What the Law Society of Ontario's Cloud Guidance Actually Requires From Your AI Vendor
The LSO requires lawyers to understand where data is processed, who has access, and what happens on subpoena. Most AI tools fail all three. Here is what genuine compliance looks like.
Law firms across Ontario are adopting AI tools for drafting, research, and document review at a rapid pace. The efficiency gains are real. So is the compliance exposure — and most firms have not fully worked through what the Law Society of Ontario actually requires before putting client data into an AI system.
This post works through the LSO's Practice Management Guidelines on cloud computing, applies them to AI tools specifically, and identifies the three questions every firm should be able to answer before using any AI vendor for client matters.
The LSO's Framework: Three Core Obligations
The Law Society of Ontario's guidelines on cloud computing and technology apply directly to AI tools that process client information. The LSO does not prohibit cloud or AI use — it requires lawyers to conduct meaningful due diligence. Synthesizing the relevant guidance, that due diligence centres on three questions:
- Where is the data processed and stored? Not just "which country" in a marketing sense, but which legal jurisdiction governs the servers and the company operating them.
- Who has access to the data? Including the vendor's own employees, subcontractors, affiliated entities, and any third-party integrations.
- What happens if the vendor is compelled by law enforcement or a court? This is the question most firms skip, and it is the most important one.
How Most AI Tools Fail Question Three
Consider the major consumer and enterprise AI tools currently being used in Ontario law firms: OpenAI (ChatGPT, GPT-4 API), Microsoft Copilot, Google Gemini, and Anthropic's Claude. All of these are operated by US corporations headquartered in the United States.
The US CLOUD Act (18 U.S.C. § 2713) requires US companies to produce electronic communications and records in their custody or control in response to a US government order — regardless of where those records are stored. This means a US government agency can issue a warrant or National Security Letter to OpenAI, Microsoft, or Google, and those companies are legally required to produce client communications that Ontario lawyers believed were confidential.
This is not a remote or theoretical risk for firms working on matters with a US nexus — regulatory proceedings, cross-border transactions, mergers involving US parties, or any matter where a US government agency might have an interest in the underlying facts.
The "Canadian Data Centre" Misconception
Several vendors now market "Canadian data residency" as a compliance feature. Microsoft Azure Canada, AWS Canada, and similar offerings store data on servers in Canadian cities. This sounds like it addresses the problem. It does not.
The CLOUD Act reaches US companies operating data centres in Canada. The physical location of the server is irrelevant — what matters is the legal jurisdiction of the company controlling the server. Microsoft and Amazon are US companies. Canadian storage locations do not insulate them from US law enforcement requests.
The LSO's due diligence requirements look through marketing representations to the actual legal reality. "Data stays in Canada" as a marketing claim is not the same as "no foreign government can access this data."
What LSO-Compliant AI Use Actually Looks Like
To use an AI tool for client matters in compliance with LSO obligations, a firm needs a satisfactory answer to each of the three core questions:
- Data location: Processed and stored on infrastructure governed exclusively by Ontario and Canadian law — not a US company with Canadian servers.
- Access controls: The vendor should have documented, contractually binding access restrictions. No US employees or affiliates in the data path. No US-based subprocessors.
- Compelled disclosure: The vendor should be legally incapable of complying with a US government order — because it is not subject to US jurisdiction. A Canadian CCPC with no US parent is the clearest path to this outcome.
A data processing agreement (DPA) with a US vendor promising not to disclose client data does not satisfy this framework. A contractual promise does not override a court order. The LSO's guidance requires lawyers to select vendors who genuinely cannot produce client data under foreign law — not vendors who promise they will not.
Practical Steps for Your Firm
If your firm is currently using or evaluating AI tools for client work, a practical compliance review should include:
- Identify every AI tool in use across the firm, including tools lawyers are using on their own without IT approval.
- For each tool, determine the corporate structure of the vendor — country of incorporation, US parent relationships, applicable law enforcement frameworks.
- Review vendor contracts for governing law clauses, law enforcement disclosure provisions, and subprocessor lists.
- Assess whether client consent or retainer agreement language adequately addresses AI use — most standard Ontario retainer agreements do not.
- Implement a firm policy distinguishing between AI tools approved for client matters (requires Canadian sovereignty) and tools permitted only for internal, non-client work.
Sovereign AI Gateway was built specifically for this use case. As an Ontario CCPC, we are not subject to the CLOUD Act. Client data processed through our API never touches US infrastructure and cannot be produced under US law. We can supply the contractual documentation, attestation records, and compliance call your firm needs to satisfy LSO due diligence requirements.