§43a BRAO · §43e BRAO

AI for Law Firms - without case data in the US cloud

Case-law research, draft pleadings, case knowledge: highly sensitive and protected by §43a BRAO/§203 StGB. We bring AI into your firm that never releases this data.

  • Case data does not leave the firm
  • Integration into firm software and DMS
  • No ongoing API/token costs

Leading companies worldwide trust WZ-IT

  • Rekorder
  • Keymate
  • Führerscheinmacher
  • SolidProof
  • ARGE
  • Boese VA
  • NextGym
  • Maho Management
  • Golem.de
  • Millenium
  • Paritel
  • Yonju
  • EVADXB
  • Mr. Clipart
  • Aphy
  • Negosh
  • ABCO Water

The situation

Why cloud AI becomes a risk here

Client emails, pleadings and research cost hours - but putting case data into ChatGPT or Copilot breaches attorney confidentiality.

A DPA under Art. 28 GDPR does not cover §43e BRAO and §203 StGB - these are two separate, criminally sanctioned layers.

US cloud AI is subject to the CLOUD Act; the German Federal Bar considers transmitting case data to public AI to be, as a rule, unnecessary.

Legal framework

§203 StGB & AI: the full mechanics

Most providers only say "§203 = no cloud". What matters is the mechanics behind it - and how to fulfil them cleanly, both by contract and technically.

What §203 StGB prohibits

§203 StGB criminalises the unauthorised disclosure of others' secrets by professionals bound to secrecy - client, patient and party data, trade secrets. "Unauthorised" means: without consent of the secret-holder and without legal authority. Penalty: up to one year imprisonment or a fine (subs. 1), up to two years for acting for payment (subs. 5). The offence is prosecuted on application (§205 StGB); in addition, there are professional-law consequences up to withdrawal of the licence.

Why cloud AI is the problem

Inputs to ChatGPT, Copilot & co. are processed on third-party servers (often in the US). This transmission can already be a disclosure within the meaning of §203 StGB - regardless of whether the provider actively uses the data. A DPA under Art. 28 GDPR changes nothing: §203 goes beyond data-protection law and prohibits disclosure to third parties additionally and independently. A DPA is not §203 - both are required.

What the 2017 reform allows

Since the reform, an IT service provider, as a "contributing person" (§203 (3) s. 2 StGB), may receive access to protected information WITHOUT this being a punishable disclosure - if three conditions are met: (1) necessity for the service, (2) obligation in text form with instruction on the criminal consequences (§126b BGB), (3) careful selection, supervision and immediate termination on breach.

The flip side - your risk

Whoever does NOT oblige the contributing person becomes liable themselves under §203 (4) no. 1 StGB. Responsibility lies not with the employee who enters data into a tool, but with the professional (firm/practice owner). What is punishable is not the input into a secured system, but the missing contractual safeguard.

Skin in the game

With the reform, the contributing person is itself included in liability under §203 (4) s. 2 StGB. As your obliged service provider we are jointly liable - that is not a risk for you, but your safeguard.

The subcontractor chain

If a provider brings in subcontractors (Azure, AWS, Vercel), THESE must also be obliged in text form. With US hyperscalers this is practically not feasible - and the US CLOUD Act applies, enabling access by US authorities; EU residency does not protect against that. On-premise on your hardware has no such chain: the data does not leave your building. Our remote-maintenance access still makes us a contributing person - which is why we commit contractually, for the build and maintenance phase.

Your professional-law layer

  • Base norm: §43a (2) BRAO + §2 BORA (lawyer confidentiality)
  • Provider norm: §43e BRAO
  • Particularity: §43e (3) BRAO - contract in text form with confidentiality obligation + criminal warning; (4): foreign providers only with comparable secrecy protection.

Our §203 compliance package

Standard part of every build / AI Cube contract - for build and maintenance phase:

  • DPA (Art. 28 GDPR): data-protection layer
  • Secrecy obligation: text form + criminal instruction (§203/§126b)
  • Subcontractor proof: short chain / on-prem

This content is general information and not legal or tax advice. The specific obligation of contributing persons under §203 StGB and the respective professional-law requirements must be reviewed by a lawyer/tax advisor on a case-by-case basis.

Use cases

What the local AI handles for you

All local on your hardware - no data outflow.

  • Case-law and precedent research via semantic search (RAG)
  • Draft pleadings and opinions from your templates
  • RAG over case files and DMS with access control and client separation
  • Contract analysis and clause review
  • Internal knowledge base: new staff find answers to typical cases
  • Deadline and inquiry triage

Our approach

Advise. Build. Operate. From one team.

Sovereign AI is a lifecycle, not a device purchase - and everything stays on your infrastructure.

01

Advise & design

Workshop, sizing, data classification and §203 contract framework. We understand your stack, professional software and compliance requirements before we recommend.

02

Build & integrate

On-premise build on your hardware, RAG on your documents with access control, integration into your professional software, secrecy obligation + DPA.

03

Operate & maintain (optional)

Updates, monitoring, model upgrades and RAG maintenance as a service contract - or you operate fully yourself. Handover and knowledge transfer included.

Let's Talk About Your Idea

Whether a specific IT challenge or just an idea - we look forward to the exchange. In a brief conversation, we'll evaluate together if and how your project fits with WZ-IT.

Timo Wevelsiep & Robin Zins

Managing Directors of WZ-IT
