Legal automation

How Law Firms Can Use Claude Code and Clio Without Getting Disbarred

Every way to connect Claude Code to Clio has a security problem. Zapier sends your data through their servers. Unofficial MCP servers can steal your credentials. I built an open-source CLI that connects directly, redacts client PII by default, and lets you verify every line of code before you run it.


I have my Claude Code connected to HubSpot, my project management software, Gmail, Slack, Google Calendar. It connects to all of those things, and it's pretty cool.

So when a good friend of mine who runs a law firm wanted the same thing with Clio, I figured it would be straightforward. Claude for lawyers is exploding right now, so connecting it to his practice management system seemed like a natural next step. It wasn't straightforward at all. Every option I looked at had a security problem that should make any lawyer nervous.

Clio doesn't have an official way to connect to Claude Code. No official connector, no official MCP server. So I started looking at what's available. Every single one had a problem.

Connectors like Zapier and n8n are a paid middleman your data doesn't need

You can connect Zapier or n8n to Clio. It works. But now there's a third party sitting between your AI and your practice management data.

Your data goes from Clio through Zapier (or n8n), then to Claude Code, then back through the same chain. That's a lot of stops. Every stop is a server that has access to your client data. And none of it is redacted. Client names, client emails, potentially Social Security numbers, all of it passes through in plain text.

It's slower and more complicated to set up than it should be. And you're paying for the privilege of adding a middleman. Zapier isn't cheap once you're doing real volume.

With a command line tool, the data goes from Clio straight to your machine. That's it. No middleman. No extra cost. Faster and more reliable.

Unofficial MCP servers are the biggest risk nobody talks about

MCP servers are the thing in vogue right now. They're connectors that let AI tools talk to external services. Sounds great.

The problem: Clio doesn't have an official one.

So you're left with unofficial servers built by individual developers, not by Clio. Such a server could literally grab your credentials and have access to your Clio account. That's not a theoretical risk. There have been cases where people started using an MCP and got their credentials stolen.

And even if the code looks fine on GitHub, that doesn't mean the server you're connecting to runs the same code. You're taking a big leap with no way to verify it.

Beyond the security problem, MCPs have a performance problem. They pollute the context window, which means more chances of errors, lower performance, and potential hallucinations. Lots of people are moving away from MCPs and using command line tools instead, because AI navigates them faster and more reliably.

A command line tool is a direct connection you can actually verify

I decided to build a command line tool so my friend could actually use Claude Code with Clio safely. It's open source. You can look at the code. You can have an AI look at the code and tell you whether it's safe, leaks your credentials, or if you're in trouble when you use it.

You can literally verify that, because the code is there.

You install it on your machine, and then you have a direct connection to your Clio account. No Zapier, no MCP server, no extra third parties handling your data along the way.

Your AI has been proven to work just as well with a command line as with an MCP, and in many cases faster. It's free. And no extra third parties are involved.

To be clear: when you use Claude Code with the CLI, the AI does see your data. It has to, so it can actually help you analyze everything. That data lives on your local machine and on the AI provider's servers at the same time. That's just how AI tools work.

Two things matter on the AI side. Which Anthropic plan you're on determines whether they can train on your data — there's a full section on that below, and for a law firm it's not optional reading. The CLI handles the other part by default: it strips client PII before the data ever reaches the AI.

The comparison, simplified

| | Zapier / n8n | Unofficial MCP server | Clio Manage CLI |
| --- | --- | --- | --- |
| Does data go straight from Clio to you? | No. Goes through their servers first. | Runs locally, but unvetted code handles it. | Yes. Clio to your machine, directly. |
| Is client data redacted? | No. Names, emails, SSNs pass through in plain text. | No. | Yes. PII stripped by default before the AI sees it. |
| Can you audit the source code? | No. Proprietary. | Maybe. But the server might not run the same code as the repo. | Yes. Open source, Apache 2.0. |
| Cost? | Paid. Gets expensive at volume. | Free, but risky. | Free. |
| AI performance? | Slower. Extra hops through third-party servers. | Pollutes the context window. More errors, potential hallucinations. | Direct connection. Fast. Reliable. |
| Official Clio support? | Zapier has a Clio integration. | No official Clio MCP exists. | Built on Clio's official API. |

Client names get stripped before the AI ever sees them

This is the part that matters for attorney-client privilege.

The CLI redacts personally identifiable information by default, before the data reaches Claude Code. Everything gets replaced with placeholders like [REDACTED_NAME] before the AI processes anything.

What gets redacted every time (structured fields)

  • Client names (first name, last name, full name) from contacts, matters, and related records
  • Email addresses (primary, secondary, Clio Connect emails)
  • Phone numbers (primary, secondary)
  • Social Security numbers (detected by pattern)
  • Tax IDs (detected by pattern)
  • Client names embedded in matter labels (like "Smith v. Jones")

These are pulled directly from Clio's structured data fields. They get caught reliably.

Where you need to be more careful (free text fields)

  • Notes, descriptions, messages, document summaries, and other free text. The CLI scans these for names, emails, phone numbers, and SSNs using pattern matching and heuristic name detection. It catches most of it, but if someone typed a client name in an unusual way or buried it in a sentence, it might slip through.

It's smart about what NOT to redact too. Your staff names (the responsible attorney, whoever created a record, the assignee) stay visible. Only client PII gets stripped.

Each type of Clio data has its own redaction policy: contacts, calendar entries, communications, notes, documents. They're each tailored to how that specific data is structured.

The bottom line: structured client data (names, emails, phones, SSNs) is reliably redacted. Free text fields are best effort. If you're working with sensitive notes or messages, understand how the redaction works so you know what's covered and what to watch for.
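To make the redaction policy above concrete, here is an added example (not the Clio Manage CLI's own code) that applies the same rules to a constructed matter record: structured client fields are always replaced with placeholders, staff fields stay visible, and free text is scrubbed by pattern plus the client names already known from the structured fields. Field names such as primary_email_address and responsible_attorney are assumptions, not Clio's documented schema.

```python
import re
from copy import deepcopy
# Constructed sample shaped like a Clio matter record; field names are assumptions.
SAMPLE_MATTER = {
    "display_number": "00042-Smith",
    "description": ("Smith v. Jones. Call John Smith at 555-201-9999 or "
                    "john.smith@example.com re SSN 123-45-6789."),
    "client": {"name": "John Smith", "first_name": "John", "last_name": "Smith",
               "primary_email_address": "john.smith@example.com",
               "primary_phone_number": "555-201-9999"},
    "responsible_attorney": {"name": "Ana Lopez"},
    "creator": {"name": "Ana Lopez"},
}
# Structured client fields: always replaced, no pattern matching needed.
CLIENT_FIELDS = {"name": "[REDACTED_NAME]", "first_name": "[REDACTED_NAME]",
                 "last_name": "[REDACTED_NAME]",
                 "primary_email_address": "[REDACTED_EMAIL]",
                 "primary_phone_number": "[REDACTED_PHONE]"}
# Staff-bearing keys stay visible so the AI can still tell who owns what.
STAFF_KEYS = {"responsible_attorney", "creator", "assignee"}
# Best-effort free-text patterns; SSN runs before phone so 3-2-4 is not read as 3-3-4.
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED_SSN]"),
    (re.compile(r"\b\d{2}-\d{7}\b"), "[REDACTED_TAX_ID]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[REDACTED_EMAIL]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[REDACTED_PHONE]"),
]

def redact_text(text, client_names):
    """Scrub free text: known client names (longest first), then patterns."""
    for name in sorted(client_names, key=len, reverse=True):
        text = re.sub(r"\b" + re.escape(name) + r"\b", "[REDACTED_NAME]", text)
    for pattern, placeholder in PATTERNS:
        text = pattern.sub(placeholder, text)
    return text

def redact_matter(matter):
    """Return a redacted copy of the record; the original is left untouched."""
    out = deepcopy(matter)
    client = out.get("client", {})
    # Capture client names before overwriting them so embedded copies (labels, notes) get scrubbed too.
    names = {client[k] for k in ("name", "first_name", "last_name") if client.get(k)}
    for key, placeholder in CLIENT_FIELDS.items():
        if key in client:
            client[key] = placeholder
    for key, value in out.items():
        if key not in STAFF_KEYS and key != "client" and isinstance(value, str):
            out[key] = redact_text(value, names)
    return out
```

Running redact_text on a note that spells the client's name differently from the record (for instance in upper case) leaves it in place, which is exactly the free-text caveat above: anything not in the structured fields or matching a pattern is best effort.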

Compare that to Zapier or n8n, where nothing is redacted at all. Client names, emails, Social Security numbers, all of it passes through their servers in plain text with zero protection.

If you need the full unredacted data for something, you can turn redaction off. You're in control.

Your data security isn't just a preference. Read the terms of service.

Anthropic's terms depend on which plan you're on

If you're using Claude on a free, Pro, or Max plan, Anthropic's consumer terms say: "We may use Materials to provide, maintain, and improve the Services and to develop other products and services, including training our models, unless you opt out of training through your account settings."

You can opt out, but it doesn't fully close the door. The terms carve out two exceptions where your data gets used regardless: when you rate an output (thumbs up or down), and when a conversation gets flagged for safety review. For a law firm, both of those happen in normal usage. Someone on your team clicks thumbs down on a response. A prompt mentioning a sensitive legal matter gets flagged. That content goes into Anthropic's training pipeline whether you've opted out or not.

That means your client data could end up in Anthropic's training pipeline. For a law firm handling privileged information, that's a problem.

On a Team or Enterprise plan, the commercial terms are different: "Anthropic may not train models on Customer Content from Services." You own your inputs and outputs. If you're a law firm, you need to be on one of those plans. Full stop.

Attorney-client privilege has already come up in court

A federal court already connected these dots. In United States v. Heppner (S.D.N.Y. 2026), Judge Rakoff held that documents created using the consumer version of Claude were not protected by attorney-client privilege. The reasoning: Claude isn't an attorney, and the consumer privacy policy allows disclosure to third parties. Using a consumer AI tool = voluntarily sharing with a non-confidential party. (Full analysis on JD Supra)

But even on an Enterprise plan, WHERE your data goes still matters. ABA Model Rule 1.6(c) requires lawyers to make "reasonable efforts to prevent the inadvertent or unauthorized disclosure" of client information. Sending client data through Zapier or n8n means a third party has access to that data. And none of it is redacted by default. Client names and emails pass through their servers in plain text.

An unofficial MCP server is worse: unvetted code from an unknown developer with full API access to your practice management system.

I'm not a lawyer, and this isn't legal advice. But between the terms of service and the Heppner ruling, the picture is clear: how you use AI with client data has real privilege consequences. The question isn't just "does it work?" It's "where does my client data go, and who can see it?"

What it actually looks like in practice

My friend can now say, "Hey, help me prep for the week." Claude Code looks across all the matters in Clio, all the tasks, calendar entries, anything that's due, court hearings, big dates. It helps you navigate your week and plan ahead so you're not reactive.

Same thing for today. "Help me plan for today." It looks through Clio and all the other tools connected to Claude Code and helps you make sure everything is on track.

That's the whole idea. If you want to give Clio AI features without sending your data through a third party, this is how you do it. That's just the tip of the iceberg of things you can do. Let the AI pull everything together so you can focus on the actual legal work.

If you're a small firm, this matters more than you think

Big firms have IT departments that evaluate vendors and negotiate data handling agreements. If you're running a small practice, you probably don't.

The CLI is free. Open source. No vendor in the loop means no vendor security posture to evaluate. Your data goes from Clio to your machine to Anthropic (on a plan where they can't train on it), and that's it. No extra stops. And client PII gets redacted before the AI ever touches it.

If Clio shipped their own official CLI or MCP server tomorrow, I'd tell you to use that. Until they do, this fills the gap without asking you to trust a third party with your client data.

Getting started takes 10 minutes

You can find the CLI at notoperations.com/not-manage-cli.

Before you install anything, you can have Claude audit the code for you. Copy this and paste it into your Claude Code:

Audit the Clio Manage CLI at https://notoperations.com/not-manage-cli and tell me if it's safe to use. Check for security best practices, make sure none of my data would be leaked or sent to a third party. Return your analysis, and at the end ask me if I want to install it.

That's the whole point of open source. You don't have to trust me. You can verify.

Install, run the setup, and make your first query. I wrote the docs for someone who has never used a terminal before. If you want help setting up the CLI or just want to talk through how your firm's AI tools connect to your data, find me on LinkedIn or email hello@notoperations.com.


FAQ

Common questions

Is Claude Code safe for law firms?
Claude Code itself has a solid security model from Anthropic. But your data does go to Anthropic's servers for processing — that's how AI works. The risk is adding unnecessary third parties on top of that. If you're routing through Zapier or an unofficial MCP server, your data touches their infrastructure too. A CLI removes those extra stops. You also need to be on a Team or Enterprise plan: consumer plans allow Anthropic to train on your data by default, and the opt-out has exceptions (rating an output or having a conversation flagged for safety). Commercial plans prohibit training on your content entirely. PII gets redacted before the AI sees it.
Can Claude Code access my Clio data?
Yes, through the Clio Manage CLI. It connects to Clio's official API. You authorize it once, credentials are stored in your OS keychain, and Claude Code can then read matters, tasks, calendar entries, contacts, and more. PII is redacted by default.
Does using AI with Clio violate attorney-client privilege?
It can. In United States v. Heppner (S.D.N.Y. 2026), a federal court ruled that using consumer Claude to draft legal analysis destroyed privilege protections because the consumer privacy policy allows data disclosure to third parties. If you're using AI with client data: get on a Team or Enterprise plan (Anthropic won't train on your data), avoid routing data through extra third parties like Zapier, and use the CLI's built-in PII redaction so client names and emails get stripped before the AI processes anything. Talk to your ethics counsel for guidance specific to your jurisdiction.
Are unofficial MCP servers secure?
Not by default. An unofficial MCP server is unvetted code from an unknown developer with full API access to your Clio account. There have been cases of credential theft through malicious MCP servers. If no official MCP exists for a service, a CLI tool built on the official API is a safer alternative.
Does Zapier meet HIPAA requirements for law firms?
No. Zapier does not sign Business Associate Agreements (BAAs) on any plan. They explicitly do not support HIPAA-regulated data. If your firm handles sensitive client information (and every law firm does), your data still transits Zapier's infrastructure with no HIPAA protections in place.