Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:21

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:35

Hi, I’m Justin Daniels. I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cyber security risk, and when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:57

This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Well, hi, I hear you have something interesting to tell me. Yes.

Justin Daniels 1:34

So for our listeners, humor. It’s getting hot in Atlanta, so when it transitions to spring, we have some uninvited ant-like guests, and all the lady Daniels are scurrying for cover, and I’ve been tasked with eradicating this latest code red threat.

Jodi Daniels 1:52

Bugs should live outside my home, nowhere inside my home. They want to live fine. They can go outside, not inside, not in my kitchen, not where I cook, but not nowhere, just nowhere. They should just not be inside my house. I don’t — we’re gonna move on, because this is already upsetting me. I don’t do but it’s okay. I’m happy on the Goodyear Blimp that explains this. This is why I have Asheville.

Justin Daniels 2:17

This is why I have full time employment, because I’m willing to terminate pests with extreme prejudice, yes, but now we’re going to turn about, we’re going to talk about some really cool tools for AI in the legal space. So today we have the dynamic duo with us. So we have Farah Gasmi and we have Laurie Ehrlich. Farah Gasmi is the CPO of Dioptra, the accurate and customizable AI agent that drafts playbooks and consistently redlines contracts in Microsoft Word. Dioptra is trusted by some of the most innovative teams, like Y Combinator and Wilson Sonsini. Laurie Ehrlich is the Chief Legal Officer of Dioptra, a cutting-edge legal tech startup revolutionizing contract redlining and playbook generation with AI, with a background leading legal operations and commercial contracting at Datadog and Cognizant. Laurie has deep expertise in scaling legal functions to drive business impact. Welcome, Dynamic Duo.

Farah Gasmi 3:19

Thank you for having thanks for having us.

Jodi Daniels 3:21

Fancy with dynamic duo.

Justin Daniels 3:24

Well, I had to prompt ChatGPT up here, and that’s what it came up with. Good job.

Laurie Ehrlich 3:33

Yes, I actually have thought about Farah as kind of the wonder woman in my life. When I, you know, when I was thinking about joining it was, it was her, yeah, superhero-ness that made me want to join.

Jodi Daniels 3:45

So let’s talk a little bit about background and how you got to where you are today. We always like to understand that career journey. Farah, why don’t we start with you?

Farah Gasmi 3:52

Yes, absolutely. So I like to start with saying not a lawyer. I am in the legal tech space, but I’m not a lawyer. I have been building AI products for the past decade across a different number of industries and use cases, some more regulated, some less regulated. And when we started the company, we decided actually to focus on AI applications. So the goal was not originally to focus on the legal space. The goal was really to help teams build more accurate AI systems. And then in parallel, I also started teaching at Columbia, at the Business School, an AI product management class. And so there’s been a lot of work that I did in my career around the product space and then the AI applications. So when we started the company, this is a kind of an anecdote that I like to tell. We started working with a lot of the big enterprises, Fortune 100, and we were helping them build more accurate systems. So think about, you know, autonomous driving or asset protection and things like that. And the consistent feedback was, yes, I would love to have a more, you know, sophisticated, or, like, accurate system, but also, this is my secret sauce, right? And so they were, like, not so much interested in a software, but mostly interested in consulting. And so we got offers to be hired from every single one of those Fortune 100 companies. That’s when we realized that we were actually going to use our own tech know-how to focus on one application and one use case. And then the contract space came up for a few different reasons. Some of the pain points that we were feeling ourselves and like product feedback that we had from the Y Combinator community of founders, that seemed to be a big enough pain point for a lot of those business owners, and that’s how we got into the legal space specifically.

Jodi Daniels 5:52

Laurie, what is your path?

Laurie Ehrlich 5:55

Well, I am a lawyer 25 years. I mean, 20 years plus experience. I started in IP litigation, and then moved over to IP transactional and then to outsourcing contracts. And I really learned the nitty gritty of contracting when I was at Cognizant, and I was the Chief Counsel of our insurance vertical, and spent 85% of my time negotiating contracts. And outsourcing contracts are very complex contracts. And we had a playbook. We had a 300-page playbook to use to review these outsourcing agreements. And I thought, can’t we automate this, not the negotiation? Because that was about really understanding the, you know, the business drivers that the customer needed and that we needed to make a profit, and how could we work together, and how could we collaborate? And it was a very, you know, fun and interesting ways of figuring out how to make the deals work. But that initial turn of the 100-plus page customer paper that was based on our 300-page playbook, I thought, these are rules. Can’t we automate? But we weren’t there yet. But I was already thinking, like, how can we do things smarter, instead of just doing the same grind, day in and day out? And so I jumped from being the commercial, the chief counsel for our insurance vertical into running our legal ops department, and created, did lots of KM, sorry, knowledge management, and did lots of process optimization, and really enjoyed it, but I missed being part of those business discussions, what was actually really driving the business, and so I moved to Datadog, where I could combine my process optimization passion with being close to the business and optimizing our contracting for the company. And while I was there, generative AI became a thing, and I thought, Oh, this is it. This is, like, how we’re going to really have efficiency in contracting. Because with traditional AI, with machine learning, the variety of language and contracts just doesn’t lend itself to any form of automation. 
Because everybody says, you know, I think I would talk to one of the document management companies that told me that they found that there were 600 different ways of saying the same governing law clause. So not great for machine learning, but generative AI can handle that. And so, you know, Dioptra was actually one of the tools that I was looking at when I was at Datadog to try to find ways to speed the processing of customer paper agreements. Because even though they were a small percentage of our work, they were a huge percentage of our time spent reviewing contracts, and I wanted to make that faster. But I decided I was going to leave Datadog because I wanted to, you know, when you’re in a largish public company, I mean, it’s not huge. Cognizant was 300,000; Datadog was only 6,000, so much smaller. But still, the legal department is not in the center of things. And I wanted to be more in the center of things, so I was looking for more of a leadership role than the Chief Commercial Counsel role I was in. And so I put myself out there, which I never do, on LinkedIn, and said, Hey, I’m open to work, and Farah reached out to me. She said, We, you know, we like talking with you. We feel like you have a lot of, you know, that combination of technical and process knowledge with the legal expertise, and we’re looking for someone who can do that with us, and you want to join? And I was like, Oh, I never thought about going to, like, a small startup. This is, like I said, you know, big law, big public company, slightly smaller public company. And here I was with this opportunity, and I thought, I’m scared, but I’m gonna go for it, and it’s been great because I get to again marry my contracting expertise with my love for process optimization and just making that, like, I’m always on this quest for how can we be more efficient, and how can we drive the world to efficiency in contracting, because I really believe that if we are all faster at contracts, then the whole world just makes more money.

Jodi Daniels 10:07

I like that. We all make more money.

Justin Daniels 10:09

Well, but you have a complete cost savings for your contract.

Jodi Daniels 10:15

Still even making more money, indeed.

Justin Daniels 10:18

So let’s talk about what problem is Dioptra trying to solve at the end of the day? I know it well, but can you articulate that for our audience?

Laurie Ehrlich 10:28

So like I said, for me, it started with third-party paper. The problem of it takes a long time to review a third-party form because it is not your language. You’re not used to it. You have to figure out, how does it align with your current language, or your playbook, and there’s almost always something novel that you’ve never seen before. And so I think one of the problems that it solves is just like being able to do that initial review much faster. And then the other thing that I personally was trying to solve when I was at Datadog was, how do I get rid of the contracts that don’t matter? Not get rid of them for the company, but how do I get them off of legal’s plate, right? Does our legal team really need to review the $2,000 restaurant contract? Is there something in there that’s going to destroy our company, that it rises to the level that someone who costs, you know, even, you know, anything over $100,000 a year should be spending two minutes on? And so, you know, we were using checklists and giving them to the business teams to try to follow. But I don’t really trust business stakeholders to bother reading it, because to them, it’s also not that important. But a tool like Dioptra can, whether it’s your paper or counterparty paper, if it’s something that’s not very important, but you still want to make sure it’s kind of the t’s are crossed, the i’s are dotted, and there’s nothing wonky in it, a tool like Dioptra can allow you to stratify your contracts and not worry about that kind of non-strategic level of contracting. But what I discovered as I was doing this is that the area that people really need a lot of help is the strategic aspect of contracting. What should actually be redlined, what do we care about? And most teams, which is shocking to me, most teams don’t actually have playbooks. And so what we started building, and what’s now available, is our tool can actually generate playbooks. 
And what that does is it allows you to see what you’ve done in the past and make strategic decisions of, do I want this or do I not want this? And one of the things that I really love in the kind of privacy security space is, you know, contracts are not legal documents, right? They’re business documents, and they touch many different teams: finance, security, privacy, sales, marketing. There’s many, many different teams, delivery teams, Customer Success teams, that have a stake in what’s in that contract. And a lot of times the playbooks are just kind of legal, because legal knows what legal wants to do, but because we can surface everything on the contract, if we’re looking at redlines, that first redline that goes to the customer, that includes privacy and security, includes finance, etc., we see what we were able to extract, whatever their teams are doing about the contracts, and really have structured conversations now with those counterparty teams and say, like, you’re doing this here and this here and this there, and what do you really want? What really matters to our company? And I think that the more we can empower those kinds of strategic level conversations, the stronger we’ll be in terms of creating kind of a homogeneous strategy for the company. So yeah.

Farah Gasmi 13:50

And I think just one thing to add to that, the fact that people think strategically about what is important when negotiating a contract also gives a lens for review in what can you accept? What can you not accept? But also even past execution, like, what, how well have we done in the last 3, 4, 5 years with our contracts? Right? That wasn’t even possible in the past, but now it’s becoming possible, because you have formalized that strategic view about what is important to you, and so that’s something that we get constant requests from our customers, which is, can we now apply that same playbook, but instead of redlining just to assess what we have done in the past from a risk management perspective? And that’s been very powerful for our customers. It’s been very compelling for them to be able to do that, and valuable for them to be able to do that.

Laurie Ehrlich 14:43

And it’s a great way of, I mean, I think post obligation management, like, AI has broken open the ability to extract value from your contracts. Before, it was just, there was, you know, who had time to look at every contract to see what had been agreed to? But now that you can do it at scale, you can really, you know, you can make sure that you’re really doing those vendor security reviews on whatever time frame and whatever scope is permitted under the contract. And you can automate the kickoff of that with, you know, the combination of the extraction plus automated workflows and know, like, oh, you know, we have a change in security, who’s on what security terms? How do you know which contracts need amendments and which contracts don’t need amendments? And now, with generative AI, the ability to extract those prior positions, you really, like, you can know what needs to be done and what can be done.

Jodi Daniels 15:37

Farah, you were mentioning risk management, and a big part of risk management is evaluating vendors for any use case, including yourselves. And privacy and security are a big part of that, which I imagine are parts of the questions that you’re often receiving. So how have you built the tool to manage security? Right? You’re going to have a lot of confidential information that is being entered and stored in read, yeah?

Farah Gasmi 16:04

That’s a very good question, the question I get every single day. So there are different layers of security processes that we have implemented. The first thing, which I think is the most important for our clients, is we are not training on our customers’ data, right? That’s very important, because that goes hand in hand with the privacy aspect that you mentioned, Jodi, right? And so we don’t train on our customers’ data, which means that they are not going to see their contract reappear when somebody else asks a certain prompt, and we have very strong relationships and agreements with our LLM providers. So whether it is OpenAI, or whether it is Anthropic, we have agreements with them to be able to, you know, guarantee that they’re not going to be using our data that we send to them for training their own models. They don’t even store that data. They’re not able to retain or store that data at all, which is very important, when you think about it, when you’re working, which is the case for us, with law firms, big law or big enterprises, right? It’s extremely important for them to be doing that. That’s kind of from a contractual perspective, or, like, from our obligations perspective. And then there’s more technical or engineering solutions or things that we have implemented. First of all, our customers can bring in their own models, right? So if they have their own OpenAI model that they want to set up, they can do that. Same thing with other types of model providers. And then the second thing is the self-hosted. So for our customers that want to be able to do that, we do provide a self-hosted solution for them so that they can fully have the whole software on their prem. And then we are SOC 2 Type 2 compliant. There’s all the certifications we own. We go through a lot of pen tests on a regular basis. And there’s a bunch of, you know, more engineering best practices in terms of building the product.

Jodi Daniels 18:13

Well, thank you for sharing. I can imagine you’ll get those questions continuously as every day more and more regulations and laws requiring that, and it’s becoming more important as people are evaluating all their third parties.

Justin Daniels 18:28

And if you’re not sound you should. So I was wondering if you could talk to us a little bit like I remember when we were talking to you and learning more about the tool, you know, particular clauses. So one of the things I thought was interesting about your tool is, if I have a limitation of liability clause for a cybersecurity breach, and what the indemnity looks like, or what are the kinds of damages, talk a little bit about how your tool can say, look at that clause, or with a playbook, or maybe suggest other language, because it’s a really cool feature, because you can not only tell me, Hey, this is a problem, but you can say, you can also say, hey, let’s suggest some language that you can consider and maybe buff up a little bit, but you do that.

Farah Gasmi 19:11

Yeah, absolutely. So that’s part of, you know, when we think about building the playbook for customers, the first step is always, always starting from what they do today, right? Because that is representative of their risk appetite, that is representative of how they negotiate contracts and so on and so forth. So typically, we ask our customers to give us a set of precedents that the AI should, quote, unquote, learn from, right? And they can enrich that, or they can also provide, you know, sometimes they have checklists, sometimes they have the starting point of the playbook, right? And so what our AI agent does, it goes to those contracts and finds patterns. It finds the types of provisions you typically accept, the types of positions you don’t typically accept, your standard language. So it’s often the same language that is reused again and again and again, right? And it uses all of that to build that playbook, right? And then going back to that example that you were referring to, Justin, the AI will learn that, you know, liability for data breach should not be unlimited, right? And this is how you typically cap it in your precedent, or like the past agreements, and then you leverage the exact same language as much as possible, but while also adapting to the language that is in the contract. Because I think that’s very important, right? When lawyers are reviewing contracts, and this is me, kind of from an outside perspective, looking at what lawyers are doing, right, they really use that preferred language, but also adapt it to the existing language, because you don’t want to have this rip and replacing kind of experience that is very counterproductive. And so the AI kind of learns from those stylistic changes that humans are doing. And so all of that is what we use to instruct our AI agent to redline according to what is already being done.

Laurie Ehrlich 21:10

And then we surface for our users, because we think it’s important, the AI’s actual reasoning. So why did the AI change it? It will, you know, something like this, where you might have the security requirements in one section, and insurance in a different section, and indemnity in one section. Liability, the agent is looking across all of the sections of the contract, and then will see how they relate and be able to explain, well, you know, this change is being made, because the rule says this, and if you look at this section, this section that results in this.

Justin Daniels 21:41

Yeah, I think for the I was going to say the for the benefit of our audience, what’s really cool about your tool is, if you have a clause that’s written a certain way, the AI tool will help you figure out, hey, if you want to write it this way, we’ll conform it so it’s consistent with the other terms in your agreement. Because I’ve read plenty of agreements where they’ll make a change to a section and doesn’t realize how it ripples through five other sections and then the terms are inconsistent. But that’s another area where the AI can help you. Because what you know, I realize is, if I’m on an M&A deal, and it’s late at night and you have to go through a 200-page document, this is where AI can really help you. Because, look, we’re human. Sometimes we get tired. There’s a lot of stress and pressure, and the AI really gives you that baseline understanding of, hey, here’s the laundry list of issues, and you’re starting from a better benchmark than things that you might have missed.

Laurie Ehrlich 22:33

Yeah, I think one of the benefits of AI as a starting place lining is that consistency, not just for you and your fatigue at that moment or the volume on your plate at that moment, but also consistency across the company. Because ideally, you don’t really just want all of Laurie’s contracts to say one thing and all of Justin’s contracts to say something different when they’re representing the same entity. You want the entity’s contracts to be consistent regardless of who the reviewer is.

Jodi Daniels 23:00

I’m curious, some of the different use cases that you’ve been seeing so far you had kind of started with, you know, really large companies, but then at the same time, right? Y Combinator are going to be smaller companies. So it feels like this is a solution for any size company. And I was curious if maybe you can share maybe a case study that you have from an organization where they’ve really been able to do more. Laurie, you were talking about being able to pull out additional value from contracts, so anything that you can offer just to kind of try and help paint the picture a little bit further for folks.

Farah Gasmi 23:36

Yeah. So we have a few different kind of common usage patterns, right? So we see a lot of our customers working on the sell side, right? So they have, typically, if they sell in SaaS, they typically have the MSA, or, like the software with a SaaS agreement, they have their DPA. So it’s talking about securities, a common type of contract that we review often with our software, meaning NDAs, and so that kind of sell side of types of contracts is usually kind of a very common set of contracts that get negotiated. And then that’s one thing that we see often, and then I’ll give you another example. So we are working with a law firm, and they’re doing a lot of real estate agreements where they’re representing commercial entities, and that tends to be very long contracts. We’re talking about 100-plus contracts, sometimes close to 200 contracts. And like you said, Justin, it takes a significant amount of time, and, you know, focus to be able to review that. And so we’re helping them where the AI and those are mostly on their counterparty papers as well, like it’s not the paper that they’re familiar with, which makes it even more complicated. And so the way they use our agent is the agent will take a first pass at reviewing the whole contract. And, like you said, because AI doesn’t, like, machines don’t get tired, they tend to be very consistent in the way they’re doing that. Or I should say, we’ve made it so that it’s fairly consistent in the way it does the reviews, right, to be able to achieve those accuracy numbers that we’re describing, of like, when we’re talking about 90-plus percent accuracy, there’s a lot of engineering work that we’re doing in the back end to achieve that consistency. And so out of that, you know, 100-plus pages, um, the AI is saving the teams more than 50% of the time in reviewing that, right? They’re describing 60%, 70% of time saving on that specific contract, which is huge, right? 
Because they are now fairly confident that the AI picked up on the most common things, and they can start from an already revised version and feel comfortable that they’d be able to add on top of that, right? And so it’s just one of the examples that we see with our customers.

Jodi Daniels 26:08

It was really helpful. And Farah, I like how you said that then someone can start from a certain place. It didn’t completely replace the human and the knowledge that they have. And I feel like I hear many people hoping that’s where it’s going to go. The human is still really important. The years of knowledge, the experience, and you’ve taken, you’ve made it just simpler to have a better starting point.

Laurie Ehrlich 26:39

Absolutely, I think the other thing it does is it, like, one of the biggest time sucks for a lawyer is that task switching, like, every time you go from one thing to another thing, there is a cost in jumping from task to task, and it’s hard, I think, in this day and age, to just focus on one thing until it’s done, because there’s this email that comes in and this person walks into your office. And so, because the AI is doing that first pass, and because the playbook is integrated and the clause library is integrated into the review, the person reviewing it has a starting place and has all of the information that they need in order to complete their review, right there with the document. They don’t have to go find another document to do it, or look through an email chain or past precedents to find what they’re looking for.

Justin Daniels 27:24

Well, we always like to ask our guests is, do each one of you have a security tip that you might like to share with our audience?

Laurie Ehrlich 27:34

I have a really basic one, which is, anytime you do the setup for a new something that you’re using, check the configurations and make sure that you’re configuring it to close the door on things that you don’t want, like, so for example, training on data. And most companies, there’s a way to toggle the switch off so that they’re not training on your data. So I just always check the settings.

Farah Gasmi 28:00

Yeah, so for me, it’s just having worked with data for the past 10 years, because I’ve been building AI tools for the past 10 years, and in industries like healthcare or pharma or, you know, insurance, which are heavily regulated, something that I kind of got in the habit of doing is really start from the data. What can you do with the data? What can you not do with the data? And understanding that helps you build the right product with the right security patterns in that architecture, right? And so for us, it was absolutely critical not to have to train on our customers’ data. We understood that day one, right? And so we architected our whole solution to be able to do that. We’re like, nobody wants anybody to use their data for training purposes. How can we architect our solution to be able to do that, and hence enhance the playbook experience now, because instead of having to train, we’re giving instructions to the AI, right? And so I think, like, when we’re building AI systems, starting from the data is always my recommendation for product managers or engineering teams, because that is so fundamental and drives what you can and cannot do in the future.

Jodi Daniels 29:17

Now, when you are not building playbooks and AI agents, what do you like to do for fun?

Laurie Ehrlich 29:23

Two people with very young children? When I had a life, I did partner dancing.

Jodi Daniels 29:33

Tell us a little bit more about that.

Laurie Ehrlich 29:35

So I did mostly west coast swing and some fusion dancing. And what I like about both of those styles is that the focus is about connection. It’s connecting with your partner, it’s connecting with the music. And then when that connection is solid, then there’s a lot of room for creative exploration within those dance styles.

Jodi Daniels 29:58

Very fascinating. Yeah. Farah, what about you?

Farah Gasmi 30:04

Yeah, so doing a startup and being one of the founders takes pretty much all your time. That with having two kids and a three the one thing that didn’t I didn’t give up, was teaching. I’ve been teaching at Columbia for a number of years, and I just really love being in those classrooms with the students for a few reasons. It’s really a moment of exchange with the students, like it’s not about kind of just the curriculum, it’s about the that exchange moment, like they have ideas, they bring in those ideas we’re discussing and debating those ideas in a very kind of constructive way, but also like curious curiosity, right? And I love that. And every single time I teach one semester per year, and every single time I finish that class, I’m like, it’s a, it’s a, it’s a lot of fresh air, right? I’m like, so refreshed because I’m stepping back from my day to day, and it puts everything in perspective. It’s like, Oh, I forgot. It’s going back to the fundamentals a little bit, right? So you’re going back to the fundamentals. It’s like, what am I doing? Am I actually doing what I should be doing? And it’s been, I’ve loved it, and I keep enjoying it very much.

Jodi Daniels 31:23

I enjoy teaching as well, and it’s always one of those. I think anytime you’re teaching anything, it’s when you’re really crystallizing it for yourself. My daughter as a project in school, they had to film basically teaching how they would do a certain math problem, and it was brilliant, because she thinks she’s just creating a video, but actually she’s emphasizing No. Here’s actually how you do whatever the math problem steps are. So excellent, absolutely. If people would like to connect with both of you and learn more about the company, where could they go?

Farah Gasmi 31:58

Our website, Dioptra.ai. There’s a lot of information there. They can schedule time with folks from the team to learn more about the product. There’s some content also that we publish on our blog, so I think it’s a great starting point.

Jodi Daniels 32:14

Excellent. Laurie, where might they be able to connect with you?

Laurie Ehrlich 32:19

I’m on LinkedIn every day, so they can find me there, or laurie@dioptra.ai.

Jodi Daniels 32:24

Amazing. Well, thank you both. Justin any closing thoughts?

Justin Daniels 32:29

I think they are, I think they are solving a very important problem for people like me.

Jodi Daniels 32:36

Amazing. Well, thank you again. We appreciate it. Thank you so much. 

Outro 32:44

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
