CTF: Rate This AI Vendor — Would You Sign the Contract?

Difficulty: Hard | Time: 25–35 min | Linked product: AI Governance Pack ($97)​‌‌​​​​‌‍​‌‌​‌​​‌‍​​‌​‌‌​‌‍​‌‌‌​‌‌​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​​‍​‌‌​‌‌‌‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌‌​‌​‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌​​‍​‌‌​‌​​‌‍​‌‌​​‌‌‌‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​​‍​‌‌​​‌‌​

---

The Setup

You're the operations manager for a 40-person legal services firm in Sydney. Your firm handles family law, commercial litigation, and property conveyancing. The partners have asked you to evaluate an AI contract drafting tool called DraftAI (fictional) that a few of the lawyers have been trialling using personal accounts.

DraftAI promises to reduce contract drafting time by 60%. It's built on GPT-4-class models, hosted on AWS US-East, and markets itself to law firms specifically.​‌‌​​​​‌‍​‌‌​‌​​‌‍​​‌​‌‌​‌‍​‌‌‌​‌‌​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​​‍​‌‌​‌‌‌‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌‌​‌​‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌​​‍​‌‌​‌​​‌‍​‌‌​​‌‌‌‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​​‍​‌‌​​‌‌​

You've been sent:

1. Their privacy policy (a 14-page PDF)
2. Their terms of service
3. A draft enterprise agreement their sales rep emailed over

You have one week to decide: approve for firm-wide deployment, reject, or negotiate modifications.

Below are five excerpts from their documents. For each, decide: (A) acceptable, (B) acceptable with modifications, or (C) dealbreaker. Justify your rating.

---

The Challenge

---

Excerpt 1 — From the Privacy Policy, Section 4.2:

"We may use Customer Data to improve, develop, and train our AI models. By using the Service, you grant DraftAI a non-exclusive, worldwide, royalty-free licence to use Customer Data for these purposes. You may opt out of model training by submitting a written request to privacy@draftai.com within 30 days of account creation."

Rate: A / B / C. Justify. What specific modification would you request?

---

Excerpt 2 — From the Terms of Service, Section 8.1 (Limitation of Liability):

"To the maximum extent permitted by law, DraftAI's total aggregate liability to you for any a

nd all claims arising out of or related to this Agreement shall not exceed the amount paid by you in the three (3) months preceding the claim."

Rate: A / B / C. Justify. For a firm paying $600/month, what does this cap mean in dollar terms if DraftAI causes a data breach affecting your clients' privileged legal communications?

---

Excerpt 3 — From the Enterprise Agreement, Section 12 (Subprocessors):

"DraftAI may engage third-party subprocessors to assist in delivering the Service. A current list of subprocessors is available at draftai.com/subprocessors. DraftAI may add or change subprocessors at its discretion and will provide notice via email to the primary account holder at least 7 days before any material change."

Rate: A / B / C. Justify. What's missing from this clause that matters for your Privacy Act obligations?

---

Excerpt 4 — From the Privacy Policy, Section 7.1:

"DraftAI stores all Customer Data on AWS infrastructure located in the United States. We do not currently offer data residency options for Australian customers. DraftAI has self-certified under the EU-U.S. Data Privacy Framework."

Rate: A / B / C. Justify. The vendor mentions EU-U.S. DPF compliance. Does this help your Australian Privacy Act position?

---

Excerpt 5 — From the Enterprise Agreement, Section 15.3 (Security):

"DraftAI maintains SOC 2 Type II certification, renewed annually. DraftAI will notify Customer of any security incident affecting Customer Data within 72 hours of DraftAI becoming aware of the incident. Upon request, DraftAI will provide Customer with a copy of its most recent SOC 2 report under NDA."

Rate: A / B / C. Justify. Is 72 hours sufficient for your Privacy Act obligations? What additional security clause would you want?

---

Bonus Question — The Privilege Problem

Your lawyers will be uploading draft contracts, legal advice memos, and litigation strategy documents to DraftAI. This is legally privileged material. If DraftAI's model training uses this data, or if DraftAI is subpoenaed in a US legal proceeding, privilege may be at risk.

• Does uploading privileged legal material to a US-hosted AI platform waive privilege in Australia?
• What clause would you add to the enterprise agreement to protect privilege?

---

Hints

Hint 1 (Excerpt 1): A 30-day opt-out window from account creation is a deliberate friction design. By the time you've deployed the tool firm-wide and a lawyer notices the clause, you're likely outside the opt-out window. The correct modification: make opt-out the default (opt-in to training, not opt-out), and make it available at any time. For a legal firm, model training on your client documents is a per se dealbreaker regardless of opt-out availability.

Hint 2 (Excerpt 2): Three months of fees = $1,800 liability cap for a firm paying $600/month. A data breach affecting privileged legal communications could result in client complaints to the Law Society, regulatory action, professional indemnity claims, and reputational damage worth multiples of that. Limitation of liability clauses in vendor contracts are negotiable for enterprise deals. Push for: (1) carve-out for negligence and wilful misconduct, (2) carve-out for data breaches affecting personal information, (3) a higher cap tied to annual contract value.

Hint 3 (Excerpt 12): The missing element is your right to object to new subprocessors, not just receive notice. Under APP 8, you are accountable for what your subprocessors do with Australian personal information. "We'll tell you 7 days before" is not the same as "you can say no." Also missing: what specific information will you receive about new subprocessors? Country of operation, security certifications, purpose?

Hint 4 (Excerpt 7.1): The EU-U.S. DPF is an EU-to-US data transfer mechanism. It is entirely irrelevant to Australian Privacy Act compliance. Australia has its own cross-border transfer obligations under APP 8, and there is no equivalent self-certification framework. The vendor's mention of EU-U.S. DPF is a compliance credential that sounds impressive but does nothing for your Australian legal obligations. You need a contract clause that binds DraftAI to protect the data in a manner consistent with the APPs.

Hint 5 (Excerpt 15.3): Your 30-day NDB assessment window starts when you have "reasonable grounds to believe" a breach has occurred. If DraftAI notifies you at the 72-hour mark, you've already used up a significant portion of your assessment window. You want notification as fast as possible — and you want it to include enough detail to begin your own assessment. Additional clause: penetration testing schedule, and your right to request an updated SOC 2 report mid-cycle if you have concerns.

---

Reveal: Full Answer to Excerpt 1

Rating: C (Dealbreaker) for a legal firm — B (Acceptable with modification) for most other SMBs

Why it's a dealbreaker for a legal firm:

Uploading client contracts, legal advice, and litigation strategy documents to a platform that trains on your data is a fundamental conflict with your professional obligations. The Law Society of NSW (and equivalent state bodies) have issued guidance that lawyers must exercise care before uploading client information to AI platforms that may use it for purposes beyond the specific service. If DraftAI trains on your uploaded contracts, that client data is, in effect, being shared with every future user whose prompts trigger model recall.

The 30-day opt-out window is designed so that by the time you've deployed the tool and a lawyer reads the fine print, you've missed it. This is not good faith drafting.

The modification you'd request:

Replace Section 4.2 entirely with:

"DraftAI will not use Customer Data (including any inputs, outputs, or metadata associated with Customer's use of the Service) for the purpose of training, fine-tuning, or improving any AI model, without explicit written consent from Customer on a case-by-case basis. Customer's use of the Service does not constitute consent to model training. DraftAI shall implement technical controls to enforce this restriction and shall make those controls available for Customer audit upon request."

This is standard language in enterprise AI agreements for professional services firms. If DraftAI won't accept it, that tells you something about their commitment to data governance.

For non-legal SMBs:

If you're not a law firm and your data doesn't include legally privileged material, model training can be acceptable — but only if:

1. Opt-out is the default, not opt-in
2. The opt-out can be exercised at any time
3. You understand what "training" means for your data specifically (is it fine-tuning? RLHF? Retrieval augmentation?)

The clause as written is a B (Acceptable with modification) for most SMBs, with the modification being: opt-out default, any-time opt-out, and a written commitment that previously uploaded data will be deleted from training sets upon opt-out.

---

Get the Full Answer Key

You've seen the full analysis for Excerpt 1. The remaining excerpts — covering liability cap negotiation, subprocessor objection rights, APP 8 compliance for US-hosted AI, SOC 2 sufficiency, and the legal privilege problem — are covered in the AI Governance Policy Pack for SMBs.

The pack includes:

• AI vendor contract review checklist (30 questions to ask before signing)
• Data processing agreement template for AI vendors
• Model training opt-out clause template
• Liability carve-out negotiation guide
• Privilege protection clause for professional services firms

Get the AI Governance Pack for $97 → lil.business/products/ai-governance-pack

Or buy via Polar: https://buy.polar.sh/polar_cl_8KEjRB7rL8QidCD5EAXNOJavkYIVqdLdazVqE4SaII2

---

DraftAI is a fictional vendor created for this post. Contract excerpts are illustrative. Legal references are to Australian law as at April 2026. This post is educational and not legal advice.