trained on Heppner’s data. It turned on whether Anthropic could access and disclose that data. A no-training commitment does not eliminate the access capability that Heppner found dispositive.
The Subprocessor Page
The Service Terms quoted above are not Harvey’s only disclosure. Harvey publishes a customer-facing subprocessor page at harvey.ai/legal/subprocessors that lists, by name, every third party that touches Customer Data or Customer Content.⁴³ This page is the operative disclosure under Heppner’s analysis: it is what the customer is on notice of at the time of contracting, and it is what opposing counsel will put in front of a court when challenging privilege over a Harvey-assisted work product. Whatever Harvey may carve out in a data processing agreement does not assist a privilege claim built on what was disclosed.
Harvey discloses nine third parties. Five are AI model providers: Microsoft, OpenAI, Google Cloud Platform, AWS, and Anthropic.⁴⁴ One is a voice services provider: ElevenLabs.⁴⁴ Three are research and web subprocessors: SuSea (you.com), Parallel Web Systems, and RELX/LexisNexis.⁴⁴ For each of the nine, the categories of data the subprocessor receives are listed verbatim as “Customer Data, Customer Content.”⁴⁵ The second term is the load-bearing one. “Customer Content” is not telemetry, account information, or usage statistics. It is the substantive material the customer uploads and the model produces in response: draft pleadings, witness analyses, client memoranda, litigation strategy. Harvey’s published disclosure stipulates that each of the nine subprocessors receives that category of material, not merely platform metadata. The page contains no retention qualifier, no training qualifier, no zero-data-retention configuration, no enclave or confidential-compute language, and no sub-sub-processor disclosure. Every privacy configuration an enterprise legal-AI product could plausibly invoke — Azure OpenAI no-storage routing, Anthropic ZDR endpoints, Vertex AI no-training tiers, Bedrock tenant isolation — is absent from the page Harvey controls.
Under Heppner, the access question is not whether Harvey’s subprocessors have accessed client data. The question is whether they can. Harvey’s own page stipulates that they can. In any discovery dispute, the party seeking production need not prove access. Harvey has published the admission.
Any-to-any routing must be assumed. The page does not map Harvey features to vendors. A document review workflow, a drafting workflow, a research workflow, a summarization workflow, and a voice workflow may each route to any subset of the listed providers depending on Harvey’s internal orchestration. For a privileged matter, a firm must therefore assume each workflow potentially touches each vendor. The query-leak surface is the underappreciated consequence. Even when no document is uploaded to Harvey, the model rewrites the user’s question into search queries dispatched to SuSea, Parallel Web Systems, and LexisNexis. A research query that contains a unique factual pattern from the matter discloses the matter to the search vendor regardless of whether the underlying document ever leaves Harvey. Under Heppner, that is a technical-access event by an additional third party.
The change-notice mechanism is opt-in. The subprocessor page commits only that customers “may sign up to receive notifications about new subprocessors.”⁴⁶ Standard enterprise SaaS data processing agreements provide thirty-day advance notice of new subprocessors, a customer right of objection, and termination-without-penalty if the customer objects. Harvey’s surface commitment is to inform the customer, after the fact, if the customer remembered to subscribe. A firm cannot proactively assess the privilege implications of a vendor it does not know has been added.
The cumulative picture is unambiguous. The customer-facing legal artifact discloses a five-model-provider chain of “Customer Content” handlers with no qualifying language, no per-feature routing transparency, and no advance-notice protection. This is the disclosure surface a court will examine under Heppner.
CoCounsel
Thomson Reuters’ CoCounsel Core & CoCounsel Drafting Product Specific Terms (Version 2.1, dated March 4, 2025) present a different variant of the same structural problem.
CoCounsel requires users to authorize third-party data sharing. Section 2.1 states: “If you choose to use a Third-Party Application with the use of the Services, you acknowledge and agree that you are authorizing us to access and share Your Data with the third-party provider on your behalf solely in order for the third-party provider to provide the relevant Third-Party Application to you.”³⁴ This is, by definition, a voluntary authorization of third-party disclosure. Under Heppner, this authorization waives any claim that the data was kept confidential. The user has signed a document agreeing that the platform may share their data with entities outside the attorney-client relationship.
The “solely in order for” limitation does not save the clause. Privilege waiver turns on the fact of voluntary disclosure to a third party, not on the purpose or commercial necessity of that disclosure. As the Sixth Circuit explained, “the mere showing of a voluntary disclosure to a third person will generally suffice to show waiver of the attorney-client privilege.”⁴⁸ CoCounsel’s clause meets that test on its face. The user has consented in writing to the platform’s transfer of “Your Data” to a “third-party provider.” Whether the third-party provider is technically necessary to deliver a particular feature is not part of the privilege analysis a court will run. And in any event, the premise that third-party sharing is technically necessary is false. The architectures described in Part V deliver equivalent legal-AI functionality without routing client data outside the attorney-client relationship. CoCounsel’s third-party authorization clause reflects a vendor design choice, not a technical requirement.
CoCounsel reserves discretion over multi-tenant hosting. Section 3.3 provides: “Except as otherwise expressly set forth in the Order Form, the Syncly DMS service may be hosted in a single or multi-tenant environment in our discretion.”³⁵ Multi-tenancy means that multiple customers’ data resides on the same physical infrastructure. If one tenant’s data is subpoenaed, the scope of forensic examination may extend to the entire physical environment, including metadata, access logs, and system-level artifacts. Thomson Reuters retains unilateral discretion over this decision. The customer has no architectural guarantee of isolation.
The Pattern
Both platforms follow the same structural model. They offer contractual assurances of confidentiality while simultaneously requiring users to authorize data sharing with third parties, routing data through subprocessors with independent data access, and disclaiming control over where data is processed. Under the Heppner framework, the contractual assurance is legally irrelevant when the architecture permits access. The court examined Anthropic’s privacy policy and concluded that the capability to access and disclose, standing alone, destroyed any reasonable expectation of confidentiality.³⁶ Harvey’s and CoCounsel’s terms document the same capability, often more explicitly.
A firm relying on these platforms cannot tell a court, “Our AI communications were confidential.” The platform’s own terms say otherwise.
V. The Architectural Alternative: Structural Confidentiality
Heppner identifies the problem. The Kovel doctrine suggests the solution. If privilege requires that the platform operator lack the capability to access client data, then the architecture must make access impossible, not merely prohibited.
What the Heppner Test Requires
Four architectural properties follow directly from the court’s reasoning:
1. No third party with access. Every subprocessor in the data path that retains the technical capability to access client communications is, under Heppner’s analysis, an additional third party. A privilege-safe architecture eliminates them in one of two ways. Either no intermediary handler exists in the inference path at all (the BYOK / BYOS architecture, where inference executes in the firm’s browser without ever traversing the platform’s servers), or every intermediary handler is cryptographically excluded from access (the TEE-based architecture, where the cloud operator running the hardware cannot decrypt the workload it hosts). The court scrutinized Anthropic as a single third party. Harvey’s published subprocessor page documents nine.
2. Hardware isolation. Multi-tenant environments share physical infrastructure across customers. The platform operator (and potentially other tenants’ forensic processes) can access the shared environment. A privilege-safe architecture must provide dedicated, physically isolated compute that no other entity can access.
3. Cryptographic attestation. Contractual promises of data protection are, as Heppner demonstrates, insufficient. A court needs evidence it can evaluate independently. Cryptographic attestation provides that evidence: a mathematical proof, verifiable at any time, that the code running inside the enclave is the code that was audited, that no data was retained, and that no unauthorized access occurred. This is the difference between a vendor’s promise and a provable fact.
4. Verifiable data residency. When a platform’s own terms state that data “may not process in Your selected data processing region,” the platform cannot guarantee compliance with data residency obligations. A privilege-safe architecture must process data in a location the customer selects and controls.
Veracity-Engine: Two Privilege-Safe Architectures
Veracity-Engine offers two architecturally distinct paths to the requirements above. The first removes the platform from the inference pathway entirely. The second isolates inference inside a trusted execution environment (TEE) with cryptographic attestation of zero data retention. A firm selects between them based on its deployment posture, not its tolerance for risk: both eliminate operator access to client communications.³⁷
Bring Your Own Key / Bring Your Own Stack (inference-relay). The firm uses its own AI provider API key, or, where preferred, its own complete inference stack. Inference executes in the browser. The platform orchestrates workflow, decomposition, verification, and tool execution, but is mathematically excluded from the inference path itself. The firm’s API key never leaves the browser. No data transits the platform’s servers. Zero subprocessors. The firm’s existing relationship with its AI provider (and any existing BAA) applies directly, because the platform is not a party to the inference.³⁸
Sovereign Shield — Enterprise (dedicated enclave). A hardware-isolated trusted execution environment provisioned for the firm, with a custom endpoint, air-gapped retrieval-augmented generation, reproducible builds, KMS-gated encryption keys, and zero data retention. Cryptographic attestation means the firm can verify, at any time, that the exact code running inside the enclave is the code that was audited and approved.³⁹ This verification is not a contractual representation. It is a mathematical proof, producible in court, that the platform operator never accessed the data.
Sovereign Shield — Pro (managed private inference). TEE-backed inference with pay-per-token pricing and no infrastructure for the firm to manage. Zero data retention by the platform. The managed tier for firms that require private inference without provisioning dedicated hardware.
Across all three deployment paths, there is no chain of third-party disclosures to scrutinize, no subprocessor list to audit, no HIPAA disclaimer to discover in the fine print. The inference pathway is either controlled by the firm itself (BYOK / BYOS), isolated inside dedicated hardware (Enterprise), or processed through confidential computing infrastructure with zero platform retention (Pro).
The Privilege Comparison
| Privilege Factor | Contractual Confidentiality | Structural Confidentiality |
|---|---|---|
| Basis of protection | Platform operator’s written promise | Hardware attestation (Enterprise), browser-only inference (BYOK / BYOS), or TEE-backed managed inference (Pro) |
| Provider data access | Technically possible; prohibited by policy | Mathematically impossible: firm controls the key or stack (BYOK / BYOS), hardware enforces isolation (Enterprise), or confidential computing guarantees zero retention (Pro) |
| Subprocessor chain | Multiple third parties with data access | Zero subprocessors. Direct inference path controlled by the firm (BYOK / BYOS), isolated inside dedicated hardware (Enterprise), or processed with zero platform retention (Pro). |
| HIPAA compliance | Explicitly disclaimed for advanced features | Firm’s existing BAA with AI provider applies directly (BYOK / BYOS). Dedicated BAA (Enterprise). |
| Data residency | “May not process in Your selected region” | Processing location configurable by the firm, determined by enclave deployment region |
| Kovel compatibility | Fails: third-party access capability exists | Satisfies: platform operator cannot access communications |
Under the framework Judge Rakoff articulated, both architectures satisfy the second condition of the Kovel agency analysis. When counsel directs the use of the platform, and the platform either executes inference inside the firm’s own browser using the firm’s own API key or stack, or operates inside a hardware-isolated enclave that the platform operator itself cannot penetrate, the AI functions “in a manner akin to a highly trained professional who may act as a lawyer’s agent within the protection of the attorney-client privilege.”⁴⁰
Confidentiality is no longer a promise. It is a fact.
What the Architecture Enables
Privilege protection does not come at the cost of capability. The platform that solves the Heppner problem is also the platform that does the work. Every feature below runs identically inside the encrypted enclave.
Veracity Engine. Every citation, quote, legal proposition, statute, and procedural rule verified automatically against source text. The engine retrieves the actual opinion, compares quotes word-for-word, validates that holdings support the claimed legal principle, and confirms treatment history. Semantic verdicts explain what passed, what failed, and why.
Proactive Authority Detection. Every authority in every AI response is verified in the background, across multiple dimensions of accuracy, without the lawyer asking. A citation can be real and still be wrong. PAD catches both fabrication and mischaracterization.
Verified Research Pipeline. AI suggests candidate authorities. Each is subjected to a rigorous elimination process: candidates that do not exist are removed, candidates whose holdings do not support the stated legal point are removed, candidates that have been overruled are removed. Only proven results reach the lawyer. Results stream in as they are verified.
Juxtaposition Analysis. Systematic comparison of any two documents to expose misstatements, gaps, contradictions, and unsupported claims. When opposing counsel’s motion to dismiss claims “Plaintiff fails to plead reliance” and paragraph 47 of the complaint pleads exactly that, juxtaposition finds it. The output is a blueprint for the opposition brief.
Agentic Associate. Autonomous agent that receives a directive, decomposes it into task domains, spawns specialized sub-agents, and executes at project scale. Hand it a 2,000-page discovery production. It reads every page, classifies every document, flags inconsistencies, builds timelines, drafts responses, and reports back with structured intelligence. Human-in-the-loop gates are configurable at any decision point. Autonomy never exceeds authorization.
Sovereign Library and the Intelligence Dividend. A growing, cross-user repository of verified legal text. Every authority any user on the platform verifies is cached and 0-rated for every future user: zero token cost, zero latency, zero external API calls. The more the platform is used, the less the firm spends. An architectural advantage that compounds with scale.
Integrated Shepardizing. Full case treatment analysis (overruled, reversed, distinguished, limited, followed, affirmed) integrated into every verification workflow, with citing cases and confidence levels. Treatment data flows into the Sovereign Library. Shepardizing is instantaneous for cached authorities.
Redline Review Engine. Comprehensive document review covering language quality (grammar, style, clarity, argument persuasiveness) and citation accuracy (citation verification, quote checking, shepardizing, proposition validation). Every authority in the document is verified. Suggestions never drift or misalign regardless of how many edits have been applied or in what order.
Citations Tab. Document-wide citation health score with Bluebook compliance checking (e.g., full citation format per B10.1.1, reporter abbreviation per B10.1.2, pincite format per R. 3.2, signal italicization per B1.2, short cite and Id. suggestions per R. 4.1 and R. 10.9). One-click corrections. Hover tooltips show validation status without leaving the document. Statute verification with direct source links.
Matter Pulse. A living synthesis of the entire matter (parties, issues, timeline, key authorities, procedural posture) that updates automatically with every new document uploaded, every new research finding, every new analysis completed. The partner reviewing the file on Wednesday sees the associate’s Monday research without anyone writing a memo.
Total Matter Awareness. Context windows end. Your matter does not. Every document is permanently cataloged with identity, classification, and cross-document metadata, accessible across every conversation and every team member for the life of the matter.
Deviation Detection. Flags non-standard, one-sided, or missing contract terms against market norms. A first-year associate running deviation detection gets the benefit of a senior partner’s pattern recognition, surfaced instantly against the specific document under review.
Document Classification and Extraction. Specialized extraction engines for every major legal document type. Structured, navigable output. Document review that takes an associate hours is completed in seconds.
Knowledge Base. Firm-private document intelligence. Your contracts, templates, internal memos, and client-specific research, searchable by the AI, informing every answer with your firm’s accumulated expertise. Never shared with other users. Never used to train models. In private mode, ingestion runs entirely through the encrypted enclave.
Time, Billing, and Calendar. The AI tracks your time as you work. When you draft a motion, the platform logs the time spent and generates billing narratives. Gap detection identifies periods where you were active but did not log time. Deadline tracking with automatic creation from document analysis. Calendar management with billable/non-billable classification.
Role-Based Access Control. Editor, Commenter, Viewer, or Custom permissions per matter, with ownership transfer, invitation management, and comprehensive audit trails. Every operation validates permissions before execution.
VI. Practical Implications
Discovery Exposure
Opposing counsel moves to compel production of your team’s AI-assisted work product. Under Heppner, the court will examine your platform’s terms of service. If those terms disclose subprocessor chains, HIPAA non-compliance, or third-party data sharing authorizations, the argument for privilege becomes the argument that lost in the Southern District of New York. A platform where inference executes in the firm’s own browser using the firm’s own API key, or inside a dedicated enclave with cryptographic attestation of zero data retention, produces a different evidentiary record: verifiable proof that no third party accessed the communications.
Ethics Compliance
Model Rule 1.6(a) requires lawyers to maintain client confidentiality. Model Rule 1.1 requires competence, which the ABA has interpreted to include competence in the use of technology relevant to the practice.⁴¹ Using an AI platform whose own terms disclaim HIPAA compliance for core features, or whose terms require authorizing third-party data sharing, raises questions under both rules. A firm that has audited its AI platform’s architecture and can demonstrate hardware-enforced confidentiality has a defensible answer. A firm relying on contractual assurances that mirror the policies Heppner found insufficient may not.
Malpractice Insurance
Carriers are beginning to incorporate AI usage questionnaires into underwriting. The question is moving from “do you use AI?” to “how does your AI platform protect client data?” A platform with cryptographic attestation and zero subprocessors is an underwriting answer. A platform with four subprocessors, HIPAA disclaimers, and regional processing drift is an underwriting risk.
Client Expectations
Sophisticated institutional clients (banks, pharmaceutical companies, technology firms) are already including AI usage provisions in outside counsel guidelines. The question these clients ask is direct: what happens to our data when your associates use AI? “We use a platform with hardware-isolated enclaves and cryptographic proof of zero data retention” is a different answer than “we use a platform that promises not to read your data, but routes it through multiple subprocessors that are not HIPAA compliant.”
The Retroactive Risk
Heppner applies to communications that already occurred. Every prompt a lawyer has submitted to a consumer or cloud-wrapper AI platform, containing client facts, case strategy, or privileged analysis, is potentially discoverable. The privacy policies that existed at the time of those communications are the policies a court will examine. Firms that have been using AI platforms with broad data access policies may have already created a privilege exposure they cannot undo. The only question is whether the exposure is compounded going forward or arrested by migrating to an architecture that satisfies the structural standard Heppner’s reasoning compels, and that the Kovel doctrine recognizes as preserving privilege.
VII. Conclusion
Firms face two problems simultaneously. The first is the one this paper has analyzed: protecting attorney-client privilege and work product in an era where courts examine platform architecture, not marketing promises. The second is the one every firm already knows: harnessing AI to transform legal workflows at the speed and scale the market demands. Most platforms force a choice between the two. Capability or confidentiality. Workflow transformation or privilege protection.
Heppner did not create a new rule. Judge Rakoff applied established privilege doctrine and work product analysis to a new technology and reached the conclusion the doctrine required: confidentiality that exists only as a contractual promise, contradicted by the platform’s own technical capabilities, is no confidentiality at all.⁴² The facts he relied on (platform terms of service, privacy policies, subprocessor disclosures) are objective, documented, and discoverable. Every firm’s AI platform is one motion to compel away from the same scrutiny.
Veracity-Engine eliminates that tradeoff. The same encrypted enclave that satisfies the structural standard Heppner compels runs a verification engine that traces every citation to its source, an autonomous agent that processes thousands of pages with configurable human-in-the-loop gates, a research pipeline that proves every authority before the lawyer sees it, and a verified legal text repository that retrieves any authority the firm needs on demand. Privilege protection and work product security do not come at the cost of capability. They are the foundation on which every capability is built.
Courts across the country will confront these questions. Some will follow Heppner’s reasoning on privilege. Some may adopt the Warner approach on work product. The prudent firm prepares for both by adopting architecture that structurally satisfies the more demanding standard. Firms relying on contractual disclaimers are betting that no court in their jurisdiction will read their platform’s terms the way Judge Rakoff read Anthropic’s privacy policy.
The question is no longer whether AI will be used in legal practice. The question is whether the platform a firm selects will protect the privilege and work product guarantees on which every client relationship depends, while delivering the verified, autonomous legal AI that transforms how work gets done. The answer is architectural.
For implementations of this architecture, see Veracity-Engine (broad legal market) and Plaintiff Zero (plaintiff-side vertical).
Appendix: Key Excerpts from United States v. Heppner
United States v. Heppner, No. 25 Cr. 503 (JSR), slip op. (S.D.N.Y. Feb. 17, 2026).
On the question presented:
[T]he Court’s ruling in this case appears to answer a question of first impression nationwide: whether, when a user communicates with a publicly available AI platform in connection with a pending criminal investigation, are the AI user’s communications protected by attorney-client privilege or the work product doctrine? For the reasons that follow, the answer is no.⁶
On the confidentiality requirement:
[T]he written privacy policy to which users of Claude consent provides that Anthropic collects data on both users’ “inputs” and Claude’s “outputs,” that it uses such data to “train” Claude, and that Anthropic reserves the right to disclose such data to a host of “third parties,” including “governmental regulatory authorities.”¹⁴
On reasonable expectation:
[Heppner] could have had no “reasonable expectation of confidentiality” in his communications with Claude. And the AI Documents are not like confidential notes that a client prepares with the intent of sharing them with an attorney because Heppner first shared the equivalent of his notes with a third-party, Claude.¹⁷
On the Kovel possibility:
Had counsel directed Heppner to use Claude, Claude might arguably be said to have functioned in a manner akin to a highly trained professional who may act as a lawyer’s agent within the protection of the attorney-client privilege.²⁵
On retroactive privilege:
[I]t is black-letter law that non-privileged communications are not somehow alchemically changed into privileged ones upon being shared with counsel.²²
Endnotes
1 See, e.g., Veracity-Engine, veracity-engine.com; Plaintiff Zero, plaintiffzero.com (implementing this architecture for the broad legal market and the plaintiff-firm vertical, respectively).
2 United States v. Heppner, No. 25 Cr. 503 (JSR), slip op. (S.D.N.Y. Feb. 17, 2026).
3 Id. at 6-7 (examining Anthropic’s Privacy Policy and concluding Heppner “could have had no ‘reasonable expectation of confidentiality’ in his communications with Claude”).
4 Id.; see also Harvey AI Corporation, Service Terms (last updated April 10, 2026), §§ 4.4-4.6; Thomson Reuters, CoCounsel Core & CoCounsel Drafting Product Specific Terms, Version 2.1 (March 4, 2025), §§ 2.1, 3.3.
5 Heppner, slip op. at 7 (citing United States v. Adlman, 68 F.3d 1495, 1498-99 (2d Cir. 1995); United States v. Kovel, 296 F.2d 918 (2d Cir. 1961)).
6 Heppner, slip op. at 2.
7 Id. at 1.
8 Id. at 2.
9 Id. at 3 (quoting transcript of February 10, 2026 pretrial conference at 4).
10 Id. at 3-4.
11 United States v. Mejia, 655 F.3d 126, 132 (2d Cir. 2011), quoted in Heppner, slip op. at 4-5.
12 Heppner, slip op. at 5.
13 Id. at 5-6 (quoting Ira P. Robbins, Against an AI Privilege, JOLT Dig., Harvard L. Sch. (Nov. 7, 2025)).
14 Id. at 6.
15 Id. (quoting Anthropic, Privacy Policy (as of February 19, 2025)).
16 In re OpenAI, Inc., Copyright Infringement Litig., No. 25 MD 3143, ECF No. 1021 at 3 (Jan. 5, 2026), quoted in Heppner, slip op. at 6-7.
17 Heppner, slip op. at 7 (citing Mejia, 655 F.3d at 132-34).
18 Id. at 7 (citing ECF No. 23-5).
19 Id. (noting counsel “did not direct [Heppner] to run Claude searches” (citing ECF No. 23-5)).
20 Id. at 7.
21 Id. at 7-8 (quoting ECF No. 23-6 at 1-2).
22 Id. at 8 (citing Gould, Inc. v. Mitsui Min. & Smelting Co., Ltd., 825 F.2d 676, 679-80 (2d Cir. 1987)).
23 Id. at 9-10 (quoting transcript at 5; citing ECF No. 23-5).
24 In re Grand Jury Subpoenas Dated March 19, 2002, and August 2, 2002, 318 F.3d 379, 383 (2d Cir. 2003), quoted in Heppner, slip op. at 9.
25 Heppner, slip op. at 7.
26 United States v. Adlman, 68 F.3d 1495, 1498-99 (2d Cir. 1995); United States v. Kovel, 296 F.2d 918 (2d Cir. 1961).
27 Warner v. Gilbarco, Inc., No. 2:24-cv-12333, 2026 WL 373043 (E.D. Mich. Feb. 10, 2026). The case is discussed in Jonathan Blecher, Heppner and Warner: What Every Lawyer Needs to Know About AI and Privilege, Substack (2026).
28 Id.
28a Warner, 2026 WL 373043, at *4 (citing In re Columbia/HCA Healthcare Corp. Billing Pracs. Litig., 293 F.3d 289, 306 n.28 (6th Cir. 2002); United States v. Am. Tel. & Tel. Co., 642 F.2d 1285, 1299 (D.C. Cir. 1980)).
29 Harvey AI Corporation, Service Terms (last updated April 10, 2026), § 4.4: “The Knowledge Source Subprocessor and Web Browsing Subprocessor are not HIPAA compliant.”
30 Id. §§ 4.4 (Web Browsing Subprocessor, Knowledge Source Subprocessor), 4.5 (LexisNexis Subprocessor), 4.6 (Email Subprocessor).
31 Id. § 4.4: “The Web Browsing Subprocessor and Knowledge Source Subprocessor process Customer Data and Content in the location(s) specified on www.harvey.ai/legal/subprocessors and may not process in Your selected data processing region.”
32 Id. § 4.5: “The LexisNexis Subprocessor processes Customer Data and Content in the location(s) specified on https://www.harvey.ai/legal/subprocessors and may not process in Your selected data processing region.”
33 Harvey AI Corporation, Platform Agreement (last updated January 9, 2026), § 11.8: “Harvey will not train any AI models using Your Content or Customer Data. Subprocessors will not train any AI models using Your Content or Customer Data.”
34 Thomson Reuters, CoCounsel Core & CoCounsel Drafting Product Specific Terms, Version 2.1 (March 4, 2025), § 2.1: “[Y]ou are authorizing us to access and share Your Data with the third-party provider on your behalf solely in order for the third-party provider to provide the relevant Third-Party Application to you.”
35 Id. § 3.3: “Except as otherwise expressly set forth in the Order Form, the Syncly DMS service may be hosted in a single or multi-tenant environment in our discretion.”
36 Heppner, slip op. at 6-7.
37 Veracity-Engine, Features: Sovereign Shield, available at veracity-engine.com/features.
38 Id.
39 Id.
40 Heppner, slip op. at 7 (discussing the Kovel framework).
41 ABA Model Rules of Professional Conduct, Rules 1.1 cmt. 8, 1.6(a).
42 Heppner, slip op. at 12 (“Generative artificial intelligence presents a new frontier in the ongoing dialogue between technology and the law. . . . But AI’s novelty does not mean that its use is not subject to longstanding legal principles, such as those governing the attorney-client privilege and the work product doctrine.”).
43 Harvey AI Corporation, Subprocessors, harvey.ai/legal/subprocessors (last updated April 10, 2026; accessed [PUBLICATION DATE]). Each subprocessor row in Harvey’s published table lists “Customer Data, Customer Content” as the categories of data received.
44 Id. Harvey categorizes the listed subprocessors as “Model Provider” (Microsoft Corporation, OpenAI, LLC, Google LLC, Amazon Web Services, Inc., Anthropic, PBC), “Voice Services” (ElevenLabs, Inc.), and Web Browsing / Knowledge Source Research (SuSea, Inc. d/b/a you.com, Parallel Web Systems, RELX Group / LexisNexis).
45 Id. Each subprocessor row in Harvey’s published table lists “Customer Data, Customer Content” as the categories of data received, with no further qualifying language.
46 Id. (“Customers may sign up to receive notifications about new subprocessors.”).
47 Supra note 13 (Ira P. Robbins, Against an AI Privilege, JOLT Dig., Harvard L. Sch. (Nov. 7, 2025)).
48 In re Columbia/HCA Healthcare Corp. Billing Pracs. Litig., 293 F.3d 289, 306 n.28 (6th Cir. 2002). See supra note 28a (discussing the Warner court’s reliance on this principle to distinguish privilege waiver from work-product waiver).
49 Warner, 2026 WL 373043, at *4 (concluding that “ChatGPT (and other generative AI programs) are tools, not persons, even if they may have administrators somewhere in the background”).
