Before joining Legora, Alex Aldous spent time as in-house legal counsel working with large corporations across international markets, advising clients directly and evaluating SaaS and AI technology from a data privacy perspective. She knows the weight of the questions lawyers ask when assessing an AI platform's approach to their data, because she's asked them herself.
At Legora, she brings that understanding to a role that spans customer engagement, engineering, security, product, and go-to-market: in effect, the connective tissue holding data governance together across the business. She does this not as a compliance exercise but as a commitment that runs through every client relationship.
The conversation has changed
GDPR set a new benchmark for data privacy when it came into force in 2018, and enforcement has matured steadily since. Across jurisdictions, new frameworks continue to emerge, the EU AI Act being one significant example: it introduces obligations around high-risk AI applications, transparency requirements, and governance standards that firms are still working through. For Legora's clients operating across global markets, the picture is complex and ever-evolving.
For law firms and in-house legal departments, the data conversation comes back to two concerns above all others: confidentiality and regulatory requirements. Getting this wrong carries severe regulatory consequences, but the exposure of highly sensitive confidential information can cause damage that runs deeper still. Data sovereignty has moved from a compliance checkbox to a board-level consideration.
For Alex, that shift is tangible. “The questions clients arrive with now are more detailed, more technical, and more jurisdiction-specific than they were a couple of years ago. Firms are asking about sub-processor arrangements, about AI-specific regulatory obligations under frameworks like the EU AI Act, NIS 2, and DORA, and about how data sovereignty can be maintained across global organizations with multiple, sometimes conflicting compliance requirements. The scrutiny isn't confined to compliance and security teams looking to ‘rubber stamp’ data privacy and security positions – it extends to what these frameworks mean in practice and exploring what the meaningful operational impact looks like.”
Why optionality matters
Legora's approach to this challenge is deliberate and Alex is candid that it isn't the easiest path operationally: “Rather than presenting clients with a fixed model and asking them to adapt, Legora opens with a conversation: about regulatory context, the jurisdictions a client operates across, and the compliance requirements they face. From there, the options are worked through together.”
In practice, that means clients who require full EU data residency can be configured for exactly that, with both processing and hosting anchored within European regional boundaries. For those operating across multiple markets, Legora works with a range of approved sub-processors to accommodate a broader set of needs.
As Alex puts it, "there is no one-size-fits-all solution here. Our job is to meet clients where they are, not ask them to fit within the constraints where it’s easiest for us to operate."
That openness is deliberate. The questions around data sovereignty are genuinely complex, and clients who feel encouraged to ask difficult questions are better placed to make the right decisions for their organizations.
Alex explains that “for clients where EU data residency is the priority, Legora's hosting is based primarily in Sweden, within the EU: the jurisdiction underpinned by what is widely regarded as the gold standard of data privacy regulation. For others, the configuration looks different. The point is that the choice exists, and that it's made in conversation with the client rather than handed down as a default.”
The complexity clients are actually navigating
No two clients face the same regulatory reality. A global law firm operating across 20 jurisdictions has fundamentally different requirements to a domestic firm serving a single market. Financial services clients, including global banks with strict residency obligations, face environments where non-compliance carries consequences that are clearly defined and significant.
The drivers behind those choices are varied. For some clients, the decision is shaped by regulatory mandate, for example public authorities whose regulators require data to remain within defined geographic boundaries, or financial institutions with equivalent obligations. For others, it's a contractual obligation flowing from their own clients, who expect their data to stay within a particular jurisdiction. For firms operating across multiple markets, the question is often more nuanced still: how to configure data processing in a way that satisfies obligations in each of the regions they operate across. What connects these scenarios is that the answer is rarely obvious in advance, and that it can change. What satisfies today's compliance requirements may not satisfy tomorrow's. The EU NIS2 Directive, a cybersecurity law which came into force in 2023 and places heavy scrutiny on enterprise-level businesses in critical sectors with regard to their data supply chains, sovereignty and reporting, is one example of a major shift still unfolding, and there will be others. Firms need partners who are thinking about where the regulatory environment is heading, not just where it currently stands.
Alex's bridge role across Legora's client-facing and internal technical teams exists precisely because this complexity has to be navigated continuously. Data governance isn't resolved at contract signature. It runs through onboarding, product development, ongoing support, and every meaningful touchpoint in between.
Co-creating what comes next
Looking ahead, Alex's view is clear: the direction of travel is toward greater scrutiny, not less. Clients will become more sophisticated in the questions they ask, because for them, data governance isn't a feature to evaluate – it's a foundation they're building on. Providers who haven't built the infrastructure, and the internal fluency, to respond will struggle to keep pace.
Alex’s answer isn't to claim her team has every answer in advance. "With the landscape evolving so rapidly, no one can claim to have the answers to problems or challenges that may exist a year from now. But we can commit to staying ahead of the problem in close collaboration with our clients - and that's what they actually need from an AI partner right now."
For legal teams evaluating AI partners, compliance today is the baseline. The harder question is whether your provider is built to keep pace as the requirements evolve.


