A legal AI procurement checklist helps law firms and in-house teams evaluate AI vendors in a structured way. The key areas to assess are data hosting and residency, zero data retention, DSG and GDPR compliance, contract terms on model training, and the actual feature set. Anyone working in Switzerland should also confirm whether data is transferred to the US – and if so, on what legal basis.
Why selecting legal AI tools requires more diligence than other software
Legal work is confidential. Contract documents, due diligence findings, client data – all of it ends up inside a legal AI tool the moment it goes live. Unlike a poor choice of project management or accounting software, a flawed evaluation of legal AI carries real consequences: data protection breaches, professional liability risks, breach of confidentiality obligations toward clients.
At the same time, the market is growing fast. International platforms like Harvey and Spellbook are actively targeting European law firms. Swiss legal teams face the question of which offerings genuinely fit local requirements – and which were simply built for the US market.
This guide structures the evaluation process. It covers the technical, legal, and functional checkpoints that need to be resolved before any purchasing decision.
Where does a serious evaluation start?
Before the first vendor call, an internal stock-take pays off. What tasks should the tool handle? What document types will be processed? What data categories are involved – only internal drafts, or also personal data belonging to clients?
These questions define the risk profile. A tool that processes only anonymized contract templates needs a different compliance framework than one analyzing due diligence documents from an M&A transaction.
With a clear internal profile, vendor evaluation can be focused and purposeful – rather than following a generic feature catalog.
The legal AI procurement checklist: eight areas to assess
1. Data hosting and residency
Where is data processed and stored? Concrete answers to this question are not a given. Many vendors name a European server location while the model provider or other sub-processors run in the US. The sub-processor list in the DPA, not the marketing page, is the authoritative source.
Law firms in Switzerland are subject to the revised Swiss Federal Act on Data Protection (DSG). The GDPR applies in addition to organizations established in the EU and, through its extraterritorial scope, to Swiss firms that process personal data of individuals in the EU in connection with services offered to them. Under both frameworks, a transfer to a country without an adequacy finding must rest on a recognized mechanism such as standard contractual clauses. For the US, that means either standard contractual clauses or a recipient certified under the EU-US or Swiss-US Data Privacy Framework; a vendor should be able to say which applies to each sub-processor.
Questions to ask: Is data transferred to the US? If so, on what legal basis? Who are the sub-processors, and where are they located?
2. Zero data retention and model training
Many large language model providers use customer inputs to improve their models wherever their terms of service permit it. For legal content, that is not acceptable.
The relevant questions are: Is processed content used for model training? Is content retained after processing?
Zero data retention means that once a session ends, no content remains with the vendor. That is not the default – but it is what legal users should demand.
3. Human review and vendor staff access
Even without model training, vendor employees may access content – for quality control or support escalation purposes. In most client mandates, that is not permissible.
The vendor should be able to confirm clearly whether – and under what circumstances – employees can access processed content. Many model platforms run so-called abuse monitoring, under which prompts and outputs can be retained for a limited period and reviewed by staff; some offer an opt-out. Whether that opt-out actually applies to the vendor's tenant, and therefore to your data, should be anchored in the contract rather than assumed.
4. Certifications and compliance documentation
SOC 2 Type II is today the minimum standard for SaaS vendors in professional environments. ISO 27001 signals a formalized information security management system. Neither certification says anything about how a vendor handles AI-specific risks; ISO/IEC 42001, the AI management system standard, is the closest equivalent there.
The EU AI Act entered into force in August 2024, with its obligations applying in stages over the following years; it sorts AI systems into risk categories. A vendor serving European clients should be able to state which category its system falls into and why. A vendor unable to answer this question may not have fully worked through the requirements.
Documents to request: the current SOC 2 Type II report, a Data Processing Agreement (DPA) with sub-processor list, ISO 27001 certificate if applicable, and – for EU-law-relevant mandates – EU AI Act classification documentation.
5. Feature depth, not just breadth
Marketing materials often describe legal AI tools generically as "AI-powered contract analysis." What that means in practice varies considerably.
A structured risk analysis workflow that assigns findings to a specific contract party and prioritizes them by severity (low/medium/high) is different from a generic summary. A benchmark workflow that checks a document against an internal playbook and flags missing clauses with an insert option is different from a simple compliance screen.
When requesting a demo, bring concrete scenarios – not just questions about what the tool "can do," but how it handles a real document.
6. Word integration and workflow compatibility
Legal AI that only runs inside a proprietary web interface demands a context switch. Suggested edits have to be copied across, formatting adjusted manually. That takes time and introduces errors.
A tool that works directly inside Microsoft Word is operationally preferable for most law firms and in-house teams. Improvement suggestions can be applied directly, without copy-paste and without formatting loss.
The question for the vendor: where does the work happen – in the browser, in Word, or both? How are changes transferred back to the original document?
7. Contract terms and liability
Standard SaaS contracts often exclude liability for incorrect outputs entirely. For other software categories, that may be acceptable; for legal AI that assesses contract risks or drafts clauses, a complete liability exclusion is more problematic.
Areas to review: IP ownership of generated content, confidentiality obligations of the vendor, liability provisions for incorrect outputs, and whether the vendor is willing to sign a negotiated DPA.
8. References and market positioning
Which law firms or in-house teams already use the tool? Are there verifiable use cases from a comparable legal context – not just generic testimonials?
A vendor primarily focused on the US market may be unfamiliar with the specific requirements of Swiss law: Swiss spelling conventions, cantonal case law, DSG-specific requirements.
Teams that want to run a structured evaluation can test CASUS, the Swiss legal AI platform, free of charge. The platform processes data exclusively in Switzerland and the EU, transfers no data to the US, and provides zero data retention with no human review as standard. An account can be created in a few minutes.
What legal AI can do in practice – and what it cannot
AI-assisted contract analysis does not replace legal review. What it does: it accelerates the identification of risk areas, structures findings, and reduces the effort involved in routine tasks like cross-reference checks or spotting missing standard clauses.
An AI Data Room can scan dozens of contracts in parallel during a due diligence process, extracting defined fields – liability caps, notice periods, IP clauses. What it does not replace: the legal assessment of those findings.
A benchmark workflow shows whether an NDA deviates from a playbook and which clauses are missing. It does not determine whether that deviation is strategically acceptable. That judgment stays with the lawyer.
A realistic picture of a tool's scope avoids both disappointment and over-reliance – and allows legal AI to be deployed where it genuinely adds value.
FAQ
What is a legal AI procurement checklist?
A legal AI procurement checklist is a structured set of questions that law firms and in-house teams use to evaluate AI vendors for legal applications. It typically covers data protection, hosting, contract terms, feature set, and compliance certifications.
What data protection requirements apply when using legal AI in Switzerland?
The revised Swiss Federal Act on Data Protection (DSG) requires that data transfers to countries without adequate protection rest on a recognized legal basis. For firms also serving EU clients, the GDPR applies in addition. Legal AI vendors should be able to demonstrate hosting in Switzerland or the EU, either no US data transfers or a documented legal basis for each one, and a signed DPA with a sub-processor list.
What does zero data retention mean in legal AI?
Zero data retention means the vendor does not store any user content after a processing session ends. Documents, queries, and responses do not remain with the vendor. This matters for legal users because contract documents and client data should not permanently reside with a third party.
Should legal AI integrate directly with Microsoft Word?
For most law firms and in-house teams, Word integration makes sense because the majority of document work happens in Word. A browser-only interface requires additional steps to transfer changes back into the original document. Tools with native Word integration can apply suggested edits directly, correctly formatted, without any copy-paste.
What is the difference between a risk review and a benchmark workflow?
A risk review analyzes a document for weaknesses and risks from the perspective of a specific contract party. A benchmark workflow compares a document against a reference standard – such as an internal playbook or established best practices for an NDA, SPA, or DPA – and shows deviations and missing clauses. Both workflows serve different purposes and complement each other.
How can I verify that a vendor is genuinely not using my data for model training?
There is no technical test a customer can run from the outside, so the control is contractual. The DPA should explicitly exclude the use of user data for training or fine-tuning models, ideally backed by audit rights, and the sub-processor list should show which model providers receive the data and under what terms. A credible vendor will state this clearly in the contract – a vendor who deflects the question is already giving an answer.
What certifications should a legal AI vendor be able to demonstrate?
The minimum standard for professional SaaS environments is SOC 2 Type II. ISO 27001 is a further positive signal. Vendors serving European clients should also have an assessment of their EU AI Act classification. A signed DPA with sub-processor list is not a certification, but it is a non-negotiable document.
Is legal AI relevant for smaller law firms in Switzerland?
Yes. Smaller firms often benefit most, because the time cost of routine tasks – proofreading, cross-reference checks, first assessments of clauses – carries disproportionate weight. The prerequisite is that the evaluation of data protection and security requirements is conducted with the same rigor as it would be in a larger organization.
How CASUS fits into this framework
CASUS is a Swiss legal AI platform built specifically for Swiss law firms and in-house legal teams. All data is processed in Switzerland and the EU; there is no data transfer to the US. Zero data retention and no human review are defaults, not optional add-ons.
The platform works directly in Microsoft Word and in the browser. The Risk & Quality Review analyzes contract risks from the perspective of a specific party; the benchmark workflow checks documents against a reference standard. For legal research, the Legal Research mode draws on more than 660,000 decisions from cantonal and federal courts.
Teams evaluating legal AI under Swiss conditions will find technical details on hosting, data protection, and certifications on the CASUS security page.