Lawyers have an ethical duty of confidentiality that predates the internet by several centuries. Adopting AI doesn't loosen that duty — it raises the bar for how seriously a firm has to take its data infrastructure.

When we evaluate any tool, the first question isn't "is it useful?" — it's "where does the data go?" If a vendor can't give a clear, contractual answer, the conversation is over.

The Default Question

We require zero-retention agreements, region-locked processing, and the ability to revoke access at the matter level. Anything less is incompatible with privilege.

Isolation by Matter

Each matter at BauHaus runs in an isolated context. Documents, prompts, and intermediate outputs are scoped to a single engagement and cannot cross-contaminate other clients' work.

This is more restrictive than a typical law firm document management system, which often exposes the entire firm's work product to anyone with a login. Isolation is a feature we built deliberately, even though it's invisible to most clients.

Audit and Provenance

Every action our system takes against client data is logged, hashed, and retained for the life of the matter plus seven years. If a client ever asks who saw which document, when, and why, we can answer in under a minute.

Provenance also matters for the work itself. When AI is used in drafting, the relevant prompts and source material are stored alongside the final output, so the basis of the work is reconstructible.

What This Means for You

If you're a client evaluating an AI-powered firm, ask the questions you'd ask of a cybersecurity vendor: where is data processed, who can access it, how long is it retained, and what happens at the end of the engagement?

If the firm can't answer in writing, you're hearing marketing — not security.