The choice between self-hosted and SaaS legal AI is not a contest between control and convenience. Either model can be operated well or badly. The useful question is which allocation of responsibilities fits the organization’s information, skills, deadlines, integrations, threat model, and capacity to keep the system secure over time.
Use the NIST Cloud Computing Standards Roadmap, NIST Cybersecurity Framework, ISO/IEC 27001, and current CERT-In material to organize evidence. These references do not declare one deployment safer, prove certification scope, or decide an organization’s legal obligations.
What do self-hosted and SaaS mean in this decision?
Define the options precisely. “Self-hosted” may mean customer-operated software in its own cloud account, a private data centre, or infrastructure managed by a service partner. “SaaS” may range from a shared application with logical tenant isolation to a dedicated environment. Model inference may still occur through an external API in either design.
For each candidate, map who operates the application, database, object store, retrieval index, model, identity integration, keys, network, monitoring, backups, updates, and support. Mark data locations and every administrative access path.
| Component | Customer question | Evidence |
|---|---|---|
| Application | Who patches and approves releases? | Responsibility matrix |
| Model | Where does inference occur? | Data-flow diagram |
| Storage | Who configures encryption and backup? | Architecture and settings |
| Identity | Which system is authoritative? | SSO and role test |
| Monitoring | Who sees and responds to alerts? | Runbook and exercise |
| Recovery | Who restores each dependency? | Recovery test record |
Avoid deciding from labels until this matrix is complete. A privately hosted application with an unrestricted external model route may disclose more than a tightly configured SaaS service.
Which data-control requirements truly need isolation?
Classify the expected content and contractual constraints. Consider privileged files, personal data, regulated records, ethical walls, client-specific restrictions, encryption-key expectations, residency, deletion, and support access. Then translate each constraint into a testable requirement.
Ask whether isolation must apply to compute, storage, encryption keys, administrators, networks, model endpoints, or all of them. Dedicated resources can narrow some exposure, but they also create operational duties. Logical multi-tenancy may be acceptable for a defined use if authorization, tenant separation, monitoring, and contract evidence meet the organization’s standard.
Map prompt, upload, OCR, embedding, generated output, feedback, telemetry, support, and backup data separately. Use the legal AI DPIA workflow for risks to people and the DPA checklist for processing terms.
How does the security responsibility model change?
In SaaS, the provider commonly operates more of the stack, but the customer still owns users, data classification, approved use, connector permissions, and many settings. In a self-hosted deployment, the customer or its operator may inherit patching, secrets, network rules, databases, backups, monitoring, and incident response.
Self-hosted security questions:
- Can the team monitor and patch every component promptly?
- Are hardened deployment patterns maintained across environments?
- Who reviews model, container, library, and parser supply chains?
- Are secrets, keys, service identities, and administrator paths governed?
- Can the team investigate prompt and connector abuse?
- Is recovery exercised after upgrades?
SaaS security questions:
- How are tenants and matters isolated and tested?
- Which employees and subprocessors can access content?
- What settings restrict retention, models, sharing, and connectors?
- What evidence supports secure development and vulnerability response?
- How are material changes and incidents communicated?
- Can customers export useful audit events?
Apply the legal AI security questionnaire to both. Self-hosting should not receive automatic credit merely because the server is under customer control.
Which model gives better privacy and confidentiality control?
Self-hosting may support local storage, customer-controlled keys, tailored retention, and constrained networks. Those benefits depend on the complete inference path and competent operation. Administrators, backups, logs, model downloads, observability tools, and support channels can still create exposure.
SaaS may offer mature access operations, rapid security updates, standardized deletion, and independent assurance. It may also introduce additional recipients, less flexible retention, cross-border routes, or opaque support access. Review the specific service and configuration.
Test both options with the same lifecycle questions: What is collected? Where is it copied? Is it used for training or improvement? Who can read it? How is it logged? When is it deleted? Can deletion be demonstrated in indexes and backups? What changes without customer action?
Read vendor pages such as Gotham’s privacy information as orientation, then confirm facts in architecture, settings, contracts, and tests.
How should performance, reliability, and model quality be compared?
Do not assume local means slow or SaaS means scalable. Benchmark representative document sizes, OCR quality, concurrency, network conditions, retrieval volumes, and model tasks. Measure end-to-end workflow time, not only token speed.
Run the same labelled evaluation set in both configurations. Check legal citations, proposition support, extraction coverage, omissions, conflicting sources, permissions, and abstention. The legal AI accuracy evaluation guide provides a reproducible approach.
For resilience, document dependencies and failure modes. SaaS needs provider status, support, export, and local fallback. Self-hosted systems need tested database, storage, index, model, queue, and key recovery. Both need clear behavior for partially completed actions. Ask what happens if a connector writes output twice after retry.
What does total cost include beyond the license?
Compare three-year scenarios with transparent assumptions. SaaS costs may include users, usage, storage, premium models, connectors, environments, support, egress, and implementation. Self-hosted costs may include compute, accelerators, storage, networking, observability, backups, security tooling, engineering, on-call response, upgrades, testing, and recovery exercises.
Add the cost of governance and qualified review to both. A cheaper system that makes sources hard to inspect can increase lawyer time and risk. Include migration and exit, idle capacity, usage peaks, and the opportunity cost of scarce platform staff.
Use ranges rather than a single forecast:
| Scenario | Volume | Availability | Staffing | Change rate |
|---|---|---|---|---|
| Pilot | Bounded sample | Business hours | Named pilot team | Controlled |
| Expected | Normal matters | Defined service target | Operational rota | Regular |
| Stress | Peak review or filing | Urgent recovery | Escalation coverage | Vendor or model change |
The relevant output is not the lowest sticker price. It is cost per acceptable, reviewed workflow outcome under realistic demand.
How do integrations and updates affect the choice?
Inventory document systems, identity, office tools, email, billing, matter management, legal research, and security monitoring. Decide whether each connection is read-only, writes data, or can trigger an action. Limit service identities and test matter permissions end to end.
SaaS may deliver connectors and model improvements faster. That speed can reduce internal maintenance but may introduce change-control pressure. Self-hosting can provide timing and customization control, while creating responsibility for compatibility, migrations, vulnerabilities, and rollback.
Require a release process for both options. Define validation tests, maintenance windows, model-change notice, rollback, schema migration, and business approval. Keep a stable acceptance suite so an upgrade does not silently alter research or extraction behavior.
What scorecard supports a defensible decision?
Set minimum gates first: authorized data path, workable access model, acceptable training and retention terms, critical vulnerability response, incident cooperation, recovery, and export. Then weight factors for the defined use.
A sample 100-point scorecard assigns information control 20, security operations 20, quality and review 15, resilience 15, implementation fit 10, integrations 10, and total cost and exit 10. Score evidence from zero to four: missing, asserted, documented, independently assessed, or customer-tested.
Record uncertainty and owner beside each score. Conduct a bounded pilot, red-team permission and prompt boundaries, exercise an incident, restore from backup, and export work product. Reassess if the model, architecture, operator, region, subprocessor, terms, use, or risk changes.
Use the legal AI RFP template to compare suppliers consistently. Teams can also explore Gotham’s practice solutions, review legal workflows, see its security approach, or contact Gotham. The best deployment is the one whose responsibilities your organization can understand, evidence, fund, and operate throughout the system’s life.



