Legal AI Security Checklist for Law Firms
May 1, 2026

Most law firms are already running AI. 78% of Am Law 200 firms report using it, and 68% of attorneys have used generative AI for work-related tasks (AI Vortex, 2026). The security conversations have not kept pace.
The problem is not that legal AI is inherently unsafe. The problem is that vendors sell on features first and security second, and most firms are not asking the right questions before signing contracts. A legal AI security checklist is not a nice-to-have exercise before go-live. It is the only way to protect client confidentiality, satisfy professional obligations, and avoid reputational damage that no indemnity clause can fully repair.
This guide is written for legal ops leads and managing partners currently evaluating vendors. It covers the specific questions to ask, the answers to reject, and what a genuinely secure legal AI deployment looks like in practice.
01. Data Residency: Where Your Client Data Actually Lives
Start here before anything else. Ask the vendor directly: where is client data stored, and under what jurisdiction?
This is not a technical question. It is a professional responsibility question. Client data held on servers outside your firm's home country may be subject to foreign government access requests, data localisation laws, or cross-border transfer restrictions that your engagement letter never anticipated.
The EU AI Act imposes penalties for lack of transparency and data control, and firms operating across borders face CFIUS and export control requirements that make vendor geography genuinely consequential (GLACIS, 2026). A vendor who cannot tell you exactly where your data sits at rest has not thought through their legal exposure, or yours.
The right answer is a specific country and a specific cloud region, ideally with contractual confirmation. Vague responses like 'secure data centres globally' are not acceptable. Demand the specifics in writing before signing anything.
For firms with the strictest requirements, on-premise or VPC (virtual private cloud) deployment options give you complete control over data location. Casero, for example, offers on-premise and VPC deployment in its Enterprise tier precisely because some firms need data that never touches shared infrastructure.
02. Encryption Standards: What 'Secure' Actually Means
Every vendor claims their platform is 'secure.' That word is doing a lot of work and almost none of it is specific.
Ask for the encryption standard used at rest and in transit. The acceptable baseline in 2026 is AES-256 at rest and TLS 1.2 or higher in transit. Anything below that is not enterprise-grade.
Also ask whether encryption keys are managed by the vendor or by your firm. Vendor-managed keys are common and often fine, but they mean the vendor can, in principle, decrypt your data. Customer-managed keys, where your firm holds the decryption keys, eliminate that risk entirely. This matters most for firms handling sensitive litigation, M&A transactions, or regulated industries.
A private cloud approach, as opposed to a multi-tenant SaaS environment, goes further by giving firms total data sovereignty (Purple Law, 2026). In a multi-tenant architecture, your data shares infrastructure with other customers. Tenant isolation controls should be contractually defined and technically enforced, not just described in a sales deck.
Casero operates with enterprise-grade encryption at rest and in transit, and data never leaves the user's jurisdiction. That is a contractual commitment, not a checkbox on a marketing page.
03. SOC 2 Is Not Enough on Its Own
SOC 2 Type II certification is the minimum bar for enterprise software in 2026. If a vendor does not have it, that is a red flag. Full stop.
But SOC 2 compliance does not guarantee transparency into model behaviour or training data provenance (GLACIS, 2026). SOC 2 audits infrastructure controls: access management, availability, processing integrity. It does not evaluate whether the model is making decisions you can explain, whether training data was ethically sourced, or whether the model has encoded biases that could affect legal analysis.
Ask these follow-up questions after a vendor confirms SOC 2:
- What is the Type II audit date? (Type I is weaker and easier to obtain.)
- Is ISO 27001 certification also in place, or on a confirmed roadmap with a target date?
- What third-party penetration testing has been conducted, and how recently?
- Are audit reports available under NDA for your review?
Vendors who have genuinely invested in security will have answers ready. Vendors who have not will stall.
Honest disclosure matters here too. Casero is transparent that SOC 2 and ISO certifications are on their roadmap, which is the right posture for a platform still maturing. A security whitepaper covering architecture, encryption standards, and compliance roadmap is available during pilot onboarding. That transparency is more trustworthy than a vendor who claims compliance they cannot document.
04. Model Training Data: The Question Most Firms Forget to Ask
This is the question that separates firms who understand AI risk from firms who are about to create a confidentiality breach they will discover later.
The question is simple: does the vendor use client data to train or improve its AI models?
The answer determines whether your firm's privileged communications, case strategies, and client documents could become part of a model that other users query. Consumer-grade AI tools frequently use interaction data for model improvement by default. Enterprise platforms like Harvey and Lexis+ AI offer contractual commitments not to train on client data (AI Vortex, 2026). That contractual commitment is what you need.
Get it in the data processing agreement, not just the sales pitch. The agreement should specify:
- No use of client data for model training or fine-tuning
- No use of client data to improve the vendor's general-purpose models
- Data deletion timelines upon contract termination
- What happens to derived data or embeddings generated from your documents
When evaluating Casero, verify the specific policy regarding the use of client data to train AI models. For the legal AI data privacy questions law firms need answered, this is the single most important contractual protection to secure.
Also ask about the training data behind the model itself. If the vendor uses a foundation model from a major AI lab, ask which version and what that lab's data use policies are. The chain of data custody matters all the way down.
05. Privilege Protection and Ethical Walls
Legal privilege is not just a compliance concept. It is the foundation of the attorney-client relationship, and AI systems that ignore it can waive it.
Ask vendors specifically how their system handles privilege. The risk points are:
Cross-matter contamination. Can a user querying one matter accidentally surface documents from a matter where they have no access? Any AI system that indexes documents for semantic search without respecting existing access controls creates this risk.
Ethical wall compliance. Law firms use ethical walls (also called information barriers) to prevent conflicts of interest. An AI system that bypasses those walls, even inadvertently through a search result, creates regulatory and professional responsibility exposure.
Output logging. If the AI system logs queries and responses, who has access to those logs? A paralegal's query about a privileged matter should not be readable by another partner.
Casero's approach is direct: if a lawyer cannot access a document in the connected document management system, they cannot query it in Casero. The platform inherits and enforces existing access controls from connected systems rather than creating a parallel permission layer that can drift out of sync. This is how ethical wall adherence should work.
For firms evaluating AI for litigation support teams, privilege protection at the document access layer is non-negotiable.
06. Audit Trails: If You Cannot Explain It, You Cannot Defend It
Regulators, courts, and clients increasingly want to know not just what conclusion an AI system reached, but how it reached it and who authorised the action.
An audit trail in a legal AI system should record:
- Who accessed which documents and when
- What queries were run and what results were returned
- What AI-generated outputs were produced and who reviewed them
- What actions were taken based on those outputs
This is different from a basic access log. Legal AI audit trails need to be legally defensible, not just operationally useful. If a matter comes into dispute, you need to show a court or bar regulator exactly what the AI did and what a human lawyer approved.
Ask vendors whether their audit trail is immutable. Logs that can be edited by administrators are not audit trails. Ask whether the trail covers the AI's reasoning process or only user interactions. Ask how long logs are retained and whether they are exportable in a standard format.
Casero records every action: who accessed what, when, and based on which source document. The platform describes this as fully explainable AI with no black boxes, and every fact in the knowledge graph traces back to the exact passage it came from. That source-linked design is what a genuine audit trail looks like for legal AI.
For a broader view of how AI governance frameworks work at law firms, audit trails are one of the four pillars alongside access control, vendor accountability, and incident response.
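The two properties described above (retrieval that inherits the document management system's permissions rather than keeping a parallel copy, and an audit trail that records who ran what and which source passage answered) can be checked in code. The following is an added illustration, not Casero's or any vendor's implementation; the DMS_ACL, INDEX and user names are constructed sample data, and a keyword match stands in for semantic search.

```python
import hashlib
import json

# Constructed sample data: the DMS access list is the single source of truth.
# Alice and Bob are screened off matter-B by an ethical wall.
DMS_ACL = {"matter-A": {"alice", "bob"}, "matter-B": {"carol"}}
INDEX = {  # doc id -> (matter, source passage)
    "doc-1": ("matter-A", "Client settlement strategy: target 2.5m"),
    "doc-2": ("matter-B", "Counterparty strategy memo: push for early mediation"),
    "doc-3": ("matter-A", "Engagement letter signed 2026-01-10"),
}
GENESIS = "0" * 64


class AuditLog:
    """Append-only log where each entry commits to the previous hash, so an
    edited or deleted entry breaks the chain and verify() reports it."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
        self.entries.append({"event": event, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            expected = hashlib.sha256((prev + json.dumps(e["event"], sort_keys=True)).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


def search(user: str, query: str, log: AuditLog) -> list:
    """Pre-filter to matters the DMS allows for this user, then match only within
    that set, so a screened document never influences results or counts."""
    allowed_matters = {m for m, users in DMS_ACL.items() if user in users}
    hits = [d for d, (matter, text) in INDEX.items()
            if matter in allowed_matters and query.lower() in text.lower()]
    # Every query is recorded with the exact source passages it surfaced.
    log.append({"user": user, "query": query, "returned": hits,
                "sources": {d: INDEX[d][1] for d in hits}})
    return hits
```

If the ACL check were instead copied into a separate permission table, revoking Alice in the DMS would not remove her access here until that table was resynchronised; reading DMS_ACL live at query time is what avoids the drift the text warns about.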
07. Red Flags That Should End the Evaluation
Some vendor responses are not just unsatisfying. They are disqualifying.
'We take security seriously.' This phrase with no specifics following it signals the vendor does not have a mature security program. Ask for the specifics. If they cannot produce them, move on.
No data processing agreement available. You need a DPA before you ingest any client data. A vendor who makes signing the DPA a post-contract process has the incentive order backwards.
Inability to name the underlying model. If a vendor cannot tell you which foundation model powers their product, or refuses to disclose it for 'competitive reasons,' you cannot assess the data policies of that model. That is an unacceptable gap in vendor due diligence.
AI that acts without human approval. Autonomous AI actions in legal contexts create liability. The model drafts, the lawyer approves. Any vendor pitching a system that takes autonomous action on legal matters without explicit human-in-the-loop controls is not ready for a professional services environment.
No breach notification timeline. Ask specifically: how many hours after a confirmed breach will you notify us? The answer should be 24 to 72 hours maximum. Anything vaguer than that leaves you exposed when you need to notify your own clients.
For firms comparing specific platforms, the Harvey AI alternatives comparison covers how several vendors position their security and data control credentials against each other.
A legal AI security checklist is not a one-time exercise. Vendor security postures change, certifications lapse, and model policies evolve. Build the evaluation questions in this guide into your annual vendor review process, not just your initial procurement.
If you are currently evaluating platforms and want to see what source-linked, privilege-respecting, audit-complete AI looks like in practice, run a pilot with Casero. Every fact traces to its source document. Ethical walls are inherited from your existing systems automatically. Client data never trains the model. And the full audit trail means you can explain every AI-assisted decision to any regulator or court that asks.
Request Casero's security whitepaper during pilot onboarding. It covers architecture, encryption standards, and the compliance roadmap in detail. That is the level of transparency your clients should expect from your AI vendor.