You verify everything, except the security of your own tools

March 23, 2026

The Dutch painter Samuel van Hoogstraten was a master of trompe-l'oeil, paintings designed to deceive the eye. His 1664 work depicts letters, seals and documents so convincingly realistic that you want to reach out and lift them from the canvas. But it is paint on canvas, nothing more. The same is true of some security claims: they look entirely convincing, but look closely.

You read contracts word for word. You challenge every claim the opposing party makes. You never accept a witness statement without testing it. Yet how critically do you examine the security claims of your own legal software?

The honest answer, for most solicitors, is: not critically enough.

The rise of legaltech and the security illusion

More and more law firms are adopting AI tools for legal research, document analysis and drafting court submissions. The efficiency gains are considerable, which makes adoption a sensible choice. But with these tools comes a transfer of trust. You are entrusting your most sensitive data to a third party: case files, contracts, personal data and your clients' trade secrets.

Most legaltech providers understand that security is a selling point. That is why nearly every website displays the same reassuring badges: "ISO 27001 certified", "Enterprise-grade security", "SOC 2 compliant." It sounds robust. But what does it actually mean?

Not all certifications are equal

This is where it becomes interesting, and rather concerning.

An ISO 27001 certificate is issued by a certification body. But not every certification body operates at the same standard. The difference can be vast.

Scenario A: An internationally accredited certification body with decades of experience sends auditors to your provider's premises. They inspect systems, processes, staff and documentation on site. The audit takes weeks. The body stakes its own reputation on every certificate it issues.

Scenario B: A small, obscure certification company conducts the entire audit remotely. Nobody visits in person. The audit is quick and inexpensive. The certificate looks identical on paper.

Both providers may write "ISO 27001 certified" on their website. But the substance behind that certification is fundamentally different.

The rise of automated compliance tools

There is another trend worth knowing about. An increasing number of technology companies use automation platforms to build their compliance pages. These tools generate a professional-looking "Trust Centre" on your provider's website, complete with badges, tick marks and status dashboards.

An automated compliance dashboard, however, is not an audit. It is a tool that checks whether certain technical settings are correctly configured. It does not replace the critical eye of a human auditor who visits your provider in person, interviews staff and scrutinises processes.

ISO 42001: the new standard for AI

With the rise of AI in legal practice, a new standard has emerged: ISO/IEC 42001:2023. This standard specifically addresses the responsible management of AI systems, covering risk management, transparency, monitoring and human oversight.

This is particularly relevant for solicitors who use AI tools in their practice. The EU AI Act imposes increasingly stringent requirements on AI systems, and ISO 42001 provides a framework for meeting them.

The same caveat applies here, though. The standard is so new that many of the most reputable European certification bodies are still working through their own accreditation. They want to be certain they can assess the standard at the appropriate level before issuing certificates. Meanwhile, some providers already claim to be certified, audited by parties that may apply less rigorous scrutiny.

Ask yourself this: if the most respected auditors are not yet ready to issue this certification, how seriously should you take a certificate from a body that already does?

What to look for: a checklist

As a solicitor, you are trained to assess evidence. Apply that same discipline to your legaltech providers.

The certification

Who conducted the audit? Look for the name of the certification body on the certificate. Is it an internationally recognised organisation with a strong track record, or an unknown company? Check whether the body is accredited by a recognised accreditation authority. In the United Kingdom, that is the United Kingdom Accreditation Service (UKAS).

Was the audit conducted on site or remotely? A remote audit is not worthless by definition, but a physical audit is more thorough. On-site audits examine systems, workspaces and processes in person. Ask your provider how the audit was carried out.

What is the scope? An ISO certificate always has a defined scope. Does the certification actually cover the product you are using, or is it limited to a part of the organisation?

Is the certificate valid and verifiable? Check the expiry date. Contact the certification body to verify its authenticity. A trustworthy provider makes this straightforward.

Can you download the certificate? If a provider claims to be certified but you cannot inspect or download the certificate, treat that as a red flag.

The penetration test

Has a penetration test been conducted? An ISO certificate assesses policies and processes. A penetration test assesses the actual technical defences. Both matter. Read why we have NCC Group (Fox-IT) pentest Andri.

Who conducted the test? As with certifications, the name of the testing firm tells you everything. A penetration test by an internationally recognised cybersecurity firm carries more weight than one by an unknown party.

How long did the test take? A two-day penetration test is fundamentally different from a two-week engagement. Thorough testing takes time.

Was it a white-box or black-box test? In a white-box test, the tester receives full access to the source code and architecture, so the review can reach weaknesses that are not visible from the outside. In a black-box test, the tester works from the outside with no internal knowledge, which reflects an external attacker's view but covers less ground in the same time. A white-box test is therefore the more comprehensive of the two.

Day-to-day practice

Where is your data stored? Is your data processed and stored within the EEA, or does it sit on servers in the United States or elsewhere? Read how Andri handles document security.

Is your data used for training? Many AI tools use input data to improve their models. For a law firm, this is unacceptable. Ask explicitly whether your data remains isolated.

Is there vendor lock-in? Does your provider depend on a single AI model provider? If that provider encounters difficulties, what happens to your tool?

How does the provider respond to incidents? Ask about the incident response plan. How quickly are you notified in the event of a data breach? Who is your point of contact?

GDPR and the right to erasure

A point that is often overlooked: the General Data Protection Regulation gives your clients the right to have their personal data deleted. That right extends to data processed by your legaltech tools.

Ask your provider: can I have data deleted? How quickly? Is there a direct, straightforward way to do this, or will I be waiting weeks for an email response from a support department? A provider that takes privacy seriously makes this process as accessible as possible, ideally with a single click.

The anonymisation illusion

Some legaltech providers promote anonymisation as the solution to privacy concerns around AI. "Your data is anonymised before it passes through the AI model." It sounds reassuring. But think it through.

To anonymise data, the system must first read and understand it. It must recognise names, identify addresses, detect case reference numbers. That reading and understanding is itself processing within the meaning of GDPR. The data has already been processed before any anonymisation takes place.

GDPR draws no distinction based on the type of hardware on which that processing occurs, either. Article 4 GDPR defines processing as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means." Whether your data is processed on a CPU, a GPU or a TPU, the legal position is identical. What matters is that processing takes place, not how.

The uncomfortable truth about your current tools

This is where the conversation becomes uncomfortable. Many solicitors who are cautious about AI tools on privacy grounds use services every day that do exactly the same thing.

Your email runs on Microsoft 365. Your documents sit in a cloud-based document management system. Your Teams calls pass through data centres across the globe. Your diary, your contacts, your billing: all of it runs on the same cloud infrastructure that you question when it comes to AI tools.

That is not an argument for trusting AI tools without scrutiny. It is an argument for asking the same critical questions of all the software you use, not just the new and conspicuous AI platforms. Your clients' data deserves the same protection everywhere.

The real question is not "are we using AI?" but "how does our provider handle our data?" Where is it stored? Who has access? Is it used for other purposes? Can I have it deleted? Those are the questions that matter, whether you are talking about an email client or an AI platform for legal work.

The parallel with your own work

As a solicitor, you know that the difference between winning and losing often lies in the details. A witness who was not properly examined. A contract that was not carefully read. Evidence that was not independently verified.

The same applies to the security of your tools. The difference is not in the claim on the website, but in the detail behind it. Who audited? How was the audit conducted? What was the scope? Can I verify it?

You would never accept a contract without reading it. Do not accept a security claim without checking it either.

Conclusion

The legaltech market is growing rapidly. That is a good thing, because these tools make solicitors more efficient and their services better. But rapid growth also attracts providers that treat compliance as a box to tick rather than a foundation to build on.

Your clients trust you with their most sensitive information. That trust extends to the tools you use. Take that responsibility seriously.

Ask the questions. Check the certificates. Assess the auditor. Do what you always do, but apply it to your own software as well.

Because when something goes wrong, "but they were certified" is not a defence that holds up.
