Doraly

BRAO Compliance Checklist for CRM Systems in Law Firms

What must a CRM meet to be BRAO-compliant? A practical checklist on confidentiality, server location, and AI for German law firms.

BRAO compliance for a CRM means the software fully safeguards attorney confidentiality (§ 43a BRAO) – both technically and contractually – from how client data is stored to how AI is used.

A CRM processes exactly the information covered by professional secrecy: names, mandate references, networks, correspondence. Choosing the wrong system here risks not just a data-protection breach but a violation of professional duty. The following checklist sums up what matters.

1. Secure confidentiality contractually

Confidentiality does not stop at your software provider. Check:

  • Contractual confidentiality obligation. The provider must commit – under penalty of law – to attorney confidentiality, not merely to general data protection.
  • Data processing agreement (DPA) under GDPR Art. 28. A DPA is mandatory and governs the purpose, scope, and instruction-bound nature of the processing.
  • No uncontrolled subprocessors. Subcontractors may only be involved with a clearly regulated chain of confidentiality.

2. Check server location and infrastructure

Where client data resides determines whether processing it is professionally permissible:

  • Processing in the EU. Data should be processed exclusively on European servers – without third-country access risk.
  • Trusted infrastructure. Ideally the same environment your firm already trusts – such as European Microsoft Azure servers, which also run Office 365.
  • Encryption. Data must be encrypted in transit and at rest.

Doraly runs on European Microsoft Azure servers – the same infrastructure as Office 365 – and the provider is contractually bound, under penalty of law, to attorney confidentiality.

3. Scrutinize the use of AI

Modern CRM systems use AI for contact capture and network analysis. That is only professionally acceptable when:

  • Client data is never used to train AI models. This is the single most important checkpoint.
  • No data is passed to external AI providers without corresponding contractual and technical safeguards.
  • There is transparency about which data the AI processes and for what purpose.

4. Control access rights granularly

Confidentiality is also a question of internal visibility:

  • Per-user privacy. Every person should decide for themselves which contacts stay private and which are shared with the team.
  • Roles and permissions. Not everyone in the firm needs to see every mandate.
  • Traceability. Access and synchronization – for example via Outlook sync – should remain transparent.

5. Ensure deletion and data control

Compliance does not end when data is captured; it extends to the close of a mandate:

  • Defined deletion periods. Personal data must be deletable once its purpose has lapsed.
  • Data portability. You must be able to export your data and control it – for example via an API.
  • No lock-in trap. Data sovereignty stays with the firm.
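To make checklist items 4 and 5 concrete, here is an added example (not Doraly's code and not part of the original post) of a minimal contact store that enforces per-user private contacts, role-based visibility of mandates, an audit trail for every read and deletion, retention-based deletion after a mandate closes, and a JSON export for portability. The users, roles, mandate references, sample contacts and the retention period are all constructed for the example; a firm would set its own retention periods per purpose.

```python
# Added example, not Doraly's code: a minimal contact store that enforces the
# checklist items from sections 4 and 5 (per-user private contacts, role-based
# mandate visibility, an audit trail, retention-based deletion, export).
# All users, roles, mandate ids and the retention period are constructed.
import json
from dataclasses import dataclass, asdict
from datetime import date, timedelta
from typing import Optional


@dataclass
class User:
    name: str
    role: str  # constructed roles: "partner", "associate", "assistant"


@dataclass
class Contact:
    owner: str                        # user who captured the contact
    name: str
    mandate: Optional[str]            # mandate reference, or None for a general contact
    private: bool = False             # per-user privacy: only the owner may see it
    closed_on: Optional[date] = None  # date the mandate was closed, if it is closed


# Constructed permission matrix: mandates each role may see ("*" = all).
ROLE_MANDATES = {
    "partner": {"*"},
    "associate": {"M-2024-001"},
    "assistant": set(),
}

# Placeholder retention period; the firm sets the real one per purpose.
RETENTION = timedelta(days=365 * 6)


class ContactStore:
    def __init__(self) -> None:
        self.contacts: list = []
        self.audit: list = []  # (actor, action, contact name)

    def add(self, contact: Contact) -> None:
        self.contacts.append(contact)
        self.audit.append((contact.owner, "create", contact.name))

    def can_see(self, user: User, contact: Contact) -> bool:
        """Owner always sees own contacts; private ones stay with the owner;
        shared contacts are gated by the role's mandate permissions."""
        if contact.owner == user.name:
            return True
        if contact.private:
            return False
        if contact.mandate is None:
            return True
        allowed = ROLE_MANDATES.get(user.role, set())
        return "*" in allowed or contact.mandate in allowed

    def visible(self, user: User) -> list:
        """Contacts the user may read; every read is written to the audit trail."""
        seen = [c for c in self.contacts if self.can_see(user, c)]
        for c in seen:
            self.audit.append((user.name, "read", c.name))
        return seen

    def purge_expired(self, today) -> list:
        """Delete contacts whose mandate closed more than RETENTION ago.
        `today` may be a date or an ISO date string."""
        if isinstance(today, str):
            today = date.fromisoformat(today)
        keep, removed = [], []
        for c in self.contacts:
            if c.closed_on is not None and c.closed_on + RETENTION <= today:
                removed.append(c.name)
                self.audit.append(("system", "delete", c.name))
            else:
                keep.append(c)
        self.contacts = keep
        return removed

    def export(self, user: User) -> str:
        """Data portability: JSON of everything the user may see."""
        return json.dumps([asdict(c) for c in self.visible(user)], default=str)


def build_sample_store() -> ContactStore:
    """Constructed sample data for the example."""
    store = ContactStore()
    store.add(Contact("anna", "Client A GmbH", "M-2024-001"))
    store.add(Contact("anna", "Confidential lead", None, private=True))
    store.add(Contact("ben", "Client B AG", "M-2023-007", closed_on=date(2018, 1, 15)))
    store.add(Contact("ben", "Court registry", None))
    return store


def visible_names(store: ContactStore, user: User) -> list:
    return [c.name for c in store.visible(user)]


if __name__ == "__main__":
    store = build_sample_store()
    for u in (User("anna", "associate"), User("ben", "partner"), User("cora", "assistant")):
        print(u.name, "sees", visible_names(store, u))
    print("purged:", store.purge_expired("2024-06-01"))
    print(store.export(User("ben", "partner")))
```

The design choice worth noting is that the owner check comes first and the private flag second, so a private contact never leaks through a broad role such as "partner", and every read lands in the audit list, which is what lets access via a sync path such as Outlook remain traceable.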

6. Built with legal expertise

Software that considers professional-law specifics from the start protects better than standard tools adapted after the fact:

  • Developed with IT lawyers. Was the solution designed together with IT-law expertise?
  • Privacy and compliance by design. Are privacy-friendly defaults the norm rather than the exception?

Further reading: GDPR- and BRAO-compliant CRM and CRM for law firms.

Conclusion

BRAO compliance is not a checkbox but an end-to-end concept: from server location to AI usage to contractual confidentiality. Doraly was developed in collaboration with IT lawyers, runs on European Microsoft Azure servers, and never uses client data to train AI models. What is confidential stays confidential.