June 3, 2026
How can a small law firm use AI to review sensitive documents safely?
A small law firm can use AI to review sensitive documents, but only on a business or enterprise plan that is configured not to train on your files. The tool you pick matters far less than the tier and the settings: a personal ChatGPT login and a business account behave very differently with the exact same document. If you get the setup right, reviewing sensitive documents with AI is a reasonable, careful thing to do. If you get it wrong, you have handed a client's privileged file to a system that may keep it and learn from it.
Is it safe to use AI to review sensitive client documents?
It is safe when two things are true: the account does not train on your inputs, and you have decided in advance which documents are allowed through it. Safety here is a configuration decision, not a question of which brand of AI is best. The same underlying model can protect your files or expose them, depending entirely on the plan it runs under and the controls you turn on. So the useful question is not "is ChatGPT safe for lawyers," it is "is this account, on this plan, set up the way a firm handling client confidences needs it to be."
Why does the plan tier matter more than the model?
Because the training default is set by the plan, not by the model. On consumer plans (OpenAI lists Free, Plus, Go, and Pro), your conversations may be used to train the model unless you opt out in the data controls. On business plans, the default flips: OpenAI states it does not train on inputs or outputs from ChatGPT Business, ChatGPT Enterprise, or the API by default, and organizations are opted out of data sharing unless they explicitly opt in. The model underneath can be identical. The contract around it is not. That gap is the single most common mistake a small firm makes: doing real client work on a personal login because it was already open.
What does "won't train on your data" not actually cover?
It means your files are not added to the model's training set. It does not mean your files never leave your office. On a business plan your documents still travel to the vendor's servers and are stored there for a period. OpenAI's enterprise setup saves chats by default until deleted, and an enterprise workspace can set a custom retention policy with a minimum of 90 days. On the API, abuse-monitoring logs are retained for up to 30 days unless a customer is approved for zero data retention, and recent legal developments can force providers to hold data longer than their normal policy. So "no training" is necessary but it is not the whole privacy picture. Retention, who can access the data, and where it is processed all matter too.
How should a small firm set up AI for document review?
Treat it as a setup project, not a download. A short written rule and a correctly configured account do most of the protective work. The shape looks like this:
- Use a business or enterprise plan for anything that touches a client file. Never a personal login.
- Confirm in the vendor's own documentation that the plan does not train on your inputs by default, and keep that page on file.
- Set the shortest data retention your workflow can tolerate, and ask about zero data retention if you handle the most sensitive matters.
- Decide in advance which document types are allowed through AI and which are off limits, then write it down in one page.
- Keep a simple record of what went through which tool, so you can answer a question about it later.
That is the shape, not the entire build. The judgment calls about specific matters, and the way these tools wire into the systems a firm already uses, are where your own professional judgment and, often, outside setup help come in. The goal is a configured account and a clear rule, not a science project.
What should you never run through AI, even on a business plan?
The material where exposure would be hardest to undo deserves a human-only path until you are confident in the setup. A correctly configured business account lowers the risk of routine review work, but it does not erase the fact that the document leaves your environment. For the most sensitive client confidences, the careful default is to keep them out of any external tool until you have verified the plan, the retention settings, and your own comfort with where the data goes. Start AI document review on lower-stakes material, confirm the behavior matches the vendor's promises, and widen the circle from there.
The takeaway: safe AI document review is a setup decision before it is a tool decision. Get the plan tier and the configuration right, write a one-page rule for what is allowed, and the question of which model you use becomes a much smaller one. If you want help mapping which of your documents are safe to run through AI and configuring an account so client confidences stay protected from day one, book a 20-minute call and JurisLabs will walk your firm through it.