UK-Hosted Conveyancing Data: Why Region Matters Under SRA Principle 2 and the CLC Code of Conduct

Last updated: 5 May 2026

Quick answer

Conveyancing transactions involve large volumes of personal data — names, dates of birth, financial information, source-of-funds evidence, sometimes special-category data on TA disclosures. UK GDPR Article 44 restricts transfers of personal data outside the UK without an appropriate safeguard (adequacy decision, standard contractual clauses, or binding corporate rules). For most conveyancing firms the cleanest position is UK-hosted document tools — data stays within UK borders, no Article 44 transfer issue arises, no separate transfer impact assessment is needed. SRA Principle 2 (act in a way that upholds public trust and confidence in the solicitors' profession) supported by the SRA Code of Conduct paragraph 6.3 (confidentiality of client information), and the CLC's confidentiality obligations under its Code of Conduct and the Acting in the Best Interests of Clients Code, all reinforce a duty to think about data location, not just data security. Choose a tool that confirms its data-region in writing before you start sending TA forms through it.

---

Why data-region matters in conveyancing specifically

Conveyancing data is unusually sensitive. A single transaction file contains:

• Names, dates of birth, marital status of the parties
• Property address (sometimes a vulnerable person's home address)
• Buyer's source of wealth and source of funds — bank statements, employment evidence, gift letters
• Seller's TA6 disclosures including neighbour disputes, insurance claims, alterations
• Financial figures — purchase price, deposit, mortgage advance
• Sometimes special-category data on disability adaptations, mental health on neighbour disputes, age-related information

A data breach in conveyancing is high-impact: the data identifies real people, real addresses, real money, and supports identity theft if leaked.

UK GDPR Article 5(1)(f) requires "appropriate security" — and what counts as appropriate scales with risk. For conveyancing data, that is a high bar.

For conveyancing firms, the cleanest position is no separate Transfer Risk Assessment is needed because the data does not leave the UK at all — UK-hosted, no transfer.

---

The Article 44 transfer rule

UK GDPR Article 44 prohibits transfer of personal data to a third country (any country outside the UK) unless one of the safeguards in Articles 45-49 applies:

1. Adequacy regulations — the UK Government has made adequacy regulations covering the EEA (currently extended until 27 December 2027 and subject to ongoing review), and a number of other jurisdictions including Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, Uruguay, and certain Canadian commercial organisations. The UK-US Data Bridge (effective 12 October 2023) extends UK adequacy to US organisations certified under the EU-US Data Privacy Framework with the UK Extension

2. Appropriate safeguard — Standard Contractual Clauses, the UK International Data Transfer Agreement (IDTA), or Binding Corporate Rules

3. Specific derogation — explicit consent, contract necessity, public interest, etc.

A document tool hosted in the United States, India, Singapore, or Australia involves an international transfer of any personal data uploaded to it. For US-hosted tools, the Data Bridge for Personal Data Transfers between the UK and US (effective October 2023) provides one route — but it requires the US provider to be certified under the EU-US Data Privacy Framework with the UK Extension. Not every US-hosted SaaS product is.

For conveyancing firms, the cleanest position is: UK-hosted, no transfer.

---

What "UK-hosted" actually means

Not every cloud product that says "UK-hosted" actually keeps your data in the UK at all times. Three distinctions to check:

1. Storage location

The primary location where your data sits at rest. UK-hosted means UK data centres — typically in London, Manchester, Cardiff, or Edinburgh. The major cloud providers all offer UK regions: AWS London (eu-west-2), Azure UK South / UK West, Google Cloud London (europe-west2).

2. Backup location

Where backups are stored. Some products store primary data in the UK but back up to the US or EU. UK GDPR treats backups as a separate transfer point — if a backup leaves the UK, it engages Article 44 even if the primary is local.

3. Processing location

Where the data is processed. A UK-hosted tool with US-based machine-learning services processes UK data in the US during certain operations. This too is a transfer.

The right question to ask a vendor is: "Where does my data live, where does it back up, and where is it processed?" The answer should be UK for all three.

---

What the SRA and CLC expect

Neither the SRA nor the CLC mandates UK-only hosting. Both require firms to consider data location as part of overall information governance.

SRA Principle 2 and Code of Conduct paragraph 6.3

SRA Principle 2 requires solicitors to act in a way that upholds public trust and confidence in the solicitors' profession and in legal services provided by authorised persons. Code of Conduct paragraph 6.3 requires firms to keep affairs of current and former clients confidential unless disclosure is permitted by law or the client consents (which interlocks with UK GDPR confidentiality obligations).

Practical effect: if you choose a US-hosted tool for conveyancing, you should be able to demonstrate:

• The transfer mechanism (adequacy / IDTA / SCCs)
• A transfer risk assessment
• Continuing oversight of the third country's surveillance regime — particularly relevant for US providers not certified under the Data Bridge, where transfers rely on the UK IDTA or SCCs and a Transfer Risk Assessment is required (the assessment must engage with FISA Section 702, Executive Order 14086 safeguards, and Executive Order 12333). For Data-Bridge-certified US providers, the adequacy regulations carry much of this assessment load
• Client awareness of cross-border processing where consent is the basis

That is a substantial compliance overhead for a sole practitioner. UK-hosting removes the overhead.

CLC Code of Conduct and Acting in the Best Interests of Clients Code

The CLC Handbook is built around the CLC Code of Conduct (six overarching principles for individuals and entities) supplemented by a series of separate Codes — including the Acting in the Best Interests of Clients Code, the Information and Disclosure Code, and the CLC Accounts Code. Confidentiality of client information is dealt with under the Acting in the Best Interests of Clients Code and Principle 4 of the overarching Code of Conduct ("act in the best interests of each client"). The CLC's confidentiality obligations are principle-based — they don't say "use a UK-hosted tool" — but the reasoning of why a tool's location matters tracks the same logic.

Cyber Essentials and Cyber Essentials Plus

Larger lender panels increasingly require Cyber Essentials Plus accreditation. Cyber Essentials does not specifically mandate UK hosting, but it does require evidence of the security controls applied to data — which scales with the geographic location of processing.

---

What a UK-hosted document tool looks like

A document tool you can confidently use for conveyancing data should publish (or be able to confirm in writing):

A vendor that cannot answer those questions or that has subprocessors in jurisdictions that worry you is not the right tool for conveyancing personal data.

---

What about consumer cloud services?

Sole practitioners sometimes use Dropbox, Google Drive, OneDrive, or WeTransfer for ad-hoc file sharing. These are consumer or small-business cloud services with default storage in non-UK regions.

The risks:

• Default region is usually US unless you upgrade to Business / Enterprise
• Subprocessors in multiple jurisdictions — Dropbox, for example, uses AWS in multiple regions
• Audit logging is limited or absent on lower tiers
• Data Processing Addendum may be absent on consumer plans

For one-off internal file storage of non-personal data, these are fine. For sharing TA forms with a buyer's solicitor, they are below par. The right answer is either a paid Business / Enterprise tier with a UK region option, or a purpose-built secure-share tool with UK hosting.

---

A worked compliance example

You are a sole practitioner SRA-regulated firm. You are choosing a document tool to assemble completion packs and share them with the buyer's solicitor.

Option A — A US-hosted SaaS tool

To use this tool compliantly with UK GDPR for conveyancing data, you need to:

1. Sign a Data Processing Addendum that includes the UK IDTA (or rely on the US Data Bridge if the vendor is certified)
2. Conduct a Transfer Risk Assessment (using the ICO's TRA tool) evaluating US surveillance laws and the safeguards relied on
3. Document the assessment for your file
4. Update your client privacy notice to disclose the cross-border transfer
5. Train any other staff on the chosen safeguard
6. Re-assess if the vendor changes subprocessors

Option B — A UK-hosted tool

To use this tool compliantly, you need to:

1. Sign the Data Processing Addendum
2. (Optionally) include the tool in your standard privacy notice as a UK-region processor
3. Maintain it in your record of processing activities

Option B is cheaper in compliance overhead. Both can be lawful — but Option A requires substantial ongoing work.

---

Frequently asked questions

Are EEA-hosted tools acceptable?

Yes. Following the UK's adequacy decision in respect of the EEA, transfers to EEA countries are treated as if they were within the UK. A tool hosted in Dublin, Frankfurt, or Stockholm is compliant under UK GDPR Article 45.

What about US-hosted tools certified under the Data Bridge?

Lawful but with conditions. The vendor must be certified under the EU-US Data Privacy Framework with the UK Extension. Certification is verifiable on the Data Privacy Framework site. The certification can be revoked, in which case your firm needs to switch quickly.

Do I need to tell my clients where their data is processed?

Best practice yes — it is good privacy hygiene and most firms include it in their client engagement letter or privacy notice. Where the location is UK, the disclosure is straightforward. Where the location is outside the UK, the disclosure is more substantive (jurisdictions involved, safeguards relied on, recipient's rights).

What if my case management is US-hosted but my document tool is UK?

That works — you have made a deliberate choice to host the documents in the UK while using a US-hosted case management. The compliance overhead applies to the case management tool, not to the document tool.

Does Cyber Essentials Plus mandate UK hosting?

No. Cyber Essentials Plus is a security certification, not a data-region certification. But it interacts with hosting choices because some controls (particularly around incident response and legal hold) are easier to demonstrate with UK-hosted infrastructure.

What about backup tapes and disaster recovery?

The same rules apply to backups as to live data. UK-hosted backups are simplest. Backups in another country engage Article 44 even if the live data does not.

Is on-premises hosting (firm-owned servers) better than UK cloud?

Not necessarily. On-premises gives you full control but the compliance burden falls on you (encryption, backup, incident response, hardware refresh). UK cloud transfers most of that to the vendor and often delivers better security than a single-handed firm can manage in-house.

---

How BundleCreator helps

BundleCreator's data infrastructure is fully UK-hosted:

• Primary data location: Google Cloud London region (europe-west2)
• Backup location: UK only
• Processing location: UK only
• Encryption at rest: AES-256
• Encryption in transit: TLS 1.3
• Access control: Role-based, audit-logged
• MFA: Available for all users
• Data Processing Addendum: Available on request

For conveyancing firms, this means TA forms, source-of-funds evidence, and completion packs do not cross UK borders during processing. No transfer risk assessment, no IDTA paperwork, no ongoing assessment of foreign surveillance regimes.

---

Further reading

• UK GDPR — Articles 44-49 on international transfers
• ICO — International transfers guidance
• SRA Principles — Principle 2
• SRA Code of Conduct — paragraph 6.3
• CLC Handbook — Code of Conduct and supporting Codes
• Conveyancing Document Tools for Sole Practitioners and Licensed Conveyancers
• Redacting Personal Data from TA Forms: UK GDPR Compliance