The most important decision your firm makes about Claude for Word isn't whether to use it -- it's which tier to buy. Claude Enterprise offers zero data retention and a Business Associate Agreement. Claude Team retains data for 30 days. The consumer version retains data for training. For a law firm handling privileged communications, that tier decision determines whether Claude is an ethical tool or a privilege waiver waiting to happen.
The Heppner ruling put this in sharp focus. When a court found that using consumer AI tools could waive attorney-client privilege, every managing partner should have asked: "What tier are we on?" If you're still using consumer Claude -- or worse, if your associates are using it without firm oversight -- you have a privilege problem, not an AI problem.
Claude Team vs Enterprise: What Each Tier Offers Law Firms
Claude Team ($25/seat/month) provides: no training on your data, 30-day data retention for service improvement, admin controls, SSO, and usage analytics. Your conversations aren't used to train Claude's models, but they exist on Anthropic's servers for 30 days.
Claude Enterprise ($30/seat/month) provides: zero data retention (conversations are processed but not stored), BAA availability for HIPAA-covered data, custom retention policies, enhanced admin controls, SAML SSO, and audit logging. Your data passes through Claude's systems but isn't retained after the session ends.
The consumer version (free or $20/month Pro) provides: data may be used for training unless you opt out, conversations are stored indefinitely, no enterprise security controls, no BAA, no audit trail.
For a law firm, the consumer version is disqualifying for any work involving client information. The question is whether Team's 30-day retention is acceptable or whether Enterprise's zero retention is required.
The Heppner Ruling and Privilege Implications
In Heppner v. Doe, the court addressed whether inputting privileged client communications into a consumer AI chatbot constituted a voluntary disclosure that waived attorney-client privilege. The ruling held that using a consumer AI tool without adequate data protections could constitute a disclosure to a third party, potentially waiving privilege.
The reasoning: attorney-client privilege requires that communications be kept confidential. When an attorney inputs privileged information into a consumer AI tool that retains data for training purposes, the attorney has voluntarily disclosed that information to the AI provider -- a third party. The waiver analysis depends on the specific data handling terms.
This ruling didn't say "all AI use waives privilege." It said "AI use without appropriate confidentiality protections can waive privilege." The distinction matters: Enterprise-tier tools with zero retention and contractual confidentiality protections address the Heppner concern. Consumer tools don't.
Every law firm needs a written AI policy that specifies which tools are approved and which tiers are required for different types of work.
When 30-Day Retention (Team Tier) Is Acceptable
Claude Team's 30-day retention period means your data exists on Anthropic's servers for a month after your session. It's not used for training, but it's stored. For many law firm use cases, this is acceptable.
Acceptable uses include general legal research that doesn't reference specific clients, drafting template provisions without client-specific details, CLE preparation and legal education, internal firm management tasks, and marketing content creation.
The key question: does the data you're inputting include information that would be privileged or confidential if disclosed? If you're drafting a generic force majeure clause, Team tier is fine. If you're asking Claude to analyze a specific client's contract with their counterparty named in the prompt, you're inputting privileged information into a system that retains it for 30 days.
Some firms draw the line at client identification. Use Team tier but never input client names, matter numbers, or facts that would identify the specific engagement. This approach works but requires consistent training and enforcement.
When Zero Retention (Enterprise Tier) Is Required
Enterprise tier is required whenever you input client-identifying information, privileged communications, or confidential business terms. Practically, that means:
Contract review and drafting with actual deal terms; litigation strategy discussions referencing specific parties; client communications analysis; due diligence document review; and any work where the input includes information your client would consider confidential.
For healthcare clients, the BAA available on the Enterprise tier is additionally required under HIPAA. If any client data could constitute protected health information -- common in healthcare litigation, insurance defense, and employee benefits work -- the BAA is a regulatory requirement, not a preference.
The cost delta between Team and Enterprise is $5/seat/month. For a 30-attorney firm, that's $1,800/year. Compare that to the cost of a single privilege waiver motion or a malpractice claim arising from improper data handling. Enterprise is the only defensible choice for firms doing substantive client work with AI.
Building Your Firm's Claude Confidentiality Policy
Every firm using Claude needs a written policy covering five elements.
First, tier requirements: which Claude tier is approved for which types of work. Most firms should mandate Enterprise for any client-specific work and allow Team for general research and internal tasks.
Second, input restrictions: what information can and cannot be entered into Claude, regardless of tier. Some firms prohibit inputting opposing party names, settlement amounts, or litigation strategy even on Enterprise tier.
Third, output handling: how Claude's output should be treated for privilege purposes. If you input privileged information and Claude generates a response, is that response privileged? (Usually yes, as attorney work product, but your policy should address it.)
Fourth, training requirements: mandatory training for all attorneys and staff before Claude access is provisioned. Include the Heppner ruling, your firm's specific rules, and practical examples.
Fifth, monitoring and enforcement: how the firm monitors compliance. Enterprise's audit logging enables this. Team tier provides usage analytics but less granular monitoring. Build accountability into the policy.
The Bottom Line: Enterprise tier's zero retention and BAA cost $5/seat/month more than Team -- that's the cheapest privilege insurance your firm will ever buy.
AI-Assisted Research. This piece was researched and written with AI assistance, reviewed and edited by Manu Ayala.
