Cardinal AI Systems
Legal AI Procurement Governance Framework

A structured decision framework for evaluating, procuring, and onboarding AI tools — covering vendor due diligence, EU AI Act compliance, DPA review, SRA alignment, and ongoing monitoring.

Section 1 · Vendor Due Diligence Questionnaire

30-Question Vendor Assessment

Complete for every AI tool before approval. Score each question: Yes = 1, No = 0, Partial = 0.5. Score below 20 = Conditional. Score below 15 = Reject.

A — Data Protection & Privacy

Does the vendor have a Data Processing Agreement available? [Mandatory]
A DPA is a legal requirement under UK GDPR Article 28 before any personal data can be processed. No DPA = automatic disqualification.
Ref: UK GDPR Art 28

Does the DPA explicitly prohibit using your data to train AI models? [Mandatory]
Consumer/free-tier AI tools typically reserve the right to use submitted data for training. Enterprise agreements should include an explicit prohibition.
Ref: UK GDPR Art 28(3)(b)

Is data processing limited to the EEA/UK or countries with adequacy decisions? [Mandatory]
Data transfers outside the UK/EEA require an adequacy decision or appropriate safeguards. Many AI vendors process data in the US; confirm that SCCs or the UK IDTA are in place.
Ref: UK GDPR Chapter V

Does the vendor have a documented data retention and deletion policy? [Mandatory]
Confirm the maximum retention period for submitted data and the process for deletion on request and at contract termination.
Ref: UK GDPR Art 5(1)(e)

Has the vendor provided its Privacy Notice and sub-processor list? [Recommended]
Sub-processors should be identified and assessed. Changes to sub-processors should trigger notification and review rights.
Ref: UK GDPR Art 28(2)

Does the vendor have ISO 27001 certification or equivalent? [Recommended]
ISO 27001 provides assurance of information security management controls. SOC 2 Type II is an acceptable alternative.
Ref: UK GDPR Art 32
B — EU AI Act Compliance

Has the vendor provided EU AI Act technical documentation (Article 11)? [Mandatory]
For high-risk AI systems, providers must maintain technical documentation. Request and review it before deployment.
Ref: EU AI Act Art 11

Has the vendor provided a Declaration of Conformity (Article 47) if applicable? [Recommended]
For high-risk AI systems, providers must issue a Declaration of Conformity. Request this document before procurement.
Ref: EU AI Act Art 47

Has the vendor conducted an EU AI Act risk classification of its system? [Mandatory]
Request the vendor's risk classification assessment. If the system is classified as high-risk, additional obligations apply to the firm as deployer.
Ref: EU AI Act Art 6 + Annex III

Does the vendor provide transparency information required under Article 50? [Mandatory]
AI systems interacting with humans must disclose their AI nature. Systems generating synthetic content must label their outputs. Confirm vendor compliance.
Ref: EU AI Act Art 50

Is the vendor registered in the EU AI Act database if required? [Recommended]
High-risk AI system providers must register in the EU database. Verify registration for applicable systems.
Ref: EU AI Act Art 71
C — Security & Operational

Does the vendor have a documented security incident response procedure? [Mandatory]
Confirm the notification timeline for security incidents affecting your data; the firm must be able to meet the 72-hour GDPR reporting deadline.
Ref: UK GDPR Art 33

Does the vendor provide audit logs of data access and processing? [Recommended]
Audit logs enable you to demonstrate compliance and investigate incidents. Essential for firms subject to regulatory inspection.
Ref: EU AI Act Art 12

What is the vendor's uptime SLA and business continuity provision? [Recommended]
Confirm the minimum uptime guarantee, planned maintenance windows, and business continuity arrangements in the event of vendor failure.
Ref: Operational Risk

Does the vendor have Cyber Essentials or Cyber Essentials Plus certification? [Recommended]
Cyber Essentials certification provides assurance of basic cybersecurity controls. Required by UK government contracts and increasingly expected by law firm procurement teams.
Ref: NCSC Guidance
D — SRA Alignment

Does the vendor's tool support human oversight of AI outputs? [Mandatory]
The SRA requires supervising solicitors to review AI outputs. The tool must enable — not circumvent — human review of AI-generated work product.
Ref: SRA Code for Solicitors Para 3.5

Does the vendor provide training and documentation on tool limitations? [Mandatory]
EU AI Act Article 4 requires adequate AI literacy. The vendor must provide documentation on hallucination rates, known limitations, and recommended use cases.
Ref: EU AI Act Art 4 · SRA Code for Solicitors Para 3.2

Does the vendor have a legal sector-specific deployment guide? [Recommended]
Vendors with legal sector deployment guides demonstrate understanding of the professional obligations and confidentiality requirements specific to law firms.
Ref: Law Society AI Notes

Has the tool been reviewed for accuracy in legal research contexts? [Recommended]
Request case studies, accuracy benchmarks, or independent assessments of tool performance in legal research and drafting contexts.
Ref: SRA Code for Solicitors Para 3.2
E — Commercial & Contractual

Does the contract include IP ownership clarity for firm-generated outputs? [Mandatory]
Confirm that AI-generated outputs based on firm submissions are owned by the firm, not the vendor. Some vendors claim ownership of outputs generated using their tools.
Ref: IP / Contract

Is the contract governed by English law with UK jurisdiction? [Recommended]
SRA-regulated firms should seek English law and UK jurisdiction clauses where possible to ensure regulatory obligations can be enforced.
Ref: SRA Governance

Are liability caps in the contract adequate for potential harm to the firm? [Recommended]
Many AI vendor contracts cap liability at the annual subscription value. This is inadequate for firms where AI failures could trigger significant professional indemnity (PI) claims or regulatory fines.
Ref: Commercial Risk

Does the contract include a right to audit the vendor's data processing? [Recommended]
UK GDPR Article 28(3)(h) requires processor contracts to allow audits. Confirm this right is operable in practice — not just present in the contract.
Ref: UK GDPR Art 28(3)(h)

Is the vendor financially stable with an established customer base? [Recommended]
The AI vendor landscape is volatile. Assess financial stability, funding status, and customer base before becoming dependent on the vendor's infrastructure.
Ref: Operational Risk

Is there a clear exit clause and data portability/deletion on termination? [Mandatory]
On contract termination, all firm data must be returned or deleted. Confirm the timeline, format, and deletion certification process.
Ref: UK GDPR Art 28(3)(g)

Does the vendor offer dedicated enterprise support and an SLA? [Recommended]
Consumer-tier tools often lack enterprise support. Confirm response times, escalation paths, and dedicated account management for legal sector deployments.
Ref: Operational Risk

Has the vendor demonstrated law firm reference customers? [Recommended]
Reference customers in regulated legal environments provide assurance of the vendor's understanding of professional obligations and deployment requirements.
Ref: Due Diligence
Section 2 · AI Tool Register

Approved / Conditional / Rejected Tool Register

Maintain this register as the single source of truth for all AI tools at the firm. Update monthly. All fee earners must check this register before using any AI tool on client work.

Register fields: Tool · Version · Use Cases · DPA Status · EU AI Act Class · Decision · Conditions · Review Date

Tool: Microsoft Copilot (M365)
Version: Enterprise
Use Cases: Drafting, summarisation, research
DPA Status: ✓ M365 DPA
EU AI Act Class: TBC — assessment required
Decision: Conditional
Conditions: Complete DPIA. Verify no training on client data. Review M365 data residency settings.
Review Date: Quarterly

Tool: Harvey AI
Version: Enterprise
Use Cases: Legal research, drafting
DPA Status: ⚠ DPA not executed
EU AI Act Class: TBC — legal AI, assess Annex III
Decision: Suspended
Conditions: Execute DPA before reinstatement. Obtain EU AI Act technical documentation. Complete DPIA.
Review Date: On DPA execution

Tool: Luminance
Version: Enterprise
Use Cases: Contract review, due diligence
DPA Status: ✓ DPA executed
EU AI Act Class: TBC — likely limited high-risk
Decision: Conditional
Conditions: Complete EU AI Act risk classification. Human review mandatory on all outputs.
Review Date: Quarterly

Tool: ChatGPT (Personal)
Version: Any
Use Cases: Any client matter use
DPA Status: ✗ No DPA — consumer terms
EU AI Act Class: General purpose — no legal classification
Decision: Rejected
Conditions: Not approved for any client matter use. Personal accounts must not be used for client work under any circumstances.
Review Date: Permanent

Tool: Otter.ai (or similar transcription)
Version: Any
Use Cases: Meeting transcription
DPA Status: ⚠ DPA not executed
EU AI Act Class: Limited risk — but captures privileged content
Decision: Suspended
Conditions: High confidentiality risk. Must not be used for client meetings until DPA executed and privilege protection confirmed. Seek alternative with explicit legal sector DPA.
Review Date: On DPA execution

Tool: [New Tool]
DPA Status: Pending assessment
EU AI Act Class: Pending classification
Decision: Pending
Conditions: Complete vendor due diligence questionnaire before deployment.