Law firms handle some of the most sensitive data in any industry. Privileged communications. Unfiled litigation strategy. Pre-announcement merger terms. Whistleblower identities. Witness statements in active criminal matters. Internal investigations that, if disclosed, would end careers and break companies.
For the vast majority of that work, a well-designed SaaS platform is the right answer. Strong encryption, tenant isolation, UK-region hosting, a proper contract, and an auditable processing trail solve the problem convincingly. That is how the default deployment of LegalAI Space operates today, and it is how most mid-market firms will run the product. Monthly subscription, no infrastructure to manage, fast to deploy.
But not every firm — and not every matter — fits inside a SaaS contract. Some risk committees will not approve any third-party AI cloud for live matter data, full stop. Some client engagement letters now contain clauses that explicitly rule it out. Some firms already operate a mature Azure or AWS estate with a strict "no external processors" posture they are unwilling to break for an AI vendor.
For those firms, we now offer a self-hosted deployment of LegalAI Space alongside our SaaS product.
Two deployment modes, one product
Choose the deployment that fits your firm
Monthly subscription. UK-region hosting. Per-firm tenancy. Encryption in transit and at rest. Audit logs queryable by the firm. This is how most customers run, and how most firms should start.
Annual licence. The full platform deploys inside the firm's own cloud tenancy or data centre. Matter data stays behind the firm's network boundary. Supported end to end by our team.
The product is identical on both sides. Same agents, same governance engine, same verification layer, same audit database. The difference is where the software runs and who holds the encryption keys.
When self-hosted is the right call
Self-hosted is not the right answer for every firm. It adds operational overhead, requires an IT function comfortable with running enterprise software, and costs more to deploy. It earns its place when one or more of the following conditions apply:
- The risk committee will not approve any third-party AI cloud for live matter data
- A client engagement letter requires that data never leaves the firm's infrastructure
- The firm already operates a tightly controlled Azure, AWS, or GCP tenancy with mature SecOps
- The firm has an established in-house IT function capable of deploying and maintaining enterprise software
- The firm handles regulated-sector work (financial services, defence, healthcare, whistleblowing) where a third-party processor triggers additional disclosures or contractual breaches
- The firm wants to launch a named internal AI programme as a client-facing differentiator
If none of those apply, SaaS is almost always the better choice — and we will say so directly before quoting self-hosted.
The architecture: what IT teams need to know
Self-hosted LegalAI Space is a set of containerised services that deploy inside the customer's own infrastructure. In practice, that typically means a dedicated Azure subscription, an isolated AWS account, or a private Kubernetes cluster inside the firm's data centre. The firm owns the compute, the storage, the network, and the encryption keys. Matter data, prompts, and audit logs are written to databases inside that boundary and remain there.
Six components, all inside the firm's environment
Research Agent, Contract Agent, Compliance Monitor, and Audit & Risk. Each runs as a containerised service and can be scaled independently.
Language models served from a firm-owned GPU pool, or routed through a private-link connection to a dedicated model endpoint with no public-internet path. Inference is never shared across tenants.
Our proprietary policy layer that determines what each agent may see, what it may do, and what it must log. Maps every action back to SRA principles and the firm's own acceptable-use policy.
Every citation, clause reference, and agent-produced claim is checked against source material before reaching the lawyer. Unverified claims are stopped before they become part of a live matter.
A tamper-evident audit store of every prompt, response, document touched, and decision made. Queryable on demand for regulators, clients, insurers, and internal risk reviews.
Single sign-on through Azure AD or Okta. Document access through iManage, NetDocuments, or SharePoint. Data classification alignment with Microsoft Purview. Secrets in the firm's own vault.
Everything ships as signed container images through a secure release channel. The firm's IT team applies them the way any enterprise software update is applied: staging first, production second, rollback path in place.
Connected or air-gapped
Self-hosted supports two network postures, chosen by the firm's SecOps team:
| Mode | How it works | |---|---| | Connected | Deployment runs inside the firm's tenancy with outbound-only access to our release channel for signed updates and opt-in metadata telemetry. No matter data flows outward. This is how most self-hosted customers run. | | Air-gapped | No outbound connection of any kind. Updates arrive as signed offline bundles, applied on a schedule the firm controls. Support handled through an encrypted ticketing channel with no live system access. |
The product behaves identically in both modes. The difference is purely network.
What the firm keeps. What we do.
The firm holds every meaningful asset: the data, the encryption keys, the audit logs, the user accounts, the backups, the governance database, the network boundary. Nothing of substance sits with us.
Our responsibilities are software delivery and support. We ship signed, versioned releases on a published cadence. We provide runbooks, monitoring templates, and a named contact on call. In normal operation, we do not see matter data, user activity, or document content at any point.
White-label and practice-niche customisation
Self-hosted deployments are white-labelled by default. The login screen, agent responses, and audit reports can all carry the firm's brand rather than ours. For firms launching a named internal AI programme, the engine is LegalAI Space; the name on every screen belongs to the firm.
For practice niches that mainstream tools have not addressed — specialist regulatory work, unusual jurisdictions, boutique commercial structures — we offer bespoke agent development inside the same deployment, governed by the same verification and audit layer.
Why self-hosted matters
Privacy by architecture. The network boundary is the guarantee, not a contract clause. Processing happens inside the firm's perimeter because there is no path out of it.
Regulatory clarity. SRA principles, EU AI Act obligations, UK GDPR, and client engagement-letter disclosures become easier to answer when the full processing chain is inside a single, firm-owned boundary.
Partner acceptance. Partners who will not sign off on a third-party AI cloud will sign off on software that runs inside the firm's infrastructure. The internal political case becomes winnable.
Vendor independence. If our company disappeared tomorrow, a self-hosted deployment keeps operating. Software, data, audit trail, and governance database remain in the firm's hands. Continuity is a property of the architecture, not a promise in a contract.
Where this sits in the wider market
Self-hosting is not a common posture in legal AI. Across the landscape of legal AI vendors, the majority are either explicitly cloud-only or silent on the question. A handful of vendors in the contract and document infrastructure space offer self-hosted options, but these tend to serve large enterprise or in-house legal teams rather than UK mid-market firms.
Among the UK-first, SRA-focused vendors — and the platforms a UK mid-market firm is most likely to compare against — none currently publishes a self-hosted deployment option. LegalAI Space is among the first to offer a self-hosted deployment built specifically for UK mid-market firms operating within the SRA framework.
A note from us
LegalAI Space runs as SaaS for most customers and that remains our primary deployment. Self-hosted exists because we kept meeting compliance officers, COLPs, and IT directors who could not approve any SaaS AI tool for legitimate reasons. Rather than walk away from those firms, we built the deployment they needed.
Interested in self-hosted?
If you lead compliance, risk, or technology at a UK mid-market firm and a self-hosted deployment matches how your firm thinks about data, we would welcome a conversation. Reach out at daman@legalaispace.com or join the waitlist.