All posts

Document Comparison Security: What Lawyers Should Ask Before Uploading

· 13 min read

Every time you upload a contract to a document comparison tool, you are trusting that tool with your client's confidential information. Pricing terms, indemnification caps, termination conditions, non-compete clauses, settlement amounts, personally identifiable information. The content of legal documents is, by definition, sensitive. That is why clients hire lawyers to handle it.

Yet the security evaluation for a document comparison tool often gets less scrutiny than the evaluation for a new office printer. A lawyer who would never email an unencrypted contract to opposing counsel may paste the same contract into a free online diff tool without a second thought. The tool works. The comparison appears. The security question never gets asked.

This post is not a scare piece. Cloud-based document comparison tools can be entirely appropriate for confidential legal work, provided you ask the right questions before you upload the first file. The goal here is to lay out those questions clearly, explain why each one matters, and give you a framework for evaluating any document comparison tool's security posture, whether it is free, paid, cloud-based, or on-premise.

Why document comparison security matters

Document comparison is different from most SaaS tools lawyers use. A case management system stores metadata: names, dates, matter numbers. A billing system handles time entries and invoices. These contain sensitive information, but they do not contain the substance of the legal work itself.

A document comparison tool, by contrast, receives the actual documents. The NDA with the mutual non-solicitation clause your client negotiated for three weeks. The MSA with the liability cap that determines your client's maximum exposure. The employment agreement with the compensation terms and equity vesting schedule. The settlement agreement with the confidential payment amount. These are the documents you are uploading. The full text, every clause, every tracked change, every comment.

The security question is not hypothetical. If a document comparison tool is breached, if an employee accesses uploaded files without authorization, if the tool retains documents indefinitely and they surface in a future data incident, the exposure is not abstract. It is the actual content of your client's confidential legal agreements.

That does not mean cloud-based comparison tools are inherently unsafe. It means that document comparison security deserves the same diligence you would apply to any system that handles client confidential information. The problem is not that lawyers use cloud tools. The problem is that many lawyers do not evaluate them before they start uploading.

Seven questions to ask before uploading

These are the specific questions that separate a comparison tool built for confidential work from one that is not. You should be able to answer all seven before you upload the first document.

1. Where are documents stored?

When you upload a document to a cloud-based comparison tool, that file goes somewhere. The "where" matters for several reasons. Different countries have different data protection regimes. Some client contracts or regulatory requirements specify data residency. Your firm's own information security policies may restrict where client data can be processed.

Ask specifically: Which cloud provider hosts the service? In which geographic region are uploaded documents processed and stored? Can you select a data center region? Are documents transferred across borders during processing?

A vendor that cannot answer these questions precisely either does not know the answer (a serious concern) or has not thought about it (equally concerning). The infrastructure details may not be exciting, but they are the foundation of every other security claim the vendor makes.

2. How long are documents retained?

Data retention is one of the most important document comparison security questions, and one of the least consistently answered. Some tools delete documents immediately after comparison. Some retain them for a limited window so users can retrieve results. Some store them indefinitely. Some do not say.

The ideal answer is: documents are deleted as soon as the comparison is complete and results have been delivered. A short retention window (24 to 72 hours) is reasonable if it serves a clear user need and is automatically enforced. Indefinite retention is a red flag. "Retained as needed" with no definition of "needed" is a red flag.

Ask specifically: When are uploaded files deleted? Is deletion automatic or manual? Does the retention policy apply equally to the documents themselves and to any derived data (comparison results, extracted text, cached content)? Can you verify that deletion has occurred?

3. Who can access uploaded documents?

Access control is about more than whether the connection is encrypted. Even if data is encrypted in transit and at rest, the question remains: which people and systems can decrypt and access your uploaded documents?

In a well-designed system, the answer should be narrow. The processing pipeline reads the documents to produce the comparison. Automated systems may access files for monitoring or error recovery. But the list of humans who can access your uploaded content should be extremely limited, ideally zero during normal operations.

Ask specifically: Can vendor employees access uploaded documents? Under what circumstances? Are access events logged? Are documents accessible to third-party processors or subcontractors? Is customer data logically isolated from other customers' data?

4. Is the connection encrypted?

Encryption is the baseline. It is not sufficient by itself, but its absence is disqualifying. There are two layers to evaluate.

Encryption in transit. Data moving between your browser and the server should be encrypted with TLS 1.2 or higher. This prevents interception during upload and download. Any reputable web service provides this, but it is worth confirming that the tool enforces HTTPS (redirects HTTP to HTTPS) and does not allow unencrypted connections.

Encryption at rest. Data stored on the server should be encrypted using AES-256 or equivalent. This protects against unauthorized access to the storage layer. If someone gains access to the physical storage or the database, encrypted data is not readable without the encryption keys. Ask whether encryption keys are managed by the vendor or by a dedicated key management service, and whether keys are rotated regularly.

Encryption is table stakes for document comparison security. A tool that does not encrypt in both transit and at rest is not built for confidential documents.

5. Does the tool have SOC 2 or equivalent certification?

Security certifications are not guarantees, but they are evidence. A SOC 2 Type II audit means an independent auditor has verified that the vendor's security controls exist and have operated effectively over a sustained period (typically 6 to 12 months). The audit covers specific "trust service criteria" including security, availability, processing integrity, confidentiality, and privacy.

ISO 27001 is another recognized standard for information security management systems. It requires documented policies, risk assessments, and regular reviews.

A vendor without any certification is not necessarily insecure, but it means their security claims are self-attested and unverified. For a tool that handles confidential legal documents, that is a weaker basis for trust than independently audited controls. Ask whether the vendor has SOC 2 Type II, ISO 27001, or equivalent certification, and whether they can share the report or a summary with prospective customers.

6. What happens to document metadata?

This question catches most lawyers off guard. When you think about uploading a contract to a comparison tool, you think about the text: the clauses, the defined terms, the commercial provisions. But a .docx file contains far more than visible text.

Document metadata can include: author names and email addresses, company name and department, creation and modification dates, revision history showing previous authors, tracked changes (which may reveal negotiation strategy and concessions), comments (which may contain privileged legal analysis), embedded file paths that reveal internal directory structures, and custom document properties.

All of this metadata travels with the document when you upload it. A document comparison tool needs to read some metadata to produce a useful comparison (tracked changes, for instance, are relevant to the comparison output). But what happens to that metadata after the comparison? Is it retained? Indexed? Accessible to vendor employees? Used for analytics?

The security evaluation should treat metadata as equivalent to document content. Author information, revision history, and comments can be just as sensitive as the clauses themselves. A tool that has a clear retention policy for document files but no policy for extracted metadata has a gap.

7. Is there a data processing agreement available?

A data processing agreement (DPA) is a contract between you and the vendor that governs how your data is handled. It specifies the vendor's obligations around data processing, security measures, breach notification, data deletion, and subprocessor use. For firms subject to GDPR, a DPA is a legal requirement when a third party processes personal data on your behalf. Even outside the GDPR context, a DPA provides contractual commitments that go beyond the vendor's published security page.

Ask whether the vendor offers a DPA. If they do, review it for specifics: What security measures are contractually committed, not just described in marketing materials? What are the breach notification timelines? Does the vendor use subprocessors, and if so, are they listed? What happens to data when the agreement terminates?

A vendor that offers a DPA has thought about data governance at a contractual level. A vendor that does not, or that responds with confusion when you ask, is likely not accustomed to handling data with confidentiality requirements.

The security risks of free comparison tools

Free document comparison tools occupy a specific place in the security landscape. They are convenient, accessible, and genuinely useful for quick checks. They are also, in most cases, not built with the security requirements of confidential legal work in mind.

This is not a moral judgment. Free tools serve a different market with different expectations. But the gap between what lawyers need and what free tools provide is worth understanding clearly.

The business model question

When a tool is free, you are not the customer. The revenue comes from somewhere else: advertising, premium upsells, enterprise licensing, or data. Understanding which of these applies tells you how your uploaded documents fit into the business model.

Some free comparison tools display ads alongside your comparison results. Advertising-supported tools typically use analytics and tracking that capture information about what you upload and how you use the service. That data has value to advertisers.

Other free tools use uploaded content to improve their services. This is increasingly common with AI-powered tools: your documents may be used as training data for machine learning models. The terms of service may include language like "you grant us a non-exclusive, worldwide license to use, reproduce, and process content you upload for the purpose of operating and improving our services." That language is broad enough to encompass AI training.

We covered the full cost picture of free comparison tools in our post on the true cost of free document comparison. Security is one dimension of that cost, but it is the one with the most serious professional consequences.

Terms of service and content licenses

Free tools typically require you to agree to terms of service before using the tool. Those terms often include a content license: a grant of rights from you to the vendor over the content you upload. The scope of that license varies, but it is rarely limited to "processing your comparison and deleting the files."

Read the terms of service before you upload a client's contract. Look specifically for: the scope of the content license (what rights you are granting), whether uploaded content is used for service improvement or AI training, the data retention policy (how long files are stored, whether deletion is automatic), and whether the vendor shares data with third parties.

If the terms are vague or the content license is broad, that is your answer. The tool was not designed for documents with confidentiality requirements.

No accountability, no SLA

Free tools typically come with no service level agreement, no uptime guarantee, no breach notification commitment, and no contractual liability for data handling. If your client's confidential contract is exposed through a security incident at a free comparison tool, the vendor's legal obligation to you is likely zero. There is no DPA. There is no contractual commitment to security measures. There is no obligation to notify you if a breach occurs.

For internal documents or non-confidential content, this lack of accountability may be acceptable. For client-confidential legal documents, it is a risk that should be weighed deliberately, not accepted by default because the tool is free and convenient.

The metadata problem most lawyers overlook

Lawyers are trained to think about the text of a document. The clauses, the defined terms, the obligations. But from a document comparison security perspective, the metadata in a legal document can be as sensitive as the text itself.

Consider what a typical Word document carries beyond the visible content:

Author and revision information. The document properties may show who created it, who last modified it, and when. If multiple people have edited the document, their names and email addresses are recorded in the revision history. This can reveal which lawyers at a firm worked on a deal, which individuals at the client reviewed the document, and the timeline of revisions.

Tracked changes. If tracked changes were accepted or rejected before the document was sent, the document may still contain residual change data that reveals what was negotiated and conceded. A comparison tool that processes the document at the XML level can potentially access tracked change history that is not visible in the normal Word interface.

Comments. Internal comments left during drafting may contain privileged legal analysis, negotiation strategy, or candid assessments of risk. A comment that says "Client will not accept more than $5M here; push for $8M as opening position" reveals negotiation strategy that should never be exposed to the other side. If that comment remains in the document metadata when the file is uploaded to a comparison tool, it is now on the vendor's servers.

File paths and linked content. Documents may contain embedded file paths (from linked images, templates, or cross-references) that reveal internal directory structures, matter names, client names, or project code names.

Before uploading any document to a comparison tool, consider running Word's Document Inspector to identify and remove sensitive metadata. This is good practice regardless of the tool's security posture, because it reduces the amount of sensitive information that leaves your control.

Cloud vs. on-premise: what actually matters

The cloud vs. on-premise debate in document comparison security is often presented as a binary: cloud is risky, local is safe. The reality is more nuanced than that.

On-premise advantages

On-premise tools process documents on your own hardware. No data leaves your network. You control the physical security of the servers, the access controls, the retention policies, and the encryption. For firms with strict data residency requirements or client agreements that prohibit cloud processing, on-premise is the only option.

Word Compare is the most common example of local processing. The comparison runs entirely within Microsoft Word on your machine. No upload, no server, no third-party involvement. From a document comparison security perspective, this is as controlled as it gets. The tradeoff is that Word Compare lacks change classification, has limited table comparison, and produces noisy output for reformatted documents. Security is strong. Capability is limited.

Cloud advantages

Cloud-based comparison tools can offer security features that are difficult or expensive to replicate on-premise. Dedicated security teams monitoring for threats. Automatic patching and updates. Redundant backups across geographically distributed data centers. SOC 2 audits verifying controls that a small firm's IT setup may not have.

A well-architected cloud tool with documented encryption, access controls, retention policies, and independent audits can be more secure in practice than a desktop tool running on an unpatched laptop connected to an unsecured Wi-Fi network. The security of on-premise software depends entirely on the security of the environment it runs in. If that environment is well-managed, on-premise is strong. If it is not, the local processing advantage is undermined by the surrounding infrastructure.

The practical question

For most small and mid-size law firms, the practical question is not "cloud or on-premise" in the abstract. It is: does this specific tool, in its specific deployment model, provide adequate security for the documents I need to process? A cloud tool with SOC 2 certification, AES-256 encryption, automatic deletion after processing, and a published DPA is a defensible choice. An on-premise tool on a well-managed network is also a defensible choice. The deployment model matters less than the specific security controls in place.

Ethical obligations and the reasonable measures standard

Document comparison security is not just a technology question. It is an ethics question. The tools you use to handle client documents are subject to the same confidentiality obligations as the documents themselves.

ABA Model Rule 1.6

ABA Model Rule 1.6(a) prohibits lawyers from revealing information relating to the representation of a client unless the client gives informed consent. Rule 1.6(c), added in 2012, requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."

The key phrase is "reasonable efforts." The rule does not require perfect security. It does not prohibit cloud-based tools. It requires that the lawyer evaluate the technology they use and take steps that are reasonable under the circumstances to protect client information.

Comment [18] to Rule 1.6 provides factors for determining what is reasonable: the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer's ability to represent clients.

Uploading a confidential M&A agreement to a free online diff tool with no published security policy, no encryption documentation, and terms of service that grant a broad content license does not satisfy the "reasonable efforts" standard. The sensitivity is high, the likelihood of disclosure is uncertain (because you have no information about the tool's security), and alternatives with better document comparison security exist.

State bar opinions on cloud computing

Multiple state bars have issued formal opinions on lawyers' use of cloud computing services. The consensus is clear: cloud-based tools are permissible, but lawyers must exercise due diligence before using them for client data.

Common requirements across these opinions include: understanding the technology and its security features, evaluating the vendor's data handling practices, reviewing the terms of service, ensuring data can be retrieved and deleted, having a plan for what happens if the vendor goes out of business or is acquired, and maintaining the ability to comply with preservation obligations.

None of these opinions prohibit cloud tools. All of them require that the lawyer make an informed, documented evaluation before using them. That evaluation is exactly what the seven questions in this post are designed to support.

The reasonable measures standard in practice

"Reasonable measures" is intentionally flexible. What is reasonable for a solo practitioner handling residential real estate closings is different from what is reasonable for a 200-lawyer firm handling cross-border M&A. The standard scales with the sensitivity of the work and the resources of the firm.

At a minimum, reasonable measures for document comparison security include:

  • Knowing what happens to documents you upload (retention, access, use)
  • Using tools that encrypt data in transit and at rest
  • Avoiding tools with terms of service that grant broad content licenses
  • Documenting your evaluation of the tool's security posture
  • Revisiting that evaluation periodically as the tool and its policies change

The bar is not impossibly high. It is: did you think about it, did you ask the right questions, and can you explain your reasoning? The seven questions in this post are a defensible framework for that evaluation.

What Clausul does

We will be direct about what Clausul provides, because trust content that hides the vendor's own practices is not trust content.

Document retention. Uploaded documents are deleted after comparison. We do not retain client documents on our servers beyond the time needed to produce and deliver the comparison results.

No training on client data. Uploaded documents are not used for AI training, analytics, service improvement, or any purpose beyond producing the comparison you requested. This is a firm policy, not a default setting.

Encryption. Data is encrypted in transit using TLS and encrypted at rest. Documents are processed in a controlled environment with access restricted to the automated comparison pipeline.

Access controls. Customer documents are not accessible to Clausul employees during normal operations. Access to production systems is logged and restricted to essential maintenance.

These are factual statements about how the system works, not marketing claims. If any of them raise follow-up questions, we are happy to answer them. You can reach us at hello@clausul.com.

If you want to see the comparison itself, you can upload two documents and evaluate both the comparison quality and the security posture firsthand.

Security evaluation checklist

Use this checklist to evaluate any document comparison tool before uploading confidential documents. It works for cloud tools, desktop tools, free tools, and paid tools alike. Not every item applies to every tool, but every item is worth considering.

Data handling

  • Where are uploaded documents stored? (Provider, region, data center)
  • How long are documents retained after comparison?
  • Is document deletion automatic or manual?
  • Does the retention policy cover derived data (extracted text, cached results)?
  • Are documents used for AI training, analytics, or service improvement?
  • Can you verify that your documents have been deleted?

Encryption and access

  • Is the connection encrypted with TLS 1.2 or higher?
  • Is data encrypted at rest (AES-256 or equivalent)?
  • Who can access uploaded documents? Under what circumstances?
  • Are access events logged?
  • Is customer data logically isolated from other customers' data?
  • How are encryption keys managed and rotated?

Certifications and compliance

  • Does the vendor have SOC 2 Type II certification?
  • Does the vendor have ISO 27001 or equivalent certification?
  • Can the vendor share audit reports or summaries with prospective customers?
  • Does the vendor offer a data processing agreement (DPA)?
  • What are the breach notification procedures and timelines?

Terms of service

  • What content license does the vendor require for uploaded documents?
  • Is the license limited to processing the comparison?
  • Does the vendor share uploaded content with third parties?
  • What happens to your data if you cancel the service?
  • What happens to your data if the vendor is acquired or goes out of business?

Metadata

  • Does the tool process document metadata (author, comments, tracked changes)?
  • Is metadata subject to the same retention and deletion policies as document content?
  • Can you strip metadata before uploading (and does the tool still function)?

You do not need to score each item. The checklist is a conversation framework. If you can get clear answers to most of these questions and the answers are satisfactory, the tool is likely appropriate for confidential work. If you cannot get clear answers, or if the answers reveal gaps, that is useful information too.

The bottom line

Document comparison security is not about choosing the most locked-down tool available. It is about making an informed decision before you upload your client's confidential documents to a third-party system. The questions are straightforward: Where does the data go? How long is it kept? Who can see it? Is it encrypted? Is it used for anything beyond the comparison? What are the vendor's contractual commitments?

Most lawyers would never hand a paper copy of a confidential contract to a stranger and say "read this, do something with it, and I trust you'll handle it appropriately." But uploading that same contract to a free online tool with unknown security practices is functionally the same act. The digital medium makes it feel different. The obligation is the same.

Ask the questions. Read the terms of service. Evaluate the security documentation. Document your reasoning. The standard is "reasonable efforts," and reasonable efforts start with asking.

Frequently asked questions

Is it safe to upload confidential contracts to a document comparison tool?

It depends entirely on the tool. Cloud-based document comparison tools vary widely in how they handle uploaded files. Before uploading anything confidential, verify four things: that the connection uses TLS encryption, that documents are encrypted at rest, that there is a published retention policy stating when files are deleted, and that the vendor does not use uploaded content for AI training or analytics. If the tool cannot answer these questions clearly, it is not built for confidential legal work. Local tools like Word Compare avoid the question entirely because documents never leave your machine, but they lack the classification and output features of cloud tools.

Does ABA Model Rule 1.6 apply to document comparison tools?

Yes. ABA Model Rule 1.6 requires lawyers to make reasonable efforts to prevent unauthorized disclosure of client information. This obligation extends to technology choices, including document comparison tools. The rule does not prohibit cloud-based tools, but it requires you to evaluate the security measures a tool provides before uploading client documents. Several state bar opinions have confirmed that using cloud computing services is permissible as long as the lawyer takes reasonable steps to ensure confidentiality. What counts as "reasonable" depends on the sensitivity of the documents, the security measures offered by the tool, and the alternatives available.

What document comparison security certifications should I look for?

SOC 2 Type II is the most relevant certification for cloud-based document comparison tools. It verifies that the vendor has controls for security, availability, and confidentiality that have been independently audited over a sustained period. ISO 27001 is another recognized standard for information security management. Beyond certifications, look for published documentation on encryption standards (TLS 1.2 or higher in transit, AES-256 at rest), data center locations, access controls, and incident response procedures. A certification alone does not guarantee safety, but the absence of any certification or published security documentation is a significant red flag for tools handling confidential legal documents.

How long should a document comparison tool retain my files?

The shortest retention period that serves the tool purpose. Ideally, documents should be deleted immediately after the comparison is complete and the user has downloaded results. Some tools retain files for a limited window (24 to 72 hours) to allow users to retrieve results, which is reasonable as long as the retention period is clearly documented and enforced. Indefinite retention or vague policies like "retained as needed for service improvement" are warning signs. Ask specifically: when are my uploaded files deleted, is deletion automatic, and can I verify that deletion occurred? The answer should be precise, not aspirational.

Are free document comparison tools safe for legal work?

Most free document comparison tools are not built with legal confidentiality requirements in mind. Free tools often monetize through advertising, analytics, or by using uploaded content to improve their services. Their terms of service may grant broad licenses to uploaded content. They typically lack documented security controls, SOC 2 certification, data processing agreements, and clear retention policies. This does not mean every free tool is unsafe, but it means you need to read the terms of service carefully and verify the security posture before uploading client documents. Word Compare is an exception: it processes locally, so there is no upload and no data exposure, though it lacks the classification and output features of dedicated comparison tools.

What metadata in legal documents can create security risks?

Word documents contain substantial metadata beyond the visible text. Author names and email addresses, revision history and previous authors, tracked changes (which may reveal negotiation strategy), comments (which may contain privileged analysis), document properties like company name and department, embedded objects, and file paths from linked content. When you upload a document to a comparison tool, all of this metadata is uploaded as well. A security-conscious comparison tool should process metadata only as needed for comparison and should not retain, index, or expose it beyond the comparison output. If the tool does not address metadata handling in its security documentation, assume metadata is treated the same as document content and evaluate accordingly.

About this post. Written by the Clausul team. We build document comparison software for legal teams. This post aims to be educational rather than promotional. The security questions apply to any comparison tool, including ours. If something here is inaccurate or incomplete, let us know and we'll correct it.

Last reviewed: March 2026.