AI Procurement for Law Firms: The New Buying Conversation
March 22, 2027 · 5 min read · LeadLex Editorial
Law-firm procurement has historically been a contracts exercise. Negotiate the MSA, sign the DPA, agree the SLA, file the paperwork. AI vendors require something different — a technical and operational diligence process that most firms have not yet built. The good news is that the questions are knowable. The bad news is that "the demo went well" is not one of the answers.
Here are twelve questions every law-firm procurement function should be asking. They are ordered roughly by the cost of getting them wrong.
1. Where is the data physically stored, and under what jurisdiction?
If the answer is "AWS multi-region" or "we use OpenAI's infrastructure," the conversation is effectively over for an EU IP practice. The right answer names a specific jurisdiction, a specific cloud region, and a specific contractual commitment that data does not leave it. LeadLex is Frankfurt-hosted on EU-sovereign infrastructure. That commitment is in the DPA, not the marketing deck.
2. Is the deployment multi-tenant or per-firm siloed?
Multi-tenant means your data sits in the same database as other firms', separated by application-layer logic. Per-firm siloed means your firm has its own infrastructure, its own encryption boundary, and its own deployment. For confidential client data in a regulated practice, the answer should be the second one.
3. Is our data used to train any model, ever?
The answer must be no, without qualifications, in writing, in the DPA. "We may use anonymised data to improve service quality" is a yes dressed up as a no.
4. Who holds the encryption keys?
If the vendor holds them, the vendor can read the data. If a third-party cloud provider holds them, that provider can read the data. The firm should hold them, or at minimum should have the option to.
5. What is logged, and is the log the firm's property?
Every agent action, every data retrieval, every outbound message — logged, immutable, exportable, and owned by the firm. The vendor should not be able to delete or modify the audit trail. The firm should be able to export it in full at any time, including at termination.
6. How are existing matter-level permissions and ethical walls enforced?
The answer is not "we respect your firm's policies." The answer is a technical description of how entitlements are evaluated at query time against the firm's existing access control model. If the AI tool has its own parallel permission system that the firm has to maintain separately, you have just doubled your administrative burden and created a new class of mistake.
7. What is the scope of the agent's authority — what may it do without human review?
A serious vendor will have a clear answer with configurable thresholds. Lexi, in LeadLex, has explicit categories of action she may take autonomously, categories she queues for review, and categories she will never take. The firm controls the boundaries. The defaults are restrictive.
8. What happens when the agent makes a mistake?
There must be an undo window. There must be an audit trail. There must be a defined process for the firm to flag a class of error and have the agent constrained against repeating it. If the vendor cannot describe what happens in the first ten minutes after a mistake is detected, they have not thought about it.
9. What is the exit path?
At termination, what data does the firm get back, in what format, and on what timeline? Are there any contractual or technical lock-ins? Is the firm's data deleted from the vendor's environment, and is that deletion verifiable? The right answer is "everything, in standard formats, within thirty days, with a certificate of destruction." Anything less is a hostage situation waiting to happen.
10. What standards does the integration layer follow?
Does the system expose data via open standards like MCP so the firm can connect its own tools, or is everything locked behind proprietary APIs? Open standards are not just a technical preference — they are an insurance policy against future vendor failure.
11. Does the scope of the tool match the risk appetite?
This is the question most firms forget to ask. A BD agent and a legal-substance agent have different risk profiles. LeadLex is deliberately scoped to business development — prospecting, outreach, meeting prep, conferences, follow-ups. It does not draft opinions, respond to office actions, or touch substantive legal work. Tools like Harvey and Legora exist in the research and drafting layer and coexist with a BD platform; they are not the same product and should not be procured under the same diligence. Conflating scope is how firms end up with the wrong tool doing the wrong job.
12. Who signs the DPA, and is there one per firm?
A single boilerplate DPA shared across all customers is a tell. A serious vendor signs a DPA with each firm, reflecting that firm's specific deployment, data residency, and access requirements.
"Demo well" is not procurement evidence
Every modern AI tool demos well. The demo is the easy part. Procurement's job is to test the answers above against contractual reality, not slide decks. The vendors who give crisp, technical, written answers are the ones worth a longer conversation. The ones who pivot to "let's get you another demo" are not.
Related: AI Permissioning for Law Firms. The Model Context Protocol Explained for Legal-Tech Buyers. Managing Partner Adoption Playbook.