For decision-makers

Running an LLM on client trade secrets, without losing the secret.

An options assessment for putting a private AI assistant in front of confidential client material — what "legally covered" actually requires, the three ways to deploy it, what each costs, and a clear recommendation.

Prepared for: a founder / decision-maker
Holder: Portugal (EU)
Clients: EU · UK · Canada · elsewhere
Date: 26 May 2026
The short answer

You can run a capable AI assistant over your clients' trade secrets and stay on the right side of the law — but "legally covered" is not a product you buy. It is a set of reasonable measures you take and can prove.

The strongest, simplest position for a small team is to run an open-weight model on hardware you own, on your own premises, with the data never leaving the building. It gives the best legal story and the most convincing answer when a client asks "who can see our data?" — the honest answer becomes "nobody but us, and here's why."

Renting a single-tenant server (no shared neighbours) under a data-processing contract is a solid second choice when you outgrow one machine or prefer a monthly bill to an upfront purchase. A managed private AI service (e.g. AWS Bedrock) is acceptable only when a client has explicitly signed off on it — it trades physical control for a contract.

What "legally covered" really means

The law asks one question, and it's the same question everywhere your clients are.

A trade secret only stays a protected trade secret if its holder took reasonable steps to keep it secret. Lose the secrecy through careless handling and you can lose the legal protection itself — there is nothing left to enforce.

Your clients sit in different countries, but the standard barely moves between them. The global baseline (the TRIPS treaty, which the EU, UK, Canada and the US all sit under) and every regime built on it use almost identical wording:

Information subject to reasonable steps under the circumstances … to keep it secret.

Two consequences matter for your decision:

  • One bar clears them all. Build to the strictest reasonable reading and the same controls hold up whether a dispute lands in Lisbon, London or Toronto.
  • It's proportionate. A small firm is not expected to spend like a multinational. "Reasonable" scales with the value of the secret and the size of your business — so a tidy, well-documented setup is genuinely enough.
Where the client is | What governs the secret                                                                                    | The test
--------------------|-----------------------------------------------------------------------------------------------------------|----------------------
Portugal (you)      | Código da Propriedade Industrial (DL 110/2018), arts. 313–315, transposing EU Directive 2016/943          | "reasonable steps"
EU clients          | Trade Secrets Directive (EU) 2016/943, Art. 2                                                             | "reasonable steps"
UK clients          | Trade Secrets (Enforcement, etc.) Regulations 2018 + breach of confidence                                  | "reasonable steps"
Canada clients      | Common law / contract; CUSMA and TRIPS baseline                                                           | "reasonable measures"
Elsewhere           | TRIPS Art. 39(2), the worldwide floor                                                                     | "reasonable steps"
The wording is convergent by design: TRIPS Art. 39(2) is the shared root.
What counts as "reasonable steps"? Restricting who can access the information, securing files with access controls and encryption, and confidentiality agreements (NDAs) — backed by written policy and an audit trail. The infrastructure choice in this report is one pillar of that; contracts and internal policy are the others.
Scope note. This report covers trade secrets (commercial confidentiality). If client material also contains personal data, GDPR / UK GDPR add a separate processor-contract and data-residency layer — flag it early, because it can rule out some options.
The three ways to deploy

Every option comes down to: who can technically read the data?

The shorter and more controllable that list, the stronger your legal position and the easier it is to reassure a client. Here is that list for each option.

Option A · Recommended

Own the hardware, on-prem

You buy a GPU workstation, it lives in your office, the model runs on it, and the data never touches the internet.

Who can read the data: only you. No third party is involved at all — arguably the secret is never even disclosed outside your trusted circle.
Option B · Scale / OPEX path

Rent a single-tenant server

A dedicated machine (e.g. Hetzner in the EU) that only you use — no shared neighbours — under a signed data-processing agreement.

Who can read the data: you, plus one named hosting provider bound by contract. No other tenants share the hardware.
Option C · Only with client sign-off

Managed private AI service

A cloud AI endpoint (e.g. AWS Bedrock, Azure OpenAI) with enterprise terms: no training on your data, EU region, private networking.

Who can read the data: you and the cloud provider's service, governed by a contract. Data leaves your runtime; you rely on promises and certifications, not physical control.
Side by side

The decision matrix

Criterion                                | A · Own hardware, on-prem            | B · Rented single-tenant             | C · Managed private service
-----------------------------------------|--------------------------------------|--------------------------------------|------------------------------------
Legal defensibility ("reasonable steps") | Strongest: no external disclosure    | Strong: with DPA + hardening         | Workable: contract-dependent
Client-trust story                       | "Never leaves our building"          | "One vetted EU host, under contract" | "Big-cloud terms & certifications"
Control of the data                      | Full physical control                | You trust the host physically        | Leaves your runtime
Ops burden on your team                  | You run the box                      | Host covers hardware                 | Lowest: fully managed
Upfront cost                             | ~€8k–12k (one workstation)           | ~€80 setup                           | €0
Monthly cost                             | ≈ power only + amortised hardware    | €184–€840, by GPU class              | Usage-based, scales with use
Scales to many users                     | Add boxes                            | Add / resize servers                 | Elastic
Time to live                             | ~1–2 weeks (buy + set up)            | Days                                 | Days

Costs are indicative for a small-team assistant (see the cost section). "Single-tenant" is the line that separates a defensible rental from a risky one — a normal shared cloud VM, and especially an anonymous GPU marketplace, put unknown parties between you and the secret.

The cost reality

What you actually pay

Option A · Own hardware

~€8k–€12k once

A workstation with a professional 48 GB GPU (the GPU alone is ≈ €6.8k) runs a strong assistant for a small team. Add electricity and a few hours of your time to set up and maintain.

Spread over a 3-year life, that's roughly €220–€330 / month equivalent (€8k–€12k over 36 months), and it's yours, off the internet, with no recurring vendor.
Option B · Rented single-tenant

€184–€840 / mo

Hetzner dedicated GPU servers in the EU: an entry box (20 GB GPU) at €184/mo, or a 48 GB-class box at ~€840/mo, each with a one-off ~€80 setup fee. Cancel when you want.

No capital outlay; the provider owns and maintains the hardware. You sign their data-processing agreement and harden the box.
Option C · Managed service

Pay per use

Billed by volume of text processed. For a small team this can be modest, but it climbs with usage and the data is handled by the provider's service.

Lowest setup effort and fully elastic — but the weakest control story, so reserve it for client-approved cases.
The honest comparison: for a small, steady team, owning the hardware is usually the cheapest over a 2–3 year horizon and the strongest legal posture. Renting wins when you want zero capex, fast setup, or need to scale up and down. Per-use managed pricing only stays cheap at low volume.
The recommendation

Start with your own hardware. Keep the other two as named, deliberate fallbacks.

  • Best legal posture
  • Best client-trust story
  • Lowest long-run cost for a small team
  • Tractable to run
Primary

Own GPU workstation, on-prem

One machine, an open-weight model, a private chat interface on your office network, no internet path for the data. This is the default and it covers a small team comfortably.

When you outgrow it

Rented single-tenant EU server

Move to OPEX or more horsepower without giving up single-tenancy. Sign the provider's data-processing agreement and apply the same hardening. Still defensible.

Only if a client asks

Managed private endpoint

Use a no-training, EU-region enterprise service when ops simplicity or scale dominates and the client has signed off in writing on processor-based handling.

Making clients feel safe

Turn the controls into a one-page assurance you can hand over.

"Legally covered" and "clients feel safe" are two different jobs. The first is satisfied by the measures; the second is satisfied by showing them. The same setup that protects you in court is also your sales asset — package it.

Keep a short, client-facing assurance pack that maps your setup to the standard they care about:

  • Where the data lives — "on hardware we own, in our office; it never leaves." (Or the EU region / provider, for B and C.)
  • Who can access it — named people, individual logins, multi-factor, an access log.
  • That the AI model is private — open-weight, self-hosted; nothing is sent to OpenAI/Google/etc. and nothing trains on their data.
  • The paperwork — your NDA, an access policy, encryption in place, and a deletion/wipe procedure when an engagement ends.
The closer: most competitors quietly paste client material into a consumer chatbot. "We run a private model on hardware we control, and your data never leaves it" is a differentiator you can charge for.

Residency as a trust lever

Trade-secret law doesn't force a location the way data-protection law can — but clients feel it. You can offer:

Client         | Reassuring posture
---------------|------------------------------------------------------------------------------
EU             | On-prem in Portugal, or an EU-region host: squarely "at home".
UK             | On-prem or EU/UK host; the identical legal test applies.
Canada / other | On-prem is the universal answer; otherwise offer their preferred region.

Owning the hardware sidesteps the whole "where is it hosted / who is the sub-processor" conversation — there is no host and no sub-processor. That simplicity is itself the reassurance.

What could still go wrong

The residual risks to manage

No setup is risk-free. These are the ones that actually bite, with the simple mitigation for each — the engineering report details the controls.

Leaks through the back door

The AI tooling quietly phones home, logs every prompt, or a "helper" feature (web search, a hosted embedding or speech API) sends text to a cloud service. Mitigation: default-deny outbound traffic from the inference host, disable prompt and response logging in the serving stack, and verify both as part of the technical build rather than assuming it: check the egress rules are in place and that no connection leaves the office network, and check the server's log configuration after every update.
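As an added illustration (not part of the original report or of any vendor's tooling) of what "block outbound traffic and verify it" looks like on an Option A box, the script below does two things: it emits an nftables ruleset that drops every new outbound connection except to loopback and the office LAN, and it audits a snapshot of established TCP connections (the format of `ss -Htn state established`) for any peer outside that allowlist. The office subnet 10.20.0.0/16, the table name and the sample `ss` lines are all constructed for the example.

```python
import ipaddress

# Assumed office LAN for the example (not from the report); adjust to your network.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.20.0.0/16")]

# Constructed sample of `ss -Htn state established` taken on the inference host.
# Columns: Recv-Q Send-Q Local:Port Peer:Port. Two LAN clients talking to the chat UI,
# one loopback call to the model server, and two connections to internet hosts.
SAMPLE_SS = """\
0 0 10.20.1.5:8080 10.20.1.42:51234
0 0 10.20.1.5:8080 10.20.1.77:51250
0 0 127.0.0.1:11434 127.0.0.1:40112
0 0 10.20.1.5:39822 104.18.32.7:443
0 0 [::ffff:10.20.1.5]:39900 [::ffff:142.250.74.46]:443
"""


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6host]:port' into (ip, port); unmap IPv4-mapped IPv6."""
    host, _, port = endpoint.rpartition(":")
    ip = ipaddress.ip_address(host.strip("[]"))
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip, int(port)


def is_allowed(ip, allowed=ALLOWED_NETS):
    """True if the address falls inside one of the allowlisted networks of its family."""
    return any(ip in net for net in allowed if net.version == ip.version)


def find_egress(ss_output, allowed=ALLOWED_NETS):
    """Return 'peer_ip:port' for every established connection whose peer is off the allowlist.

    Direction is deliberately ignored: any conversation with a host outside the
    office network is a leak candidate on a box that is supposed to be offline.
    """
    leaks = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        peer_ip, peer_port = split_endpoint(fields[3])
        if not is_allowed(peer_ip, allowed):
            leaks.append(f"{peer_ip}:{peer_port}")
    return leaks


def nft_egress_ruleset(allowed=ALLOWED_NETS, table="egress_guard"):
    """nftables ruleset for the output hook: policy drop, allow loopback, replies to
    existing connections, and new connections to the allowlist only; log the rest."""
    lines = [
        f"table inet {table} {{",
        "    chain output {",
        "        type filter hook output priority 0; policy drop;",
        '        oifname "lo" accept',
        "        ct state established,related accept",
    ]
    for net in allowed:
        proto = "ip" if net.version == 4 else "ip6"
        lines.append(f"        {proto} daddr {net} accept")
    lines.append('        log prefix "egress-drop " drop')
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Load with: nft -f egress.nft   (then persist it with your distro's nftables service)
    print(nft_egress_ruleset())
    leaks = find_egress(SAMPLE_SS)
    print("no unexpected egress" if not leaks else "EGRESS FOUND: " + ", ".join(leaks))
```

Run the audit from cron against live `ss` output and alert on a non-empty result; the two flagged peers in the constructed sample are exactly the kind of "helper feature" traffic the paragraph warns about, and with the ruleset loaded their initial SYN would have been dropped and logged with the `egress-drop` prefix instead of being established at all.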

The human layer

Strong tech, weak habits: shared passwords, no NDA, an ex-employee keeps access. Mitigation: individual logins + MFA, signed NDAs, an offboarding checklist.

Lost or stolen hardware (Option A)

The box or a backup drive walks out. Mitigation: full-disk encryption plus physical security. A stolen encrypted disk is unreadable without the key, so keep the passphrase or key material off the machine and out of the same bag as the backups, and remember that disk encryption only protects data at rest: a powered-on, unlocked workstation is readable by whoever is sitting at it, so lock screens and shut down outside working hours.

Trusting the wrong rental (B/C)

A shared VM, or worse an anonymous GPU marketplace, puts unknown parties next to the secret. Mitigation: single-tenant only, named provider, signed DPA — never a marketplace box.

If you green-light this

A realistic path to live

Sources

  1. EU Trade Secrets Directive (EU) 2016/943, Art. 2 — eur-lex.europa.eu/eli/dir/2016/943
  2. Portugal, Código da Propriedade Industrial, DL 110/2018 (arts. 313–315) — WIPO Lex 18804
  3. UK Trade Secrets (Enforcement, etc.) Regulations 2018 — legislation.gov.uk/uksi/2018/597
  4. TRIPS Art. 39(2) & Canada / WIPO trade-secret guidance — WIPO trade-secret FAQ
  5. "Reasonable steps" analysis — Winston & Strawn; WIPO Magazine
  6. AWS Bedrock data handling — aws.amazon.com/bedrock/security-privacy
  7. Hetzner dedicated GPU pricing (GEX44 / GEX130) — hetzner.com GPU matrix
Not legal advice. This is a business-decision briefing synthesising publicly available legal and technical sources as of May 2026. Trade-secret protection depends on the specific facts of each engagement and each client's jurisdiction. Confirm your NDAs, data-processing agreements and policies with a qualified lawyer before relying on them. If any client material includes personal data, separate data-protection (GDPR / UK GDPR / PIPEDA) obligations apply.