Law firms are bound by professional conduct rules when selecting third-party software. Using a SaaS platform for client data processing without adequate due diligence is a professional conduct risk. This post provides a due diligence framework and addresses the data continuity question that most firms ignore: what happens to your clients' data if the vendor goes out of business?
Key Analysis
Law firm professional conduct obligations extend to third-party software vendors: if a vendor that the firm onboarded without adequate due diligence causes a data breach, the firm itself faces professional liability.
GDPR Article 28 requires a written Data Processing Agreement with any processor — this applies to legal SaaS vendors.
Vendor insolvency is a real risk in the SaaS market — law firms need a documented data exit plan for every vendor they use for client data.
Risk Signals
No written Data Processing Agreement with the legal SaaS vendor.
No assessment of the vendor's security certifications (ISO 27001, SOC 2) before contract signature.
No documented plan for retrieving client data if the vendor shuts down or is acquired.
Action Items
Require ISO 27001 certification or a SOC 2 Type II report from any vendor processing client data.
Insist on a written DPA that includes sub-processor disclosure, audit rights, and breach notification timelines.
Negotiate a data escrow clause in the service agreement: if the vendor shuts down, client data must be returned in a portable format within 30 days.