
Legal Advisor Pro

Battle-tested specialist agent for legal, documentation, and compliance work. Includes structured workflows, validation checks, and reusable patterns for business marketing.

AgentCliptics · business marketing · v1.0.0 · MIT


An autonomous agent that provides legal guidance for technology companies — reviewing contracts, advising on compliance frameworks (GDPR, SOC 2, HIPAA), drafting privacy policies, and identifying legal risks in product decisions.

When to Use This Agent

Choose Legal Advisor Pro when:

  • You need to review or draft technology contracts (SaaS agreements, NDAs, DPAs)
  • You want compliance guidance for GDPR, CCPA, SOC 2, or HIPAA requirements
  • You need a privacy policy or terms of service drafted or reviewed
  • Product decisions have legal implications (data handling, AI usage, user consent)

Consider alternatives when:

  • You need binding legal advice for specific situations (consult a licensed attorney)
  • You need tax or accounting guidance (use a financial advisor)
  • You need HR or employment law guidance (use an HR specialist)

Quick Start

# .claude/agents/legal-advisor.yml
name: legal-advisor-pro
description: Provide legal guidance for technology companies
agent_prompt: |
  You are a Legal Advisor for tech companies. Provide guidance on:
  1. Contract review and risk identification
  2. Privacy and data protection compliance
  3. Terms of service and privacy policy drafting
  4. Regulatory compliance frameworks
  5. Intellectual property considerations
  6. AI and data usage legal implications

  IMPORTANT: Always include the disclaimer that this is informational guidance,
  not legal advice, and recommend consulting a licensed attorney for binding
  decisions. Focus on identifying risks and providing actionable recommendations.

Example invocation:

claude "Review our SaaS agreement template and flag any risky clauses for a B2B enterprise customer"

Sample review output:

Contract Review — SaaS Agreement Template
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

āš ļø This is informational guidance, not legal advice.
Consult a licensed attorney before finalizing agreements.

Findings: 2 High Risk, 3 Medium Risk, 2 Low Risk

[HIGH] Section 8.2: Unlimited liability for data breaches
  Current: "Provider shall be liable for all damages..."
  Risk: Uncapped liability exposure for data incidents
  Recommendation: Cap liability at 12 months of fees paid,
  carve out exceptions for willful misconduct and IP infringement

[HIGH] Section 12.1: No data portability clause
  Risk: Enterprise customers will push back; may violate GDPR Art. 20
  Recommendation: Add data export in standard format within 30 days
  of termination, with 90-day data retention post-termination

[MEDIUM] Section 5.3: Auto-renewal without notice
  Risk: Customers may challenge enforceability in some jurisdictions
  Recommendation: Add 30-day renewal notice requirement

[MEDIUM] Section 9.1: Broad IP assignment clause
  Current: "All customizations become Provider's IP"
  Risk: Enterprise customers will object; may include their proprietary logic
  Recommendation: Narrow to platform improvements only; customer
  retains IP in their configurations and data

Core Concepts

Compliance Framework Overview

Framework    Scope                   Key Requirements                                 Applicability
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
GDPR         EU personal data        Consent, data rights, DPA, breach notification   Any EU users
CCPA/CPRA    California consumers    Disclosure, opt-out, deletion rights             CA consumers
SOC 2        Service organizations   Security, availability, confidentiality          Enterprise SaaS
HIPAA        Health information      PHI protection, BAA, security safeguards         Healthcare
PCI DSS      Payment card data       Encryption, access control, monitoring           Payment processing

Contract Risk Assessment Matrix

Risk Level   Description                    Action
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CRITICAL     Unlimited liability, no         Revise before
             indemnification cap             signing

HIGH         Missing data protection         Negotiate
             clauses, broad IP assignment     changes

MEDIUM       Auto-renewal without notice,    Flag for
             restrictive non-compete          awareness

LOW          Minor formatting issues,        Note for
             unclear definitions              future revision

INFO         Best practice suggestions,      Consider for
             optional additions               next version

Privacy Policy Requirements

Required Sections (GDPR + CCPA Compliant)

  1. Data Controller Identity
     - Company name, address, contact
     - Data Protection Officer (if applicable)

  2. Data Collected
     - Categories of personal data
     - Sources of data
     - Purpose for each data category
     - Legal basis for processing (GDPR)

  3. Data Usage
     - How data is processed
     - Automated decision-making disclosure
     - Profiling activities

  4. Data Sharing
     - Third-party recipients
     - International transfers
     - Safeguards for transfers

  5. Data Rights
     - Access, rectification, deletion
     - Portability, restriction, objection
     - How to exercise rights
     - Response timeframe (30 days GDPR)

  6. Data Retention
     - Retention periods by data type
     - Criteria for determining retention
     - Deletion procedures

  7. Security Measures
     - Technical safeguards
     - Organizational measures
     - Breach notification procedures

  8. Cookies and Tracking
     - Types of cookies used
     - Purpose of each cookie
     - Opt-out mechanisms

  9. Children's Privacy
     - Age restrictions
     - Parental consent mechanisms (if applicable)

  10. Changes to Policy
     - Notification procedures
     - Effective date

Configuration

Option              Type       Default            Description
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
jurisdictions       string[]   ["us", "eu"]       Applicable legal jurisdictions
frameworks          string[]   ["gdpr", "ccpa"]   Compliance frameworks
contractType        string     "saas"             Contract type: saas, nda, dpa, terms
riskTolerance       string     "moderate"         Risk tolerance: conservative, moderate, aggressive
includeDisclaimer   boolean    true               Always include legal disclaimer
generateChecklist   boolean    true               Output compliance checklist

Best Practices

  1. Always include a liability cap in SaaS agreements — Uncapped liability exposes your company to unlimited financial risk. Standard practice is to cap total liability at 12 months of fees paid, with carve-outs for willful misconduct, IP infringement, and data breaches. Enterprise customers will negotiate the cap amount, but having one is non-negotiable.

  2. Draft privacy policies for your actual data practices — Do not copy a generic privacy policy template. Map your actual data flows (what you collect, why, who you share with, how long you keep it) and write the policy to match reality. A privacy policy that does not match your practices is both legally risky and trust-damaging.

  3. Implement Data Processing Agreements before they are requested — Enterprise customers will require a DPA before signing. Have a pre-approved DPA template ready that covers GDPR Article 28 requirements. Offering it proactively shows maturity and speeds up the sales cycle.

  4. Version and date every legal document — Every contract, policy, and terms update should have a version number and effective date. Maintain an archive of all previous versions. This is essential for demonstrating compliance and resolving disputes about which terms were in effect at a given time.

  5. Review AI usage for legal implications early — Using AI to make decisions about people (hiring, lending, content moderation) creates legal obligations under the EU AI Act, EEOC guidelines, and state-level AI laws. Review AI usage for bias, transparency, and consent requirements before deployment, not after a complaint.

Common Issues

Enterprise customers demand contract changes your legal team has not approved — The sales team agrees to custom contract terms that have not been reviewed by legal, creating risk. Create a pre-approved negotiation playbook with acceptable ranges for key terms (liability cap, SLA, data handling). Sales can negotiate within the playbook without legal review for each deal.

Privacy policy does not reflect new features — A new feature collects analytics data, but the privacy policy still says "we do not track user behavior." Update the privacy policy review process: every feature that touches user data should trigger a privacy policy review before launch. Add a privacy impact assessment to the feature development checklist.

GDPR data subject requests have no process — A user exercises their "right to be forgotten," but no one knows how to delete their data across all systems. Build a data subject request process: documented steps for data access, export, and deletion across all systems (database, backups, third-party integrations, analytics). Test the process quarterly to ensure it works end-to-end.
