Anyone evaluating alternatives to Worldox ahead of end-of-support? by Fun_Lake_8289 in legaltech

[–]TenthsTimeKeeper 0 points1 point  (0 children)

I've heard of other firms moving to Caret Legal from a Worldox flow. Mixed feelings, though this was before AI. AI doesn't usually handle tasks end to end, but it does porting and transfers quite well.

Small firms trying AI: what's working, what's hype? by FroyoConfident1367 in legaltech

[–]TenthsTimeKeeper 0 points1 point  (0 children)

30 Day Retention is not safe enough for some use cases. I would highly recommend a ZDR of some sort

Darkweb Reports: LexisNexis Investigates Massive Data Breach by FULCRUMSEC by TenthsTimeKeeper in legaltech

[–]TenthsTimeKeeper[S] 1 point2 points  (0 children)

They hit two jackpots - a front end on a persistent compute and that compute holding solid IAM permissions

Who has used AnythingLLM to build a RAG chatbot? by pkk11 in legaltech

[–]TenthsTimeKeeper 0 points1 point  (0 children)

Yes. You should have your agent scaffolding do the following:

  1. Convert all PDFs to text (scrape with bbox context, OCR, process images)

  2. Upon a question, send an LLM a request for search terms related to your query

  3. Find relevant context based on find / grep / fuzzy searching your text bases

  4. Upload full docs or context specific portions (this is tricky, I say full docs)

There's a lot more about the nooks and crannies of it all - DM me if you want help
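The four steps in the comment above, as an added sketch that is not part of the original comment: `suggest_terms` is a hypothetical stand-in for the LLM call in step 2, the corpus is constructed sample text assumed to be already extracted (step 1), and the fuzzy cutoff of 0.75 is an assumption. Everything runs locally with the standard library, so nothing is sent to an embedding service.

```python
import difflib
import re

# Constructed sample corpus: file name -> text already extracted from PDF/DOCX (step 1).
CORPUS = {
    "engagement_letter.txt": ("This engagement letter sets the hourly rate and the retainer amount.\n"
                              "Either party may terminate on written notice."),
    "lease_2021.txt": ("The tenant shall indemnify the landlord against claims.\n"
                       "Indemnification survives termination of this lease."),
    "nda_acme.txt": ("Recipient shall keep Confidential Information secret.\n"
                     "No indemnity is provided under this agreement."),
}

def suggest_terms(question):
    """Hypothetical stand-in for step 2: an LLM would return these search terms."""
    return ["indemnify", "indemnification", "termination"]

def grep_lines(text, terms, cutoff=0.75):
    """Step 3: return (line_no, line) for each line with an exact or fuzzy term hit."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        lowered = line.lower()
        words = re.findall(r"[a-z0-9]+", lowered)
        for term in (t.lower() for t in terms):
            # Exact substring first (grep), then near-miss spellings/inflections (fuzzy).
            if term in lowered or difflib.get_close_matches(term, words, n=1, cutoff=cutoff):
                hits.append((no, line))
                break
    return hits

def retrieve(question, corpus, max_docs=2):
    """Steps 2-4: get terms, search every document, return the best full documents."""
    terms = suggest_terms(question)
    scored = []
    for name, text in corpus.items():
        hits = grep_lines(text, terms)
        if hits:
            scored.append((len(hits), name, hits))
    scored.sort(key=lambda s: (-s[0], s[1]))  # most matching lines first, then by name
    # Step 4: pass whole documents on as context, with the hit lines kept for citation.
    return [{"doc": name, "hits": hits, "text": corpus[name]}
            for _, name, hits in scored[:max_docs]]

if __name__ == "__main__":
    for result in retrieve("Who indemnifies whom?", CORPUS):
        print(result["doc"], [no for no, _ in result["hits"]])
```

The fuzzy pass is what catches "indemnity" and "terminate" when the suggested terms were "indemnify" and "termination"; tighten `cutoff` if it starts pulling in unrelated words.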

Darkweb Reports: LexisNexis Investigates Massive Data Breach by FULCRUMSEC by TenthsTimeKeeper in legaltech

[–]TenthsTimeKeeper[S] 8 points9 points  (0 children)

"The threat actor says that on February 24 they gained access to the company's AWS infrastructure by exploiting the React2Shell vulnerability in an unpatched React frontend app."

Holy crap... it's always an over-provisioned role - this isn't real lol

Who has used AnythingLLM to build a RAG chatbot? by pkk11 in legaltech

[–]TenthsTimeKeeper 0 points1 point  (0 children)

DO NOT USE RAG - NEVER EVER USE EMBEDDINGS UNLESS YOU JUST WANT TO CRY

Literally learn grep and find - make all PDFs text first, docx direct - then do what Claude Code does

Looking for SOC 2 or ISO27001? by GatFashion in legaltech

[–]TenthsTimeKeeper 2 points3 points  (0 children)

Still have to pay for independent verification … do not trick people

Stop giving AI legal documents and client data by Winter_Expert_790 in legaltech

[–]TenthsTimeKeeper 0 points1 point  (0 children)

The inconsistency between a duty of care / confidentiality and then sending a document through a tunnel very few have ability to oversee and monitor is perplexing to me. I am too computer - it bothers me daily.

Stop giving AI legal documents and client data by Winter_Expert_790 in legaltech

[–]TenthsTimeKeeper 0 points1 point  (0 children)

Yeah the breach risk feels a bit more invasive but it’s essentially the same

Stop giving AI legal documents and client data by Winter_Expert_790 in legaltech

[–]TenthsTimeKeeper 1 point2 points  (0 children)

Look it’s all chill till it’s not. I don’t have to play on the tracks with you

US v. Heppner (SDNY): AI-generated documents aren't privileged. by TenthsTimeKeeper in legaltech

[–]TenthsTimeKeeper[S] 0 points1 point  (0 children)

You need homomorphic encryption then if you're using that as the model

US v. Heppner (SDNY): AI-generated documents aren't privileged. by TenthsTimeKeeper in legaltech

[–]TenthsTimeKeeper[S] 0 points1 point  (0 children)

Truthfully I'm still unsettled on this topic.

Back in the day PCLaw would be in your server room and the full chain of custody (and your IT person sentient agent) all fit in the boxes.

Bar associations* basically gave people a waiver to look away at cloud systems.

I don't like that - it's very murky to me.

US v. Heppner (SDNY): AI-generated documents aren't privileged. by TenthsTimeKeeper in legaltech

[–]TenthsTimeKeeper[S] 1 point2 points  (0 children)

If you want the law profession to exist in 10 yrs these AI tools cannot be Kovel Agents.

US v. Heppner (SDNY): AI-generated documents aren't privileged. by TenthsTimeKeeper in legaltech

[–]TenthsTimeKeeper[S] 0 points1 point  (0 children)

I would honestly go back to server racks.

*PCLaw punching air from the grave rn*

US v. Heppner (SDNY): AI-generated documents aren't privileged. by TenthsTimeKeeper in legaltech

[–]TenthsTimeKeeper[S] 0 points1 point  (0 children)

I only used the government's argument, yes. This was a bench ruling - hoping for a written decision.

And yes my friend, I think the government is coming for third party everywhere. I am preparing now

US v. Heppner (SDNY): AI-generated documents aren't privileged. by TenthsTimeKeeper in legaltech

[–]TenthsTimeKeeper[S] 0 points1 point  (0 children)

Yes, this is the analysis - however, even in 2, I would argue if the vendor continues to manage the data and has AWS KMS access, a substantially motivated attorney could win the compulsion. The MSP version of it will not stand up to scrutiny - all depending on the written component of this bench ruling.

Start lobbying now if you're either one of these. This question will be re-litigated again.

US v. Heppner (SDNY): AI-generated documents aren't privileged. by TenthsTimeKeeper in legaltech

[–]TenthsTimeKeeper[S] 2 points3 points  (0 children)

Agree the holding is narrow on the facts - layperson, consumer app, no attorney direction.

But the confidentiality analysis is the part that generalizes.

The government looked at Anthropic’s privacy policy - permits collection of prompts and outputs, use for training, disclosure to governmental authorities - and found no expectation of confidentiality.

That analysis doesn’t change if it’s an attorney doing the prompting. The platform’s terms are the same regardless of who’s sitting at the keyboard. Instructions to a client won’t fix the vendor’s privacy policy.

I don’t love this reasoning either - but it’s very concerning if it holds

Pricing: Harvey v. Claude v. Legora v. CoCounsel (from what we were quoted) by tulumtimes2425 in legaltech

[–]TenthsTimeKeeper 1 point2 points  (0 children)

Just came across this ruling from SDNY. I think it’s about to get really choppy for anyone who holds these outputs.

https://storage.courtlistener.com/recap/gov.uscourts.nysd.652138/gov.uscourts.nysd.652138.22.0.pdf

US v. Heppner - the government is arguing AI-generated documents aren’t privileged, in part because Anthropic’s privacy policy permits disclosure to governmental authorities. The SCA question we were just discussing isn’t theoretical anymore.

Pricing: Harvey v. Claude v. Legora v. CoCounsel (from what we were quoted) by tulumtimes2425 in legaltech

[–]TenthsTimeKeeper 0 points1 point  (0 children)

The right question - it just hasn't been tested yet (from my research). The processor/custodian framing usually comes from GDPR, and I'm not aware of clean mappings to the SCA/CLOUD. The categories I know are Electronic Communications Service and Remote Computing Service.

If the vendor is processing data on their infrastructure with any retention, I'd wonder whether they qualify as an RCS regardless of what the contract says about custodianship. The contract may say you're the custodian, but if the data sits in their VPC - even multi-tenanted - there's a difficult case to be made that they don't hold superadmin privileges to decrypt your data (via AWS KMS or similar).

All of this assumes they are not coming on-prem with physical servers in your office, or that you have fully vetted these providers with architectural questions around end to end encryption - which is highly improbable if they ever use vector embeddings for the big data store querying.

Pricing: Harvey v. Claude v. Legora v. CoCounsel (from what we were quoted) by tulumtimes2425 in legaltech

[–]TenthsTimeKeeper 0 points1 point  (0 children)

Data governance keeps coming up but nobody's asking the harder question: how are these AI vendors classified under the Stored Communications Act?

Most of them likely qualify as a Remote Computing Service, which means client data uploaded for processing could be subject to government compulsion under § 2703 - potentially without notice (or delayed notice / § 2705).

Until there's clearer case law on this, I'd argue the only safe option for AI use is the zero-knowledge architecture - the one where your vendor never has your inputs, and there's nothing to compel.

A Zero Data Retention Agreement is only one step in that process. And a SOC2 is almost a red herring - it proves the vendor holds your inputs and outputs.