Sonomos for legal firms
A quickstart for attorneys, paralegals, legal operations, knowledge management, and IT staff at law firms who want to use AI tools without compromising privileged client information or running afoul of professional responsibility rules.
Who this is for
You’re at a law firm or in-house legal team and you (or your staff) are using AI tools for:
- Drafting and editing briefs, memos, and motions
- Summarizing depositions, transcripts, and discovery
- Legal research and case-law analysis
- Contract drafting, review, and comparison
- Client correspondence and intake summaries
- Document review and eDiscovery prep
- Time-entry narratives and matter summaries
Each of these workflows can pull privileged information into prompts that leave the firm’s controlled environment.
What’s at stake
Two distinct risk surfaces:
- Professional responsibility — ABA Model Rules 1.1 (competence), 1.6 (confidentiality), and 5.3 (supervision of non-lawyer assistance) all reach AI tool use. Many jurisdictions have issued ethics opinions specifically on generative AI; check your bar’s guidance.
- Client privilege and confidentiality — disclosing confidential or privileged information to a third-party AI service can break privilege and trigger contractual obligations under client engagement letters.
Sonomos doesn’t eliminate either risk — that needs policy, training, and engagement-letter language — but it materially reduces the surface for accidental disclosure.
The information Sonomos detects
Sonomos catches every common category of legally sensitive information when it appears in browser-based AI workflows:
- Personal identifiers — names, DOBs, addresses, contact info of clients, opposing parties, witnesses, employees
- Identification numbers — SSNs, EINs, tax IDs, driver’s licenses, passport numbers
- Financial details — credit cards, IBANs, account numbers, routing numbers
- Health information — MRNs, NPI and DEA numbers, diagnoses (for medical malpractice, ERISA, disability matters)
- Free-text contextual identifiers — via on-device AI, including “Patient X”, “the deponent”, “Mr. Smith’s account”
See the Detector Reference for the complete list.
Recommended product stack
| Channel | What to install |
|---|---|
| Web AI chat (Claude.ai, Gemini, Grok, ChatGPT) | Browser extension |
| Online research platforms (Westlaw, Lexis with AI) | Browser extension |
| Native Office Copilot, Adobe AI | Coming: Sonomos Desktop |
| Practice management software | Coming: Sonomos Desktop |
| Developer staff (e.g. firm IT building tools) | Add Canary |
Setup checklist
- Install the browser extension on every browser used by attorneys, paralegals, and legal staff. See Install.
- Choose a plan. For firms with multiple attorneys, the Teams plan is essential — it enables admin policy enforcement and per-attorney detection statistics for the responsible attorney to review.
- Pin Cloak on for Claude.ai, Gemini, and Grok. On Teams, pin via admin policy so attorneys cannot disable it.
- Set Send Guard to “Modal always” for the matter types that handle the most sensitive data: family law, criminal, M&A, IP, employment, healthcare, financial regulation, and any matter under a litigation hold or protective order.
- Schedule monthly compliance reports to the firm’s general counsel or knowledge-management lead. The report documents that AI-related disclosure controls were active without exposing the underlying matter content.
- Update engagement letters and the firm’s acceptable-use policy to reference Sonomos as a technical control for client confidentiality during AI tool use. Coordinate with your bar’s ethics guidance.
Workflows, step by step
Drafting and editing briefs
- Open Claude.ai. Confirm Cloak is on.
- Paste a draft section that may contain client identifiers, opposing parties, witness names, case numbers, and citations.
- Cloak replaces names and identifiers with stable placeholders ([CLIENT_1], [PARTY_1], [CASE_NUMBER]) before the prompt is transmitted.
- The model returns a polished section that references the placeholders.
- Replace placeholders with the real values in your DMS draft — never paste the raw AI output back over client data.
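The masking round trip in the drafting workflow above, together with the Send Guard decision from the setup checklist, as an added JavaScript illustration that is not Sonomos’s code: sensitive values are swapped for stable placeholders before the prompt leaves the browser, the same value always gets the same placeholder within a session, and the model’s reply is mapped back onto the real values afterwards. The regex detectors, the caller-supplied name list that stands in for Cloak’s on-device free-text detection, the BLOCKING policy, the mode names, and the sample prompt are all constructed assumptions for this example.

```javascript
// Added illustration (not Sonomos's code) of a Cloak-style round trip:
// detect sensitive values, replace them with stable placeholders before the
// prompt is transmitted, and map the model's answer back afterwards. A Send
// Guard-style gate decides whether the raw prompt proceeds, warns, or stops
// for a modal. Patterns, policy and sample data are assumptions.

// Hypothetical pattern detectors. Cloak's free-text name detection runs as
// on-device AI; here a caller-supplied list of known parties stands in for it.
const DETECTORS = [
  { category: "SSN", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { category: "EIN", re: /\b\d{2}-\d{7}\b/g },
  { category: "CASE_NUMBER", re: /\b\d{1,2}:\d{2}-cv-\d{3,6}\b/gi },
];

// Assumed policy: these categories always stop for a modal; anything else
// that was masked only warns (amber).
const BLOCKING = new Set(["SSN", "EIN"]);

// A session holds the forward (value -> token) and reverse (token -> value)
// maps so that the same value gets the same placeholder every time.
function createSession(knownNames = {}) {
  const names = [];
  for (const [category, values] of Object.entries(knownNames)) {
    for (const value of values) names.push({ category, value });
  }
  // Longest names first so "Acme Corp" is replaced before a shorter "Acme".
  names.sort((a, b) => b.value.length - a.value.length);
  return { names, forward: new Map(), reverse: new Map(), counters: {} };
}

function placeholderFor(session, category, value) {
  if (session.forward.has(value)) return session.forward.get(value);
  const n = (session.counters[category] || 0) + 1;
  session.counters[category] = n;
  const token = `[${category}_${n}]`;
  session.forward.set(value, token);
  session.reverse.set(token, value);
  return token;
}

// Returns the masked prompt plus the detections (category + raw value) so a
// gate can decide on the raw content before anything is transmitted.
function mask(session, text) {
  let out = text;
  const hits = [];
  for (const { category, value } of session.names) {
    if (!out.includes(value)) continue;
    hits.push({ category, value });
    out = out.split(value).join(placeholderFor(session, category, value));
  }
  for (const { category, re } of DETECTORS) {
    out = out.replace(re, (m) => {
      hits.push({ category, value: m });
      return placeholderFor(session, category, m);
    });
  }
  return { text: out, hits };
}

// Restores real values in the model's answer. Tokens the session does not
// know are left untouched rather than guessed.
function unmask(session, text) {
  return text.replace(/\[[A-Z_]+_\d+\]/g, (tok) => session.reverse.get(tok) ?? tok);
}

// "green": nothing detected; "amber": masked, proceed with a warning;
// "modal": stop until the user removes the data or acknowledges the risk.
// mode "modal-always" mirrors the "Modal always" setting in the checklist.
function sendGuard(hits, mode = "default") {
  if (hits.length === 0) return "green";
  if (mode === "modal-always") return "modal";
  return hits.some((h) => BLOCKING.has(h.category)) ? "modal" : "amber";
}

// Constructed sample prompt (fictional names and numbers).
const SAMPLE_PROMPT =
  "Client Acme Corp (EIN 12-3456789) retained us in Acme Corp v. Beta Holdings LLC, " +
  "No. 2:24-cv-01234. Witness Jane Doe, SSN 123-45-6789, testified on Monday.";

function demo() {
  const session = createSession({ CLIENT: ["Acme Corp"], PARTY: ["Beta Holdings LLC", "Jane Doe"] });
  const { text, hits } = mask(session, SAMPLE_PROMPT);
  // Constructed stand-in for the model's reply, which only ever saw placeholders.
  const reply = "Summary: [CLIENT_1] sued [PARTY_1] in [CASE_NUMBER_1]; [PARTY_2] is a witness.";
  return { masked: text, verdict: sendGuard(hits), restored: unmask(session, reply) };
}

console.log(demo());
```

The session-scoped maps are the part that matters for the workflow: because the second mention of Acme Corp receives the same `[CLIENT_1]` token as the first, the model can reason about the masked draft coherently, and the placeholders in its reply can be substituted back without the raw AI output ever being pasted over client data.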
Summarizing a deposition
The most common firm-side AI workflow and the highest-leverage one for Sonomos:
- Paste a chunk of transcript (or the OCR of a printed transcript) into Claude.ai or Gemini.
- Speakers, witnesses, attorneys, and any third parties get masked by Cloak before transmission.
- The model produces a thematic summary referencing placeholders.
- Map placeholders back in your own deposition summary memo.
Contract review and comparison
- For comparing two contracts, redact party names and addresses before paste where you can — these usually aren’t material to the comparison.
- Cloak catches what you miss.
- For a contract with embedded SSNs, EINs, or financial account info, Send Guard’s modal will block submission until you remove the data or acknowledge the disclosure.
Legal research
- Research prompts typically contain no client PII, so the widget stays green.
- If you accidentally include a client name in a hypothetical (“can a client like Acme Corp sue under…”), Cloak masks it before the prompt leaves the browser.
- Watch for amber widgets — they usually indicate you’ve included more context than the research question requires.
Time-entry and matter summaries
- Generating time-entry narratives from your draft notes can pull privileged content into the AI prompt.
- Send Guard modal mode catches client identifiers and forces a deliberate decision before submission.
- Cloak on Claude.ai / Gemini / Grok rewrites these out automatically.
Practice-area considerations
- M&A and securities — Material non-public information requires policy and training in addition to Sonomos. Add the SOX guide for public-company clients.
- Healthcare regulatory — Add the HIPAA guide for clients that are covered entities or business associates.
- Employment — Add the HR-focused quickstart for plaintiff- or defendant-side employment matters.
- Cross-border — Add the GDPR guide for EU personal data and the CCPA guide for California consumer data.
- Financial regulation — Add the GLBA guide and the PCI-DSS guide where relevant.
Pitfalls to avoid
- Document management system (DMS) AI features. iManage, NetDocuments, and other DMS vendors increasingly embed AI summarization. The browser extension only sees the DMS web UI, not the underlying server-side AI. Confirm the vendor’s confidentiality commitments and consider whether DMS AI features require client consent.
- Native Office Copilot. Not visible to the browser extension. Treat with caution until Sonomos Desktop ships.
- eDiscovery review platforms with AI. Relativity, Everlaw, and Reveal increasingly integrate AI for review. The browser extension covers the web UI; the AI itself runs server-side at the vendor.
- Practice management software AI. Clio Duo, MyCase IQ — these are native or server-side and outside the extension’s reach.
- Voice transcription for depositions or client meetings. Otter, Fireflies, and built-in OS dictation are not yet covered.
- Privileged information in shared model contexts. Even with Cloak, do not paste opposing counsel’s confidential settlement communications into a public AI — that’s a policy issue, not a detection issue.
Documenting the control
For attorneys subject to bar reporting on technical safeguards, or firms that want to show clients a clear story:
- Compliance reports (Pro / Teams) document by category and time that detection and masking were active. PHI / PII text is never included.
- Engagement letter language can reference the firm’s Sonomos deployment as a technical confidentiality control.
- Annual ethics CLE is a good place to surface Sonomos use as part of the AI-tool policy discussion.