A law firm's confidentiality duty is older and stricter than any data protection statute: privileged material, undertakings, embargoed transactions, client identities. The modern firm honours that duty while spreading matter files across Microsoft's cloud, a US e-signature platform and per-user practice tools — each one a third party your client never chose, and each seat another monthly fee.
The per-seat maths for a small firm
For a ten-person firm, Microsoft 365 Business Standard lists at about £11.55 per user per month (rising from July 2026) — roughly £115 a month before a single legal tool. E-signing adds around $20 per user per month plus per-completion API fees if your systems send documents automatically. Per-seat practice and CRM tools start around $15 per user per month at the entry tier. Every trainee intake raises every line.
| Capability | Per-seat stack | On Node (flat) |
|---|---|---|
| Files & matter documents | M365 Business Standard: ~£115 | Nextcloud (Large): £75 |
| E-signing engagement letters | ~$20/user x 4 senders + API fees: ~£63+ | DocuSeal (Medium): £45 |
| Client intake & referral tracking | Entry CRM at ~$15/user: ~£118 | EspoCRM (Medium): £45 |
| Time recording | Per-user timesheet tools | Kimai (Small): £25 |
| Identity, SSO & audit | Spread across the above | Platform plan (Team): £75 |
| Indicative total | ~£300+ rising per hire | £265 flat to 25 users |
These are list prices, not a quote — the honest headline is not the day-one saving but that the Node column does not move when you hire. Your practice management system (LEAP, Clio, or similar) stays; this replaces the general stack around it, where the per-seat fees and the scattered client data live. Ask for a like-for-like figure for your firm.
What a firm runs on Node
Matter files — Nextcloud (self-serve): matter folders with access per team or per matter, client shares that replace email attachments, versioning, and activity logs that show who touched what and when. Runs under your own domain.
Engagement letters and deeds — DocuSeal (self-serve): legally binding e-signatures with no per-envelope economics, and executed documents stored in your tenant, not a vendor's cloud. Documenso is available as managed setup if you prefer it.
Client intake — EspoCRM (self-serve): enquiries, referrals, conflicts-of-interest notes and engagement status in one place instead of a partner's inbox.
Workflow — n8n (self-serve): route signed letters into matter folders, open a matter checklist when intake completes, nudge for undertakings falling due.
Managed setup: Kimai time recording, Paperless-ngx for scanned correspondence with OCR and full-text search, Zammad as a shared enquiries inbox, BookStack for precedents and know-how, and more.
Built for the questions the SRA expects you to ask
The SRA's position on outsourcing and client confidentiality is, in essence, that the duty stays with the firm: you should know where client data is held, who can access it, and be able to evidence both. We are not your compliance adviser and this page makes no regulatory promises — but the platform is shaped to give that assessment good answers:
Where is it? On hardware we own in UK data centres, under UK jurisdiction, in a tenant isolated at the network level from every other customer. How the platform works.
Who can reach it? The people you authorise, through your own single sign-on realm — a leaver is removed from every app in one action — plus the named Node engineers who operate the service, whose actions are logged. Our visibility stops at your tenant boundary.
Can you evidence it? Sign-ins, permission changes and administrative actions are centrally logged and auditable, and the processing relationship is documented in a UK GDPR Article 28 DPA with a published sub-processor list — you can generate a completed copy before you ever email us.
What if you leave? Every app is open source and your data stays in open formats. Departure is an export, not a negotiation.
AI drafting that respects privilege
The risk with public AI tools is structural: privileged text pasted into someone else's cloud. The AI gateway draws the line clearly: UK-hosted models run on GPUs we own in our UK data centre, so prompt content never leaves our infrastructure — usable for first drafts, summaries and internal notes on sensitive material, subject to your own policy. Partner-routed models are labelled as such, per model, so a firm can permit them for non-privileged work and exclude them for the rest. Every request is metered, attributable and billed in GBP on the same invoice.
Put the platform through your own assessment
Generate the DPA, read the compliance page, then deploy a first app self-serve with £15 of free credit — or put your questions to an engineer directly.
Frequently asked questions
Where are our matter files and client correspondence held?
Inside your own tenant: an isolated private network on hardware Node owns and operates in UK data centres, under UK jurisdiction. No other customer's workloads or users can reach it, and access on your side is enforced through your own single sign-on realm. A UK GDPR Article 28 data processing agreement is provided as standard.
Does this satisfy the SRA's outsourcing requirements?
That judgement is your firm's to make, and we will not claim otherwise. What we provide is what that assessment needs: a named UK processor, a signed Article 28 DPA, a published sub-processor list, UK data residency, per-tenant isolation and a full audit trail. It is infrastructure designed to support your obligations, not a compliance certificate.
Can Node staff read privileged material in our tenant?
Access to your tenant is limited to the people you authorise and the named Node engineers who operate the service, whose administrative actions are logged and auditable. We do not monitor inside your applications, and our own compliance page describes where our visibility deliberately stops. For matters requiring further assurance, talk to us about the controls available.
How does e-signing compare with DocuSign for engagement letters?
DocuSign-style platforms charge per user per month, around 20 dollars, with envelope allowances and per-completion API fees. DocuSeal on Node is a flat 45 pounds per month for the firm: unlimited senders and no per-document fees, with signed documents landing in your own tenant rather than a US vendor's cloud.
Can fee earners record time against matters?
Yes. Kimai provides time recording against clients, projects and activities with exportable timesheets, as a managed setup from 25 pounds per month flat, rather than per fee earner.
Is AI usable on privileged material?
That is a call for each firm, and often for each matter. What the gateway gives you is a clean line to draw it along: UK-hosted models run on GPUs we own in our UK data centre and prompt content never leaves our infrastructure, while partner-routed models are clearly labelled as processed by a third party. Every request is metered and attributable.