Attorney-client privilege, BRAO, M365 hardening — security-disciplined.
TL;DR. Law firms and tax advisors have their own protection classes — BRAO §43a, BORA, GoBD. We understand why these professions reject classical cloud consultants — and deliver architecture that upholds attorney-client privilege.
What this sector typically struggles with
BRAO §43a is non-negotiable: confidentiality obligation, no third-country access to client data. That means: cloud standards from the tech sector don't work. A cloud provider with data centers in the USA? For law firms, a no-go. BORA (bar association rules) specifies further — technical security measures aren't optional.
At the same time, nearly all firms today are on the Microsoft stack: M365 (Word, Excel, Teams, SharePoint, OneDrive) is standard. The challenge: M365 client data protection isn't trivial. Information barriers, customer lockbox, sensitivity labels, encryption — many firms don't deploy these and end up with a hybrid solution (on-prem + cloud) that's maintenance-intensive.
Cyber insurers specifically ask about client-data-protection architecture. Ransomware at a law firm is a double catastrophe: trade-secret theft + client data exfiltration. And staffing shortage is acute — many firms have a single IT person who simultaneously manages servers, provides user support and documents data-protection compliance.
How we typically help
We build M365 client-data-protection architecture so client files stay secure — but firms don't suffocate in infrastructure maintenance. Information barriers separate client data: attorney A can't access client B's file. Customer lockbox secures access even on governance escalation (Microsoft support can't just look in). Sensitivity labels automate classification — new file in the "client files" folder → automatically gets the "confidential + encrypted" label.
BYOK (bring-your-own-key) encrypts data with your key — Microsoft never sees plaintext. Endpoint agents sit on attorney laptops and firm terminals with local tool processing: client data do not go to a cloud LLM without explicit gateway approval and DLP filters. The knowledge base stores BRAO §43a requirements and M365 hardening checklists. Business agents automate client data protection audits: monthly check — are all client files correctly labeled?
Ongoing operation is the crux. We don't build and disappear — we deliver a cloneable engagement that your firm IT can run after we're gone.
Where it usually pays to start
Law firms should start with M365 client-data protection — it takes effect quickly and immediately adds value with insurers.
- M365 client-data protection hardening: Configure information barriers, customer lockbox, sensitivity labels, BYOK encryption, not just "default M365 with hope."
- Information-barriers configuration: Client segmentation per firm structure, attorneys can't work cross-client, audit log is watertight.
- Sensitivity-label schema: Classification (public, internal, confidential, client file). Auto-labeling for new files in critical folders.
- BYOK encryption setup: Azure Key Vault with firm-own key, Microsoft and all third countries have no access to client data.
- Client-file classification workflow: Automated daily scans — are all client files correctly labeled? Reports for compliance audit.
- BRAO-compliant AI usage concept: Which LLMs are permitted for which work? Default: no client data to any LLM. Explicitly approved only with a DLP filter.
What you can hand off
- M365 client-data protection hardening: Configure information barriers, customer lockbox and sensitivity labels fully and test them.
- Information-barriers configuration: Client segmentation per firm structure, prevent cross-client access, establish audit logs.
- Sensitivity-label schema: Classification framework (public, internal, confidential, client file) with auto-labeling for critical folders.
- BYOK encryption setup: Azure Key Vault with firm-own keys, client data encrypted under firm control.
- Client-file classification workflow: Automated daily scans for labeling conformity, reports for compliance audits and insurers.
- BRAO-compliant AI usage concept: Policy for which LLMs are permitted for which work. Default: no client data are sent without a DLP filter.
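The "client-file classification workflow" above (and the same item under "Where it usually pays to start") is a labeling-conformity scan. The following is an added example and not Nova9's code: it checks a constructed file inventory against the page's label schema and folder rule and returns the findings an audit report would list. The inventory format (`path`, `label`) and the label ordering are assumptions; in production the metadata would come from Microsoft Graph rather than an inline list.

```python
"""Labeling-conformity scan over a constructed file inventory (added example)."""

# Label schema from the page, ranked least to most restrictive (ordering is an assumption).
LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2, "client file": 3}

# Folder rules: any file under a prefix must carry at least the stated label.
FOLDER_RULES = {
    "/sites/firm/client files/": "client file",  # critical folder from the page
    "/sites/firm/internal/": "internal",          # assumed additional rule
}

# Constructed sample inventory; not real firm data. In production, pull this from Graph.
SAMPLE_INVENTORY = [
    {"path": "/sites/firm/client files/mandate-0001/contract.docx", "label": "client file"},
    {"path": "/sites/firm/client files/mandate-0002/notes.docx", "label": "internal"},
    {"path": "/sites/firm/client files/mandate-0003/scan.pdf", "label": None},
    {"path": "/sites/firm/internal/handbook.docx", "label": "confidential"},
    {"path": "/sites/firm/public/imprint.docx", "label": "public"},
]


def required_label(path):
    """Return the strictest label required by any matching folder rule, or None."""
    p = path.lower()
    best = None
    for prefix, label in FOLDER_RULES.items():
        if p.startswith(prefix) and (best is None or LABEL_RANK[label] > LABEL_RANK[best]):
            best = label
    return best


def scan(inventory):
    """Return (path, reason) for every file that violates the schema or a folder rule."""
    findings = []
    for item in inventory:
        need, have = required_label(item["path"]), item.get("label")
        if have is not None and have not in LABEL_RANK:
            findings.append((item["path"], f"unknown label {have!r}"))
        elif need is None:
            continue  # unconstrained folder: any known label (or none) is acceptable
        elif have is None:
            findings.append((item["path"], f"missing label, requires {need!r}"))
        elif LABEL_RANK[have] < LABEL_RANK[need]:
            findings.append((item["path"], f"label {have!r} below required {need!r}"))
    return findings


def report(inventory):
    """Audit summary for the compliance report: totals plus the findings list."""
    findings = scan(inventory)
    return {"total": len(inventory), "nonconformant": len(findings), "findings": findings}
```

A label above the required minimum (the handbook labeled "confidential" in an "internal" folder) is accepted; only under-labeled, unlabeled and unknown-labeled files are reported.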
Obligations we address
In 2026, legal and tax advisory are multiply protected professions — BRAO §43a and StBerG §57 with an absolute confidentiality obligation, BORA and BOStB as professional rules, GDPR as the foundation, GoBD for tax-relevant data and the EU AI Act for AI use in client work.
- BRAO §43a · confidentiality obligation and protection from prosecution: Absolute confidentiality over all client information — no third-country access, no uncontrolled data transmission, no auto-training sharing. We build the architecture that holds it: BYOK encryption, information barriers in M365, EU cloud with BaFin-accepted subprocessor setup and an audit trail for every client action.
- BRAO §53 · file access and retention obligations: Prescribes how and how long client files must be retained — typically 6 years, in individual cases longer. We build a retention-compliant archival stack with encrypted long-term storage and auditable access.
- BORA · bar association rules (§§6–13, 19–30): Specifies BRAO with technical and organizational obligations — access controls, authorization concepts, data classification, audit capability. We deliver a BORA-compliant implementation stack with firm-specific hardening profiles and training programs for the entire firm.
- StBerG §57 · tax advisor professional secret: Analogous to BRAO §43a for tax advisors — absolute confidentiality, no third-country access, diligence in IT selection. We build an architecture that holds under both BRAO and StBerG, with a shared client-data protection layer for mixed firms.
- BOStB · tax advisor professional rules: Specifies §57 with technical and organizational obligations — encryption, access controls, audit capability, data backup with restore tests. We build a BOStB-compliant IT stack and continuously document conformity for professional chamber audits.
- GoBD · principles of orderly bookkeeping in digital form: For tax-relevant data (accounting, receipts, tax files): immutability, traceability, completeness, 10-year retention. We build a GoBD-compliant archival stack with WORM characteristics and an audit trail for each data change.
- GDPR Art. 9 · special categories (client data): Client data often contain special categories (health, sexual life, ethnicity, political opinion, religious belief) — processing ban with narrow exceptions. We build privacy-by-design (minimization, pseudonymization) and document the legal basis per processing action.
- GDPR Art. 32 · technical and organizational measures: Obligation to appropriate TOMs — encryption, pseudonymization, recoverability, vulnerability management. We deliver the TOMs catalog in supervisory format, document measure implementation and conduct annual effectiveness reviews.
- EU AI Act Art. 6 · AI use in client work: AI tools for contract analysis, client classification or automated motion generation may fall under high-risk AI — governance, transparency, human oversight mandatory. We build the BRAO-compliant AI stack with DLP filtering against client-data leaks, an audit trail and explicit approval logic.
Sector facts
| Topic | Detail |
|---|---|
| Typical engagement size | 10–500 attorneys/tax advisors per firm (solos to large firms) |
| Most common triggers | Cyber-insurance audit, BRAO complaint after data breach, client data-protection inquiry, audit readiness |
| Typical deployment model | EU cloud (M365 with BYOK + information barriers) hardened · Optional on-prem for high-risk clients (with very sensitive data: inheritances, protected witnesses, etc.) |
| Core regulation | BRAO §43a, BORA (attorneys), §57 (tax advisors), GDPR Art. 32, GoBD (for tax advisors) |
| Nova9 modules in use | Business agents (M365 client-data protection automation), endpoint agents (attorney-laptop control), LLM gateway (DLP for client data), knowledge base (BRAO/StBerG requirements) |
| Typical onboarding | 14–30 days (M365 audit, information-barriers setup, label schema, BYOK configuration, training) |
| Audit mirror | Fully in EU · Retention: 30 years (BRAO/StBerG file retention for client matters) |
| Clone handover | Available — critical for continuity after agent exit (law firms often 1-person IT) |
Asked before the briefing
- Can client data go to the cloud, or only on-prem? With BYOK, information barriers and customer lockbox: yes, cloud is BRAO-compliant. Your data are encrypted under your control; Microsoft never sees plaintext. If you want it even stricter (e.g., for high-risk clients): on-prem options are available too. Cloud with BYOK is the standard.
- Which LLMs are BRAO-capable? With local processing or a gateway with DLP filter: many. The default is no-send for client data without explicit approval. Business agents can run on local models — even offline. That's the safest path.
- Can we drop Microsoft — is another cloud suite better? Rarely worth the effort. M365 is standard for law firms, and with BYOK + information barriers it's robustly hardened. Alternatives (Nextcloud, OpenStack) require more operational effort and have fewer features. We harden M365 instead — that's more effective.
- When does the engagement pay off? At 10+ attorneys/tax advisors. Solo firms (1–3 people) can take simpler solutions. Large firms (50+) need full automation — the benefit is immediately clear. 10–50: sweet spot.
How do we make your firm IT BRAO-compliant?
The industry briefing analyzes your M365 configuration (if present), shows client-data protection gaps and sketches a BYOK + information-barriers plan — with realistic timelines and without production disruption.