For UK firms with on-premise or private-cloud requirements

Legal AI that deploys inside your firm's tenant. Not ours.

LegalAI Space Self-Hosted runs in your Azure, AWS, or on-premise Kubernetes environment, uses your own model keys (Azure OpenAI, Anthropic, Mistral), and emits a cryptographically tamper-evident audit trail into a database your security team controls.

  • Runs entirely inside your tenant
  • BYOK for every LLM provider
  • Air-gap-capable on Professional tier
  • UK DPA & Supplier SAQ pre-delivered
3 spots · 90-day pilot · 25% off Year 1

Book your security & architecture call

30 minutes. Technical, not sales. We'll send the SAQ, DPA, and reference architecture before the call so your team can come ready.

30 minutes · Technical, not sales · SAQ & DPA attached to the confirmation email

Deploys against Microsoft Azure, AWS, and any Kubernetes cluster. BYOK for OpenAI, Anthropic, Mistral, or a local endpoint.

Microsoft Azure
OpenAI
Anthropic
Google Cloud
Amazon Web Services
Mistral
Meta
NVIDIA
Why self-host

Three reasons UK firms pick self-hosted over cloud AI.

Data never crosses your boundary.

Matter content, prompts, model responses, and audit evidence are written to a Postgres instance inside your tenant. No copy, no telemetry, no shadow store on a vendor platform. Your DPO can point at the database.

Your model contracts, not ours.

Bring your own Azure OpenAI resource, Anthropic enterprise agreement, or Mistral deployment. Your commercial terms with the model provider stay yours. We're infrastructure, not a middleman.

Procurement works the way your firm already works.

Annual flat-fee licence. Unlimited seats. No per-user billing surprises. Our DPA, SLA, and supplier SAQ are written for SRA-regulated firms and are available before the first call.

Reference architecture

What gets deployed inside your tenant.

Every arrow that carries matter content stays inside zones 1 and 2. The only traffic that crosses the boundary is an outbound daily licence heartbeat — no prompt content, no user identifiers, no matter data, no usage telemetry.

1

Identity perimeter

Your identity provider

Microsoft Entra · Okta · Google Workspace

SSO + SCIM provisioning

User and group sync into the platform

2

Your cloud or on-prem tenant

App tier

Next.js 16 containers (Docker)

Worker tier

pg-boss job workers (Docker)

Postgres 16+

Azure DB · AWS RDS · your cluster

Object storage

Azure Blob · S3 · MinIO

Governance layer

Signed audit chain · evidence tables

Your boundary · all data stays here

3

Your model providers (BYOK)

Azure OpenAI

Your resource · your keys

Anthropic

Your enterprise agreement

Mistral / local endpoint

vLLM · Ollama · any OpenAI-compatible

Out of scope

LegalAI Space HQ

Daily licence heartbeat · cryptographically signed · no payload data
No prompt · no user · no matter data
What's in the installation

A short, deliberate stack. Your engineers will recognise it.

Application layer

  • Next.js 16 application server (Node 20+)
  • tRPC API layer
  • React 19 frontend
  • Better Auth — plugs into your SSO

Data & queue

  • PostgreSQL 16+ (managed or self-operated)
  • Drizzle ORM migrations (versioned, reversible)
  • pg-boss queue (runs in the same Postgres — no extra broker)

AI & storage

  • AI SDK (provider-agnostic, BYOK)
  • Azure Blob · S3 · MinIO — your bucket, your lifecycle
  • Local endpoint support: vLLM · Ollama · any OpenAI-compatible

Governance — this is the part that matters

  • Append-only audit_event table with SHA-256 row-hash chain
  • HMAC signatures, rotatable via GOVERNANCE_SIGNING_KEY_ID
  • Postgres row-level triggers block UPDATE and DELETE
  • Daily integrity re-walk job
  • Typed evidence tables: verification_check, verification_result, policy_evaluation, compliance_certificate

Docker-deployed. Horizontal scaling on app and worker tiers. Runs on a single VM for 1–50 fee-earners, or orchestrated on AKS/EKS for larger firms. Full deployment runbook and Terraform modules are shipped with every tier.

Pricing — upfront

Three plans. Flat annual. Unlimited seats on every tier.

Essentials

Single-site, <50 FE

£15,000
£11,250 / year

Founding Firm · Year 1 · unlimited seats

90-day pilot at zero licence fee

Most popular

Professional

Multi-site, air-gap option

£40,000
£30,000 / year

Founding Firm · Year 1 · unlimited seats

90-day pilot at zero licence fee

Enterprise

Top-100, multi-jurisdiction

from £90,000
Custom / year

Founding Firm · Year 1 · unlimited seats

90-day pilot at zero licence fee

| What's included | Essentials | Professional | Enterprise |
| --- | --- | --- | --- |
| Seats | Unlimited | Unlimited | Unlimited |
| Credits included | 600k / year | 2.4M / year | Typically unlimited |
| Agents | All 9 (as they ship) | All 9 | All 9 + custom |
| Model providers | BYOK — any supported | BYOK — any supported | BYOK + private endpoints + custom models |
| Deployment target | Your cloud tenant | Cloud or air-gapped | Cloud, air-gapped, or dedicated |
| Governance pipeline | Full Verify/Comply/Prove | Full + custom policies | Full + custom rule engine |
| Integrations | iManage · NetDocuments · SharePoint | + Westlaw · LexisNexis · practice management | + SI-led · any MCP connector |
| Support | Business hours UK | 24×5 · 4h SLA | 24×7 · 1h SLA · named engineer |

Source escrow: On request
Dedicated onboarding engineer: 1 week · 4 weeks

All tiers include the DPA, supplier SAQ, SLA, vulnerability disclosure policy, and deployment runbook. Procurement-ready from the first call.

Security & sovereignty

The answers your security team asks for on call two.

Published here to save everyone a month.

Data residency

Every byte of matter content, prompts, model responses, and audit evidence is stored in the Postgres instance and object store you control. You pick the region. We never copy it out.

Model-provider keys

You bring your own Azure OpenAI resource, Anthropic enterprise key, or Mistral deployment. Your commercial relationship with the model provider is direct.

Identity & access

SSO via Microsoft Entra, Okta, or Google Workspace. SCIM 2.0 provisioning. RBAC down to agent, skill, and dataset scope. Ethical walls enforced at query time.

Encryption

TLS 1.3 in transit. AES-256 at rest with your managed keys on Azure Key Vault / AWS KMS. Secrets via envelope encryption — never in application memory beyond a single request.

Audit & integrity

Append-only audit log with SHA-256 hash chaining and HMAC signatures. Row-level Postgres triggers block UPDATE and DELETE. Daily chain re-walk with anomaly alerts. Exportable signed evidence ZIP.
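
The SHA-256 row-hash chain, rotatable HMAC signatures and daily re-walk listed under Governance and described above can be sketched as follows. This is an added illustration, not LegalAI Space's code; the field names, the JSON canonicalisation, the key ids and the sample events are assumptions constructed for the example.

```javascript
const crypto = require('node:crypto');
// Constructed keyring (key id -> HMAC secret); real secrets belong in a KMS.
const KEYS = { 'key-2025': 'constructed-secret-a', 'key-2026': 'constructed-secret-b' };
const GENESIS = '0'.repeat(64);

// Row hash covers the previous row's hash, so rows cannot be edited or reordered silently.
function rowHash(prevHash, seq, actor, action, payload) {
  const canonical = JSON.stringify([prevHash, seq, actor, action, payload]);
  return crypto.createHash('sha256').update(canonical).digest('hex');
}

const sign = (keyId, hash) =>
  crypto.createHmac('sha256', KEYS[keyId]).update(hash).digest('hex');

// Append a row linked to the chain head and signed under the given key id.
function appendEvent(chain, keyId, actor, action, payload) {
  const prev_hash = chain.length ? chain[chain.length - 1].row_hash : GENESIS;
  const seq = chain.length + 1;
  const row_hash = rowHash(prev_hash, seq, actor, action, payload);
  chain.push({ seq, actor, action, payload, prev_hash, row_hash,
               key_id: keyId, sig: sign(keyId, row_hash) });
  return chain;
}

// Re-walk the chain; return null if intact, else the first failing row and why.
function verifyChain(chain) {
  let prev = GENESIS;
  for (const [i, r] of chain.entries()) {
    if (r.seq !== i + 1) return { seq: r.seq, reason: 'sequence gap' };
    if (r.prev_hash !== prev) return { seq: r.seq, reason: 'broken link' };
    if (rowHash(prev, r.seq, r.actor, r.action, r.payload) !== r.row_hash)
      return { seq: r.seq, reason: 'row hash mismatch' };
    if (!Object.hasOwn(KEYS, r.key_id)) return { seq: r.seq, reason: 'unknown key id' };
    const want = Buffer.from(sign(r.key_id, r.row_hash), 'hex');
    const got = Buffer.from(String(r.sig), 'hex');
    if (got.length !== want.length || !crypto.timingSafeEqual(got, want))
      return { seq: r.seq, reason: 'bad signature' };
    prev = r.row_hash;
  }
  return null;
}

// Constructed sample: three events, with a key rotation before the third.
function sampleChain() {
  const chain = [];
  appendEvent(chain, 'key-2025', 'user:alice', 'prompt.submitted', { matter: 'M-001' });
  appendEvent(chain, 'key-2025', 'agent:review', 'verification.passed', { matter: 'M-001' });
  return appendEvent(chain, 'key-2026', 'user:alice', 'export.created', { matter: 'M-001' });
}
```

The HMAC is what catches a writer who edits a row and then recomputes every downstream hash. A re-walk like this cannot see rows removed from the tail, which requires the latest hash to be recorded somewhere the database writer cannot reach.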

Compliance posture

GDPR by design. SRA Code of Conduct rule mapping built in (2.1, 2.2, 2.5, 4.2, 4.3, 6.3–6.5). EU AI Act Article 50 from Aug 2026; Article 26 from Dec 2027. Cyber Essentials targeted H2 2026.

The 90-day pilot

How onboarding works. Weeks one to thirteen, plain English.

1. Weeks 1–2

Security & architecture alignment

A 30-min call with Daman and our infrastructure lead. Your security team brings their questionnaire; we answer live and return the completed SAQ the same day. You get the reference architecture, DPA, deployment runbook, and a proposed tenant topology sized to your firm.

2. Weeks 3–4

Deploy into your tenant

Our engineering team pairs with yours to stand up the platform inside your Azure, AWS, or on-premise environment. Terraform modules run against your account. SSO wiring tested end-to-end. First agents configured. Zero licence fee through this phase.

3. Weeks 5–10

Pilot with a nominated practice group

5–15 fee-earners run real matters through the agents. Your COLP watches the governance dashboards fill with evidence. Weekly 30-min check-ins with the founding team. Shared Slack or Teams channel direct to engineering — not ticketed.

4. Weeks 11–13

Review, report, decide

Written pilot report: matter volumes, verification catch-rate, policy evaluation outcomes, time-saved estimates. You decide whether to proceed at 25% off Year 1, or walk away with no residual commitment and your data exportable on request.

No licence fee during the 90-day pilot. You pay only your own infrastructure costs — typically £200–£800 per month for Essentials-scale workloads, depending on tenant sizing.

Decision matrix

Not sure if self-hosted is right for your firm?

| | Cloud SaaS | Self-hosted |
| --- | --- | --- |
| Best for | 5–200 FE firms | 50+ FE, Top-100, regulated-industry clients |
| Deployment | UK or EU region, our managed infra | Your Azure / AWS / on-premise tenant |
| Pricing | Per seat, monthly, from £49 | Annual flat licence, from £15k |
| Time to live | Same week | 2–4 weeks pilot, 6–12 weeks full production |
| Model keys | Managed by us (enterprise contracts) | BYOK — your contracts |
| Air-gap support | No | Yes (Professional and Enterprise) |
| Typical buyer | COLP, Innovation Director | IT Director, Security, Procurement |
| Starts with | Signup form | Security & architecture call |

Most firms start on Cloud and migrate to Self-Hosted at the point their data-sovereignty posture requires it. We support that migration with a documented data-export and re-deployment path. See the Cloud Founding Firm Programme

Leadership

Built by someone who's shipped enterprise software at scale

Daman Kaur

Founder


Ex-Microsoft & HPE — a decade building cloud and AI infrastructure for Fortune 500 enterprises. Engineering from BITS Pilani, Executive Product Management from IIM Lucknow, and co-author of “Implementing Hybrid Cloud with Azure Arc” (Packt Publishing). Built MarkdownConverters and PaperAI before founding LegalAI Space to bring enterprise-grade governance to legal AI.

Advised by

Amit Malik

Tech Advisor


COO at Spektra Systems, where he has built and scaled 3 commercial SaaS products. Ex-Microsoft, 15+ years in cloud & AI infrastructure, and co-author of “Implementing Hybrid Cloud with Azure Arc” (Packt Publishing). Advises on platform architecture, AI infrastructure, and scalable governance systems.

Region-specific hosting — UK data in UK, EU data in EU
GDPR compliant by design
Built specifically for regulated legal services
Immutable, cryptographically verified audit trails
Commercial terms

Our commercial terms, on one screen.

Annual licence, annual payment.

No monthly bills to reconcile. Invoice-based, NET 30.

No per-seat surprises.

Seats are unlimited on every tier. Your fee-earner headcount can double without triggering a renegotiation.

Data exit on demand.

Signed commitment to full data export within 14 days of written notice, in standard Postgres and object-store formats.

No training on your data.

Contractual guarantee that your prompts, matter content, and audit evidence are never used to train any model — ours or any third party's.

SLA tied to credits.

If we breach SLA on Professional or Enterprise, you receive credit rebates at agreed rates — documented in the contract, not in a portal you argue with.

Source escrow on Enterprise.

For buyers with business-continuity concerns, source code can be held in escrow with a UK-based agent, released on defined triggers (insolvency, discontinuation, extended SLA breach).

Procurement & security FAQ

Answers focused on conversion quality, team workflows, and roadmap clarity.

Yes, on Professional and Enterprise tiers. The air-gapped configuration uses a local model endpoint (vLLM, Ollama, or any OpenAI-compatible endpoint), removes all outbound calls except the cryptographically signed daily licence heartbeat, and runs governance evidence entirely locally. Air-gapped deployments are documented and tested as part of our release pipeline.
Limited — 3 Self-hosted Founding Firm spots

Book a 30-minute call with our founding engineering team.

We'll walk your security questionnaire live, run through the reference architecture, and tell you honestly whether self-hosted is the right fit. If it is, we'll scope a 90-day pilot. If it isn't, we'll point you at the Cloud path.

LegalAI Space is a technology platform, not a law firm. Some product features described represent planned or in-development capabilities — the 90-day pilot includes a scoped implementation plan aligned to your firm's requirements. Pricing shown is ex-VAT. All tiers auto-renew annually unless cancelled in writing with 60 days' notice.