Any Swiss law firm or in-house legal team using an AI platform for contract work will eventually face a straightforward question: where does the data actually go? That question is not a formality. It has direct consequences for compliance with Swiss data protection law, for professional duties, and for client trust.
Legal AI data residency in Switzerland is not a niche topic for IT departments. It is a baseline requirement for using modern legal tech tools in a legally defensible way.
What data residency means – and why it matters in legal practice
Data residency describes the country in which data is stored and processed. For legal AI platforms, that covers everything generated during use: uploaded contract documents, prompts, responses, extracted clauses and similar inputs.
For lawyers and companies with internal legal teams, this matters because mandates frequently contain information covered by professional secrecy or contractual confidentiality. An M&A transaction agreement, an NDA covering undisclosed technology plans, or a dispute resolution file – these documents cannot be processed across borders without clear controls.
The problem is compounded by the fact that many well-known AI platforms do not clearly specify whether data is transferred to the United States. US law – in particular the CLOUD Act – allows US authorities to request data held by US companies under certain conditions, even if that data is physically stored in Europe.
The legal starting point in Switzerland
The revised Swiss Federal Act on Data Protection (revFADP) came into force on 1 September 2023. It is technology-neutral and therefore applies explicitly to AI-based data processing, as the Federal Data Protection and Information Commissioner (FDPIC) has confirmed on multiple occasions.
The revFADP requires a data protection impact assessment when processing sensitive personal data in high-risk contexts. Organizations transferring personal data abroad must ensure either that the recipient country offers an adequate level of protection, or that appropriate safeguards are in place.
Law firms are additionally bound by attorney-client privilege under Art. 13 of the Swiss Lawyers Act (BGFA). Client data may not be disclosed to third parties without consent – and that includes external technology providers who might have access to that data.
The grey area with US-based AI providers
Several well-known legal AI providers – including Harvey, Spellbook, and Legora – are US companies. Even where they offer European server locations, they remain subject to US law. The CLOUD Act can compel US companies to hand over data to US authorities regardless of where that data is physically stored.
This creates a structural risk for Swiss law firms: even with technical data localization in Europe or Switzerland, legal control over the data remains with a US entity. For sensitive client information, that is a genuine problem.
What Swiss law firms should check
When evaluating a legal AI platform, the following points are relevant:
Hosting location: Is data processed and stored exclusively in Switzerland, or is it transferred abroad?
Zero data retention: Does the provider store prompts and documents after processing? Is that data used to train models?
Human review: Do provider employees have access to uploaded documents? Can inputs be read by humans?
Legal jurisdiction of the provider: Is the provider subject to US law that could require it to disclose customer data?
These points should be governed contractually and, where possible, verifiable in technical terms.
How CASUS approaches data residency
CASUS is a Swiss legal AI platform built specifically for Swiss law firms and in-house legal teams. All data and documents are stored exclusively on secure, ISO 27001 certified servers in Switzerland – no data is transferred abroad.
CASUS also operates with zero data retention at the LLM provider level: uploaded documents and prompts are not stored in the LLM or by the LLM provider, and are not used for model training. CASUS itself stores data and documents securely on Swiss servers, but nothing remains with the AI model. There is no human review – inputs are not accessed by provider staff. That combination of Swiss hosting, zero data retention at the LLM provider, and the absence of human access is not standard across the market.
Several modules are available for document work: AI Contract Review for structured risk analysis, AI Data Room for processing large volumes of documents in parallel, and Legal Research and AI Chat for targeted research and document navigation. All of these workflows run within the same data protection architecture.
Full details on the security setup are documented on the security page.
What zero data retention means in practice
Zero data retention means that neither uploaded documents, nor prompts, nor generated responses are stored in the LLM or by the LLM provider. No data is used for training AI models, and there is no logging database at the LLM provider that could be accessed later.
CASUS itself does store data and documents – but exclusively on secure, ISO 27001 certified servers in Switzerland. This way, client data remains protected under Swiss law at all times, without ever reaching the AI provider or leaving the country.
Practical implications for legal teams
In-house teams at Swiss companies face the same questions as law firms: internal contracts, supplier agreements, M&A documents, and compliance materials often contain sensitive information. Knowing which provider has access to that data and where it is processed is part of a sound vendor due diligence process.
In regulated industries – financial services, healthcare, infrastructure – requirements around data processing are often stricter still. In those contexts, a provider without clear Swiss or EU hosting is frequently not an option on regulatory grounds alone.
The FDPIC has explicitly noted that transparency obligations apply to AI-based systems: users have the right to know whether and how their data is being processed. In B2B contexts, the same logic applies – companies need to be able to account for how their clients' and employees' data is handled.
Why Swiss hosting is a compliance requirement, not a marketing claim
Data residency is sometimes treated as a marketing feature. In reality, it is a compliance requirement – and for certain mandates, a non-negotiable one.
Swiss or EU-based hosting does not guarantee absolute security. But it does provide legal clarity: you know which law applies, which authorities could request access, and what guarantees the provider owes. With a US-based provider, that picture is structurally less clear.
For Swiss law firms handling international mandates, this is not a theoretical concern. It is a practical question of professional obligation.
Try CASUS
Law firms and legal teams looking for a legal AI platform hosted exclusively in Switzerland on ISO 27001 certified servers, with no human review and zero data retention at the LLM provider, can test CASUS directly. Getting started is possible without commitment at app.getcasus.com/signup. The technical and legal details on data handling are documented on the security page.
FAQ
What does data residency mean for a legal AI platform?
Data residency refers to the country in which data is stored and processed. For legal AI platforms, that includes uploaded contract documents, prompts, and generated outputs. For Swiss law firms, the key questions are whether that data leaves Switzerland, and whether US law applies to the provider.
Does the revFADP apply to AI tools?
Yes. The revised Swiss Federal Act on Data Protection, in force since 1 September 2023, is technology-neutral and applies to AI-based data processing. The Federal Data Protection and Information Commissioner has confirmed this on multiple occasions.
What is zero data retention?
Zero data retention means that prompts, documents, and generated responses are not stored in the LLM or by the LLM provider, and are not used for model training. CASUS itself stores data and documents securely on ISO 27001 certified servers in Switzerland – but nothing remains with the AI model.
Why is the CLOUD Act relevant for Swiss law firms?
The CLOUD Act allows US authorities to request data from US companies under certain conditions – even where that data is physically stored in Europe. For law firms using US-based AI providers, this risk persists even with a European server location.
Does CASUS have access to uploaded documents?
No. CASUS operates with no human review: documents and prompts are not accessed by provider staff. Combined with zero data retention, this means client data does not remain with the provider.
Where is CASUS data hosted?
CASUS stores all data exclusively on ISO 27001 certified servers in Switzerland. No data is transferred abroad.
What should law firms check when selecting a legal AI provider?
The key criteria are: hosting location (exclusively Switzerland), zero data retention at the LLM provider (no storage by the AI model), human review (no provider staff access), and the legal jurisdiction of the provider (whether US law could apply). These points should be contractually documented and, where possible, technically verifiable.
Does attorney-client privilege apply when using AI tools?
Yes. Attorney-client privilege under Art. 13 of the Swiss Lawyers Act protects client data from disclosure to external technology providers. Law firms must ensure that an AI provider does not have permanent access to client content and does not store or further process it.
