Data sovereignty for law firms is the principle that client data should remain under the legal and physical jurisdiction of the firm's home country, with the firm retaining full control over where that data is stored, who can access it, and what processing occurs. For UK solicitors, this means client matter data should not transit overseas infrastructure without explicit authorisation and adequate legal safeguards.
The shift to cloud-based legal software over the past decade has brought genuine productivity gains. But it has also introduced a category of risk that many UK law firms have not fully assessed: the transfer of client confidential data to third-party cloud infrastructure — often located outside the UK, and often with sub-processors the firm has never heard of.
This is not a theoretical risk. It is an active compliance issue under the SRA Standards and Regulations, the UK GDPR, and the professional duty of confidentiality that every UK solicitor owes their clients.
The SRA's Position on Third-Party Data Processing
The SRA Standards and Regulations place two directly relevant obligations on law firms using cloud software:
- Principle 7 — You must act in the best interests of each client, which includes protecting the confidentiality of their information.
- Outcome 7.10 — You must establish and maintain proper arrangements for the management of your practice, including when outsourcing work involving client data to third parties.
When a law firm subscribes to a cloud-based practice management system, it is — in legal terms — outsourcing the processing of client data to a third party. The SRA expects firms to understand who that third party is, where data is held, what security standards apply, and what happens if that third party suffers a breach.
Important: "The vendor is ISO 27001 certified" is not sufficient due diligence. The SRA expects firms to understand the specific data flows relevant to their client data, not just to rely on generic security certifications.
Cloud Legal Software: Where the Data Sovereignty Risk Comes From
Data sovereignty risk in cloud legal software arises from four sources:
1. Server location
Many cloud legal software vendors, particularly US-headquartered ones, process data in US data centres by default. Even where a "UK region" is offered, it may not be contractually guaranteed, and AI processing features often route data to wherever compute capacity is cheapest.
2. Sub-processors
Your cloud legal software vendor almost certainly uses sub-processors: third-party services for storage, AI inference, email, analytics, and support. Each of these sub-processors may be in a different jurisdiction. A complete DPA from your primary vendor should list all sub-processors — but many do not.
3. AI model training
Some AI-powered legal tools use client data to improve their AI models. Unless your contract explicitly prohibits this, client matter data may be used as training data for AI systems that serve other firms. This is a direct breach of client confidentiality.
4. Support access
Vendor support staff — potentially in other countries — may have access to client files as part of troubleshooting. This access is often undocumented and unconstrained by contractual limits on jurisdiction.
Cloud vs On-Premises: Data Sovereignty Comparison
| Risk Factor | Cloud Software | On-Premises Software |
|---|---|---|
| Data location | Vendor-controlled, often overseas | Your own servers, your premises |
| Sub-processor access | Multiple, often unknown | None — no third-party processors |
| AI training data use | Depends on contract terms | Not applicable — AI runs locally |
| Support access to client files | Possible without audit trail | Your control — no remote access by default |
| Vendor breach impact | All firm data potentially exposed | Isolated to your own network |
| UK GDPR compliance | Requires active DPA management | Straightforward — no international transfers |
| SRA Outcome 7.10 | Requires outsourcing due diligence | No outsourcing — no due diligence required |
What a Robust Data Processing Agreement Must Cover
If you use cloud legal software, your DPA should specify:
- Exact data storage locations — country and named data centre, not just "UK region"
- Complete sub-processor list — every third party that touches your data, with their locations
- AI training prohibition — an explicit clause preventing use of your data to train AI models
- Breach notification timelines — 72-hour notification required under UK GDPR
- Data deletion on termination — certified deletion of all client data within a specified period
- Access controls — which vendor staff can access your data, under what conditions, with what audit trail
- International transfer mechanisms — the legal basis for any data transferred outside the UK
Why Many UK Law Firms Are Returning to On-Premises
The compliance burden of managing cloud data sovereignty has led a growing number of UK law firms — particularly small to mid-size firms in conveyancing, family, and employment — to reconsider on-premises deployment.
The argument is straightforward: if client data never leaves your servers, you have no third-party data processing to audit, no sub-processor agreements to review, no overseas transfer mechanisms to document, and no vendor breach to worry about. Your data sovereignty risk is zero.
Modern on-premises systems — including Susan by VantagePoint Networks — deliver the same AI-powered features as cloud alternatives: automated time recording, document generation, matter management, and compliance tracking. The difference is that all processing happens on your own infrastructure, under your direct control.
Frequently Asked Questions
The SRA does not specifically mandate on-premises software, but its Standards and Regulations require firms to protect client confidentiality (Principle 7) and exercise proper oversight when outsourcing data processing (Outcome 7.10). On-premises deployment is the most straightforward way to satisfy these obligations because client data never leaves the firm's own infrastructure.
Cloud legal software creates data sovereignty risk through overseas server locations, use of unknown sub-processors, AI model training on client data, and support staff access to client files without adequate audit trails. These risks require active management through DPAs, vendor audits, and ongoing due diligence.
It depends on the vendor's infrastructure and contracts. UK client data is safest when kept on infrastructure within the UK or EEA, with a formal DPA in place, regular security audits, and clear data residency guarantees. On-premises software eliminates the cloud risk entirely — data never leaves your own servers.
A DPA for cloud legal software should specify exact data storage locations (country and data centre), a complete list of sub-processors, a prohibition on using firm data to train AI models, breach notification procedures, data deletion timelines on contract termination, and the legal basis for any international data transfers.
Yes. Modern on-premises legal software, including Susan by VantagePoint Networks, delivers AI-powered time recording, document generation, matter management, and compliance tracking with the same functionality as leading cloud systems — with the added benefit that all data processing stays on your own infrastructure.
No Cloud. No Data Sovereignty Risk.
Susan runs entirely on your own servers. Your client data stays in your building, under your control, with zero third-party data processing. Book a demo to see how it works.