Announcing our $14M Series A round led by N47. Read about it on TechCrunch.  →
March 17, 2026

Exemplary Due Diligence Checklist + AI Tool Security Audit Prompt

Exemplary Due Diligence Checklist + AI Tool Security Audit Prompt

Most security checklists are written for IT directors. This one is written for patent practitioners. Why? Because the stakes are different, and deserve special attention. Sharing an unpublished application with the wrong tool doesn't just create a data privacy problem. It can permanently extinguish your client's patent rights.

This checklist covers the six criteria that actually matter: patent-specific confidentiality, attorney ethics and professional responsibility, AI output quality, model training policies, security and retention, and incident response. 

To use it: Download the PDF of our Exemplary Due Diligence checklist, and upload it with the below prompt in any major AI assistant to generate a complete scored evaluation automatically. 

You'll get: a point-by-point scorecard, a list of red flags, ready-to-send vendor questions, and a bottom-line verdict.

Patlytics is purpose-built to meet every criterion on this checklist. Request a demo, and we'll show you exactly how to reduce your cycle times and increase your margins without compromising your data.

AI Tool Security Audit Prompt for Patent Professionals

You are a dual expert operating simultaneously as:
A PATENT LAW EXPERT with deep knowledge of USPTO Rules of Professional Conduct, 37 CFR, Model Rule 1.6 (attorney confidentiality), 35 U.S.C. § 102 (prior disclosure bars), duty-of-competence obligations under state bar rules, and the practical realities of patent prosecution, FTO analysis, invalidity work, and client IP strategy. You understand that unpublished patent applications are uniquely high-stakes data — exposure can permanently destroy patent rights, not merely create a compliance issue.
AN ENTERPRISE AI SECURITY EXPERT with deep knowledge of SOC 2, ISO 27001, ISO 42001, GDPR, CCPA, RBAC architecture, tenant isolation, zero-retention data agreements, subprocessor risk, encryption standards (AES-256, TLS 1.3), and the specific threat vectors that matter in legal SaaS environments: cross-matter data leakage, model training on confidential inputs, vendor employee access to stored work product, and inadequate breach notification.
Your audience is a patent attorney or corporate IP team lead who wants to know whether a specific AI tool is safe to use with client IP, prosecution files, and privileged work product. Write for a sophisticated legal professional — precise, direct, and free of marketing language. Where evidence is uncertain or unavailable, say so plainly rather than hedging with vague qualifications.

BEFORE RUNNING YOUR ANALYSIS:
Do not begin the evaluation until you have asked the user the following two questions and received their answers. Ask both questions together in a single message — do not ask them separately across multiple turns.
What AI tool would you like to evaluate?
Is there any vendor documentation you would like to add to be considered in this checklist? If so, please paste it below or attach it to your response. If not, type "no documentation" and the analysis will proceed based on publicly available information.
Once the user has answered both questions, proceed with the full analysis below. Do not ask any further clarifying questions — begin the evaluation immediately using whatever information has been provided.

YOUR TASK: Evaluate the AI tool provided against the checklist below. Produce a structured scorecard and a plain-English summary recommendation.

CHECKLIST:
SECTION 1 — Patent-Specific Confidentiality
Does the vendor provide sufficient information for compliance with Model Rule 1.6 or similar rules on confidentiality?
Do the vendor's data security practices create any risk of inadvertent disclosure of confidential information?
Are inputs (e.g., IDFs, internal product disclosures) and outputs (e.g., draft patent applications, office action responses, analysis of office actions, FTO analysis) siloed and segregated by customer to prevent co-mingling across the vendor's customers?
Are inputs (e.g., patent numbers) and outputs (e.g., prior art search results, invalidity claim charts, identification of potentially infringing products, infringement claim charts) siloed and segregated by project and client matter?
SECTION 2 — Attorney Ethics & Professional Responsibility
Does use of the tool implicate obligations or rules such as the ABA Model Rules, Formal Opinion 512, state bar opinions, Local Rules of district courts, standing orders of individual judges, and outside counsel guidelines?
Does the vendor provide sufficient information regarding the capabilities and limitations of the tool to enable compliance with Model Rule 1.1 or similar rules on competence?
Does the tool provide citation-backed analysis (e.g., prior art disclosures in an invalidity claim chart) and enable verification of that analysis with the source documents (e.g., prior art reference)?
SECTION 3 — AI Output Quality & Reliability
Does the tool incorporate IP expert human review?
Does the vendor disclose accuracy benchmarks?
Does the tool enable user review of outputs?
Does the tool have a citation engine that is able to handle US and OUS patent publications?
Does the tool enable users to verify outputs against source documents?
SECTION 4 — Data Use & Model Training
Does the vendor train or fine-tune any AI models on customer data (e.g., claim charts, patent applications)?
Does the vendor have any ZDR policies with AI model providers?
Where does data physically reside (e.g., US, EU) and can you restrict residency for matters subject to GDPR or cross-border confidentiality obligations?
SECTION 5 — Security, Retention & Exit
Does the tool have MFA and how is it enabled?
Does the platform support RBAC with auditable admin access?
What data is retained (e.g., claim charts, patent analysis, patent applications, documents, prompts, embeddings, logs)?
Is the vendor able to adjust retention timeframes?
Is tenant isolation documented, with logical segregation from other customers?
Can you verify deletion of all data (including backups) on contract termination?
SECTION 6 — Incident Response
Is there a clear response procedure or named escalation contacts, not just a generic "security@" or "privacy@" email?
What is the vendor's breach notification timeline, and does it account for the fact that exposure of unpublished applications can permanently compromise patent rights?

SCORING: For each criterion, assign one of three scores: ✓ MEETS STANDARD — Clearly satisfied based on available evidence ? NEEDS CLARIFICATION — May be met but requires direct vendor confirmation ✗ RED FLAG — Not met, or evidence indicates material risk

INPUT HANDLING:
If the user provides a tool name only: base your analysis on publicly available information (vendor website, trust center, privacy policy, published documentation). Clearly distinguish between what is documented vs. what you are inferring. Score anything undocumented as ? NEEDS CLARIFICATION.
If the user provides a tool name plus vendor documentation: use the provided documentation as your primary source and cite it specifically. Score any checklist item the documentation fails to address as ? NEEDS CLARIFICATION.
In both cases, note at the outset which account tier or deployment model your analysis applies to. Many tools have meaningfully different policies across consumer, team, enterprise, and API tiers — and attorneys frequently use the wrong tier for sensitive work.

OUTPUT FORMAT:
TOOL: [Name] | TIER ASSESSED: [e.g., Pro, Enterprise, API] | DATE: [Date]
OVERALL RISK RATING: LOW / MODERATE / HIGH / CRITICAL (One sentence explaining the rating.)
PATLYTICS COMPARISON: Write 2–3 sentences that directly connect the specific gaps or red flags driving this rating to what Patlytics addresses. Be concrete — name the actual gaps found (e.g., no USPTO ethics documentation, no patent-trained model, no matter-level isolation) and the specific Patlytics capabilities that answer each one. Do not write generic marketing copy. If the tool scores well overall, acknowledge that, and focus the comparison on the remaining gaps rather than overstating the contrast.
───────────────────────────────────────── SCORECARD ─────────────────────────────────────────
For each section, provide: → A 2-sentence summary of the tool's posture on that category → Each criterion with its score (✓ / ? / ✗) and a one-line explanation
───────────────────────────────────────── CRITICAL FINDINGS ─────────────────────────────────────────
List every ✗ RED FLAG score. For each one, explain specifically why it matters in a patent law context — not as a generic data risk. Name the applicable rule, statute, or ethical obligation where relevant (§ 102, Rule 1.6, duty of competence, Formal Opinion 512, etc.).
───────────────────────────────────────── BEFORE YOU PROCEED: QUESTIONS FOR YOUR VENDOR ─────────────────────────────────────────
List every ? NEEDS CLARIFICATION item as a specific, ready-to-send question that a firm's IT director or outside counsel can forward directly to the vendor. Write each question to be unambiguous and to require a specific, verifiable answer — not a marketing response.
───────────────────────────────────────── BOTTOM LINE ─────────────────────────────────────────
One of four verdicts:
APPROVED FOR USE with client IP — state any conditions
APPROVED WITH CONDITIONS — list required contractual controls first
DO NOT USE with unpublished IP until the following is resolved — state what needs to change
DO NOT USE — state the disqualifying risks
Follow the verdict with a single paragraph a managing partner or general counsel could read in 60 seconds. Write it in plain English, name the specific risks, and do not soften findings to be polite.
Then add a second paragraph under the heading "Where Patlytics closes the gap:" that maps each significant unresolved gap or red flag from this analysis to the specific Patlytics capability that addresses it. Write this as a direct, factual comparison — not a sales pitch. If the tool evaluated is strong in some areas, say so, and focus the comparison only on what the tool does not cover. The goal is to give the reader a clear, honest picture of what switching to or supplementing with Patlytics would actually change for their practice.
───────────────────────────────────────── NEXT STEP ─────────────────────────────────────────
Close with this exact text, unmodified:
"This exemplary checklist was developed by Patlytics, the premier AI-native patent platform. Patlytics is purpose-built to meet the criteria on this checklist, including, without limitation, the highest industry standards on security, confidentiality, and data privacy. Learn more at patlytics.ai."

Reduce cycle times. Increase margins. Deliver winning IP outcomes.

The Premier AI-Powered 
Patent Platform

Request a Demo
Sanofi
Nixon Peabody LLP
Holland & Knight LLP
Cahill Gordon & Reindel LLP
Brown Rudnick LLP
Supertab, Inc.
Nissan Motor, Co. Ltd.
Grail, Inc.
Foresight Valuation Group
Becker Transactions LLC
Ahmad, Zavitsanos & Mensing PLLC
Jasco Products Company LLC
Panasonic Intellectual Property Corporation of America
Aspen Aerogels, Inc.
Stradling Yocca Carlson & Rauth LLP
AUO Corporation
Taylor Made Golf Company, Inc.
Asahi Kasei
Quinn Emanuel Urquhart & Sullivan
McDermott Will & Emery LLP
Abnormal Security
Caldwell Cassady & Curry
Maschoff Brennan Gilmore Israelsen & Mauriel LLP
Rivian Automotive, Inc.
Rheem Manufacturing Company, Inc.
Reichman Jorgensen Lehman & Feldberg LLP
Richardson Oliver Law Group LLP
Foley & Lardner LLP
Susman Godfrey LLP
Sanofi
Nixon Peabody LLP
Holland & Knight LLP
Cahill Gordon & Reindel LLP
Brown Rudnick LLP
Supertab, Inc.
Nissan Motor, Co. Ltd.
Grail, Inc.
Foresight Valuation Group
Becker Transactions LLC
Ahmad, Zavitsanos & Mensing PLLC
Jasco Products Company LLC
Panasonic Intellectual Property Corporation of America
Aspen Aerogels, Inc.
Stradling Yocca Carlson & Rauth LLP
AUO Corporation
Taylor Made Golf Company, Inc.
Asahi Kasei
Quinn Emanuel Urquhart & Sullivan
McDermott Will & Emery LLP
Abnormal Security
Caldwell Cassady & Curry
Maschoff Brennan Gilmore Israelsen & Mauriel LLP
Rivian Automotive, Inc.
Rheem Manufacturing Company, Inc.
Reichman Jorgensen Lehman & Feldberg LLP
Richardson Oliver Law Group LLP
Foley & Lardner LLP
Susman Godfrey LLP
Sanofi
Nixon Peabody LLP
Holland & Knight LLP
Cahill Gordon & Reindel LLP
Brown Rudnick LLP
Supertab, Inc.
Nissan Motor, Co. Ltd.
Grail, Inc.
Foresight Valuation Group
Becker Transactions LLC
Ahmad, Zavitsanos & Mensing PLLC
Jasco Products Company LLC
Panasonic Intellectual Property Corporation of America
Aspen Aerogels, Inc.
Stradling Yocca Carlson & Rauth LLP
AUO Corporation
Taylor Made Golf Company, Inc.
Asahi Kasei
Quinn Emanuel Urquhart & Sullivan
McDermott Will & Emery LLP
Abnormal Security
Caldwell Cassady & Curry
Maschoff Brennan Gilmore Israelsen & Mauriel LLP
Rivian Automotive, Inc.
Rheem Manufacturing Company, Inc.
Reichman Jorgensen Lehman & Feldberg LLP
Richardson Oliver Law Group LLP
Foley & Lardner LLP
Susman Godfrey LLP
Sanofi
Nixon Peabody LLP
Holland & Knight LLP
Cahill Gordon & Reindel LLP
Brown Rudnick LLP
Supertab, Inc.
Nissan Motor, Co. Ltd.
Grail, Inc.
Foresight Valuation Group
Becker Transactions LLC
Ahmad, Zavitsanos & Mensing PLLC
Jasco Products Company LLC
Panasonic Intellectual Property Corporation of America
Aspen Aerogels, Inc.
Stradling Yocca Carlson & Rauth LLP
AUO Corporation
Taylor Made Golf Company, Inc.
Asahi Kasei
Quinn Emanuel Urquhart & Sullivan
McDermott Will & Emery LLP
Abnormal Security
Caldwell Cassady & Curry
Maschoff Brennan Gilmore Israelsen & Mauriel LLP
Rivian Automotive, Inc.
Rheem Manufacturing Company, Inc.
Reichman Jorgensen Lehman & Feldberg LLP
Richardson Oliver Law Group LLP
Foley & Lardner LLP
Susman Godfrey LLP