Tags: Vendor Evaluation, Florida Bar, Due Diligence, Compliance

What Should a Florida Law Firm Actually Evaluate Before Buying an AI Tool?

Mi Assist Legal Team · April 28, 2026 · 13 min read

A Florida managing partner who has been through three legal AI vendor pitches in the past year asked us a clarifying question: are there a few specific things I should be asking every vendor that would let me cut through the marketing? The honest answer is yes. There are eight questions. They cut through nearly all of the differentiation theater that legal AI marketing produces, and they expose whether a vendor can meet a Florida firm's obligations under Florida Bar Rule 4-1.6, ABA Model Rule 1.6, and Florida Bar Opinion 24-1.

This article presents those eight questions, the reasoning behind each, the red flags that signal a vendor cannot answer it favorably, and a decision framework for converting the answers into a yes-or-no purchase decision.

The goal is to give a Florida managing partner a defensible vendor selection process. The questions are the same regardless of which vendor is being evaluated; the answers are what differentiate the vendors.

The Eight Questions

The questions below are ordered by their typical impact on the purchase decision. Questions 1 through 3 are the architecture and data handling questions; failing any of them generally disqualifies the vendor for confidentiality-sensitive practice. Questions 4 through 6 are the operational diligence questions. Questions 7 and 8 are the economic and integration questions.

1. Where Is Our Data Processed?

Ask: Is our firm's data processed on the vendor's cloud infrastructure, on our own hardware, or in a hybrid model? What jurisdictions does the data touch?

Why it matters: Florida Bar Rule 4-1.6 governs disclosure of client information. Cloud processing is a disclosure to a third party that requires informed client consent under the rule, per Florida Bar Opinion 24-1. On-premise processing does not involve third-party disclosure for that processing. The architecture choice is the threshold question for Rule 4-1.6 compliance posture.

Red flags:

  • The vendor cannot give a clear answer
  • The vendor uses sub-processors in jurisdictions outside the United States and cannot identify them
  • The vendor's data flow includes processing in jurisdictions whose data protection regimes differ materially from Florida or U.S. federal law

What you want to hear: A specific, unambiguous description of where the data is processed, who processes it, and what jurisdictions are involved.

2. Does the Vendor Train Models on Our Inputs?

Ask: Does the vendor use our firm's inputs (questions, documents, retrieved content) to train, fine-tune, or improve any model? What is the contractual prohibition? How is it enforced?

Why it matters: A vendor that trains on the firm's inputs is using the firm's confidential information for the vendor's own commercial benefit. Even with consent under Rule 4-1.6, training-on-inputs creates retention and use exposure that exceeds the consent given for the immediate processing.

Red flags:

  • Training is enabled by default and the firm must opt out
  • The contractual prohibition is in a click-through ToS rather than a negotiated MSA
  • The vendor's terms reserve broad rights to use inputs for "service improvement" without defining the scope
  • The vendor cannot describe how the prohibition is technically enforced

What you want to hear: Training on the firm's inputs is contractually prohibited, the prohibition is in the firm's MSA, and the vendor can describe the technical enforcement (separation of training data from production data, audit logs).

3. What Is the Data Retention Policy?

Ask: When client information is processed by the tool, what is retained on the vendor's infrastructure? For how long? Can the firm require deletion?

Why it matters: Retention extends the duration of the disclosure under Rule 4-1.6. A vendor that retains all inputs indefinitely creates ongoing exposure beyond the immediate use. A vendor that retains only what is operationally necessary minimizes the exposure.

Red flags:

  • The vendor retains all inputs indefinitely as the default
  • Deletion requires a formal request rather than being automatic at session end
  • Backups retain inputs for periods longer than the active retention
  • The vendor cannot describe what gets retained vs. what is ephemeral

What you want to hear: A specific retention period that is short and operationally justified, automatic deletion at the end of the period, and contractual ability for the firm to require earlier deletion.

4. What Is the Vendor's Security Posture?

Ask: What are the vendor's security certifications (SOC 2, ISO 27001, equivalent)? What is the vendor's breach history? What is the breach notification commitment?

Why it matters: Florida Bar Rule 4-1.6(e) requires reasonable efforts to prevent unauthorized access to information relating to the representation. The vendor's security controls determine whether reasonable efforts are met.

Red flags:

  • The vendor has no security certifications
  • The vendor cannot produce a current SOC 2 Type 2 report
  • The vendor has had a publicly disclosed breach with inadequate notification or remediation
  • The breach notification commitment exceeds 72 hours from discovery

What you want to hear: Current SOC 2 Type 2 (or equivalent), no material disclosed breaches in the past 24 months, and a breach notification commitment of 72 hours or less from discovery.

5. What Is the Verification Architecture?

Ask: When the tool returns an answer, how does the firm verify the answer is correct? Are source citations included? Does the citation point to a specific document and location?

Why it matters: Florida Bar Rule 4-1.1 (competence) and Rule 4-3.3 (candor) require the attorney to verify AI-generated content before reliance. Florida Bar Opinion 24-1 reinforces this. The verification architecture determines whether verification is fast or slow.

Red flags:

  • The tool does not return citations on every answer
  • Citations point only to general documents rather than specific locations
  • The tool occasionally returns content that cannot be traced to any source (a sign of generative output rather than retrieval)
  • The vendor cannot describe how hallucination is prevented or detected

What you want to hear: Citations on every answer, citations to specific document and page locations, and a clear architectural description of how the tool grounds answers in the firm's actual documents.

6. What Is the Support Model?

Ask: When the firm has a question or issue, what is the support response time? Is support included in the base contract or is it an add-on? Is support U.S.-based?

Why it matters: An AI tool that fails or behaves unexpectedly during a closing or filing deadline creates real operational exposure. The support model determines whether the firm can resolve issues in time.

Red flags:

  • Support is community-only or self-service only
  • Support response time is measured in business days rather than hours
  • Support is not included in the base contract
  • Support is offshore with limited U.S. business hours coverage

What you want to hear: Same-day or next-business-day support response, included in the base contract, with U.S. business hours coverage at minimum.

7. How Does the Pricing Scale?

Ask: What is the pricing structure? How does it scale if the firm grows or shrinks? Are there per-attorney, per-matter, or per-query charges? What price escalations are anticipated?

Why it matters: A pricing structure that scales linearly with attorney count creates a cost that grows as the firm grows. A one-time installation cost does not. The choice between these structures is a strategic decision about the firm's cost structure over time.

Red flags:

  • Per-attorney pricing without volume protection at scale
  • Aggressive price escalation clauses (10% annual or more)
  • Add-on charges for features the firm needs (advanced retrieval, integrations, additional users)
  • Multi-year contracts with no exit provisions

What you want to hear: A pricing structure that aligns with the firm's growth pattern, modest or no price escalation, and clear contract exit provisions.

8. How Does the Tool Integrate With Our Existing Systems?

Ask: How does the tool integrate with our document management system, case management system, and email infrastructure? Is integration native or via API?

Why it matters: An AI tool that requires a separate workflow from the firm's existing systems creates friction and adoption barriers. A tool that integrates with existing workflows is more likely to be adopted and used productively.

Red flags:

  • The tool is a standalone web app with no integration to existing firm systems
  • Integration requires significant IT resources from the firm
  • The vendor cannot describe how the integration is maintained as the firm's other systems update
  • The integration is one-way (tool reads from firm systems but does not write back) when bi-directional integration is needed

What you want to hear: Integration with the firm's primary document management system either natively or via well-documented API, low IT burden on the firm, and ongoing maintenance commitments from the vendor.

A Decision Matrix

Convert the eight answers into a yes-or-no purchase decision using the following matrix:

Question                          | Answer                                          | Pass Criterion
----------------------------------|-------------------------------------------------|-----------------------------------------------
1. Where is our data processed?   | Specific and unambiguous                        | Architecture matches firm's Rule 4-1.6 strategy
2. Training on our inputs?        | Contractually prohibited, technically enforced  | No training, in MSA
3. Data retention policy?         | Specific, short, automatic deletion             | Period operationally justified
4. Security posture?              | Current SOC 2 Type 2                            | No material breaches in 24 months
5. Verification architecture?     | Citations on every answer                       | Citations to specific locations
6. Support model?                 | Same-day response, included                     | U.S. business hours minimum
7. Pricing scaling?               | Aligned with firm growth                        | Modest escalation
8. Integration?                   | Native or documented API                        | Low IT burden

A vendor that fails on questions 1 through 3 is generally disqualified for confidentiality-sensitive practice without a major workaround (extensive client consent, specialized engagement letter language). A vendor that fails on questions 4 through 6 has operational risk that the firm should weigh carefully. A vendor that fails on questions 7 or 8 has commercial or technical issues that the firm can usually address through negotiation.

The Cloud vs. On-Premise Decision Framework

The threshold architectural choice (cloud or on-premise) follows from the answers to questions 1 through 3. The framework can be summarized as follows.

Cloud AI is the right architecture when:

  • The firm's practice is mainly commercial or transactional rather than confidentiality-intensive
  • The firm has the operational capacity to maintain ongoing vendor due diligence
  • The client base is comfortable with informed consent disclosures for AI vendor use
  • The firm's economics support per-attorney recurring fees
  • The firm prefers external infrastructure management over internal hardware operations

On-premise AI is the right architecture when:

  • The firm's practice includes confidentiality-intensive work (family law, immigration, criminal defense, certain commercial matters)
  • The firm prefers to avoid the consent and ongoing diligence burden of cloud vendors
  • The firm has confidence in its existing internal infrastructure controls
  • The firm's economics favor a one-time installation cost over recurring per-attorney fees
  • The firm's growth is linear or moderate rather than highly elastic

Neither architecture is universally better. The choice depends on the firm's practice composition, client base, operational preferences, and growth trajectory.

What a Vendor Worth Buying Looks Like

A vendor that passes all eight questions has a defensible product fit for a Florida law firm. The vendor:

  • Processes the firm's data in a way the firm can describe to clients without difficulty
  • Does not train on the firm's inputs and can prove the prohibition is enforced
  • Retains inputs only as long as operationally necessary
  • Has current security certifications and a clean breach record
  • Returns citations on every answer that can be verified quickly
  • Provides timely U.S.-based support included in the base contract
  • Has pricing that aligns with the firm's growth pattern
  • Integrates with the firm's existing infrastructure without significant IT burden

A vendor that fails on multiple questions, particularly on questions 1 through 3, is generally not a good fit for a Florida firm with a confidentiality-sensitive practice mix. The vendor may still be viable for narrow use cases where confidentiality concerns are minimal, but the firm should not deploy the tool broadly.

What Mi Assist Legal Does

Mi Assist Legal is an on-premise AI document search system installed on a Mac Mini or compatible server inside the firm's office. The product was designed to answer the eight questions above in a way that fits a 5-30 attorney Florida firm with confidentiality-sensitive practice areas.

  • Question 1: Data is processed entirely on the firm's hardware. No vendor cloud is involved in routine processing.
  • Question 2: No training on firm inputs. The model and the indexed corpus are separate; nothing the firm enters is used to train the model.
  • Question 3: Retention is governed by the firm's existing data retention policy applied to the firm's own hardware.
  • Question 4: The deployment uses the firm's existing internal security controls. The hardware is on the firm's network, behind the firm's existing security perimeter.
  • Question 5: Every answer includes source citations to the specific document and page location.
  • Question 6: U.S.-based support included.
  • Question 7: One-time installation pricing rather than per-attorney recurring fees. The Pricing page describes the structure.
  • Question 8: Integration with the firm's existing document management system through standard file system access.

The How the System Works and Security Architecture pages describe the deployment in detail.

Frequently Asked Questions

Q: How long does this evaluation typically take?

A thorough evaluation of a single vendor typically takes 4 to 8 hours of partner-level time spread over 2 to 3 weeks. The diligence involves vendor calls, document review, and internal discussion. Firms evaluating multiple vendors should expect a multiplier on this.

Q: Can we compress the evaluation by skipping some questions?

Questions 1 through 3 are architecture and data handling questions that determine the firm's compliance posture. Skipping any of them creates Rule 4-1.6 exposure. Questions 4 through 8 can sometimes be addressed in less depth for clearly low-risk vendors, but the analysis should be documented.

Q: What if the vendor's answers change over time?

Florida Bar Rule 4-1.6(c) requires reasonable efforts to prevent unauthorized access to information relating to the representation. The reasonable efforts duty is ongoing. A vendor whose practices materially change during the engagement triggers a fresh diligence obligation. The MSA should require the vendor to notify the firm of material changes to data handling, security posture, or sub-processors.

Q: Should we use a vendor that fails one or two of the questions?

Not categorically. A failure on questions 1 through 3 generally disqualifies the vendor for confidentiality-sensitive practice. A failure on questions 4 through 8 can sometimes be remediated through contract negotiation, additional internal controls, or workflow design. The firm should document the diligence and the remediation if the vendor is selected despite a failure.

Q: Can we use this framework for vendors other than legal AI?

The framework adapts well to any technology vendor that processes client information. The specific Florida Bar references would change for vendors processing different categories of data, but the eight-question structure (data flow, training, retention, security, verification, support, pricing, integration) applies broadly.

---

This article is intended for educational purposes for Florida law firm administrators and partners evaluating AI tools. It does not constitute legal advice. Attorneys should consult current Florida Bar Rules, Florida Bar Opinion 24-1, and ABA Model Rules in evaluating vendor decisions.

Mi Assist Legal

Private AI document search for Florida law firms.

Mi Assist Legal installs on a Mac Mini or server inside your firm. No cloud. No third-party access. Designed for Florida Bar Rule 4-1.6 and ABA Model Rule 1.6 compliance by architecture.
