Choosing an eDiscovery vendor used to be an operations decision. After Morgan v. V2X and Jeffries v. Harcros, it is a privilege decision. This guide walks through the six-step vetting process I use before any privileged material leaves the firm. If you want the legal background, see the companion article on the 5 vendor questions and the prior commentary on Morgan and Jeffries.
Inputs you need before vetting
- The operative protective order or the proposed order in the case.
- An honest estimate of the volume of privileged material in the production.
- The categories of regulated data in scope (PII, PHI, financial, trade-secret).
- The production deadline and any rolling-production obligations.
- A clear answer to whether opposing counsel is likely to challenge the AI architecture.
Mistakes to avoid
- Treating the marketing page as the contract.
- Signing without reading the data processing addendum and sub-processor list.
- Assuming privilege protection because the vendor calls itself “secure.”
- Skipping the protective-order affidavit conversation before upload.
- Ignoring the migration path until you need it.
Step 1: Map the privilege exposure before you shop
Before talking to any vendor, write down the categories of material that will be uploaded and the categories that will receive AI processing. If those overlap, the vendor selection is a privilege decision and should be treated as such. If they do not overlap, you have more room on vendor choice but should still address the architecture.
Step 2: Run the 5 vendor questions
The framework: where do the documents physically live and who has access; does any generative AI process them and on whose infrastructure; what does the standard contract say about training, retention, and deletion; can the vendor produce an affidavit that satisfies the protective order; and what does the mid-case migration path look like. Ask all 5. Record the answers in writing. Use them as the source document for vendor comparison.
Step 3: Read the three documents together
Pull the master services agreement, the data processing addendum, and the privacy policy at the same time. The privilege answer rarely lives in any single document; it emerges from the combination. Pay particular attention to (a) the training prohibition, (b) the sub-processor list and how it can be updated, (c) the deletion certification, and (d) the carve-outs that permit aggregated analytics or service-improvement uses.
Step 4: Test the affidavit posture
Send the vendor a copy of the protective order — or the proposed order — and ask in writing whether they can sign a sworn affidavit confirming compliance with each material restriction. Pay attention to which restrictions they want to qualify and which they want to negotiate in a side agreement. A vendor that cannot affirm the order in plain English is telling you the platform was not built for the case.
Step 5: Negotiate the contract before the upload, not after
The training prohibition, the sub-processor notice requirement, the deletion certification, and the affidavit obligation all belong in the engagement contract. Each one is significantly cheaper to negotiate before the documents are uploaded than after. If the vendor pushes back, you have two answers: change the architecture you upload to the platform, or change the vendor.
Step 6: Build the migration path into the engagement
The migration path is not pessimism; it is hygiene. Define the export format, the time frame, the cost, and the deletion certification before signing. Confirm that the format preserves coding work and metadata. Confirm that the deletion certification covers backup systems. The cost of negotiating these terms at engagement is small; the cost of negotiating them under deadline pressure is enormous.
When attorney help is worth it
Solo and small-firm litigators are doing this work without the structural support a large firm takes for granted. A brief outside consult before vendor selection is often the highest-leverage hour you can spend on a matter. The firm's eDiscovery service runs on firm-owned hardware in Jacksonville, Florida, and engagements include the vendor migration step where another platform is already in place. Service details are at /ediscovery.
