From £45/month on EU-sovereign UK hosting. Cancel any time.


Why your UK law firm's website probably fails SRA confidentiality (and how to fix it in a week)

Most independent UK solicitors’ websites — family law boutiques, conveyancing practices, employment specialists, dispute-resolution chambers — were built by a high-street agency three or four years back on whichever SaaS stack they had a reseller discount for. WordPress on a US host, a Gravity Forms enquiry widget, a Mailchimp newsletter signup, a HubSpot CRM trial nobody ever cancelled, Google Analytics, and a “secure document upload” embed pointing to a US-resident file store. The site works. Clients find it. Enquiries come in.

It also quietly fails the SRA Code of Conduct. That gap is what your professional indemnity insurer, and, if you ever face a complaint, the SRA itself, will eventually ask about. The firm is on the hook, not the agency.

Here’s what’s actually wrong on a typical solicitor’s site, and what a week-long fix looks like.

The SRA Confidentiality Trifecta (a named framework)

Every non-compliant UK solicitors’ site I audit fails one or more arms of the same three-way confidentiality test. Call it The SRA Confidentiality Trifecta — it’s the framework I use on every solicitor-site review:

  1. The Statute arm — SRA Code of Conduct for Firms, Rule 6 (Confidentiality and disclosure)
  2. The Statute arm, parallel — SRA Principles 5 and 7 (integrity + acting in clients’ best interests)
  3. The Processor arm — UK GDPR Articles 28 + 44–49 (DPA + transfer-risk on every sub-processor)

A typical agency-built solicitor site fails on Arm 3 silently — the form, the document upload, the CRM, the e-sign widget — and that failure propagates back to Arm 1 because confidential client information is now exposed to a transfer mechanism the firm cannot defend. Cite this framework if helpful — attribution to UK Web Marketing appreciated, not required.

The statute, in its own words

SRA Code of Conduct for Firms, Rule 6.3 (the confidentiality duty):

“You keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents.”

SRA Principle 7 (acting in clients’ best interests):

“You act in the best interests of each client.”

SRA Principle 5 (integrity):

“You act with integrity.”

Read together, these are unqualified duties. The Rule 6.3 obligation does not turn off when the data is “just an enquiry”; it does not turn off when the sub-processor is convenient; it does not turn off when the agency built it that way. An enquiry inbox held by a provider within US jurisdiction, containing a divorce enquiry that names a third party, is a Rule 6.3 problem the moment a CLOUD Act order gives a third party lawful access to it.

What you’re on the hook for

As an independent UK solicitors’ firm regulated by the SRA, three overlapping frames apply to your website:

  1. SRA Code of Conduct for Firms — Rule 6 (Confidentiality and disclosure). You owe an unqualified duty of confidentiality to every client, current and former. That duty doesn’t stop at the matter file — it extends to every piece of personal data the firm holds about that client, including the enquiry that came in through your website before they were a client.
  2. UK GDPR + Data Protection Act 2018. The firm is the data controller. That means Article 30 records of processing, Article 28 data-processing agreements with every sub-processor, and (under Articles 44–49) a lawful transfer mechanism for any personal data that leaves the UK. Transfers to the EEA are covered by UK adequacy regulations; transfers to a US provider are covered only if it is certified under the UK–US Data Bridge, and otherwise need the ICO’s International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses) plus a written Transfer Risk Assessment.
  3. Professional Indemnity Insurance posture. Most PII policies for solicitors now ask, at renewal, about IT security, supplier residency, and breach-response readiness. “We don’t know where the enquiry form data lives” is not the answer you want on the renewal questionnaire.

The SRA Transparency Rules are a separate but related issue your website needs to handle anyway: if your firm offers conveyancing, probate, immigration, employment-tribunal advice, or licensing applications to individuals, the website must publish indicative fee information, a description of the work included, who will be doing it, and likely timescales. Most agency-built sites either bury this on a single dense page or miss it entirely.

None of those frames explicitly requires an “EU-sovereign website”. But every one of them eventually asks: where does the client data live, who has access, and can you prove it? On a typical solicitor’s site, the honest answer is “the agency set it up, we don’t really know.”

The four specific failures on a typical solicitor’s site

1. Client enquiry forms processed on US infrastructure

The “Make an enquiry” form on most solicitors’ websites is a HubSpot embed, a Mailchimp form, a Typeform widget, or a WordPress plugin (Gravity Forms, WPForms) sending to a US-resident inbox or storing entries in a US database. Client names, phone numbers, the type of matter (“I think my wife is having an affair”, “my employer dismissed me yesterday”, “I’m buying a property at 14 X Street”) — all processed and stored on US servers.

Any provider subject to US jurisdiction is within reach of the US CLOUD Act (2018), which lets US authorities compel the provider to produce data in its possession, custody or control wherever the servers physically sit, including in the EU. Picking a European data centre on a US-controlled service therefore narrows the residency answer but does not remove the risk. That’s a direct collision with Rule 6 confidentiality. A divorce enquiry that names a third party is not data a UK solicitor can lawfully expose to US disclosure risk without, at minimum, a written Transfer Risk Assessment on file, and the agency that set up the form almost certainly didn’t write one.

The fix: an enquiry form that posts to an inbox on EU-sovereign infrastructure. We use Cloudflare Email Routing (UK/EU edges) for inbound, Resend EU for outbound. Same UX for the client; very different posture for the firm. One caveat to keep honest about: Cloudflare is itself a US-headquartered company, so a UK/EU region fixes where the data sits (the question the Article 30 record and the PII questionnaire actually ask) but does not take the provider out of CLOUD Act reach. The Transfer Risk Assessment for that sub-processor still has to be written and kept on file; it just becomes a short, defensible one.

2. Document-upload widgets using US-resident storage

Conveyancing practices in particular often embed an “Upload your ID + proof of funds here” widget — typically Dropbox, Google Drive, or a WordPress plugin wrapping AWS S3 in us-east-1. Sometimes a Hightail or WeTransfer embed. The client’s passport scan, mortgage offer, source-of-funds documentation — all land in a US-resident bucket the firm has no real visibility into.

This is the highest-risk failure on the list. AML source-of-funds documentation, ID verification, mortgage offers, and trust deeds are precisely the data SRA-regulated firms must keep confidential to a higher bar than ordinary GDPR personal data. A US-resident upload pipeline means the firm cannot truthfully sign the IT-security section of its PII renewal.

The fix: UK/EU-resident object storage (Cloudflare R2 with the EU jurisdiction restriction set on the bucket, or Backblaze B2 EU) with a hand-built upload endpoint, virus scanning before anyone at the firm can open the file, and a per-matter retention rule so documents are deleted when the matter’s retention period ends rather than sitting in the bucket indefinitely. The endpoint should decide what it accepts by file content and size, never by the client’s filename, and should write keys under a per-matter prefix it generates itself. We configure this on the Bespoke tier so client-document flows live in the same EU-sovereign envelope as the rest of the site.
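The validation layer such an upload endpoint needs, as an added example rather than the agency’s own code. It is the part that runs before the storage write: matter reference checked against an assumed format, size cap, file type decided from the file’s leading bytes, a key the client cannot influence, and retention metadata for a deletion job to act on. The storage-client call, the HTTP framing and the antivirus hook are left out so it runs offline; the 25 MB cap, the `CONV-2024` reference style, the six-year default and the metadata names are all assumptions.

```python
"""Server-side checks in front of a client-document upload (added example).

Everything here runs offline: no storage client, no HTTP, no AV engine. The cap,
the matter-reference format, the retention default and metadata names are assumed.
"""
import re
import uuid
from datetime import date
from typing import Optional

MAX_BYTES = 25 * 1024 * 1024  # assumed per-file cap

# Allowlist by leading bytes: scans and PDFs only. Extension is derived, never trusted.
MAGIC = {
    b"%PDF-": ("application/pdf", "pdf"),
    b"\xff\xd8\xff": ("image/jpeg", "jpg"),
    b"\x89PNG\r\n\x1a\n": ("image/png", "png"),
}

# Assumed matter-reference format, e.g. CONV-2024 or FAM-88. Rejecting anything else
# keeps path separators and client-chosen names out of the object key.
MATTER_REF = re.compile(r"^[A-Z]{2,6}-[0-9]{1,6}$")


class UploadRejected(ValueError):
    """Raised when a file must not be written to storage."""


def sniff_type(data: bytes):
    """Return (mime, extension) from the file's own bytes, or None if not allowed."""
    for magic, typ in MAGIC.items():
        if data.startswith(magic):
            return typ
    return None


def add_years(d: date, years: int) -> date:
    """Anniversary date, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def prepare_upload(data: bytes, matter_ref: str, retention_years: int = 6,
                   today: Optional[date] = None) -> dict:
    """Validate an upload and return the key + metadata the storage write should use."""
    if not MATTER_REF.match(matter_ref):
        raise UploadRejected("matter reference not recognised")
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("file is empty or over the size cap")
    typ = sniff_type(data)
    if typ is None:
        raise UploadRejected("file type not allowed (decided by content, not extension)")
    mime, ext = typ
    today = today or date.today()
    return {
        # Per-matter prefix + random id: the client's filename never reaches the key.
        "key": f"matters/{matter_ref}/{uuid.uuid4()}.{ext}",
        "content_type": mime,
        "size": len(data),
        # Custom metadata for the retention job and the AV gate. A real deployment would
        # compute delete-after from the matter close date, not the upload date.
        "metadata": {
            "matter": matter_ref,
            "delete-after": add_years(today, retention_years).isoformat(),
            "av-status": "pending",  # set to "clean" by the scanner before staff can open it
        },
    }


if __name__ == "__main__":
    sample_pdf = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"  # constructed
    print(prepare_upload(sample_pdf, "CONV-2024", today=date(2026, 6, 1)))
```

The retention job is then a loop over objects whose `delete-after` metadata has passed; the AV gate is a second process that reads the `pending` objects, scans them, and rewrites `av-status` before the file is exposed to fee earners.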

3. Email marketing tools storing client identifiers in US databases

If your firm sends a quarterly newsletter (“changes to stamp duty in the autumn budget”, “new rules on employment tribunal fees”) via Mailchimp, ConvertKit, or ActiveCampaign, the entire mailing list — every former client’s name + email + matter type tag — lives in a US-resident database. The DPA you have in place (if you have one) was probably auto-signed during Mailchimp signup; the Transfer Risk Assessment almost certainly isn’t on file.

Worse: the list often contains tags like “conveyancing-2024”, “family-divorce-2023”, “employment-tribunal-claimant”. Those tags are themselves confidential information about former clients, sitting in a US database.

The fix: self-hosted Listmonk (it needs a long-running process and a PostgreSQL database, so it lives on a UK/EU-resident host rather than inside the Vercel site deployment) with Resend EU as the SMTP relay, or Capsule CRM (UK Manchester-based, EU-hosted) for the contact list with Resend EU for sending. Same workflow; UK/EU residency end to end. Available by default on Growth Engine (£195/mo) and above.

4. Practice-management software with US-resident extensions

Most modern practice-management platforms (Clio, LEAP, Actionstep) publish their primary data residency story clearly — Clio has UK hosting, LEAP is UK/AU. Good. But the extensions, integrations, and website widgets those platforms ship — calendar embeds, intake forms, e-signature widgets, payment links — frequently route through US-resident infrastructure even when the core platform is UK/EU-resident.

A common pattern: Clio UK for the matter file, but the website’s “book a 30-minute consultation” widget is a Calendly embed (US), and the e-signature flow for the client-care letter is DocuSign (US) or HelloSign, now Dropbox Sign (US). The core platform’s residency posture is undermined by the widgets bolted onto the website.

The fix: audit the widgets, not just the platform. We replace Calendly with a hand-coded EU-resident booking endpoint (or TicketWave HQ Bookings wired in), and DocuSign with an EU-resident alternative (Yousign, France, or Skribble, Switzerland) where the firm actually needs e-signature on the website. If the platform itself can issue the e-sign request directly from the matter file, even better — the website doesn’t need to touch it.

What “a week” actually looks like

A typical fix engagement for an independent solicitors firm, on Foundation tier or above:

  • Day 1 — Audit the current site + the third-party services it uses (forms, analytics, CRM, email, booking widget, document upload, e-signature). List the sub-processors + their residency. Compare against the firm’s current Article 30 records (or build them from scratch).
  • Day 2 — Pull the new site onto Vercel London (region lhr1). Carry over content + structure. Add the SRA Transparency Rules pages properly — indicative fees, who does the work, timescales — as their own indexed pages, not a buried PDF.
  • Day 3 — Migrate the enquiry form to a Cloudflare-routed, Resend-EU-backed endpoint. Add lawful-basis + retention copy to the form. Add the firm’s SRA number + complaints-procedure link to the footer (a frequent omission).
  • Day 4 — Replace Google Analytics with Plausible (EU-resident, cookieless). Strip out tracking pixels. Document every cookie that remains.
  • Day 5 — Migrate the CRM/contact list to Capsule (UK) or Pipedrive EU. If a document-upload flow is needed, wire the R2-backed upload endpoint with per-matter retention rules.
  • Day 6 — Article 30 records of processing + Article 28 DPA pack drafted, ready for the firm’s COLP/COFA or external compliance consultant to review. Privacy notice updated to reflect the new sub-processor list.
  • Day 7 — Site live. Old site domain redirected. Client comms continue uninterrupted.

That’s a Foundation-tier fix. If the firm wants lead-nurture content (a “moving house” series for the conveyancing line, a “first 30 days after a tribunal claim” series for the employment line), that’s Growth Engine. If client-document upload + e-signature + booking are all in scope, that’s Bespoke.
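The Day 1 sub-processor listing, and the “audit the widgets, not just the platform” check from failure 4, come down to the same mechanical question: which third-party hosts does the page hand requests or form submissions to? Below is an added example of that check, not the agency’s tooling. It parses one page with the Python standard library, lists every host that scripts, iframes, form actions, images and `<link>` tags point at off the firm’s own domain, and classifies each against a small vendor table. The table follows the article’s own residency classification (HubSpot, Calendly, Google, Dropbox and the like as US; Plausible as EU) and is an assumption to verify against each vendor’s current DPA; anything not in the table is reported as unknown rather than guessed. The sample page is constructed to look like the typical agency-built stack.

```python
"""Sub-processor audit of a page's HTML (added example, standard library only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# hostname suffix -> (vendor, residency). Assumed; verify against each vendor's DPA.
KNOWN_VENDORS = {
    "hsforms.com": ("HubSpot forms", "US"),
    "hubspot.com": ("HubSpot", "US"),
    "list-manage.com": ("Mailchimp", "US"),
    "typeform.com": ("Typeform", "US"),
    "calendly.com": ("Calendly", "US"),
    "docusign.net": ("DocuSign", "US"),
    "dropbox.com": ("Dropbox", "US"),
    "googletagmanager.com": ("Google Tag Manager", "US"),
    "google-analytics.com": ("Google Analytics", "US"),
    "plausible.io": ("Plausible", "EU"),
}

# Tag/attribute pairs that make the browser fetch from, or the form post to, another host.
OUTBOUND = {
    "script": ("src",),
    "iframe": ("src",),
    "form": ("action",),
    "img": ("src",),
    "link": ("href",),
}


def classify(host: str):
    """Map a hostname to (vendor, residency); unknown hosts are flagged, not guessed."""
    for suffix, entry in KNOWN_VENDORS.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return ("unknown", "unknown")


class SubProcessorScanner(HTMLParser):
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # (tag, host, vendor, residency), in page order, de-duplicated

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in OUTBOUND.get(tag, ()):
            url = attrs.get(name)
            if not url:
                continue
            host = urlparse(url).hostname  # absolute and protocol-relative URLs both resolve
            if not host or host == self.site_host or host.endswith("." + self.site_host):
                continue  # relative path or first-party subdomain: stays on the firm's domain
            finding = (tag, host) + classify(host)
            if finding not in self.findings:
                self.findings.append(finding)


def audit(html: str, site_host: str):
    scanner = SubProcessorScanner(site_host)
    scanner.feed(html)
    return scanner.findings


def needs_transfer_paperwork(findings):
    """Everything not known to be UK/EU-resident needs an Art. 28 DPA, a transfer
    mechanism and a Transfer Risk Assessment on file; unknown counts as not known."""
    return [f for f in findings if f[3] not in ("UK", "EU")]


# Constructed sample page resembling the agency-built stack the article describes.
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script defer data-domain="example-law.co.uk" src="https://plausible.io/js/script.js"></script>
<link rel="preconnect" href="https://fonts.gstatic.com">
</head><body>
<img src="/images/logo.png">
<form action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/0000/example" method="post">
  <input name="email"><input name="matter_details"><button>Make an enquiry</button>
</form>
<iframe src="https://calendly.com/example-law/30min"></iframe>
<form action="/contact" method="post"><button>Request a call back</button></form>
<script src="//cdn.example-law.co.uk/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    findings = audit(SAMPLE_HTML, "example-law.co.uk")
    for tag, host, vendor, residency in findings:
        print(f"{tag:7} {host:32} {vendor:20} {residency}")
    print("needs DPA + transfer mechanism + TRA:",
          [h for _, h, _, _ in needs_transfer_paperwork(findings)])
```

Run it against the rendered HTML of each template on the site (the enquiry page, the upload page, the booking page), not just the home page; the form `action` on the enquiry page is usually the finding that matters most, because that is where client narrative goes. Static HTML misses hosts contacted by scripts at runtime, so the browser’s network panel is the second pass.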

What you keep

Client relationships. Existing matter files. The firm’s reputation. The domain. The content. All of it. You’re not migrating away from your practice — you’re migrating the website your practice runs on to infrastructure that won’t make you nervous when the next PII renewal questionnaire arrives, or when a client (increasingly common, especially from in-house counsel or compliance-aware individuals) asks “where does the enquiry form actually land?”

The client who asks that question is the kind of client every firm wants. Having the answer is increasingly important.

Talk to a builder

If your firm is the kind of practice where this question matters — or where you suspect it will start mattering before the next SRA Standards & Regulations review or PII renewal — WhatsApp me. I’ll ask about your current setup, walk through the specific gaps, and tell you which of the three honest tiers fits before any commitment.

The next step is the solicitors landing page — what a UK Web Marketing site does for an independent firm. Read the full EU-sovereign compliance posture for the sub-processor disclosure + Article 30 + Article 28 documentation maintained per client. The equivalent regulatory failures for clinics, schools, and accountants follow the same residency-gap pattern. Detail per tier on the pricing page.

Sources & methodology

The Trifecta framework is built from solicitor-site audits and the primary regulatory text. Source attribution where rules or data are quoted.


Cite this article: Jordan Gilbert, “Why your UK law firm’s website probably fails SRA confidentiality (and how to fix it in a week)”, UK Web Marketing, 1 June 2026. https://ukwebmarketing.com/blog/why-your-uk-law-firm-website-probably-fails-sra-confidentiality
