How Law Firms Should Evaluate AI Video Enhancement Vendors
Every technology vendor a law firm uses to process client data requires due diligence. AI video enhancement vendors — which may receive client evidence, deposition footage, or other confidential material — deserve particularly careful evaluation. This guide provides a complete framework for that process.
Transparent architecture. Plain-English privacy policy. No AI training. DPA available.
Why Standard Vendor Due Diligence Is Not Enough for AI Video
Most law firms have established processes for vetting technology vendors — cloud document management systems, e-discovery platforms, time and billing software. These processes typically cover basic security questions, data residency, and contractual protections. They are a good foundation, but they are not sufficient for AI video enhancement vendors for a specific reason: AI video tools have data characteristics that differ from most legal technology platforms in ways that create unique risks.
Unlike a document management system that stores files and provides controlled access, an AI video platform actively processes the content of uploaded files. It applies machine learning models to the video frames, which means the platform's AI infrastructure is directly accessing and analyzing the content of your client's footage. The question of whether that analysis creates training data, how the model's behavior changes in response to user uploads, and what persists after processing completes is not a standard question on most IT vendor questionnaires.
Additionally, AI video platforms are largely built for consumer and creator markets. Their privacy policies, terms of service, and data handling practices are designed for users who upload cat videos and YouTube tutorials — not for lawyers with professional conduct obligations around client confidentiality. The gap between what the platform was designed for and what you need it to do is the source of most of the risk.
Phase 1: Initial Screening (30 Minutes)
Before investing time in a full vendor evaluation, conduct a quick initial screen to filter out obviously unsuitable vendors:
Terms of service review: Search the ToS for "train," "machine learning," "improve our services," "AI," and "anonymized data." Any of these in the context of user-uploaded content is a potential training data clause. If the ToS permits use of uploaded content for AI training, the vendor fails initial screening for legal use unless they offer a documented opt-out mechanism and will contractually commit to the opt-out.
Privacy policy review: Look for data retention periods, third-party data sharing policies, and subprocessor disclosures. An absence of any defined retention period is a red flag. Third-party data sharing for purposes beyond the service (analytics, advertising, "partners") is disqualifying for most legal use.
Encryption basics: Check that the platform uses HTTPS for all connections. Most modern platforms do, but absence is immediately disqualifying. Look for any mention of encryption at rest.
Contact availability: Is there a privacy contact, legal contact, or enterprise sales contact? Consumer platforms with no way to contact a human about privacy or legal questions are not appropriate for professional use.
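The four Phase 1 checks above are things a reviewer does by hand. As an added example (not part of the original guide, and not a BetterVideo tool), the following Python script mechanises the text-based parts of the screen: it searches a pasted terms-of-service or privacy-policy text for the keyword list the guide gives ("train," "machine learning," "improve our services," "AI," "anonymized data"), looks for third-party sharing language, checks whether any defined retention period appears, and notes whether an opt-out is mentioned. The keyword lists are taken from the guide; the sentence splitting, regexes, the `SAMPLE_TOS` texts and the pass/fail rule are my own assumptions, and the output is a triage aid that still has to be read by a human.

```python
import re

# Keyword lists from the guide's Phase 1 screen.
TRAINING_TERMS = ["train", "machine learning", "improve our services", "ai", "anonymized data"]
# Third-party sharing signals from the privacy-policy check (my choice of terms).
SHARING_TERMS = ["analytics", "advertising", "partners"]

# "30 days", "12 months", ... : evidence that a retention period is actually defined.
RETENTION_RE = re.compile(r"\b(\d+)\s*(day|days|month|months|year|years)\b", re.IGNORECASE)
OPT_OUT_RE = re.compile(r"\bopt[- ]?out\b", re.IGNORECASE)


def split_sentences(text):
    """Crude sentence splitter, adequate for ToS text pasted from a web page."""
    text = re.sub(r"\s+", " ", text).strip()
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def find_hits(sentences, terms):
    """Return (term, sentence) pairs. Word boundaries stop 'ai' matching 'maintain'."""
    hits = []
    for sentence in sentences:
        for term in terms:
            if re.search(r"\b" + re.escape(term) + r"\b", sentence, re.IGNORECASE):
                hits.append({"term": term, "sentence": sentence})
    return hits


def screen_policy(text):
    """Apply the guide's Phase 1 text checks and return findings for a reviewer."""
    sentences = split_sentences(text)
    training_hits = find_hits(sentences, TRAINING_TERMS)
    sharing_hits = find_hits(sentences, SHARING_TERMS)
    retention = [m.group(0) for s in sentences for m in RETENTION_RE.finditer(s)]
    opt_out = any(OPT_OUT_RE.search(s) for s in sentences)

    findings = []
    if training_hits:
        findings.append("training-related language present; confirm scope in writing")
    if training_hits and not opt_out:
        findings.append("no opt-out mechanism mentioned")
    if sharing_hits:
        findings.append("third-party sharing language present; check it is limited to the service")
    if not retention:
        findings.append("no defined retention period found (red flag)")

    return {
        "training_hits": training_hits,
        "sharing_hits": sharing_hits,
        "retention_periods": retention,
        "opt_out_mentioned": opt_out,
        "findings": findings,
        # Guide's rule: training-use language fails the screen unless an opt-out is offered
        # (the contractual commitment to it must still be obtained separately).
        "fails_screen": bool(training_hits) and not opt_out,
    }


# Constructed sample texts (not from any real vendor).
SAMPLE_TOS_BAD = (
    "By uploading content you grant us a licence to use it to improve our services, "
    "including to train machine learning models. We share usage data with analytics "
    "partners. We retain uploaded files until you delete them."
)
SAMPLE_TOS_BETTER = (
    "We do not use your content to train models. You may opt out of product "
    "improvement programs. Uploaded files are deleted after 30 days."
)

if __name__ == "__main__":
    for label, text in [("bad", SAMPLE_TOS_BAD), ("better", SAMPLE_TOS_BETTER)]:
        result = screen_policy(text)
        print(label, "fails_screen =", result["fails_screen"])
        for finding in result["findings"]:
            print("  -", finding)
        for hit in result["training_hits"]:
            print("  training term:", hit["term"], "|", hit["sentence"])
```

Note that the "better" sample still produces a training hit, because the sentence "We do not use your content to train models" contains the keyword: the script surfaces every occurrence and leaves the judgement of whether a clause permits or forbids training to the reviewer, which is the same reading the guide asks for.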
Phase 2: Detailed Technical Evaluation
Vendors that pass initial screening deserve a deeper look at their technical architecture and data handling practices.
AI training policy: Request written confirmation — not just a policy statement, but a contractual commitment — that uploaded videos are not used to train, fine-tune, or update AI models in any way. Ask specifically about: the primary model training pipeline, fine-tuning processes, and federated learning (if applicable). Ask whether any anonymization process precedes training use and whether that means training still occurs on content derived from uploads.
Data retention: Obtain the specific retention periods for: uploaded original files, processed output files, backup copies, disaster recovery snapshots, log files, and any metadata records. These may have different retention periods — understand all of them. Ask whether user deletion propagates to backup systems and on what timeline.
Subprocessors: Most cloud platforms use multiple third-party services for storage, compute, and operations. Obtain the vendor's subprocessor list and review their data handling policies. If the vendor uses a third-party GPU provider to process video, that provider also receives your client's footage. Ensure the vendor's agreements with subprocessors include equivalent confidentiality protections.
Access controls: Who at the vendor organization can access uploaded videos? Under what circumstances? What oversight exists? Is access logged? For legal use, vendor access to client footage should be limited to automated processing only, with any human access requiring documented justification.
Breach notification: What is the vendor's process for detecting and reporting data breaches? What is the notification timeline? Ensure this is adequate for your jurisdiction's breach notification obligations and your own client communication responsibilities.
Phase 3: Contractual Protections
Technical evaluation tells you what a vendor currently does. Contractual protections define what they are legally obligated to do. For legal use, both are necessary.
Data Processing Agreement (DPA): The DPA governs the data protection relationship between your firm and the vendor. A law firm DPA for AI video use should include:
- Explicit restriction of data use to the contracted service only — no training, analytics, advertising, or third-party sharing
- Data retention schedule with defined maximum retention periods for all data types
- Security requirements the vendor commits to maintaining
- Breach notification obligation within a defined period (14 or 30 days is typical)
- Subcontractor restriction: vendor must not engage additional processors without your consent or must maintain a list of approved subprocessors
- Audit right: your firm's right to audit or receive audit reports confirming the vendor's compliance
- Data return and destruction: how data will be returned or destroyed at contract end
- Indemnification provisions for breach of the DPA
Confidentiality agreement: Separate from the DPA, a confidentiality agreement establishes that the vendor recognizes the confidential nature of the content you are sharing and agrees to maintain it accordingly. This creates an additional contractual basis for claims arising from disclosure beyond the technical framework of the DPA.
Jurisdiction and dispute resolution: Ensure that the governing law and dispute resolution provisions are appropriate. Consumer ToS often specify arbitration clauses and venue provisions that are impractical for law firm disputes.
Phase 4: Ongoing Oversight
Vendor due diligence is not a one-time event. The risk profile of an AI vendor can change significantly when they update their terms of service (which they can do unilaterally in most consumer agreements), change their business model, are acquired, or experience a breach.
- Subscribe to vendor privacy policy and terms of service update notifications if available
- Review the vendor's privacy policy annually and after any material business change
- Monitor for news about vendor data breaches, regulatory actions, or ownership changes
- Ensure your DPA includes a provision requiring the vendor to notify you of material changes to their data handling practices
- Maintain a record of which matters involved the vendor's tools, so you can notify affected clients if a breach occurs
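Vendors can change a consumer policy unilaterally, and update notifications are not always offered. As an added example (not part of the original guide, and not a BetterVideo tool), this Python script implements the monitoring step in code: it fingerprints a saved copy of the vendor's privacy policy, compares a fresh copy against it sentence by sentence, and reports exactly which sentences were added or removed, so a material change (a retention period moving from 30 to 90 days, a new sharing clause) is caught between annual reviews. The whitespace normalisation, the sentence splitting and the `OLD_POLICY`/`NEW_POLICY` sample texts are my own constructions.

```python
import difflib
import hashlib
import re


def normalise(text):
    """Collapse whitespace so a re-flowed or re-rendered page does not register as a change."""
    return re.sub(r"\s+", " ", text).strip()


def fingerprint(text):
    """SHA-256 of the normalised text; store this with the date of review as the record."""
    return hashlib.sha256(normalise(text).encode("utf-8")).hexdigest()


def sentences(text):
    return [s for s in re.split(r"(?<=[.!?])\s+", normalise(text)) if s]


def compare_snapshots(old_text, new_text):
    """Report sentence-level additions and removals between two policy snapshots."""
    old_s, new_s = sentences(old_text), sentences(new_text)
    matcher = difflib.SequenceMatcher(a=old_s, b=new_s, autojunk=False)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(old_s[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(new_s[j1:j2])
    old_fp, new_fp = fingerprint(old_text), fingerprint(new_text)
    return {
        "changed": old_fp != new_fp,
        "old_fingerprint": old_fp,
        "new_fingerprint": new_fp,
        "added": added,
        "removed": removed,
    }


# Constructed sample snapshots (not from any real vendor).
OLD_POLICY = """We retain uploaded files for 30 days.
We do not use uploaded content to train models."""
NEW_POLICY = """We retain uploaded files for 90 days.
We do not use uploaded content to train models.
We may share anonymized data with partners."""

if __name__ == "__main__":
    report = compare_snapshots(OLD_POLICY, NEW_POLICY)
    print("changed:", report["changed"])
    for s in report["removed"]:
        print("  -", s)
    for s in report["added"]:
        print("  +", s)
```

In practice the stored fingerprint and the date it was taken go into the vendor file alongside the DPA, and a non-empty `added` or `removed` list is the trigger for the out-of-cycle review the guide recommends.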
The Complete Vendor Evaluation Checklist
- ☐ Terms of service reviewed for training and data use clauses
- ☐ Privacy policy reviewed for retention, sharing, and subprocessor policies
- ☐ Written confirmation that uploads are not used for AI training
- ☐ Specific retention periods obtained for all data types (uploads, outputs, backups, logs)
- ☐ Subprocessor list reviewed
- ☐ Access controls documented: who can access content and under what circumstances
- ☐ Breach notification procedures evaluated
- ☐ Encryption confirmed: TLS in transit, AES-256 or equivalent at rest
- ☐ DPA negotiated and signed
- ☐ Confidentiality agreement in place
- ☐ Governing law and dispute resolution provisions reviewed
- ☐ Ongoing monitoring plan established
- ☐ Internal policy created for how the tool may be used and for which matter types
- ☐ Ethics review completed under applicable state bar rules on technology in practice
BetterVideo's Due Diligence Documentation
BetterVideo maintains a plain-English privacy policy that addresses the questions in this checklist directly. We do not train AI models on uploaded footage. Our retention policy is 30 days with automatic deletion. Our technical architecture — isolated GPU containers, access-controlled storage, TLS + AES-256 encryption — is documented in our technical specification. We are available to discuss DPA requirements with firms conducting vendor evaluation.
We recognize that law firms have specific professional conduct obligations that require more than a consumer privacy policy. Our goal is to provide enough technical transparency that a firm's IT and legal teams can complete a meaningful due diligence process.
Frequently Asked Questions
At minimum: review the vendor's ToS and privacy policy for training and data use clauses, confirm the vendor will not use client footage to train AI models, review the data retention and deletion policy, confirm encryption in transit and at rest, and enter into a data processing agreement. For large firms or high-volume use, a more comprehensive security review is appropriate.
A DPA for AI video use should include: limitation of data use to the contracted service (no training, analytics, or third-party sharing), data retention and deletion schedule, security requirements, breach notification obligations, subprocessor restrictions, audit rights, and terms for return or destruction of data at contract end.
BetterVideo's architecture and privacy policy are designed to be compatible with standard legal technology governance frameworks. Contact us at support@bettervideo.io to discuss your firm's specific requirements, including DPA negotiation and technical documentation.
Annually at minimum, and immediately after any material change to the vendor's business (acquisition, terms update, breach, regulatory action). Build review triggers into your vendor management process rather than relying on scheduled reviews alone.
Most state bars have issued guidance on cloud computing and technology use in legal practice that establishes a 'reasonable measures' standard for protecting client confidentiality. A growing number have issued specific guidance on AI tools. Consult your state bar's formal ethics opinions and the ABA's Model Rule 1.6 comments on technology competence and confidentiality.
Transparent architecture. Plain privacy policy. DPA available.
BetterVideo is built for professionals who need more than consumer-grade privacy assurances.
No subscription required. Pay per use. Credits never expire.