The CLAUSE Sign-Off Process: What [RISK], [CLEARED], and [REDLINED] Mean

Every document, contract, and deployment artifact that passes through legal review receives one of four designations: [RISK], [CLEARED], [REDLINED], or [RECOMMEND]. These are not opinions. They are dispositions that carry specific procedural requirements. Understanding what each designation means — and what is required to move from one to another — is how you manage legal review as a process rather than an obstacle.

[CLEARED] means the document is legally sound for execution or deployment as written. No conditions. No caveats. Cleared means proceed. [REDLINED] means the document contains clauses that require modification before execution. A redlined contract is returned with specific proposed changes. The counterparty must accept, counter, or reject those changes before the document can be cleared. [RISK] means the document or deployment raises a legal concern that cannot be resolved by contract language alone — it requires a business decision about risk acceptance. A [RISK] designation goes to the board or designated risk authority. [RECOMMEND] means an alternative approach exists that reduces legal exposure. It is advisory, not a stop.

1. Step 1: Submission Package Submit the complete deployment artifact package for legal review: all vendor contracts and DPAs, the system architecture diagram showing data flows and processing locations, the EU AI Act risk classification with supporting rationale, the DPIA if applicable, and the intended use case description. Incomplete packages are returned without review. Partial submissions extend the timeline and are not the legal team's problem to solve.
2. Step 2: Initial Triage (48 hours) Legal performs initial triage to confirm the submission package is complete and to classify the deployment by regulatory risk tier. High-risk EU AI Act systems require full conformity review. GDPR high-risk processing requires DPIA validation. US-only deployments with no personal data processing receive an expedited track. Triage determines the review timeline — not the submission date.
3. Step 3: Document Review and Disposition Each document receives a [CLEARED], [REDLINED], [RISK], or [RECOMMEND] disposition with written rationale. Redlines are returned with tracked changes and a plain-language explanation of each change and why it is required. [RISK] items include a written risk summary for the business decision authority. [RECOMMEND] items include a brief comparison of the current approach versus the recommended alternative.
4. Step 4: Clearance or Escalation Once all [REDLINED] items are resolved and all [RISK] items have documented business decisions, the deployment receives a CLAUSE clearance memo. This memo is the legal gate pass. Without it, deployment does not proceed. The clearance memo specifies any ongoing compliance obligations — annual DPIA refresh, quarterly sub-processor audits, specific contract renewal review dates. The memo goes into the deployment record and is retained for the life of the system plus ten years.