AMURA Software
Service · AI code audit · Professional services

AI code audit for firms and consultancies handling client data.

Your team built a client portal, a contract-review assistant or an intake bot with Cursor, v0 or Lovable. We audit it before one client reads another client's code.

What we solve

What looks like ‘internal productivity’ is also privileged information.

Law firms, consultancies, accounting practices and marketing agencies have leaned on AI tools to build internal assistants: contract review, billing automation, client portals, intake bots, draft generation. The speed is attractive. The problem shows up when two clients share the same codebase and a sloppy ownership filter gives client A’s documents to client B’s team.

We audit what your team built with the sector lens on: professional secrecy, audit trails for regulators, custody of privileged material, and the spots where the AI accepted as ‘good enough’ a layer of security that a professional bar wouldn’t accept on review.

What we build for this sector

Use cases that ship to production.

Isolation

Per-client isolation in internal tools

Ownership filters and access rules per matter / engagement / account. We verify the database query carries the right WHERE, not just the UI.

0 cross-client leaks

Audit trail

Trail of every AI assistant action

Logs of which document was opened, which query ran, which draft was generated and who approved it. Ready for a bar review or a data protection audit.

100% actions traceable

Confidentiality

Privileged material in prompts and logs

We look for sensitive context being sent to the model, retention in platform logs, and names / IDs / matter numbers in console.log statements that survived the build.

Zero PII in platform logs

Integrations

Connectors to legal CRM, DMS and billing

Read/write permissions of the AI agent on iManage, NetDocuments, Clio, QuickBooks, Xero and similar — what it can touch, what it must never touch, with explicit deny rules.

Permissions audited piece by piece

A real scenario

A 35-lawyer firm.

Corporate law firm with an AI assistant built in six weeks on Cursor and Supabase for contract review and historical-matter search. Audit done before rolling access out to the litigation team.

Before the audit

The assistant worked for partners and associates. The UI filtered matters by user; the SQL queries didn't. Any authenticated lawyer could request ‘matter id 4729’ via the API and get a reply, whether it was theirs or not. Debug console.log statements — including names and matter IDs — were streaming to the platform's log viewer.

After the audit

12 findings. 4 criticals resolved before the wider rollout: ownership filter added at the SQL layer, PII stripped from logs, RLS policies on the matters table, rotation of keys that had been living in the client bundle. Remaining findings documented with a fix order and timeline.

4 criticals fixed before extending access to 35 lawyers
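
The ownership fix from this scenario, sketched as an added example (not the firm's code and not AMURA's): the unfiltered lookup beside the filtered one, plus row-level security as a backstop. The table, column and statement names (`matters`, `matter_members`, `user_id`, `get_matter`) are assumptions; `auth.uid()` is the Supabase helper that returns the user id from the request's JWT.

```sql
-- Hypothetical schema: names are assumptions made for this example.
create table matters (
  id          bigint primary key,
  client_name text not null,
  title       text not null
);

create table matter_members (
  matter_id bigint not null references matters (id) on delete cascade,
  user_id   uuid   not null,
  primary key (matter_id, user_id)
);

-- Before: only the UI decided which ids a lawyer could pick, so any
-- authenticated caller asking the API for an id got the row back.
--   select * from matters where id = $1;

-- After, layer 1: the ownership filter lives in the query.
-- $1 = requested matter id, $2 = user id taken from the verified session,
-- never from a request parameter.
prepare get_matter (bigint, uuid) as
  select m.id, m.title
  from matters m
  where m.id = $1
    and exists (
      select 1
      from matter_members mm
      where mm.matter_id = m.id
        and mm.user_id = $2
    );

-- After, layer 2: row-level security, so a query that forgets the
-- filter returns no rows instead of another client's matter.
alter table matter_members enable row level security;
create policy members_own_rows on matter_members
  for select
  using (user_id = auth.uid());

alter table matters enable row level security;
create policy matters_member_select on matters
  for select
  using (
    exists (
      select 1
      from matter_members mm
      where mm.matter_id = matters.id
        and mm.user_id = auth.uid()
    )
  );
```

Supabase's service-role key bypasses RLS, so server-side code that uses it still depends on the explicit filter in the query.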
We connect to your stack

Integrations that matter in this sector

CRM

HubSpot

Mid-market CRM with broad APIs — a natural fit for sales agents and lead enrichment.

CRM

Salesforce

Enterprise CRM with fine-grained permissions — AI workflows that respect the data model.

CRM

Zoho CRM

CRM with strong adoption among Spanish SMBs — automations and agents at a contained cost.

CRM

Microsoft Dynamics 365

Enterprise CRM/ERP suite in the Microsoft ecosystem — native fit with 365 and Power Platform.

ERP

Holded

Spanish cloud ERP widely adopted by SMBs — invoicing, expenses and reconciliation automation.

ERP

Odoo

Modular open-source ERP — AI agents and workflows on top of sales, inventory and project modules.

COMMS

Microsoft 365 / Outlook

Email, calendar and SharePoint as channel and context — triage, drafting and RAG over your inbox and files.

Frequently asked

What clients ask us

  • 01

    We handle privileged data. How do you access our code?

    Under NDA, with read-only repository access. We don't clone to personal devices, we don't train models on your code and we don't subcontract. If you need stricter access (VPN, secure room), we'll set it up.

  • 02

    Does the audit help in front of a professional bar or data protection authority?

    The report documents findings, severity, what was fixed and what remains — useful evidence of due diligence. It doesn't replace a legal audit if your bar or regulator requires one specifically, but the two complement each other.

  • 03

    Our AI assistant uses privileged material as context. Is that a risk?

    Depends how. If documents flow into the prompt and the conversation stays in platform logs, yes. We audit what reaches the logs, what's retained by the model provider and what deletion policy you have contractually.

  • 04

    Do you cover integrations with specific legal/professional systems?

    Yes. We audit the connectors your team built — what permissions they asked for, what they can modify, how they handle errors. If your integration isn't standard, we read it the same way we read any other code.

Trust

Safe, traceable AI,
enterprise-ready.

We design for privacy from the start, human control, traceability, usage limits, permissioning and documentation. For sensitive processes, we help assess risk and applicable obligations under GDPR and the EU AI Act.

  • 01 We never train models on your data without explicit authorization.
  • 02 Human review built-in for processes where risk demands it.
  • 03 Traceability: prompts, sources, permissions, errors and metrics — documented.
  • 04 Privacy, security and control integrated from day one.
  • 05 Solutions engineered to be maintained, audited and improved over time.

GDPR · EU AI Act · AEPD · ISO 27001 ready · EU data residency

Personal diagnosis

We work with
few clients.

Every engagement is led personally by one of the partners. If there's a fit, you get a personal first read of your case within one business day — not a canned demo.

How we work
  1. Tell us which process eats your time
  2. Personal reply within one business day
  3. 20-minute call — no demo, no pitch