Running Ollama, Whisper, and Kokoro on premises means conversation data never leaves your infrastructure. For a legal practice handling privileged communications, this is a meaningful data protection advantage. But self-hosting is not a compliance certificate.
Key Analysis
Local inference eliminates the cloud LLM provider from your data processing chain — but it does not eliminate GDPR obligations or professional conduct requirements.
A Raspberry Pi running Ollama is a data processor: it must be secured, audited, and included in your Records of Processing Activities (Article 30).
ISO 27001 and SOC 2 certifications are not available for a self-hosted Raspberry Pi — law firms must rely on their own documented security controls instead.
Risk Signals
Treating local inference as a privacy guarantee without implementing encryption at rest and access logging.
No documentation of the self-hosted AI stack in the law firm's data processing records.
No incident response plan for when the self-hosted AI server is compromised, stolen, or fails.
Action Items
Document the self-hosted AI stack as a data processing system in your GDPR Article 30 records.
Encrypt all data at rest on the AI server (OS-level encryption).
Implement access logging for all AI service calls and review logs monthly.
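One way to carry out the monthly review of AI service access logs, as an added example that is not part of the original page. It assumes a reverse proxy in front of the services writing nginx combined-format logs, hypothetical /ollama/, /whisper/ and /kokoro/ path prefixes, and an address allow-list plus a working-hours window as the review criteria; the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed log format: nginx "combined" lines from a reverse proxy in front of the AI services.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumed (hypothetical) proxy path prefixes, one per self-hosted service.
SERVICES = {"/ollama/": "ollama", "/whisper/": "whisper", "/kokoro/": "kokoro"}

def review(lines, allowed_ips, work_hours=(7, 20)):
    """Summarise AI service calls and list entries a reviewer should look at."""
    calls, findings = Counter(), []
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            findings.append((n, "unparseable line"))  # never drop log lines silently
            continue
        service = next((s for p, s in SERVICES.items() if m["path"].startswith(p)), None)
        if service is None:
            continue  # not an AI service call
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        calls[(m["user"], service)] += 1
        if m["ip"] not in allowed_ips:
            findings.append((n, f"{service} call from unlisted address {m['ip']}"))
        if m["status"] in ("401", "403"):
            findings.append((n, f"rejected {service} call by {m['user']}"))
        if not work_hours[0] <= ts.hour < work_hours[1]:
            findings.append((n, f"{service} call outside working hours at {ts:%H:%M}"))
    return calls, findings

# Constructed sample lines, not taken from a real system.
SAMPLE = [
    '10.0.0.21 - alice [03/Mar/2025:09:14:02 +0100] "POST /ollama/api/chat HTTP/1.1" 200 512 "-" "curl/8.5"',
    '10.0.0.21 - alice [03/Mar/2025:09:15:40 +0100] "POST /whisper/transcribe HTTP/1.1" 200 2048 "-" "curl/8.5"',
    '10.0.0.77 - - [04/Mar/2025:02:31:09 +0100] "POST /ollama/api/generate HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '10.0.0.22 - bob [04/Mar/2025:11:02:55 +0100] "GET /health HTTP/1.1" 200 2 "-" "curl/8.5"',
    'truncated entry',
]

if __name__ == "__main__":
    calls, findings = review(SAMPLE, allowed_ips={"10.0.0.21", "10.0.0.22"})
    for key, count in sorted(calls.items()):
        print(key, count)
    for n, text in findings:
        print(f"line {n}: {text}")
```

Keeping the per-user call counts and the findings list with each month's review gives the firm a dated record that the review took place.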