This policy describes how Obsidia (Client Plus Solutions Pty Ltd) understands and supports the obligations of solicitor-client privilege, legal professional privilege, and the confidentiality of legal advice in the Australian context. It is distinct from our Privacy Management Policy, which covers the Australian Privacy Principles.
Solicitor-client privilege (also called legal professional privilege, or LPP) is a common-law right, codified in the Evidence Act 1995 (Cth) ss 118–119, that protects confidential communications between a lawyer and their client where the dominant purpose is the obtaining of legal advice or the preparation for litigation. In Australia it is reinforced by professional conduct obligations under the Legal Profession Uniform Law Australian Solicitors' Conduct Rules 2015 — in particular rules 9 and 10, which impose an absolute duty of confidentiality on solicitors independent of privilege doctrine.
Privilege is a right of the client, not the lawyer. Only the client can waive it. It survives the end of the retainer and is not defeated by the passage of time. Unlike the protections in the Privacy Act 1988 (Cth), which permit many uses of personal information with consent or for a primary purpose, privilege admits almost none of those uses — disclosure of privileged material without the client's consent is a breach regardless of intent.
Three forms of privilege are relevant to Obsidia's customer base:
Obsidia is designed to hold privileged material. Customer firms retain all privilege rights; Obsidia asserts no rights over customer content that would be inconsistent with that posture. The following controls operate in combination to maintain this commitment.
The fact of a client-matter relationship is itself privileged, independent of the content of any communication. A query such as "summarise the litigation risk for Matter 4421" reveals the existence of a matter, the identity of a client, and the firm's legal position — all of which may carry privilege — even if no privileged document is attached.
Obsidia treats workspace titles, matter identifiers, query text, and workflow run metadata with the same technical protections as document content. This posture is documented in ADR-002 (Metadata Sensitivity), which classifies metadata at the same sensitivity level as the content it describes and enforces the same access controls.
Practically, this means:
Customer content passes through a small number of third-party sub-processors to deliver the platform. Each has been assessed for privilege-compatibility — specifically whether the processor's terms assert any rights over content, whether staff at the processor could access customer content, and whether a subpoena directed at the processor could surface content without notice to the customer firm.
A summary of the privilege posture for each processor is listed on the Sub-Processor Register. The key points:
If Obsidia receives a subpoena or other legal process directed at a specific customer's data held by a third-party processor, Obsidia will take reasonable steps to notify the affected customer before producing any content, to the extent legally permitted. See Section 06 for the full compelled-production response policy.
The realistic privilege risk for a SaaS platform is not malicious exfiltration — it is inadvertent disclosure through routine product behaviours: a support engineer attaching a workflow output to a support ticket, an error report including a document excerpt, a misconfigured integration surfacing content to an unintended recipient.
Obsidia maintains a written Inadvertent Disclosure Playbook (distinct from the NDB Playbook, which covers the Privacy Act) that sets out the response procedure for these events. The playbook is held at client/docs/inadvertent-disclosure-playbook.md and is rehearsed at least annually via a tabletop exercise.
The response phases are:
If Obsidia receives a subpoena, court order, search warrant, or other legal process requiring production of customer content, the following policy applies.
Obsidia will take reasonable steps to notify the affected customer firm of the compelled-production request before producing any content, to the extent legally permitted. If a gag order or non-disclosure obligation prevents advance notice, Obsidia will notify the firm as soon as that obligation lifts.
Obsidia will produce only the minimum content required by the order. We will not voluntarily expand the scope of production beyond the express terms of the legal process.
Obsidia does not waive privilege on behalf of a customer firm. If a production order encompasses content that may be privileged, Obsidia will notify the firm and allow the firm to assert privilege before any production occurs. Obsidia will not resist a valid legal order but will facilitate the firm's privilege assertion to the extent possible within the timeline of the order.
Every compelled-production request is escalated to the Privacy Officer and external legal counsel before any action is taken. No staff member may respond to a legal process directed at customer content without Privacy Officer authorisation.
All compelled-production matters should be directed to legal@obsidia.com.au. This inbox is monitored, and matters received there will be escalated to external counsel within one business day.
Obsidia publishes an annual transparency report covering legal process received in respect of customer data. The report includes:
The report does not identify specific customers, specific orders, or the content of any production. The first report covering the period from platform launch to 31 December 2026 will be published in Q1 2027.
To receive the report when published, email legal@obsidia.com.au with the subject line "Transparency report — subscribe".
The following documents provide additional detail on the controls described in this policy.