The legal case for self-hosted legal AI, and the security architecture that makes it possible.
In February 2026, federal courts began defining the boundaries of attorney-client privilege and work product protection when AI tools are involved. The emerging consensus: using consumer cloud AI for legal work creates serious, potentially irreversible privilege risks.
When a client uses AI independently, privilege fails. When counsel directs AI use, the analysis changes. Judge Rakoff acknowledged that counsel-directed use of AI “might arguably function as a lawyer’s agent.”
Heppner emphasized Anthropic’s consumer Terms of Service. An on-premises AI tool with no ToS and no third-party data transmission removes the court’s central objection.
Warner and Morgan held that work product has a higher waiver bar. A self-hosted tool that discloses to no one provides the strongest possible position.
If a firm deploys AI as practice infrastructure at counsel’s direction, the tool may qualify as an agent under Kovel. This argument is far stronger on firm-owned hardware.
Every major firm analysis since February 2026 recommends enterprise or self-hosted AI with robust confidentiality protections. CounselVault satisfies every criterion identified.
| Risk Factor | Cloud AI | CounselVault |
|---|---|---|
| Data to third party | ✕ Yes, to API provider | ✓ No, runs locally |
| Provider ToS | ✕ Permits collection, training, disclosure | ✓ No provider. Apache 2.0, no data provisions |
| Confidentiality expectation | ? Depends on enterprise BAA | ✓ Firm-owned hardware, firm-controlled network |
| Privilege waiver | ✕ Potential waiver per Heppner | ✓ No disclosure occurs |
| Work product | ? Likely protected but untested | ✓ Strongest position: no disclosure |
| Attorney direction | ? Depends on firm policy | ✓ Firm deploys as practice infrastructure |
| Kovel agent argument | ✕ Weak: third-party controlled | ✓ Strong: firm-owned, analogous to in-house agent |
| Audit trail | ? Provider-controlled | ✓ Full local logs under firm control |
“This firm utilizes a self-hosted artificial intelligence tool, operating entirely on firm-owned hardware within the firm’s physical premises. No client data, prompts, or AI-generated outputs are transmitted to any third-party service or cloud provider. The firm’s use of this tool is directed by counsel as part of the provision of legal services.”
Every design decision prioritizes one principle: no data leaves the building.
Data flow: Browser on firm network → Local network only → Mac Mini in your office → On-device GPU → Returns to attorney → Generated locally
Only outbound: MDM check-ins (metadata, no user data) and firmware updates (manually approved).
FileVault 2 (AES-256-XTS) enabled at provisioning. Full disk encrypted before shipping. Recovery keys escrowed to MDM.
HTTPS with TLS 1.3 and locally-issued certificate. Traffic never traverses the public internet.
Built-in auth with LDAP/Active Directory. SSO via SAML 2.0 or OAuth 2.0. Multi-factor authentication supported.
Admin, Attorney, Paralegal, Read-Only roles. Per-knowledge-base permissions for practice group isolation.
macOS firewall blocks all inbound except HTTPS on port 3000. Outbound restricted to MDM and updates only.
The LLM runs entirely on-device via Metal GPU. No API calls during inference. Can operate fully air-gapped.
Every prompt, response, upload, and modification logged with timestamps and user IDs. Exportable JSON for compliance.
MDM can remotely erase or lock the device. FileVault keys destroyed, rendering all data unrecoverable.
Connects to existing DMS via SMB 3.x or NFS v4. Read-only mounts by default. Supports PDF (with OCR), DOCX, DOC, TXT, RTF, HTML, CSV, Markdown. Documents are never modified — only vector embeddings are created locally.
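One way a firm's IT team could check the network claims above (inbound limited to HTTPS on port 3000, outbound limited to MDM and updates) against recorded flows. This is an added example, not CounselVault code; the LAN range, appliance address, endpoint addresses, the DMS entry and the `src dst dport proto` record format are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed values, not from the page: LAN range, appliance address, endpoints.
FIRM_LAN = ipaddress.ip_network("10.20.0.0/16")
APPLIANCE = ipaddress.ip_address("10.20.5.10")
HTTPS_PORT = 3000  # the one inbound port the page permits
EGRESS_ALLOWLIST = {
    ("203.0.113.10", 443),  # hypothetical MDM check-in endpoint
    ("203.0.113.20", 443),  # hypothetical update server
    ("10.20.1.5", 445),     # hypothetical DMS file server on the LAN (SMB mount)
}

def check_flow(src, dst, dport, proto="tcp"):
    """Return None if the flow matches the stated policy, else a reason."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip == APPLIANCE:  # inbound to the appliance
        if proto != "tcp" or dport != HTTPS_PORT:
            return f"inbound {dport}/{proto} is not {HTTPS_PORT}/tcp"
        if src_ip not in FIRM_LAN:
            return f"inbound HTTPS from {src_ip}, outside the firm network"
    elif src_ip == APPLIANCE:  # outbound from the appliance
        if (str(dst_ip), dport) not in EGRESS_ALLOWLIST:
            return f"outbound to {dst_ip}:{dport} is not allowlisted"
    return None  # compliant, or the flow does not involve the appliance

def audit(flow_lines):
    """Check 'src dst dport proto' records; return (record, reason) pairs."""
    violations = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            src, dst, dport, proto = line.split()
            reason = check_flow(src, dst, int(dport), proto)
        except ValueError:
            reason = "unparseable record"  # fail closed on malformed input
        if reason:
            violations.append((line, reason))
    return violations

# Constructed sample records, not captured traffic.
SAMPLE = [
    "10.20.7.33 10.20.5.10 3000 tcp",    # attorney browser to appliance
    "10.20.7.33 10.20.5.10 22 tcp",      # inbound on a closed port
    "198.51.100.9 10.20.5.10 3000 tcp",  # HTTPS from outside the LAN
    "10.20.5.10 203.0.113.10 443 tcp",   # MDM check-in
    "10.20.5.10 198.51.100.77 443 tcp",  # egress to an unknown host
    "10.20.5.10 10.20.1.5 445 tcp",      # read-only DMS mount
]
```

Running `audit(SAMPLE)` reports the three non-compliant records; the DMS entry is in the allowlist because an SMB or NFS mount is itself an outbound connection from the appliance, even though it stays on the local network.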
This is not primarily a technology decision. It is a privilege and liability decision.
| Factor | Cloud AI | CounselVault |
|---|---|---|
| Where prompts go | Transmitted to provider servers. Subject to retention policies. | Processed on Mac Mini in your office. Never leaves local network. |
| Who can access | Provider employees, automated systems, potentially government. | Only authenticated firm users. Full audit trail. No external access path. |
| Terms of Service | Consumer: broad data rights. Enterprise: narrower, but still third-party transmission. | No ToS. Open-source Apache 2.0. Firm owns the hardware. No AI provider relationship. |
| Attorney-client privilege | Heppner: consumer not privileged. Enterprise BAA untested under Kovel. | No third-party disclosure. Deployed at counsel’s direction. Strongest privilege position. |
| Work product | Warner/Morgan suggest survival, but Heppner’s waiver creates uncertainty. | No disclosure to anyone. Work product argument is unassailable. |
| Model training | Consumer: your data may train the model. Enterprise: typically opt-out. | Never used for training. Model weights are static. No phone-home mechanism. |
| Cost structure | Per-user/month SaaS. AI features are premium add-ons. Multi-year contracts. | One-time hardware ($2,999–$7,999) + modest monthly management. Unlimited use. |
Every major law firm analysis published since Heppner recommends the same thing: enterprise or self-hosted AI with robust confidentiality protections, attorney direction, and no consumer platforms for privileged work. CounselVault is the only productized appliance that satisfies all of these recommendations out of the box.