Problems & Challenges · 8 min read · 2026-04-10

Revenue Intelligence Data Security & Compliance: What PI Firms Should Know

Revenue Intelligence reads marketing and case metadata — not medical records or privileged work product. Here’s what that means for SOC 2, HIPAA, CCPA, and the ten questions every PI firm should ask a vendor before signing.


Personal injury law firms sit on some of the most sensitive data in the legal industry: medical records, settlement amounts, privileged attorney work product, and thousands of prospect intake records that include identifying information about injured people. When a firm evaluates a Revenue Intelligence platform, the natural first question is: what data does this thing touch, and how is it protected?

This post answers that question in practical terms. What data Revenue Intelligence actually reads, which compliance frameworks apply, what questions to ask any vendor before signing, and how to think about attorney-client privilege when a third-party platform sits between your marketing data and your case outcomes.

What Data Revenue Intelligence Actually Reads

The first clarification matters because it's often misunderstood: Revenue Intelligence does not read medical records, case file contents, or privileged work product. It reads the metadata around cases, not the cases themselves.

Specifically, Revenue Intelligence platforms ingest the following data categories:

  • Marketing spend data: ad platform spend by campaign, lead vendor invoices, LSA costs, pay-per-call fees. No PII.
  • Lead record metadata: source tag, date of lead, channel, matter type (auto, slip-and-fall, med mal, etc.), lead stage. Contact information is read only if the firm specifically authorizes it, and usually only for call-matching.
  • Case stage data: signed, in litigation, settled, withdrawn, rejected. Dates and status flags, not case file contents.
  • Settlement amounts: read from the case management system's financial fields if the firm opts in. Many firms choose to mask this or share only aggregate ranges.

The platform never reads medical records, attorney notes, client communications, or anything that would qualify as privileged work product. It connects to the case management system through the CMS's API, which typically exposes metadata fields but not the full case file.
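To make that metadata-only boundary concrete, here is an added example (not RevenueScale's code or any vendor's): a default-deny field projection that keeps the metadata categories listed above, applies the firm's opt-ins for contact information and settlement amounts, masks settlements into aggregate ranges, and drops privileged or unknown fields. Field names, range buckets and the sample record are constructed for illustration.

```python
from dataclasses import dataclass

# Field names are constructed for illustration; real CMS APIs name them differently.
ALWAYS_ALLOWED = {"case_id", "lead_source", "lead_date", "channel", "matter_type", "lead_stage", "case_stage"}
CONTACT_FIELDS = {"client_name", "client_phone", "client_email"}  # PII, opt-in only
SETTLEMENT_FIELD = "settlement_amount"                            # opt-in, maskable
# Privileged or PHI content is dropped unconditionally; there is no opt-in for it.
NEVER_ALLOWED = {"medical_records", "attorney_notes", "client_communications"}
# Aggregate ranges used when a firm shares settlements only as buckets (constructed).
SETTLEMENT_BUCKETS = ((0, 10_000, "<10k"), (10_000, 50_000, "10k-50k"),
                      (50_000, 250_000, "50k-250k"), (250_000, None, "250k+"))
@dataclass(frozen=True)
class FirmOptIns:
    share_contact_info: bool = False  # only if the firm authorizes call-matching
    share_settlement: bool = False    # whether settlement data leaves the CMS at all
    settlement_as_range: bool = True  # mask exact amounts into aggregate ranges
def bucket_settlement(amount):
    """Map an exact settlement amount to its aggregate range label."""
    for low, high, label in SETTLEMENT_BUCKETS:
        if low <= amount and (high is None or amount < high):
            return label
    raise ValueError("settlement amount cannot be negative")

def permitted_fields(opt_ins):
    """The complete set of outbound field names these opt-ins allow."""
    fields = set(ALWAYS_ALLOWED)
    if opt_ins.share_contact_info:
        fields |= CONTACT_FIELDS
    if opt_ins.share_settlement:
        fields.add("settlement_range" if opt_ins.settlement_as_range else SETTLEMENT_FIELD)
    return fields

def project_case_record(record, opt_ins):
    """Default-deny projection: keep metadata, apply opt-ins, drop everything else."""
    allowed, out = permitted_fields(opt_ins), {}
    for key, value in record.items():
        if key in NEVER_ALLOWED:
            continue
        if key == SETTLEMENT_FIELD and opt_ins.share_settlement and opt_ins.settlement_as_range:
            key, value = "settlement_range", bucket_settlement(value)
        if key in allowed:  # unknown CMS fields fall through and are dropped
            out[key] = value
    return out

# Constructed sample record, shaped like a CMS API response (not real client data).
SAMPLE_RECORD = {"case_id": "C-1001", "lead_source": "lsa", "lead_date": "2026-01-14",
                 "channel": "search", "matter_type": "auto", "lead_stage": "signed",
                 "case_stage": "settled", "client_name": "Jane Doe", "client_phone": "555-0100",
                 "settlement_amount": 85_000, "attorney_notes": "privileged",
                 "medical_records": "PHI", "cms_internal_flag": True}
```

Running `project_case_record(SAMPLE_RECORD, FirmOptIns())` yields only the seven metadata fields; enabling `share_settlement` adds `settlement_range` rather than the exact amount, and the privileged and unknown fields never leave the firm regardless of opt-ins.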

The Compliance Frameworks That Apply

Different frameworks apply to different parts of the data pipeline. The three that matter most for PI firms:

Compliance Frameworks for Revenue Intelligence at PI Firms

Framework                 | Applies To                                                      | What to Require
SOC 2 Type II             | All vendors handling firm data                                  | Annual audit report available on request
HIPAA (indirect)          | Med mal, nursing home, and any firm with direct provider intake | BAA available if the platform touches PHI-adjacent data
CCPA / CPRA (California)  | Any firm with California leads                                  | Documented data deletion workflow; DPA available
State Bar ethics rules    | Varies by jurisdiction                                          | Written data handling agreement; no unauthorized disclosure
Attorney-client privilege | Case file contents only (not metadata)                          | Vendor contract must disclaim access to privileged content

The framework that applies depends on the data type and the jurisdiction. Most PI firms need vendors that meet SOC 2 Type II at minimum, with HIPAA-adjacent handling for lead metadata tied to medical records.

The Questions Every PI Firm Should Ask Before Signing

These are the ten questions that separate vendors who take security seriously from vendors who don't. Ask all ten during evaluation.

  • Are you SOC 2 Type II certified? Can I see the most recent audit report under NDA?
  • Where is data stored and processed geographically? Is it all inside the US?
  • What encryption is used at rest and in transit? (Expected answer: AES-256 at rest, TLS 1.2+ in transit.)
  • Who at the vendor has access to customer data? Is access role-based and audit-logged?
  • Do you offer a BAA (Business Associate Agreement) for firms that handle HIPAA-adjacent data?
  • What is your data retention policy? How long is firm data kept after contract termination?
  • What is your breach notification process and timeline?
  • Do you use any customer data for machine learning or model training? Can customers opt out?
  • Can we export all of our data in machine-readable format if we decide to leave?
  • Do you have cyber liability insurance? What are the coverage limits?

A vendor that can answer all ten with a clean, documented response is taking security seriously. A vendor that dodges even one is telling you something.

Data Ownership and Portability

The single most important contractual clause in any Revenue Intelligence agreement is data ownership. The firm owns the data. Full stop. The vendor processes it, stores it, and delivers intelligence on top of it, but the raw marketing, intake, and settlement data remains property of the firm.

Related: exportability. A good vendor makes it easy to leave. Revenue Intelligence data should be exportable to CSV or via API at any time, including after contract termination. If a vendor won't commit to this in writing, treat it as a red flag.

What Good Looks Like: Vendor Security Baseline

  • SOC 2 Type II (annual audit): current audit report available under NDA during evaluation.
  • Encryption (AES-256 / TLS 1.2+): industry standard at rest and in transit.
  • US-based storage (100%): all customer data stored and processed inside US borders.
  • Data portability (full export): CSV or API export of all firm data on demand, including post-termination.

A Revenue Intelligence vendor worth buying meets all four of these baseline standards. Anything less is a warning sign.

The Privilege Question

Several state bar ethics opinions have addressed cloud-based legal technology, and the consensus is that firms can use third-party platforms for operational and business intelligence purposes as long as (a) reasonable security measures are in place, (b) the vendor does not access privileged content, and (c) a written agreement defines data handling obligations.

Revenue Intelligence is comfortably inside these boundaries because it operates on metadata, not privileged content. But the contract needs to say so explicitly. The vendor agreement should disclaim vendor access to case file contents, attorney work product, and client communications. Any reputable vendor will agree to this language because it protects them too.

A Practical Takeaway

For most PI firms, the compliance conversation around Revenue Intelligence is simpler than it initially sounds. The platform reads marketing and case metadata, not the case files themselves. The vendor needs to be SOC 2 Type II certified, US-based, and willing to sign a data handling agreement that disclaims access to privileged content. If all of that is in place, the platform is on solid ground both legally and operationally.

Skip the ten-question checklist and you're taking on risk you don't need to. Walk through it carefully and the platform becomes another secure piece of infrastructure in your firm's stack — like the case management system itself, which handles far more sensitive data and which every firm already trusts.

Related guide: For the full evaluation framework, including the Three Enemies of Revenue Intelligence and the buyer's checklist, see Revenue Intelligence for Personal Injury Law Firms: The Definitive Guide.
