Tutorial 06: The Claude Legal Plugin

/review-contract

## CONTRACT ANALYSIS: Software License Agreement
**Contract Type**: SaaS Subscription Agreement
**Our Role**: Customer/Licensee
**Counterparty**: Acme Software Inc.

### CLAUSE ANALYSIS

#### 1. LICENSE GRANT (Section 2.1)
GREEN - Acceptable
- Grants non-exclusive, worldwide license
- Includes affiliate usage rights
- Standard use restrictions

#### 2. LIMITATION OF LIABILITY (Section 8)
RED - Must Negotiate
Current: "Vendor's liability shall not exceed $10,000"
Issue: Cap is far below contract value ($150,000 ACV)
Playbook Position: Minimum 12 months fees ($150,000)

**Suggested Redline**:
"Vendor's liability shall not exceed ~~$10,000~~ the greater
of (a) fees paid in the twelve (12) months preceding the
claim or (b) $150,000."

#### 3. INDEMNIFICATION (Section 7)
YELLOW - Should Negotiate
Current: IP indemnity excludes "modifications by Customer"
Issue: Overly broad exclusion could limit protection
Playbook Position: Narrow exclusions to material modifications

**Suggested Redline**:
Add: "provided such modification materially alters the
functionality of the Service in a manner not contemplated
by the Documentation"

### NEGOTIATION PRIORITIES
1. RED Liability Cap (critical gap)
2. RED Data Breach Indemnity (missing entirely)
3. YELLOW Indemnity Exclusions (overbroad)
4. YELLOW Termination Notice (60 vs 30 days)
5. GREEN Auto-renewal period (acceptable at 30 days)

### CUMULATIVE RISK SCORE: 7 (HIGH)
Recommend: Partner review before signing

/triage-nda

## NDA TRIAGE RESULTS

**Document**: Acme Corp Mutual NDA (v2.1)
**Type**: Mutual Non-Disclosure Agreement
**Direction**: Two-way protection

### TRIAGE RESULT: COUNSEL REVIEW

**Reason**: Contains 2 non-standard provisions requiring attorney review

### FLAGGED ITEMS:

1. **Non-Solicit Clause (Section 6)**
   - Not typically included in standard NDA
   - 24-month restriction on hiring
   - May need business approval

2. **Jurisdiction (Section 9)**
   - Specifies Texas courts exclusive jurisdiction
   - Our standard: Delaware or mutual agreement
   - Acceptable but note for negotiation if sensitive deal

### STANDARD ITEMS (No Issues):
- Definition of Confidential Information
- Mutual obligations
- 3-year term
- Standard exclusions
- Return/destruction requirement

### RECOMMENDATION:
Route to associate for 15-minute review of flagged items.
If non-solicit is acceptable to business, can proceed.

/vendor-check [vendor name]

/vendor-check Salesforce

## VENDOR STATUS: Salesforce

**Active Agreements**:
1. Master Subscription Agreement - Expires: Dec 2026
2. Data Processing Addendum - Current
3. Professional Services SOW #3 - Completed

**Upcoming**:
- Renewal negotiation due: October 2026
- Auto-renewal date: November 15, 2026

**Historical Notes**:
- Last negotiated liability cap increase (2024)
- Standard DPA accepted without modification

**Recommended Actions**:
- Begin renewal prep 90 days out (September 2026)
- Review new AI features for data processing implications

/brief [type] [topic/context]

/brief incident data-breach-notification

## INCIDENT RESPONSE BRIEF: Data Breach Notification

**Prepared**: [Date/Time]
**Classification**: Attorney-Client Privileged

### IMMEDIATE ACTIONS (0-24 Hours)
1. Preserve all relevant logs and communications
2. Engage incident response team
3. Notify cyber insurance carrier
4. Begin notification timeline tracking

### NOTIFICATION REQUIREMENTS BY JURISDICTION

**Federal**:
- HIPAA: 60 days (if PHI involved)
- GLBA: "As soon as reasonably practicable"
- SEC: 4 business days (material events, public companies)

**State Requirements** (Selected):
| State | Deadline | AG Notice? | Content Requirements |
|-------|----------|------------|---------------------|
| CA | "Expedient" | Yes >500 | Specific format |
| NY | "Most expedient" | Yes | Format specified |
| TX | 60 days | Yes >250 | Toll-free number |

### TEMPLATE RESOURCES
- Customer notification template: [Link]
- AG notification template: [Link]
- Board briefing outline: [Link]

### KEY CONTACTS
- Outside Counsel: [Name, Number]
- Forensics Vendor: [Name, Number]
- PR/Communications: [Name, Number]

/respond [request-type]

/respond dsar

## DATA SUBJECT ACCESS REQUEST RESPONSE

**Template Version**: 2.1 (GDPR/CCPA Compliant)

---

Dear [Requestor Name],

We are writing in response to your data subject access request
dated [Request Date]. We have verified your identity and are
pleased to provide the following information:

**Personal Data We Hold About You:**

| Category | Data Elements | Source | Purpose |
|----------|---------------|--------|---------|
| Identity | [Name, Email] | [Source] | [Purpose] |
| [Continue for all categories] |

**Third Parties With Whom Data Was Shared:**
- [List recipients and purposes]

**Your Rights:**
You have the right to:
- Request correction of inaccurate data
- Request deletion (subject to legal retention requirements)
- Object to processing for certain purposes
- Data portability in machine-readable format

**How to Exercise Additional Rights:**
Contact our Privacy Team at [[email protected]]

We must retain certain data for [legal/regulatory reasons].
Please see attached schedule for applicable retention periods.

If you have concerns about our handling of your data, you may
contact [relevant supervisory authority].

Sincerely,
[Company Name] Privacy Team

---

**Internal Notes** (Do not include in response):
- Verify identity before sending
- Log request in DSAR tracker
- 30-day response deadline: [Date]
- Fees applicable: No (first request)

~/.claude/legal-playbook.json

{
  "version": "1.0",
  "organization": "Your Firm Name",
  "default_role": "customer",
 
  "positions": {
    "liability_cap": {
      "standard": "12 months fees",
      "minimum": "contract value",
      "carve_outs": [
        "indemnification",
        "data breach",
        "IP infringement",
        "confidentiality",
        "gross negligence",
        "willful misconduct"
      ]
    },
    "indemnification": {
      "required_from_vendor": [
        "IP infringement",
        "data breach",
        "gross negligence"
      ],
      "required_mutual": [
        "third party claims from breach"
      ],
      "unacceptable": [
        "customer indemnifies for vendor negligence"
      ]
    },
    "data_rights": {
      "ownership": "customer owns all customer data",
      "vendor_usage": "service delivery only",
      "prohibited_uses": ["AI training", "analytics", "marketing"],
      "deletion_timeline": "30 days",
      "breach_notification": "72 hours"
    },
    "termination": {
      "preferred": "annual with 30 days TFC",
      "acceptable": "60-90 days notice",
      "unacceptable": "no TFC, >90 day notice"
    }
  },
 
  "risk_thresholds": {
    "red": [
      "uncapped customer liability",
      "no vendor indemnity",
      "data used for training"
    ],
    "yellow": [
      "liability cap below 12 months",
      "limited indemnity carve-outs"
    ]
  },
 
  "approval_matrix": {
    "associate": { "max_score": 2, "max_value": 50000 },
    "senior_associate": { "max_score": 5, "max_value": 250000 },
    "partner": { "max_score": 9, "max_value": 1000000 },
    "managing_partner": { "min_score": 10 }
  },
 
  "counterparty_overrides": {
    "Amazon Web Services": {
      "accept_standard_liability": true,
      "focus_areas": ["data processing terms", "SLA credits"]
    },
    "Salesforce": {
      "standard_dpa_acceptable": true
    }
  }
}

mkdir -p ~/.claude
touch ~/.claude/legal-playbook.json

/review-contract
[Upload test contract]

/review-contract
[Contract references California law]

"I notice this contract is governed by California law.
Let me verify the current enforceability standards for
the non-compete provisions..."

[Claude queries Midpage for relevant California case law]

"Based on California Business and Professions Code Section
16600 and recent case law, the non-compete clause in
Section 12 is likely unenforceable in California..."

1. Receive contract from business team

2. Initial triage:
   /triage-nda (if NDA)
   OR
   Upload contract to Contract Review Project

3. Full review:
   /review-contract

4. Review output:
   - Check risk ratings
   - Review suggested redlines
   - Verify against your judgment

5. Generate response:
   /respond [type]
   OR
   Manual drafting based on suggestions

6. Document in matter management:
   /vendor-check [vendor] (to log)

Day starts: 15 NDAs in queue

1. Batch triage:
   For each NDA:
   /triage-nda

2. Sort results:
   GREEN STANDARD (6): Send to paralegal for execution
   YELLOW COUNSEL (7): Quick 10-min reviews
   RED FULL REVIEW (2): Schedule detailed analysis

3. Process YELLOW queue:
   Quick review flagged items
   Accept or request changes

4. Process RED queue:
   /review-contract for full analysis
   Draft redlines
   Negotiate as needed

Total time: ~2 hours vs. 6+ hours manually

1. Incident reported (potential data breach)

2. Generate immediate briefing:
   /brief incident data-breach

3. Review notification requirements:
   - Federal requirements
   - State-by-state deadlines
   - Industry-specific rules

4. Prepare communications:
   /respond [various notification types]

5. Document privileged analysis:
   All work within privileged Project

6. Generate status updates:
   /brief daily [incident matters]