PLEADLY
Security & Compliance
How Pleadly protects attorney-client privilege by design — not by policy.
On February 10, 2026, Judge Jed Rakoff of the U.S. District Court for the Southern District of New York ruled that 31 documents a criminal defendant generated using the consumer version of Claude — and later shared with his attorneys — were not protected by attorney-client privilege or the work product doctrine. Judge Rakoff issued a written opinion on February 17, 2026.
The reason privilege failed was not that the documents were AI-generated. It was that the defendant used a public AI tool whose terms of service allow the provider to collect prompts and outputs, use them for model training, and disclose them to third parties — including government regulatory authorities. Sharing privileged information with a system operating under those terms was treated as a disclosure to a third party, which defeated confidentiality.
This analysis applies to every cloud-hosted AI tool that processes client case content under a standard commercial TOS — regardless of the vendor’s marketing language about “security.”
The court noted that the outcome might have differed had counsel directed the AI use under a Kovel-type arrangement, where the AI functions as an agent of counsel. Pleadly is structured precisely this way: the attorney directs the analysis, the system runs on hardware the firm’s vendor controls under a formal engagement agreement, and no client content reaches any third-party AI provider’s servers.
United States v. Heppner, No. 25-cr-00503-JSR (S.D.N.Y. Feb. 17, 2026), Dkt. No. 27.
“Does my client’s case content — medical records, accident facts, demand text — pass through a server you don’t control, under terms that allow the vendor to collect, train on, or disclose that data?”
For every cloud-hosted legal AI tool, the honest answer is yes. Pleadly’s answer is no — by architecture, not by promise.
Infrastructure
Control Plane: Authentication, billing, firm settings, case status. Never processes case content.
Intelligence Plane: All AI inference. Document classification, demand drafting, treatment gap analysis. Case content never leaves this plane.
GMKtec EVO-X2 · AMD Ryzen AI Max+ 395 · 96 GB unified memory · Qwen3.5-35B-A3B
Case files, demand drafts, firm memory. LUKS full-disk encryption. No external replication.
The critical boundary: privileged case content — client names, injury details, medical records, police reports, demand letter text — never transits any external API or cloud service. The Intelligence Plane has no inbound access from the public internet.
Compliance
ABA Formal Opinion 512 (July 2024) requires attorneys to understand what their AI tools do with client data — specifically whether the tool uses client information for self-learning, and whether that triggers disclosure obligations. Here is how Pleadly satisfies each relevant requirement.
Case data leaves firm network
Pleadly: No — processed entirely on-premises
Cloud AI: Yes — transmitted to provider cloud
Third-party AI provider access
Pleadly: No — no external AI provider in the pipeline
Cloud AI: Yes — OpenAI / Anthropic / Google
Self-learning on client data (ABA Op. 512 disclosure trigger)
Pleadly: No — on-premises model; no self-learning without explicit written opt-in
Cloud AI: Present — most SaaS legal AI tools require informed consent under Op. 512
Model training on client data
Pleadly: No (opt-in only, anonymized, PII-stripped)
Cloud AI: Varies; often default opt-in
Attorney-directed AI use (Heppner / Kovel)
Pleadly: Yes — attorney directs all analysis through formal engagement
Cloud AI: No — client/paralegal-operated SaaS tool
Encryption at rest
Pleadly: LUKS full-disk encryption
Cloud AI: Provider-managed; varies
Audit log available to firm
Pleadly: Yes — 90-day metadata retention, available on written request
Cloud AI: Rarely
Breach notification
Pleadly: Within 72 hours of confirmed breach
Cloud AI: Varies; often contractual only
Data deletion on termination
Pleadly: Within 14 days of written request, permanent and irreversible
Cloud AI: Varies; often 30–90 days, not always permanent
Pleadly’s ABA 512 Architecture Attestation (v1.3, March 2026) is available for download without a form or email gate. Firms may attach it to their AI vendor due diligence files.
Technical Safeguards
All AI model inference runs on dedicated hardware at Miko Labs’ facility. No case content is transmitted to OpenAI, Anthropic, Google, or any third-party AI provider at any point in the processing pipeline. The language model is served locally via a private inference server with no public internet exposure.
Every request to the intelligence layer is authenticated via HMAC-SHA256 signature. Requests without a valid signature are rejected before any AI processing occurs. Signatures include a timestamp component to prevent replay attacks.
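The signing and verification flow this describes, written out as an added illustration (not Pleadly's own code): the canonical message, the clock-skew window, the constant-time comparison, and a seen-signature set that also refuses an identical tag replayed inside the window. The 300-second window, the header layout and the `seen_signatures` cache are assumptions; the page only states that a timestamp is included.

```python
import hashlib
import hmac
import time

# Assumed freshness window; the page states only that signatures carry a timestamp.
MAX_CLOCK_SKEW_SECONDS = 300


def canonical_message(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, timestamp and a body digest into one string to sign."""
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_digest}".encode()


def sign_request(secret: bytes, method: str, path: str, timestamp: int, body: bytes) -> str:
    """Caller side: HMAC-SHA256 tag sent alongside the request."""
    return hmac.new(secret, canonical_message(method, path, timestamp, body), hashlib.sha256).hexdigest()


def verify_request(secret, method, path, timestamp, body, signature, seen_signatures, now=None):
    """Intelligence-layer side: decide before any AI processing whether to accept.

    Returns (accepted, reason). `seen_signatures` is a caller-owned set of tags
    accepted inside the window, so a byte-identical replay is refused (assumption).
    """
    now = int(time.time()) if now is None else now
    # 1. Freshness: outside the window the request is dropped even if the tag is valid.
    if abs(now - timestamp) > MAX_CLOCK_SKEW_SECONDS:
        return False, "stale timestamp"
    # 2. Integrity: recompute and compare in constant time.
    expected = sign_request(secret, method, path, timestamp, body)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # 3. Replay inside the window: the same valid tag is accepted once.
    if signature in seen_signatures:
        return False, "replayed signature"
    seen_signatures.add(signature)
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; a real key lives in config, not code
    ts = int(time.time())
    body = b'{"case_id": "case-001", "action": "classify"}'  # constructed payload
    tag = sign_request(secret, "POST", "/v1/classify", ts, body)
    seen = set()
    print(verify_request(secret, "POST", "/v1/classify", ts, body, tag, seen))          # (True, 'ok')
    print(verify_request(secret, "POST", "/v1/classify", ts, body, tag, seen))          # replayed
    print(verify_request(secret, "POST", "/v1/classify", ts, body + b" ", tag, set()))  # tampered
```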
Case data is protected by LUKS full-disk encryption. Encryption keys are never stored on the same physical media as the encrypted data. All data in transit uses TLS 1.3. Internal service communication is isolated to a private Tailscale mesh VPN.
Every claim in a Pleadly demand letter is linked to its source document by ID, page, and character offset. The system requires the AI to return a source_document_id for each citation; outputs without recognized source IDs are rejected before delivery. Hallucinated citations are architecturally prevented, not just warned against.
Each law firm’s case content is stored in a dedicated, org-scoped vector collection. No case content from Firm A is ever in the same query scope as Firm B. Row-level security policies enforce org isolation at the database layer — not just at the application layer.
Pleadly does not use client case data to train, fine-tune, or update AI models without explicit written consent. The attorney review workflow (accepting or rejecting demand drafts) generates anonymized, PII-stripped training signals only when the firm has separately opted in writing. Opting out has no impact on service quality or pricing.
Third Parties
Pleadly uses a limited set of third-party subprocessors for non-privileged functions only. No subprocessor has access to case content, demand letter text, medical records, or any other privileged client information.
Vercel
Control Plane application hosting
Authentication tokens, session management. No case content.
Supabase
Control Plane database
User accounts, firm metadata, billing relationships. No case content.
Stripe
Subscription billing
Payment and subscription data. No case content.
Resend
Transactional email (status notifications)
Notification type and case identifier (no case content, no PHI). Subject lines contain only status codes.
Backblaze B2
Encrypted document backup storage
AES-256-GCM encrypted case document backups only. All files encrypted client-side on Miko Labs infrastructure before upload. Backblaze has no access to encryption keys or plaintext case content.
All AI inference, case data storage, and demand generation occur exclusively on Miko Labs LLC on-premises infrastructure, with no subprocessor involvement.
Legal
The following is excerpted from the Pleadly ABA 512 Architecture Attestation, v1.3, March 2026, executed by Miko Labs LLC:
Responsibilities
Pleadly’s architecture eliminates the primary disclosure risk identified in ABA Opinion 512. However, firms retain responsibility for the following:
All Pleadly-generated demand letters are drafts requiring attorney review before transmission to opposing parties or insurers. Attorneys must exercise independent professional judgment and verify the accuracy of AI-generated content.
Attorneys should evaluate whether disclosure of AI use is required under their engagement agreements or applicable state bar rules. California attorneys should review COPRAC Practical Guidance alongside the Pleadly attestation.
Pleadly does not perform conflict-of-interest checks. Firms must maintain their own conflict-check and matter-opening procedures.
Firms must comply with any state bar ethics rules regarding AI use that differ from ABA Model Rules. Consult ethics counsel for jurisdiction-specific requirements.
Security architecture questions: security@pleadly.ai
ABA 512 Attestation: download PDF
Compliance review: book a compliance review call