January 2, 2026

Pandektes is now BRAO-compliant for the German legal market

Casper Laursen

As we expand into the German market, one of our top priorities has been ensuring that Pandektes meets the strict requirements that German lawyers face when using external service providers. Today, we're proud to share that Pandektes is fully compliant with the Bundesrechtsanwaltsordnung (BRAO), the Federal Lawyers' Act that governs the professional practice of all lawyers admitted in Germany.

This is an important milestone for us, and we want to explain what it means in practice for the law firms we work with.

Why BRAO compliance matters

German lawyers are bound by some of the most stringent professional secrecy obligations in Europe. Under § 43a(2) BRAO, the duty of confidentiality (Verschwiegenheitspflicht) covers everything a lawyer learns in the course of their professional activity. It begins the moment a potential client first makes contact and continues even after the mandate ends.

When a law firm uses an external service provider, whether that's a cloud platform, an IT service, or an AI-powered legal research tool like Pandektes, § 43e BRAO sets out specific requirements that must be met. The lawyer must carefully select the service provider, enter into an agreement in text form, and ensure that the provider is contractually bound to maintain confidentiality, having been instructed about the criminal consequences of any breach.

What we've done

To meet these requirements, we've implemented the following:

§ 43e-compliant service provider agreements. Pandektes offers a dedicated confidentiality agreement (Verschwiegenheitsvereinbarung) that satisfies all requirements of § 43e(3) BRAO. This includes the obligation to maintain confidentiality under instruction about criminal law consequences (§ 43e(3) no. 1), the limitation of access to client secrets to what is strictly necessary for contract fulfilment (§ 43e(3) no. 2), and clear provisions governing any sub-processors we engage (§ 43e(3) no. 3).

EU-sovereign infrastructure. All customer data is stored and processed exclusively within the EU. BRAO adds a further check when a service is performed abroad: the lawyer must satisfy themselves that client secrets enjoy protection comparable to that in Germany. Within the EU the legislator presumes an equivalent level of protection, so by hosting entirely within the EU we remove that additional step for our customers.

Strict tenant isolation. Each organisation's data is logically isolated at the database level using row-level security, encrypted at rest and in transit, and subject to role-based access controls. Row-level security bounds what any query issued through the application can return, and role-based access controls bound which staff can reach the data at all. Together they directly support the principle that service providers may only access client secrets to the extent necessary for contract fulfilment.
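As an added illustration of what database-level row-level security looks like in practice (this is example code written for this post, not Pandektes's own schema; the `documents` table, the `app_user` role and the `app.tenant_id` session setting are assumed names), the following PostgreSQL script defines one policy that scopes every read and write to the tenant bound to the current transaction:

```sql
-- Example only: a minimal tenant-isolation setup in PostgreSQL.
-- Table, role and setting names are assumptions for illustration.

CREATE TABLE documents (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL,
    body       text NOT NULL
);

-- The application connects as a role that owns nothing and holds only
-- the table privileges it needs, so it cannot bypass the policy.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner too; without it a
-- connection running as the owning role sees every tenant's rows.
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- One policy covers SELECT, INSERT, UPDATE and DELETE.
-- current_setting(..., true) returns NULL or '' when no tenant has been
-- bound; NULLIF turns '' into NULL, and NULL never compares equal, so an
-- unscoped session can neither read nor write any row.
CREATE POLICY tenant_isolation ON documents
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request: bind the tenant taken from the authenticated identity
-- (never from client-supplied input) and scope it to the transaction
-- with SET LOCAL so it cannot leak into a pooled connection's next use.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO documents (tenant_id, title, body)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Mandate A memo', 'constructed sample text');

-- A row tagged for another tenant is rejected by the WITH CHECK clause:
--   INSERT INTO documents (tenant_id, title, body)
--       VALUES ('22222222-2222-2222-2222-222222222222', 'x', 'y');
--   ERROR:  new row violates row-level security policy for table "documents"

-- Only rows belonging to tenant 1111... are visible to this transaction.
SELECT id, title FROM documents;
COMMIT;
```

Two points a reviewer would check in a setup like this: the policy must be forced for the table owner, and the tenant id must come from the server-side authenticated session rather than a request parameter, otherwise the policy scopes to whatever the caller claims. Row-level security bounds application queries; it does not restrict a database superuser or the infrastructure operator, which is what role-based access control on staff and customer-managed keys address.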

No model training on customer data. Pandektes never uses customer data to train or fine-tune AI models. This is essential for BRAO compliance: the confidentiality obligation requires that client information is not used beyond the scope of the agreed service, and model training would constitute an impermissible broader use.

Customer-managed encryption keys (CMEK). For firms requiring additional control, we offer customer-managed encryption keys, giving organisations full authority over key rotation and revocation. Because the data at rest is encrypted under a key the firm controls, revoking that key leaves the stored data unreadable to Pandektes.

What this means for German law firms

If you're a German law firm evaluating Pandektes, this means you can use our platform without compromising your professional obligations. We provide the contractual framework required by § 43e BRAO out of the box, and our infrastructure choices were made with precisely these requirements in mind.

Our existing ISO 27001:2022 certification and GDPR compliance provide the technical and organisational foundation. The BRAO-specific measures build on top of this with the additional contractual and procedural safeguards that German professional law demands.
