

Privacy & Security Policy 

Client Data 

During implementation, clients are provided with their own private data stores. 

  • All client data, including all uploaded contracts, will be stored on their dedicated data stores 
  • ThoughtRiver may not access client data without permission (e.g. for a support request) 
  • Client data is backed up continually to private data stores at a second site to facilitate disaster recovery and data restore 
  • All client data is encrypted at rest and in transit; different clients’ data stores employ different encryption keys 


Contextual Interpretation Engines 

ThoughtRiver’s AI or Contextual Interpretation Engines are housed in our distributed architecture as shared services. During contract analysis: 

  • Contract data is sent to the AI Engines for predictions and training 
  • All resultant information is recorded back to the client data stores 
  • The AI Engines do not record any client-identifiable data  

Clients may request that ThoughtRiver perform machine learning training on their contracts to extend the capabilities of the out-of-the-box predictions. Where this occurs, a copy of the customer data will be taken into a separate private data store accessible by ThoughtRiver staff which will be used to develop a new iteration of the out-of-the-box prediction models. No data is added to this store without explicit client consent and there is no obligation to agree to this process. None of this data is accessible by any of ThoughtRiver’s clients. 


The following client data is collected and stored by third party analytics providers who provide product analytics services to ThoughtRiver to support iterative product feature enhancement and customer success support for clients. The usage data is collected via all of ThoughtRiver’s applications (including the Microsoft Word Plug-In, Negotiations Application and Flow email connector): 

  • Domain name of the user's email address. For example, “thoughtriver” is recorded for a user with the email 
  • The user’s universally unique identifier (UUID) which is generated automatically when a new user is created 
  • The business role/s assigned to a user 
  • The sub-account the user accesses 
  • Each ‘event’/feature that a user interacts with within the applications including length of time interacting and frequency of the interaction. ThoughtRiver may track interaction with all features including, for example, uploads, resolution of issues, creation of issues, use of Advice Notes, use of Clause Suggestions.  
  • The amount of time a user spends with any of the ThoughtRiver platform’s interfaces on a contract and how much time is spent remediating each version of a contract and how a user is interacting with the available content and application features in relation to a contract. 

The analytics provider logs additional information automatically. This includes geographic location, first-party cookies, data related to the device/browser, IP address, etc. 


Data Segregation and Destruction 

  • All customer data is held on a dedicated database separate from the web application. 
  • On completion of a trial or paid subscription, this data, including backup copies, will be fully deleted, unless it is requested to be maintained within the ThoughtRiver ecosystem. 



ThoughtRiver employs a fully managed security operations centre, intrusion detection / prevention and escalation / remediation plans.  ThoughtRiver maintains certification to ISO standard 270001.  

Penetration testing and secure code reviews are performed periodically by independent qualified experts and ethical hackers.  

ThoughtRiver is also security-tested against industry standards at the application level.  

All relevant employees are screened against criminal record checks.  

NDATriage Free Trial

Any data an NDATriage free trial user uploads via email is stored in a shared data store.  That data is purged every 24 hours.

Changes to this policy  

This privacy and security policy was published in September 2021 and last updated in April 2024.  ThoughtRiver may change this policy from time to time and when we do we will inform you via the Platform.  

Acceptable Use Policy

The terms used in this policy shall have the same meaning as defined in the ThoughtRiver Terms unless defined otherwise.

  • Acceptable use of the Platform by an Authorised User shall mean use which is not in excess of what would be reasonably expected by that Authorised User given the nature and responsibilities of their job and level of experience. 
  • The Customer shall ensure each Authorised User maintains a secure password for use of the Platform.
  • The Customer shall not access, store, distribute or transmit any Virus or any material during the course of its use of the Platform that is unlawful, inappropriate or illegal. ThoughtRiver reserves the right, without liability or prejudice to its other rights, to disable the Account in relation to any breach or suspected breach of this Policy. Virus means any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation, accessibility, performance or availability of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device.
  • The Customer shall not, except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties and except to the extent expressly permitted by ThoughtRiver:
    • attempt to copy, modify, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Platform (as applicable) in any form or media or by any means; or
    • attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Platform; or
    • access all or any part of the Platform in order to build a product or service which is similar to the Platform; or
    • use the Platform to provide services to third parties; or
    • license, sell, rent, lease, distribute, or otherwise commercially exploit the Platform; or
    • copy or clone any of the Premium Risk Policies.

The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Platform and, in the event of any such actual or suspected unauthorised access or use, shall promptly notify ThoughtRiver.

Backup Policy

  1. All customer data is backed up and encrypted on a daily basis:
    1. Daily incremental backup
    2. Weekly full backup
  2. Data retention period is 2 weeks
  3. Backup facility is located in the same region as main data centre (UK, US or India for Singapore) at a second site.
  4. Backups are segregated. Each client’s virtual server (thus data) is on a separate backup*

Privacy and Security Policy

Summary of Changes - March 2024

  • ThoughtRiver manages its security operations directly rather than via a managed service provided by Cloud Direct
  • ThoughtRiver is ISO270001 certified; this is now noted in the policy.  

Summary of Changes - April 2024

  • As part of the launch of NDATriage free trial accessible via our website, the Privacy and Security Policy has been updated to detail how any data uploaded is stored.