
Policies

Privacy & Security Policy 

Client Data 

During implementation, clients are provided with their own private data stores. 

  • All client data, including all uploaded contracts, will be stored on their dedicated data stores 
  • ThoughtRiver may not access client data without permission (e.g. for a support request) 
  • Client data is backed up continually to private data stores at a second site to facilitate disaster recovery and data restore 
  • All client data is encrypted at rest and in transit; different clients’ data stores employ different encryption keys 

Contextual Interpretation Engines 

ThoughtRiver’s AI or Contextual Interpretation Engines are housed in our distributed architecture as shared services. During contract analysis: 

  • Contract data is sent to the AI Engines for predictions and training 
  • All resultant information is recorded back to the client data stores 
  • The AI Engines do not record any client-identifiable data  

Clients may request that ThoughtRiver perform machine learning training on their contracts to extend the capabilities of the out-of-the-box predictions. Where this occurs, a copy of the customer data will be taken into a separate private data store, accessible by ThoughtRiver staff, which will be used to develop a new iteration of the out-of-the-box prediction models. No data is added to this store without explicit client consent and there is no obligation to agree to this process. None of this data is accessible by any of ThoughtRiver’s clients. 

Analytics 

The following client data is collected and stored by third-party analytics providers who provide product analytics services to ThoughtRiver to support iterative product feature enhancement and customer success support for clients. The usage data is collected via all of ThoughtRiver’s applications (including the Microsoft Word Plug-In, Negotiations Application and Power Automate-enabled email flow): 

  • Domain name of the user's email address. For example, “thoughtriver” is recorded for a user with the email user@thoughtriver.com 
  • The user’s universally unique identifier (UUID) which is generated automatically when a new user is created 
  • The business role/s assigned to a user 
  • The sub-account the user accesses 
  • Each ‘event’/feature that a user interacts with within the applications including length of time interacting and frequency of the interaction. ThoughtRiver may track interaction with all features including, for example, uploads, resolution of issues, creation of issues, use of Advice Notes, use of Clause Suggestions.  
  • The amount of time a user spends with any of the ThoughtRiver platform’s interfaces on a contract and how much time is spent remediating each version of a contract and how a user is interacting with the available content and application features in relation to a contract. 

The analytics provider logs additional information automatically. This includes geographic location, first-party cookies, data related to the device/browser, IP address, etc. 

Data Segregation and Destruction 

  • All customer data is held on a dedicated database separate from the web application. 
  • On completion of a trial or paid subscription, this data, including backup copies, will be fully deleted, unless it is requested to be maintained within the ThoughtRiver ecosystem. 

Security 

ThoughtRiver employs a fully managed security operations centre, intrusion detection / prevention and escalation / remediation plans.  ThoughtRiver maintains certification to ISO standard 27001.  This includes both company and application security testing.   

Penetration testing and secure code reviews are performed periodically by independent qualified experts and ethical hackers.  

Employees are screened in accordance with the requirements of the ISO 27001 standard. 

Changes to this policy  

This privacy and security policy was published in September 2021 and last updated in November 2024.  ThoughtRiver may change this policy from time to time and when we do we will inform you via the Platform.  

Acceptable Use Policy

The terms used in this policy shall have the same meaning as defined in the ThoughtRiver Terms unless defined otherwise.

  • Acceptable use of the Platform by an Authorised User shall mean use which is not in excess of what would be reasonably expected by that Authorised User given the nature and responsibilities of their job and level of experience. 
  • The Customer shall ensure each Authorised User maintains a secure password for use of the Platform.
  • The Customer shall not access, store, distribute or transmit any Virus or any material during the course of its use of the Platform that is unlawful, inappropriate or illegal. ThoughtRiver reserves the right, without liability or prejudice to its other rights, to disable the Account in relation to any breach or suspected breach of this Policy. Virus means any thing or device (including any software, code, file or programme) which may prevent, impair or otherwise adversely affect the operation, accessibility, performance or availability of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device.
  • The Customer shall not, except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties and except to the extent expressly permitted by ThoughtRiver:
    • attempt to copy, modify, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Platform (as applicable) in any form or media or by any means; or
    • attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Platform; or
    • access all or any part of the Platform in order to build a product or service which is similar to the Platform; or
    • use the Platform to provide services to third parties; or
    • license, sell, rent, lease, distribute, or otherwise commercially exploit the Platform; or
    • copy or clone any of the Premium Risk Policies.

The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Platform and, in the event of any such actual or suspected unauthorised access or use, shall promptly notify ThoughtRiver.

Backup Policy

  1. All customer data is backed up and encrypted on a daily basis:
    1. Daily incremental backup
    2. Weekly full backup
  2. Data retention period is 2 weeks
  3. The backup facility is located at a second site in the same region as the main data centre.
  4. Backups are segregated. Each client’s virtual server (thus data) is on a separate backup.

Privacy and Security Policy

Summary of Changes - March 2024 

  • ThoughtRiver manages its security operations directly rather than via a managed service provided by Cloud Direct 
  • ThoughtRiver is ISO 27001 certified; this is now noted in the policy.   

Summary of Changes - April 2024 

  • As part of the launch of NDATriage free trial accessible via our website, the Privacy and Security Policy has been updated to detail how any data uploaded is stored.  

Summary of Changes – November 2024 

  • We have removed reference to NDATriage free trial; in addition we have made minor updates to the section on Analytics and Security.  

Backup Policy 

Summary of Changes – November 2024  

  • We have closed our Singapore based data centre so reference to this has been removed from the policy.