Security

Comprehensive security architecture designed specifically for legal professionals and their confidential data.

Data Privacy

At Lexifina, your data privacy is paramount. We operate under zero data retention agreements with all AI foundation model providers. Your documents and client information never leave our secure environment or contribute to external model training. We implement user data isolation and maintain complete data sovereignty. Your confidential work remains confidential.

Encryption & Transport

All data stored within Lexifina is protected using AES-256 encryption. Communication between your browser and our servers is secured using TLS 1.2+, so data is fully encrypted both at rest and in transit. We implement comprehensive role-based access control (RBAC) systems based on least-privilege access principles, ensuring only authorized personnel can access specific data. Our systems include real-time threat flagging and response capabilities, continuous monitoring with detailed audit logs, and complete data segregation with storage partitions. All database credentials and environment variables are isolated to further prevent unauthorized access from internal systems.

Compliance & Infrastructure

Lexifina utilises architecture certified in accordance with DIN ISO/IEC 27001 standards for information security management systems. We maintain EU data residency with full GDPR compliance. On request, we can manage and migrate your data residency within our systems. Our infrastructure providers are SOC 2 Type II certified. We are able to configure additional security controls tailored to your organization's specific requirements.

Our database authentication systems use multiple security protocols, including SCRAM and X.509 certificates, for secure client-server communication. Our implementation includes Client-Side Field Level Encryption (CSFLE) and Queryable Encryption, allowing us to perform operations on encrypted data without exposing sensitive information, even during processing.

Our systems maintain always-on tracking of cloud user actions and database authentication, providing complete visibility into every access attempt and user interaction with your data. Granular system activity tracking captures all database operations including DDL (Data Definition Language), DML (Data Manipulation Language), and DCL (Data Control Language) commands. This comprehensive audit trail ensures complete accountability and supports forensic analysis when required for legal compliance or security investigations.

AI Processing & Data Flow

To deliver Lexifina's intelligent legal document processing features, we make AI requests to our secure infrastructure. These requests occur when you use our document analysis tools, request clause changes, or when our system performs background analysis to identify inconsistencies and related clauses between documents.

Each AI request includes relevant context such as your document content, previous interactions within the current session, and specific legal document structures based on our specialized legal language processing. All data is transmitted to our certified infrastructure, and then securely routed to our specific AI model providers (OpenAI, Anthropic, Google). Every request passes through our infrastructure to ensure consistent security protocols and data protection, even when using custom API configurations. We are able to develop additional self-hosted deployment options for enterprise clients with specific infrastructure requirements on request.

Account Management & Data Deletion

You maintain complete control over your Lexifina account and can request account deletion at any time through your Settings dashboard. Simply navigate to "Settings" and select "Delete Account" to initiate the process. This action will permanently delete all data associated with your account, including your legal documents, document analyses, workflow automations, and any indexed legal databases.

We guarantee complete removal of your data within 30 days of your deletion request. While we immediately delete your data from our active systems, our backup infrastructure and cloud storage maintain copies for disaster recovery purposes for a maximum of 30 days. After this period, all traces of your data are permanently and irretrievably removed from our systems, ensuring complete data sovereignty and compliance with legal data retention requirements.