A plain-English Sovereignty Exposure Profile for a UK mid-size law firm (roughly 50–250 fee earners).
What this is
A law firm’s most valuable and most confidential asset is its client work: privileged advice, case files, and years of matter history. Most firms now keep all of it in software and cloud services rented from a small number of large suppliers. This report asks, for a typical UK mid-size firm: who ultimately controls that technology, where do the privileged files physically sit, and who could be compelled to hand them over?
It describes a typical firm of this size, not any one named practice. It uses exactly the same method as our financial-services profile, so the two can be compared.
How we worked it out
We broke the firm’s technology into its everyday building blocks — the cloud it runs on, its office software and document store, its practice-management and billing system, its legal-AI tools, and the system that logs staff in — plus its banking. For each, we checked four things against the suppliers’ own public documents and company filings:
- How few real alternatives are there?
- Whose laws can reach the data? A British supplier answers to UK law. A US supplier, even one storing data in Britain, can be compelled under the US CLOUD Act (the Clarifying Lawful Overseas Use of Data Act 2018, which lets US authorities require a US company to hand over data in its possession or control, wherever it is stored), and is also subject to Section 702 of the US Foreign Intelligence Surveillance Act, a foreign-intelligence surveillance power. The practical point is that storing the data in a UK data centre changes where it sits, not who can be compelled to produce it. For a law firm this is sharper than a data-location question: it touches legal professional privilege and the firm's duties under the Solicitors Regulation Authority (SRA), the body that regulates solicitors in England and Wales.
- How hard would it be to leave?
- Can you see inside and control it, or is it a closed “black box”?
We then scored two harms for each block, from 1 (low) to 5 (high). Continuity risk: if access were cut off, could the firm keep working? Confidentiality risk: if the data were read or legally demanded, how bad would that be? The block's overall rating is the worse of the two scores. These are our analysts' considered judgments, informed by verified facts, not precise measurements.
The headline
For this typical firm, five of the six building blocks are High exposure, and they cluster around one thing: the firm’s privileged client documents sit with US-controlled suppliers, under US legal reach. The one clear exception is payments, which is low-risk for a law firm — the single biggest difference from a bank or insurer.
The building blocks
| Building block | What it does | Main supplier (where it’s controlled from) | Exposure |
|---|---|---|---|
| Cloud | The computers everything runs on | Microsoft / Amazon — United States | High |
| Office software + document store | Email, documents, and the firm’s matter files | Microsoft 365 + a document-management system (iManage or NetDocuments) — all United States | High (the defining risk) |
| Practice management / billing | Running matters and invoicing | Aderant / Thomson Reuters Elite — United States | High |
| Legal-AI tools | Drafting and research assistants | Harvey / CoCounsel — United States (CoCounsel’s owner is Canadian) | High |
| Staff log-in | Controls who can sign in | Microsoft Entra / Okta — United States | High |
| Payments / banking | The firm’s own banking and client account | UK banks — UK law | Low |
(“Document-management system” is the specialist software law firms use to store and organise case files — the two market leaders are iManage and NetDocuments.)
The defining risk: privileged files under foreign law
The firm’s lifeblood — privileged client work product and decades of matter files — lives in Microsoft 365 and a US document-management system. All of these suppliers are US-controlled (we confirmed each from company filings and their own legal agreements). So the most confidential material a law firm holds is reachable under US law, and it is also the hardest thing to move: shifting decades of files out of a document-management system is the single deepest migration on any profile we have done.
There is a concentration twist worth knowing. The leading document system, iManage, itself runs on Microsoft's cloud, so a firm using Microsoft 365, iManage, Microsoft's log-in and Microsoft's cloud has its documents, its email, its log-in and its computers all ultimately with one company, Microsoft. The main alternative, NetDocuments, is the off-Microsoft option: it runs its own data centres plus Amazon's cloud. Choosing it reduces the single-supplier concentration, but not the legal reach, because NetDocuments is still a US supplier.
The legal-AI tools carry the sharpest confidentiality risk
The newest building block is also the most sensitive: legal-AI assistants (such as Harvey) send privileged client content through a US-controlled, closed AI system. It is the layer with the highest confidentiality concern — but, helpfully, also the cheapest and fastest to make safer.
What happens if a supplier is switched off
- The document store and office software would be the deepest problem to recover from — moving decades of privileged files off a US system could take well over a year.
- Staff log-in fails fastest — an instant lockout.
- If the cloud account is suspended, the outage spreads quickly to everything that runs on it, including any document system hosted there.
- Billing and the AI tools have more runway, and the AI tools are the easiest to replace.
- Payments is not a crisis layer for a law firm — the clearest contrast with financial services.
What a firm can realistically do
There is no fully-British answer today, but the exposure can be lowered, and the order matters. By building block:
- The document store: plan the exit, and watch what it sits on. Be able to export matter files, with their metadata, in open formats, and test that export before you need it rather than discovering its limits during a crisis. Prefer a system that keeps files in the UK or off Microsoft's infrastructure, remembering that UK residency limits where the files sit, not who can be compelled to hand them over. The two leaders differ in a way that matters here: iManage runs on Microsoft's cloud, while NetDocuments runs its own data centres plus Amazon, so a firm wanting to avoid putting everything on one supplier has a real choice to weigh.
- Legal-AI — the quickest win, and the most sensitive. Rather than send privileged content to a US AI service, prefer tools you can run privately or that are UK-controlled. UK legal-AI options worth weighing include Luminance (Cambridge), Robin AI, Genie AI and Definely; for the most sensitive work, open models such as Mistral (France) or Llama, run on the firm’s own infrastructure, keep privileged material in-house.
- Cloud and log-in: reduce the Microsoft concentration. Moving the cloud and/or the staff log-in off Microsoft stops one problem taking down documents, email, log-in and computers together. UK and European cloud options include OVHcloud or Scaleway (France), IONOS (Germany) and Civo (UK); the open-source log-in system Keycloak, self-hosted, reduces reliance on a single US provider. Self-hosting the log-in does mean the firm becomes responsible for keeping it available, patched and backed up, since a failure there still locks everyone out.
- Practice management and billing. Prefer a UK-controlled supplier at renewal — UK-built options include Osprey Approach, Insight Legal, Linetime and Peppermint; long cycles mean the renewal is the moment to choose.
- Payments and banking. Already low-risk — accept and monitor.
A practical sequence: make the legal-AI layer safe first (cheap, fast, and it carries the sharpest confidentiality risk), plan the document-store exit route, and treat reducing the Microsoft concentration as the longer structural project.
(Each alternative should be checked against the same four questions before relying on it — some “European” options still host on US clouds or carry foreign investors. These are options to weigh, not recommendations.)
Where the data come from
Every statement about who controls a supplier and where data sits is taken from primary sources — company filings, UK Companies House records, and the suppliers’ own legal and security pages (for example, Harvey’s own agreement names it as a Delaware-incorporated company; iManage’s trust pages confirm it runs on Microsoft’s cloud) — and is listed in the evidence ledger in the full analyst version. The judgments about how hard things are to leave, and how critical each block is, are our reasoned view of a typical firm, stated as such.
How to read this
This is a sector picture, meant to help a firm see where it is exposed and what its options are — not a scorecard of good and bad suppliers. Ratings rank exposure rather than measuring it precisely, so read them as broad bands. As with all Information Matters work, this reflects the opinions of our team — human and AI — and is not a statement of fact.