For law firms and solicitors

Built to the SRA standard.

Custodiance runs your firm's web and email estate as a managed service — kept in UK and EU jurisdiction, built to the standard your SRA obligations require, and held by a named senior engineer who is personally accountable for it. Your confidentiality duty does not stop at the matter file; neither does the way we run your infrastructure.

The risk

What the SRA requires of your website — and where agency builds silently fail

A typical independent solicitor's site was built three or four years ago on whichever SaaS stack carried a reseller discount: a US host, a US enquiry form, a US newsletter tool, a "secure" document-upload widget pointing at a US bucket. The site works and enquiries arrive. It also quietly fails the obligations the firm — not the agency — is accountable for. Four are worth naming precisely.

Rule 6 confidentiality

Under Rule 6.3 of the SRA Code of Conduct for Firms, the firm owes an unqualified duty of confidentiality to every client, current and former. That duty extends to every piece of personal data the firm holds, including the enquiry that arrived through the website before the person became a client. A US-resident enquiry inbox or document-upload bucket exposes that data to lawful third-party access the firm cannot defend.

Principles 2 and 7

Principle 2 (integrity) and Principle 7 (acting in each client's best interests) are unqualified duties read alongside Rule 6. They do not turn off because a sub-processor was convenient or because the agency built the form that way. An estate the firm cannot account for is difficult to square with either principle when a complaint or a PII renewal questionnaire arrives.

The Transparency Rules

A firm offering conveyancing, probate, motoring, immigration, employment-tribunal, debt-recovery, or licensing work to individuals must publish indicative fees, the basis of charge, disbursements, VAT treatment, key stages, timescales, and who does the work — plus a complaints procedure and the firm's SRA number. The SRA reads these against the public website. Most agency-built sites bury them in a PDF or miss clauses entirely.

UK GDPR transfer risk

The firm is the data controller. That means Article 30 records of processing, Article 28 data-processing agreements with every sub-processor, and — under Articles 44 to 49 — a lawful transfer mechanism with Standard Contractual Clauses and a written Transfer Risk Assessment for any personal data flowing outside the UK and EU. The agency that wired the enquiry form to a US host almost certainly wrote none of these.

None of these obligations explicitly requires an "EU-sovereign website". Each, however, eventually asks the same question: where does the client data live, who has access, and can the firm prove it? On a typical agency-built site the honest answer is "we do not really know."

How Custodiance answers it

An estate held to your regulator's standard

The work that puts a solicitor's site right is not a one-off remediation. It is the work the estate carries continuously, mapped to the SRA obligations a firm is accountable for.

A managed estate, not a finished project

Your web and email infrastructure is run as an estate we hold continuously — audited, monitored, and changed on your behalf — not handed over once and left to decay. Enquiry intake, document upload, the contact list, analytics, and the Transparency Rules pages are kept correct as the regime and your practice evolve.

In-jurisdiction by design

Hosting is pinned to a London region, enquiry forms post to Cloudflare-routed inboxes on UK and EU edges, document upload runs through in-jurisdiction object storage, and analytics move to Plausible (EU-resident, cookieless). When a client, an insurer, or the SRA asks where the data lives and who can reach it, the answer is engineered, not assumed.

Built to a published methodology

The standard each estate is built to is written down and applied consistently, so the way your firm is built is the way the next one is — auditable, repeatable, and defensible rather than improvised per project. The posture is set out in the Custodiance framework.

A named accountable engineer

A single senior technical partner is personally accountable for your estate — a name and a direct line, not a ticket queue. For a practice too small to justify a full-time chief technology officer, this is the fractional equivalent: someone who understands your SRA obligations, carries the work between requests, and answers for it.

Engage

Two ways to run the estate

Growth

£1,495 per month

For an established practice that wants its web and email estate run properly — in-jurisdiction, with a named partner on call.

  • Managed web + email infrastructure
  • Built to your regulator's standard
  • EU/UK-sovereign hosting
  • A named technical partner
  • Continuous monitoring + changes

Embedded

From £6,000 per month · bespoke

For a practice that wants a fractional CTO embedded — owning the roadmap, the compliance posture, and the build.

  • Everything in Growth
  • Fractional-CTO engagement
  • Compliance + DPIA support
  • Bespoke build + integrations
  • Board-level reporting

Custody, not marketing.

Have a senior partner review your estate against the SRA standard

A scoping call is a measured conversation about your obligations, your current setup, and what it would take to run it properly. Each of the SRA arms above is reviewed against your live site and marked pass, partial, or fail, with the specific remediation for each. No obligation, and no pressure.