Back to blog
Legaltechconfidentialitystorage

Legaltech and attorney-client privilege: what vendors forget when storing acts

Published on 2026-04-164 min readCleanIssue

> TL;DR: Attorney-client privilege requires access controls few tools actually apply. What to verify in legal products.

Privilege is not just another GDPR checkbox

Attorney-client privilege is not one compliance item among others — it's a criminal-law obligation. Yet many legal tools treat legal acts as plain client files.

What causes problems

  • vendor support staff reading acts in clear to "help";
  • application logs containing excerpts of acts;
  • engineering team querying the DB in clear for debug;
  • unencrypted backups or stored at an unvetted sub-processor.
  • The line to hold

    A confidential act must be unreadable to the vendor. Encryption, access separation, access proof. Without that, the commercial promise doesn't hold when an incident happens.

    Key Takeaways

  • Identify and test your exposed attack surfaces before a third party does.
  • Client-side security controls never replace server-side validation.
  • Regular audits are more effective than one-time checks — vulnerabilities appear with every deployment.
  • Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Sources

    Written by CleanIssue
    Reviewed on 2026-04-16

    Editorial analysis based on official vendor, project, and regulator documentation.

    Related services

    If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit