PSA for MSPs serving law firms
Per-tenant database isolation that matches attorney-client privilege boundaries. CIPP for Microsoft 365 compliance. Granular RBAC for matter-restricted access. An audit log entry for every action. The defenses you need when what you are protecting is the firm's bar license.
Why legal IT is different
Law firms don't just want IT support. They want IT support that understands attorney-client privilege, malpractice exposure, retention policy, and the bar association's position on third-party data processors. The PSA you run on the MSP side has to match that mindset — not just for marketing, but in the actual architecture.
The four things that matter most
Cross-firm data leak is a malpractice event
Generic PSAs use shared-schema multi-tenancy: every firm's rows sit in the same tables, and a tenant_id filter on each query is all that keeps them apart. One misaimed query in the platform's code, one forgotten WHERE clause, and Firm A's matters show up in Firm B's view. OriginPSA's per-tenant MySQL database removes that class of mistake: the session's connection is bound to one tenant's database, so there is no tenant predicate to forget and no other firm's rows for a query to reach.
Matter-level access controls inside one firm
Junior associates shouldn't see every partner's ticket. OriginPSA's 300+ granular permissions, combined with per-contact portal role scoping, let the firm's IT admin restrict visibility down to the matter/customer level, including in the customer-facing portal.
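The two paragraphs above describe an architectural choice, so here is an added example (not OriginPSA code) showing both sides of it: a shared-schema table where a single forgotten tenant_id predicate leaks Firm B's matters into Firm A's listing, next to a session bound to a per-tenant database where the same filter-less query is harmless. It also shows the caveat that per-tenant isolation settles cross-firm leaks but not intra-firm ones: matter-level scoping for a given user is still an application-level check. sqlite3 in-memory databases stand in for MySQL schemas, and the firms, matters, users and grants are constructed sample data.

```python
import sqlite3

# Constructed sample data: hypothetical firms, matters and users, not real customers.
SAMPLE_MATTERS = {
    "firm_a": [("A-1001", "Acme v. Doe"), ("A-1002", "Acme merger")],
    "firm_b": [("B-2001", "Beta estate plan")],
}
# Per-contact scoping inside each firm: which matters a user may see (hypothetical).
SAMPLE_GRANTS = {
    "firm_a": [("partner@firm-a.example", "A-1001"),
               ("partner@firm-a.example", "A-1002"),
               ("associate@firm-a.example", "A-1002")],
    "firm_b": [("partner@firm-b.example", "B-2001")],
}


# ---------- Shared schema: one table for every firm, tenant_id filter per query ----------
def build_shared_schema():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE matters (tenant_id TEXT, matter_id TEXT, title TEXT)")
    for tenant, rows in SAMPLE_MATTERS.items():
        conn.executemany("INSERT INTO matters VALUES (?, ?, ?)",
                         [(tenant, mid, title) for mid, title in rows])
    return conn


def shared_list_matters(conn, tenant_id):
    # Correct version: the tenant predicate is present on this query.
    rows = conn.execute(
        "SELECT matter_id FROM matters WHERE tenant_id = ? ORDER BY matter_id",
        (tenant_id,))
    return [r[0] for r in rows]


def shared_list_matters_buggy(conn, tenant_id):
    # The "one misaimed query": tenant_id is accepted by the function but never
    # applied in SQL, so every firm's matters come back in Firm A's view.
    rows = conn.execute("SELECT matter_id FROM matters ORDER BY matter_id")
    return [r[0] for r in rows]


# ---------- Per-tenant database: a session is bound to exactly one connection ----------
def build_per_tenant_registry():
    """One database per firm. In MySQL this would be one schema/DSN per tenant;
    here every sqlite3 ':memory:' connection is an independent database."""
    registry = {}
    for tenant, rows in SAMPLE_MATTERS.items():
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE matters (matter_id TEXT, title TEXT)")
        conn.execute("CREATE TABLE matter_access (user_email TEXT, matter_id TEXT)")
        conn.executemany("INSERT INTO matters VALUES (?, ?)", rows)
        conn.executemany("INSERT INTO matter_access VALUES (?, ?)", SAMPLE_GRANTS[tenant])
        registry[tenant] = conn
    return registry


class TenantSession:
    """Bound at login to one tenant's database for the life of the session.
    No later query can reach another firm's rows: they are not in this database."""

    def __init__(self, registry, tenant_id):
        self.tenant_id = tenant_id
        self._conn = registry[tenant_id]

    def list_matters(self):
        # The same filter-less query that leaked in the shared schema is harmless here.
        rows = self._conn.execute("SELECT matter_id FROM matters ORDER BY matter_id")
        return [r[0] for r in rows]

    def list_matters_for(self, user_email):
        # Caveat: per-tenant isolation stops cross-firm leaks, not intra-firm ones.
        # Matter-level visibility is still an application check; keep it in one place.
        rows = self._conn.execute(
            "SELECT m.matter_id FROM matters m "
            "JOIN matter_access a ON a.matter_id = m.matter_id "
            "WHERE a.user_email = ? ORDER BY m.matter_id",
            (user_email,))
        return [r[0] for r in rows]


def demo():
    shared = build_shared_schema()
    registry = build_per_tenant_registry()
    firm_a = TenantSession(registry, "firm_a")
    return {
        "shared_ok": shared_list_matters(shared, "firm_a"),
        "shared_buggy": shared_list_matters_buggy(shared, "firm_a"),
        "tenant_a_all": firm_a.list_matters(),
        "tenant_a_associate": firm_a.list_matters_for("associate@firm-a.example"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The buggy shared-schema query returns B-2001 alongside Firm A's matters; the per-tenant session cannot, because the connection it holds was opened to a database that contains only Firm A. The associate-scoped listing is the part that still depends on code being right, which is why it lives in one method rather than being re-implemented per screen.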
M365 + Bar-mandated retention
Most state bars set retention expectations for email and matter files. The CIPP integration surfaces each customer's M365 retention policies and licensing on the customer record, so you can fold them into your retention review workflow instead of checking each tenant by hand.
Compliance audits at firm renewal time
Every state-changing action is audit-logged with user, source IP and timestamp. The audit log is decrypt-on-read, so even direct database access doesn't expose PII without the encryption key. When the firm's compliance auditor asks "who touched this matter's IT records", the answer is one query away.
How MSPs in this space typically run OriginPSA
- Set per-firm SLAs. Each firm gets its own SLA policy. Litigation-heavy firms might want a 15-min response on outages; transactional shops can run on 1-hour. Multi-tier escalation routes the page to the right tech.
- Lock customer portals to the firm's identity provider. Per-tenant SAML SSO via Entra ID: the firm's IdP authenticates the user, and OriginPSA accepts only assertions signed by that tenant's configured IdP. Where the bar or the firm's insurer mandates MFA, enforce it in Entra ID conditional access; OriginPSA then only ever sees users the IdP has already put through MFA.
- Project-track e-discovery + migrations. Big legal IT projects (e-discovery indexing, M365 migrations, document-management cutovers) get a real project record with phases, milestones, signed change orders, and customer-portal status visibility.
- Time-and-materials with caps. Mixed billing modes per project. T&M for ongoing support; fixed-fee for the litigation-discovery work. Signed change orders stack into the authorized budget so the firm CFO sees the current authorized amount, not the stale original quote.
Compliance posture
Data Processing Addendum at /legal/dpa. Sub-processor list at /legal/subprocessors. AES-256-GCM encryption at rest, TLS 1.3 in transit. Per-tenant database isolation. See the full security model for the controls list.
SOC 2 / ISO 27001 attestations are not in scope today; the controls that map to those frameworks are documented and can be verified against the security model. For firms that need a formal third-party audit before procurement, contact us.