Due diligence takes time. In M&A transactions, financing rounds, or corporate acquisitions, hundreds of contracts, licenses, and corporate documents quickly accumulate in a virtual data room – and someone has to read all of them. AI due diligence legal refers to the use of AI-powered tools to accelerate exactly this process: not by shortcutting the legal review, but by systematically extracting, prioritizing, and structuring the relevant information.
This article explains what happens technically, where the limits are, and how Swiss legal teams can put the approach to work today – including the Swiss legal framework and the regulatory developments of 2024/2025 that matter most.
What AI due diligence actually means
Traditionally, due diligence means lawyers reading document by document, noting issues in Excel or Word, and producing a report at the end. That works – but an experienced team manually handles roughly 50 to 100 documents per hour. AI-powered systems can process over 3,000 documents per hour (He Wang & You Zhou, BCP Business & Management, Vol. 39, 2023).
The difference is less about the quality of any individual analysis and more about capacity for structured patterns across large document sets. What used to take a week can now be captured in hours – provided the right fields are defined and the results are validated by lawyers.
Typical workflow of an AI-assisted review
The technical process tends to follow a similar pattern: documents are uploaded and, where necessary, made readable via OCR. The system then extracts relevant clauses and content based on predefined fields – for example liability caps, notice periods, change-of-control provisions, or data protection clauses. Anomalies and deviations are flagged and prioritized by risk. The output is a structured table that forms the basis for the legal report.
None of these steps replace legal judgment. But the distance from "document received" to "structured overview of all critical clauses" becomes much shorter.
The real risks that do not go away
AI tools in due diligence are good at finding standard clauses and making patterns visible across many documents. They also have measurable weaknesses that anyone working in Swiss transactions will recognize.
One pattern comes up repeatedly in Swiss practice: change-of-control clauses in GmbH shareholder agreements are frequently not in a standalone section. They are buried in the Zustimmungsvorbehalte – the consent reservation provisions that govern which decisions require shareholder approval. Current extraction models tend to classify these passages as governance boilerplate rather than as material transfer restrictions. A team that does not explicitly name this field in its extraction prompt will get a silent risk in the output – one that can cost CHF 500,000 or more in renegotiation if the buyer discovers the consent requirement only after signing.
A second practical issue specific to Swiss virtual data rooms: in cross-border transactions, it is common to find the same framework contract in both German and French versions, alongside hand-signed cantonal notarial documents uploaded as scanned PDFs without searchable text. These documents produce either empty extraction fields or unreliable results, usually without any system-generated warning. A short manual check of document quality before upload belongs in every serious workflow.
Where AI reaches its limits
Unusual phrasing: what a model has not seen frequently during training is more likely to be missed.
Contextual judgment: whether a liability exclusion under Art. 100 OR is materially relevant, or whether Art. 199 OR legitimizes a warranty disclaimer, depends on the overall transaction picture – a model cannot assess that without context.
"Soft" factors: management quality, market reputation, and cultural nuances in cross-border deals remain outside the analytical scope.
Hand-signed or poorly scanned documents: notarially certified cantonal contracts (for example real estate transfers in Zurich or Zug) often arrive as hand-signed PDFs without a text layer and require manual OCR preparation before any AI tool can work with them reliably.
This does not mean AI-assisted due diligence is unsafe. It means the results need qualified human interpretation.
The Swiss legal framework: what board members and lawyers need to know
In Switzerland, the board of directors bears a duty of care under Art. 717 OR that extends to the quality of the due diligence process – including the verification of AI-generated findings. A board that approves a due diligence report without understanding the methodology behind it exposes itself to liability under Art. 754 OR if a material risk later turns out to have been overlooked. This is not hypothetical: in M&A transactions above CHF 10 million, board minutes documenting the due diligence process regularly become exhibits in post-closing disputes.
For data protection, the revised Swiss Federal Act on Data Protection (revFADP, known in German as revDSG) has been in force since 1 September 2023. Art. 5 revFADP sets out the core principles for data processing. When a due diligence review involves personal data of employees at the target company – for example in payroll records, HR contracts, or shareholder lists – the processing must rest on a sufficient legal basis and meet the data security requirements of Art. 8 revFADP. Breaches trigger the notification duty under Art. 24 revFADP. This applies even when processing is delegated to an AI service provider: responsibility stays with the data controller.
For cross-border transactions with EU exposure, Art. 28 GDPR additionally requires a written data processing agreement with the AI provider. Swiss law firms acting for EU-regulated counterparties need to address this point explicitly when selecting tools.
The EU AI Act, which began its phased entry into force in early 2025, is also relevant for Swiss practitioners. Art. 6 EU AI Act potentially classifies AI systems used to evaluate natural persons in legal contexts as high-risk. Swiss law firms operating in EU-regulated markets or acting for EU-regulated counterparties should ask their AI vendors whether and how this classification applies to the tools they use. Separately, FINMA's outsourcing circular (Rundschreiben 2018/3) has clarified that delegating activities to cloud-based AI providers must meet the requirements for data security and auditability that apply to regulated financial institutions.
How CASUS's AI Data Room structures the process
CASUS, a Swiss legal AI platform, offers the AI Data Room as a workflow for analyzing many documents in parallel. The core idea: whoever is running a due diligence defines which information should be extracted from which documents – each table column is driven by its own prompt.
The output is a tabular overview that can be processed directly in Excel. Typical fields in M&A reviews include liability caps, SLA terms, IP ownership, notice periods, and data protection clauses – each in its own column per document.
What the AI Data Room specifically does
Upload dozens or hundreds of documents in one batch
Extract content based on user-defined fields and clause topics
Flag anomalies, for example liability without a cap or notice periods exceeding 12 months
Prioritize risks across all documents
Data protection use case: detect personal data such as names, email addresses, and bank details, with support for anonymization in line with revFADP requirements
One important point: the system extracts what is specified. A complete automatic capture of all possible clauses without defining the relevant fields is not what the tool promises.
Concrete workflow: how a Zurich M&A team reviewed 340 contracts in 6 hours
A boutique law firm in Zurich specializing in corporate transactions faced a typical challenge: 340 supplier and customer contracts belonging to a target company needed to be reviewed for change-of-control clauses, liability caps, and data protection provisions. Based on prior experience, the manual first-pass review by two junior associates would have taken four working days.
Using the CASUS AI Data Room, the 340 documents were uploaded in one batch. The team defined six extraction fields: change-of-control clauses (with an explicit note to capture provisions embedded in Zustimmungsvorbehalte sections of GmbH agreements), liability cap (amount and reference base), notice period, IP ownership, data protection clause (yes / no / incomplete), and contract duration. The result was a complete extraction table within six hours, which served directly as the foundation for the due diligence report. Eighteen contracts were flagged as high priority – four for missing liability caps and three for ambiguous change-of-control language in consent reservation provisions. Those eighteen contracts went to senior associates for detailed manual review. The remainder was documented in the table and classified as requiring no immediate action.
The time saving was concrete: six hours to a prioritized overview instead of four days of first-pass review. The time spent on the deep review of the eighteen flagged contracts remained unchanged – that is the part AI does not replace.
Data security in the Swiss context
In M&A transactions, data security is non-negotiable. CASUS hosts exclusively in Switzerland and the EU, transfers no data to the US, offers Zero Data Retention, and does not use Human Review (with an opt-out for abuse monitoring). For Swiss law firms and in-house teams working with sensitive transaction data, this is a meaningful difference from US-based alternatives – and a prerequisite for compliance with Art. 8 revFADP and FINMA outsourcing requirements. Full details are available at /security.
When AI-assisted due diligence is not the right choice
Not every transaction benefits equally from AI involvement. An honest assessment:
Scenario | AI use sensible? | Reason |
|---|---|---|
Asset deal under CHF 2M, 10-20 documents | Generally no | Setup time exceeds the time saving |
Single-document review | No | Risk & Quality Review is the right tool |
Transactions dominated by hand-signed cantonal notarial documents | Conditionally | OCR preparation needed; extraction quality limited |
Mixed language versions (DE/FR) without consistent structure | Conditionally | Define extraction fields separately per language version |
50+ standard contracts of the same type | Yes | Ideal use case; patterns visible across many documents |
Compliance screening across an existing contract portfolio | Yes | Targeted search for revFADP or GDPR gaps |
M&A above 100 documents, mixed contract types | Yes | Largest efficiency gain; prioritizes deep manual review |
This table is not an absolute rule. But it helps set realistic expectations – and prevents AI tools from being deployed as a universal solution in situations where careful manual work gets there faster.
Practical applications for Swiss legal teams
M&A and corporate acquisitions
The most common application is contract review in the context of share purchase agreements (SPAs) or asset deals. Under Art. 717 OR, the board of directors retains the duty of care for the due diligence process – including responsibility for validating AI-generated outputs. Instead of reading every supplier contract individually, a team can upload the entire contract base, define the relevant clauses, and receive an overview of all critical points. Deviations from standard – such as missing liability caps or change-of-control gaps – are flagged directly.
For the subsequent individual review of flagged contracts, CASUS's Risk & Quality Review is well suited: it analyzes a single document from each party's perspective, prioritizes findings by severity, and provides concrete improvement suggestions that can be applied directly in Word.
Compliance screening across large contract portfolios
The AI Data Room is not limited to transactions. In ongoing compliance reviews, it can scan a contract portfolio for compliance with the revFADP – specifically checking for the data processing agreements required under Art. 30 revFADP, information duty provisions under Art. 19 revFADP, and the data security measures mandated by Art. 8 revFADP. This is more efficient than manual review and produces a documented basis for the compliance assessment.
How CASUS modules work together
The strength of the approach is in how the modules connect. The AI Data Room provides the overview across many documents. For deeper questions about a single contract or a legal assessment – for example whether a clause can be interpreted in the buyer's favor under Art. 18 OR – the AI Chat with Legal Research is available: source-based, structured, and traceable, with access to over 660,000 decisions from Swiss courts across all cantons and the Federal Supreme Court. Before a document is sent out, the Proofread workflow checks language, consistency, and formal errors – including Swiss spelling conventions and correct cross-references.
Human and AI: the hybrid review as the standard
The debate about whether AI replaces lawyers is not a practical one in transaction work. What is practical: legal teams that continue without AI assistance are spending capacity that could be better used elsewhere. And those who rely entirely on AI output risk exactly the errors described in the example above.
The hybrid approach is not a compromise. AI handles the initial capture, extraction, and prioritization. Lawyers review the results, assess materiality in the context of the transaction, and make the legal judgments – including which findings need to be communicated to the board under Art. 717 OR.
One Swiss M&A partner described the split well: "AI tells me where to look. What I see when I get there, I still have to understand myself."
Try CASUS
Legal teams that want to test AI-assisted due diligence in practice can start with CASUS without any commitment at app.getcasus.com/signup. The platform runs directly in Microsoft Word and as a web app – no separate tool, no lengthy onboarding. All data stays in Switzerland or the EU. More on the security and data protection approach at /security and about CASUS at /about.
FAQ
What is AI due diligence legal?
AI due diligence legal refers to the use of AI tools to support legal review in corporate transactions, financing rounds, or compliance assessments. AI handles the extraction, structuring, and prioritization of information from large document sets, while legal judgment remains with the lawyers. In Switzerland, the board of directors retains the duty of care for the overall process under Art. 717 OR, including responsibility for verifying AI-generated findings.
How many documents can an AI system process in due diligence?
According to a 2023 study (He Wang & You Zhou, BCP Business & Management, Vol. 39), AI-powered systems can process over 3,000 documents per hour, compared to 50 to 100 documents per hour with manual review. In practice – as in the Zurich M&A workflow described above with 340 contracts – this translates to reducing first-pass review time from four days to six hours.
Which clauses are typically reviewed in AI due diligence?
Common extraction fields include liability caps (amount and reference base under Swiss OR), notice periods, change-of-control provisions, IP ownership, SLA terms, and data protection clauses under revFADP. In GmbH transactions specifically, Zustimmungsvorbehalte sections should be defined as an explicit extraction field, since change-of-control restrictions are frequently embedded there and missed by standard extraction models.
Can AI identify all risks in due diligence?
No. AI systems can miss unusually phrased or atypical clauses. They cannot assess contextual or "soft" factors such as market reputation or management quality. Hand-signed or poorly scanned documents – common with cantonal notarial instruments in Switzerland – require manual OCR preparation before any AI tool can work with them reliably. Human validation of results remains necessary in every case.
How secure is AI for confidential transaction data?
It depends on the platform. CASUS hosts exclusively in Switzerland and the EU, transfers no data to the US, has Zero Data Retention, and no Human Review. This meets the data security requirements of Art. 8 revFADP and is compatible with FINMA outsourcing requirements (Rundschreiben 2018/3). For US-based platforms, additional contractual safeguards under Art. 28 GDPR and Art. 30 revFADP need to be checked. Full details at /security.
When should I not use AI-assisted due diligence?
For asset deals under CHF 2 million with fewer than 20 documents, the setup time typically exceeds the time saving. The same applies to single-document reviews – the Risk & Quality Review is the right tool there. Transactions where most documents are hand-signed cantonal notarial instruments without a text layer are also a poor fit without prior OCR preparation. For mixed-language portfolios (German/French), extraction fields need to be defined separately per language version to avoid incomplete outputs.
What does the EU AI Act mean for Swiss law firms using AI in due diligence?
The EU AI Act, phasing in from early 2025, potentially classifies under Art. 6 any AI system used to evaluate natural persons in legally relevant contexts as high-risk. Swiss law firms acting for EU-regulated counterparties or operating in EU-regulated markets should ask their AI vendors how this classification applies to the tools they use. CASUS, as a Swiss platform, is not directly subject to the EU AI Act, but structures its extraction and analysis processes to be auditable and traceable.
What is the difference between an AI Data Room and a standard virtual data room?
A traditional virtual data room (VDR) is a secure repository for storing and accessing documents. CASUS's AI Data Room is an analysis workflow: it extracts information from documents, structures it in a table, and flags anomalies by risk priority. It does not replace a VDR – it analyzes the contents of one.
Does AI due diligence apply outside of M&A?
Yes. The approach is also used in compliance reviews across large contract portfolios (for example checking for revFADP compliance across a supplier contract base), data protection audits, regulatory screenings, and supplier contract reviews. The AI Data Room is suited to any situation where structured information needs to be extracted from many documents in parallel.
