Monitoring for Legal Tech: Professional Secrecy (§ 203 German Criminal Code) and Data-Sovereignty Requirements
Under § 203 German Criminal Code and § 43e BRAO, law firms pass secrecy duties to legal tech vendors — and to every sub-provider. Mapping table inside.
Since Germany’s 2017 professional-secrecy reform, lawyers, tax advisors, and auditors may explicitly bring in external IT providers: § 203(3) sentence 2 of the German Criminal Code (Strafgesetzbuch, StGB) permits disclosure to “participating persons” to the extent necessary for their services. The trade-off: the provider becomes criminally liable in their own right (§ 203(4) sentence 1 StGB), and the firm must formally obligate them to confidentiality under § 43e of the Federal Lawyers’ Act (BRAO).
If you sell legal tech or SaaS to German law firms, tax advisory practices, or audit firms, your customers pass these obligations to you contractually — and you must pass them on to every sub-provider you use, from your hosting company to your uptime monitoring tool. This article explains how the chain works and which contract and evidence artifacts satisfy it. It is orientation, not legal advice.
What is § 203 StGB — and why does it reach software vendors?
§ 203(1) StGB criminalizes the unauthorized disclosure of another person’s secrets entrusted to a professional: up to one year of imprisonment or a fine, up to two years in the aggravated cases of § 203(6) (acting for payment, or with intent to enrich or harm). The protected professions (“Berufsgeheimnisträger” — bearers of professional secrets) include doctors and health professionals (no. 1) as well as lawyers, notaries, auditors (Wirtschaftsprüfer), and tax advisors (Steuerberater) (no. 3).
For decades this bound only the professionals themselves. Since 2017, it binds their vendors too: § 203(4) sentence 1 StGB makes the “participating person” criminally liable themselves if they disclose, without authorization, a secret that became known to them in the course of their work — and “participating person” explicitly covers the external IT provider. That is you.
The chain does not stop with you either. Under § 203(4) sentence 2 no. 2 StGB, participating persons who engage further persons — i.e., use sub-providers — carry the same duty to obligate those persons to confidentiality. Your hosting provider, your email service, your monitoring vendor: each is a link in the same criminally backed chain.
What did the 2017 reform actually change?
Before 2017, IT outsourcing put German firms in a gray zone: even the possibility that an external administrator could access client data risked qualifying as unauthorized disclosure. The Act on the Protection of Secrets in the Involvement of Third Parties of 30 October 2017 (Federal Law Gazette I p. 3618) resolved this with a clear bargain:
- Permission: § 203(3) sentence 2 StGB allows disclosure to “other persons … participating in their professional or official activity, to the extent this is necessary for using the services of those participating persons” — expressly including the sub-provider chain.
- The price: the participating person becomes criminally liable themselves (subsection 4 sentence 1), and the professional must obligate them to confidentiality. Failing to do so is punishable under subsection 4 sentence 2 no. 1 — but only if the non-obligated person then actually discloses a secret without authorization. Not an abstract organizational offence, but a criminal-liability risk no law firm is willing to carry.
The consequence for vendors: German firms may hire you — but only with a formal confidentiality obligation in place. You will find exactly that clause in every contract draft your law-firm customers send you.
Which duties does § 43e BRAO pass down to you?
Where the criminal code sets the frame, professional law fills in the detail. § 43e BRAO governs how German lawyers may use service providers:
- Subsection 1: access to secrets only “to the extent this is necessary for using the service.”
- Subsection 2: careful selection of the provider, and termination without undue delay if confidentiality is not upheld.
- Subsection 3: a contract in text form (“Textform” — a lower bar than written form; email suffices) containing: a confidentiality obligation with instruction on the criminal consequences of a breach (no. 1), notice of secrets only to the extent necessary (no. 2), and further persons only if obligated in the same way (no. 3).
- Subsection 4: providers abroad only if professional-secrecy protection there is comparable to Germany’s.
- Subsection 5: services relating to an individual client matter additionally require the client’s consent.
Tax advisors and auditors face structurally identical rules in § 62a StBerG and § 50a WPO. On top sits § 2(2) of the lawyers’ code of conduct (BORA, as of 1 December 2025): lawyers must take the “necessary organizational and technical measures” to protect client confidentiality — “risk-adequate” and in line with the “state of the art.” In practice, that arrives on your desk as availability and incident-response questions in procurement questionnaires.
The pivotal point: § 43e(3) no. 3 BRAO and § 203(4) sentence 2 no. 2 StGB make you a relay. Whatever the firm imposes on you, you must mirror onto each of your sub-providers — otherwise you cannot fulfil your own contract with the firm.
How do you translate the statutes into contract and evidence artifacts?
This is the table to keep next to every vendor questionnaire — for what firms ask of you, and for how you manage your own chain:
| Requirement along the provider chain | Legal basis | Your contract / evidence artifact |
|---|---|---|
| Confidentiality obligation in text form, with instruction on criminal consequences | § 43e(3) no. 1 BRAO | Confidentiality clause with every sub-provider (text form suffices — e.g., an annex to the DPA) |
| Notice of secrets only to the extent necessary | § 43e(3) no. 2 BRAO | Tool selection by data minimization — e.g., monitoring that sees only endpoints, response times, and status codes, never client content |
| Further persons only if obligated in the same way | § 43e(3) no. 3 BRAO; § 203(4) sentence 2 no. 2 StGB | Maintained, published sub-processor list plus proof of obligation for each link |
| Careful selection; termination on non-compliance | § 43e(2) BRAO | Documented vendor due diligence with review dates and exit criteria |
| Foreign providers only with comparable secrecy protection | § 43e(4) BRAO | Documented legal jurisdiction of each provider; EU/German hosting avoids the open comparability question |
| Data processing agreement | Art. 28 GDPR | DPA with every sub-provider, including technical and organizational measures — ideally an instant download, not gated behind sales |
| Risk-adequate technical measures, state of the art | § 2(2) BORA | Availability and incident evidence: monitoring history, public status page, documented response times |
For the GDPR row, “How to check a SaaS vendor for GDPR in 5 minutes” shows how to verify the DPA, sub-processor list, and jurisdiction of any provider — including yourself, before your customers do it for you.
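As an added example (not from the article or from FoundersDeck), the relay rule of § 43e(3) no. 3 BRAO and the mapping table can be run as a small audit over your own chain: walk the sub-provider tree and report, per link, which artifact is missing, attributed to the party that engaged that link. Provider names, country codes and the EU_COMPARABLE set are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumption: jurisdictions treated as not raising the § 43e(4) BRAO
# comparability question (the article points to EU/German hosting); extend as needed.
EU_COMPARABLE = {"DE", "AT", "FR", "NL", "IE", "SE", "FI", "ES", "IT"}


@dataclass
class Provider:
    name: str
    jurisdiction: str              # country of the legal entity, not of the datacenter
    text_form_clause: bool         # § 43e(3) no. 1 BRAO clause in place with this provider
    dpa_signed: bool               # Art. 28 GDPR data processing agreement
    sees_client_content: bool      # False for outside-in monitoring (endpoints, timings, status)
    necessity_documented: bool = False   # why content access is the "necessary extent"
    sub_providers: list["Provider"] = field(default_factory=list)


def audit_chain(vendor: Provider) -> list[str]:
    """One finding per missing artifact, attributed to the engaging party,
    because that party carries the duty to obligate the next link."""
    findings: list[str] = []

    def walk(engager: str, p: Provider) -> None:
        link = f"{engager} -> {p.name}"
        if not p.text_form_clause:
            findings.append(f"{link}: no text-form confidentiality clause "
                            "(§ 43e(3) no. 1 and no. 3 BRAO; § 203(4) s. 2 no. 2 StGB)")
        if not p.dpa_signed:
            findings.append(f"{link}: no Art. 28 GDPR DPA")
        if p.sees_client_content and not p.necessity_documented:
            findings.append(f"{link}: sees client content without documented "
                            "necessity (§ 43e(3) no. 2 BRAO)")
        if p.jurisdiction not in EU_COMPARABLE:
            findings.append(f"{link}: legal entity in {p.jurisdiction}; document "
                            "§ 43e(4) BRAO comparability (server location alone does not settle it)")
        for sub in p.sub_providers:          # the relay: mirror the duties one level down
            walk(p.name, sub)

    walk("law firm", vendor)
    return findings


# Constructed sample chain: firm -> vendor -> {hosting, monitoring} -> monitoring's mail relay
MAIL_RELAY = Provider("MailRelay Inc.", "US", text_form_clause=False, dpa_signed=True,
                      sees_client_content=False)
MONITORING = Provider("UptimeTool GmbH", "DE", True, True, False, sub_providers=[MAIL_RELAY])
HOSTING = Provider("Hoster GmbH", "DE", True, True, True, necessity_documented=True)
VENDOR = Provider("YourLegalTech GmbH", "DE", True, True, True, True, [HOSTING, MONITORING])
```

Running `audit_chain(VENDOR)` on the constructed chain yields two findings, both on the monitoring tool's US mail relay: the missing text-form clause and the undocumented comparability assessment.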
What does the US CLOUD Act mean for your sub-provider selection?
§ 43e(4) BRAO’s foreign-provider rule collides with an uncomfortable reality. The US CLOUD Act (18 U.S.C. § 2713, inserted by Pub. L. 115-141 of 23 March 2018) obliges US providers to disclose data “regardless of whether such communication, record, or other information is located within or outside of the United States.” A US-incorporated provider with a Frankfurt datacenter remains subject to production orders — the server location changes nothing. We break down the mechanics in “US CLOUD Act & SaaS monitoring.”
Precision matters here: this is not a ban on US services for German legal tech. Whether a US provider can offer the “comparable” secrecy protection required by § 43e(4) BRAO is an open legal question. The German Federal Bar (BRAK) puts it carefully in its guidance on AI use (December 2024, IT-outsourcing section): for US providers it is “not conclusively resolved” whether the data-protection level can be relied upon, “so that — where possible — at least providers with server locations in Germany or Europe should be preferred.”
Schrems II (CJEU, 16 July 2020, C-311/18) adds the GDPR layer: the EU-US Privacy Shield is invalid, and third-country transfers need documented safeguards. The pragmatic takeaway: every sub-provider with an EU legal entity and EU hosting is one less discussion — in the firm’s questionnaire, in your DPA, and in the comparability assessment. The EU Jurisdiction Database maps over 60 SaaS tools by legal jurisdiction, hosting, and CLOUD Act exposure so you can document this per provider.
Is a monitoring tool really part of your § 203 chain?
Yes — and, chosen correctly, it is the most harmless link in it. An uptime monitoring service is a sub-provider: it processes your monitor URLs, response times, status codes, and the email addresses of your alert recipients. It belongs on your sub-processor list, gets a DPA, and gets the text-form confidentiality clause. What it does not get: access to client, case, or document data. Monitoring checks from the outside whether an endpoint responds — it does not read content. That is § 43e(3) no. 2 BRAO (“notice only to the extent necessary”) in its simplest form: the necessary extent of client-data access is zero.
At the same time, monitoring produces exactly the evidence your law-firm customers demand: demonstrated availability, automatic incident detection with timestamps, and a public status page as a transparent uptime record — building blocks for the “risk-adequate technical measures” of § 2(2) BORA. To be clear about the limits: a monitoring tool does not make you or your customers § 203-compliant. The selection, obligation, and termination duties stay with the firm and with you as the vendor. A data-minimal tool simply makes the chain shorter and the comparability assessment unnecessary.
The same logic applies to a second profession protected by § 203(1) no. 1 StGB: doctors and health professionals. If your software also serves medical practices, see our healthcare page.
What role does FoundersDeck play — and which one doesn’t it?
FoundersDeck is a German sole-proprietorship business with infrastructure exclusively at Netcup in Nuremberg, Germany — no US parent company, no CLOUD Act exposure, no third-country transfers for monitoring data. The DPA is available for instant download, no sales call required. And by architecture: uptime checks, heartbeat monitoring, and cookie-free status pages observe only endpoints, response times, and status codes — access to client or case data inside your application does not happen and is not technically provided for.
What FoundersDeck does not do: fulfil your § 43e duties for you. Obligating your sub-providers in text form, maintaining the sub-processor list, documenting due diligence — that remains your job as the vendor. FoundersDeck is one link in your chain designed to make those checks short: German jurisdiction, German hosting, instant DPA, no client data in play.
Frequently Asked Questions
What is § 203 StGB and why does it matter for legal tech vendors?
§ 203 of the German Criminal Code criminalizes the unauthorized disclosure of secrets entrusted to professionals such as lawyers, notaries, auditors, tax advisors, and doctors — up to one year of imprisonment or a fine, up to two years in aggravated cases under § 203(6). Since the 2017 reform, § 203(4) sentence 1 extends criminal liability to any “participating person,” explicitly including external IT providers. If your customers are German professional firms, their secrecy obligations flow contractually into your vendor agreements and your sub-provider chain.
Can German law firms legally use cloud software and external IT providers?
Yes — explicitly, since the reform act of 30 October 2017: § 203(3) sentence 2 StGB permits disclosure to participating persons to the extent necessary for their services, including down the sub-provider chain. The counterpart is § 43e BRAO: careful selection, a contract in text form (not written form — email suffices), a confidentiality obligation with instruction on criminal consequences, and the duty to bind further persons in the same way. Parallel rules apply to tax advisors (§ 62a StBerG) and auditors (§ 50a WPO).
Does the US CLOUD Act disqualify US providers for German legal tech stacks?
It is not a prohibition — it is an unresolved legal question. § 43e(4) BRAO allows foreign providers only with comparable secrecy protection, while 18 U.S.C. § 2713 obliges US providers to produce data regardless of storage location, so an EU region alone does not resolve the tension. The BRAK considers it “not conclusively resolved” whether US providers can meet the comparability bar and recommends preferring providers with server locations in Germany or Europe where possible.
Does an uptime monitoring tool count as a sub-provider under § 203 StGB — and does it need access to client files?
It counts as a sub-provider, but it needs no access to client files: monitoring observes endpoints, response times, and HTTP status codes from the outside and never reads case content — the simplest case of the “notice only to the extent necessary” rule in § 43e(3) no. 2 BRAO. It still belongs on your sub-processor list with a GDPR Article 28 DPA, a text-form confidentiality clause, and a documented jurisdiction. Data minimization makes the obligation easy to justify; it does not replace it.
This article is intended as orientation, not legal advice — the drafting of your contracts and the assessment of your individual case belong in the hands of qualified counsel. Sources: § 203 StGB, § 43e BRAO, § 62a StBerG, § 50a WPO, BORA as of 01.12.2025, legislative materials on the 2017 reform, 18 U.S.C. § 2713, BRAK guidance on AI use, 12/2024, CJEU C-311/18 (Schrems II). Last updated: July 2026.
Engin Yildirim
Founder of FoundersDeck. 13+ years in software engineering. Building EU-first tools for founders.