At Lexlegis.ai, we understand that data security, client confidentiality, and regulatory compliance are of paramount importance, especially within the legal industry. This FAQ has been curated to provide transparent, detailed insights into the safeguards, certifications, protocols, and internal policies we have in place to protect client information. From encryption standards and access controls to privacy law compliance and infrastructure security, this document addresses the most critical concerns legal professionals and enterprise clients may have when evaluating our platform. We encourage all stakeholders to review these measures carefully as part of their due diligence and onboarding processes.
Certifications & Compliance
- Is Lexlegis.ai ISO 27001 certified? If so, please share the scope and validity of the certification.
Yes, we are ISO 27001 and ISO 20000-1 certified. The certification is valid for 12 months, after which we undergo the audit again, as is the routine procedure. Accessible here.
- Has Lexlegis completed SOC 2 Type I or Type II audits? If not, is it in the process of obtaining these?
Yes. Lexlegis.ai holds SOC 2 Type 2 certification, which demonstrates that our security controls are not only well designed but have also operated effectively over time, ensuring sustained protection and reliability in handling sensitive client information. Accessible here.
- How does Lexlegis ensure compliance with Indian privacy regulations such as the Digital Personal Data Protection Act, 2023 (DPDPA)?
Lexlegis.ai is fully committed to data privacy and is aligned with the principles set out in India’s Digital Personal Data Protection Act (DPDPA), 2023. We collect only minimal personal data strictly necessary for account setup and access control, with explicit user consent and clear purpose limitation. Lexlegis does not train on user data or documents, ensuring no secondary usage or profiling occurs without consent. All data flows through secure HTTPS (port 443), and our backend systems incorporate privacy-by-design principles, including data minimisation, audit trails, and user rights management.
- Is the platform compliant with international data protection laws such as the GDPR and HIPAA, particularly for clients with cross-border operations?
Yes, Lexlegis.ai is designed with a global data compliance framework and adheres to key principles of international data protection laws such as the GDPR (EU/UK) and HIPAA (US) where applicable. We ensure explicit user consent, purpose limitation, data minimisation, and user control over personal data. Lexlegis.ai does not access or use client documents for model training, and offers end-to-end encryption during data transit and storage. For cross-border operations, we enable custom Data Processing Agreements (DPAs) and support data residency and transfer safeguards, including on-premise or region-specific deployment options where required. While Lexlegis does not process health data by default, HIPAA-aligned safeguards can be discussed based on the client’s intended use.
Data Handling & Storage
- Where is client data stored — within India or on foreign servers? Please specify the hosting provider(s) and location(s).
Client data is stored on our own in-house servers, all of which are located in India as mandated by the DPDPA, and no information about this infrastructure is divulged to any third parties.
- Does Lexlegis support client-hosted deployment or on-premises installations as an alternative to cloud storage?
Lexlegis.ai currently operates as a secure cloud-based platform; on-premises or client-hosted deployment options are available as part of our enterprise solutions.
- Are uploaded documents encrypted at rest and in transit? If so, what encryption protocols are used (e.g., AES-256, TLS 1.2+)?
Yes. Lexlegis encrypts data at rest using AES-256, and passwords are stored at rest as SHA-256 hashes. Data in transit is encrypted over SSL/TLS connections (TLS 1.2). Lexlegis reiterates its commitment to ensuring the confidentiality and integrity of the data uploaded by its clients.
- What is Lexlegis’ policy on data retention and deletion? Can clients request permanent deletion of all data, including logs and backups?
Yes, clients can request complete deletion of their data at any time. However, system logs may be retained for audit and legal compliance purposes. These logs do not contain any client content—only metadata such as the number of queries processed. Once data is deleted, no identifiable or substantive client information is stored or retained in any form.
Access Controls & Confidentiality
- What internal access controls are in place to ensure that Lexlegis personnel (including developers, support staff, or third-party vendors) cannot access client data without explicit permission?
Lexlegis.ai has implemented stringent internal access controls to ensure that no personnel, including developers, support staff, or third-party vendors, can access client data without explicit, case-specific authorisation. Access to systems is governed by multi-layered authentication protocols, including:
- Password hashing using SHA-256 to prevent password visibility or interception,
- Mandatory Multi-Factor Authentication (MFA) for all internal users to add an extra layer of security, and
- Role-based access controls (RBAC) that authorise access strictly based on designated job functions.
All access is logged and monitored, and no data is accessed without prior written client consent. These controls ensure maximum protection of client confidentiality and compliance with industry best practices.
- Are detailed access logs maintained for all document interactions and administrative actions?
Lexlegis maintains detailed system logs strictly for audit, compliance, and administrative oversight. These logs help ensure platform integrity and traceability but do not contain any client data or document content. They are limited to metadata such as access timestamps, user activity patterns, and system performance indicators.
- Is multi-factor authentication (MFA) mandatory for all user accounts, especially for admin-level access?
No, multi-factor authentication is an optional feature. It serves as an alternative to two-factor authentication via OTPs and can be enabled based on client preference for enhanced security.
Confidentiality & Usage of Data
- Does Lexlegis use client-uploaded documents or queries to train or improve its AI models?
No. Lexlegis does not use any client data to train or fine-tune its models. Our models are trained solely on authentic, authoritative legal sources. Using client data would risk compromising both data confidentiality and model accuracy—something we strictly avoid. All client data remains private, encrypted, and governed by robust confidentiality agreements.
- Are data anonymisation and masking procedures in place to handle sensitive data used for diagnostics or performance tuning?
No. Lexlegis does not use any client data for diagnostics, performance tuning, or error analysis. All such processes are conducted exclusively using internal or synthetic datasets. As a result, there is no need for data anonymisation or masking—client data remains untouched and fully confidential at all times.
- What contractual warranties or indemnities are offered in relation to data confidentiality breaches?
Lexlegis enters into robust Non-Disclosure Agreements (NDAs) and comprehensive Licensing Agreements with all clients, which include clear clauses around data confidentiality, protection, and breach responsibilities. These contractual documents are designed to safeguard client data and outline our obligations and liabilities in the event of any breach. Such agreements are tailored to meet client expectations and ensure mutual accountability regarding data security and confidentiality.
Infrastructure Security & Business Continuity
- Is Lexlegis hosted on a secure, audited infrastructure (e.g., AWS, Azure, GCP)? Are vulnerability scans and penetration tests conducted regularly?
Our models are hosted on AWS cloud infrastructure, with regional deployment options based on client location and compliance needs. We follow strict security protocols, including regular vulnerability scans, patch management, and continuous monitoring to ensure a secure and compliant environment.
- What is the documented uptime SLA for the platform? Are there redundancies built in to mitigate downtime risks?
Yes. Lexlegis has built-in redundancies across its infrastructure to mitigate downtime risks. Our uptime Service Level Agreements (SLAs) are flexible and can be tailored to meet specific client requirements.
The infrastructure can also be better understood by the images below:
Client-Facing Documentation
- Will Lexlegis provide a Data Processing Agreement (DPA) or an Information Security Addendum (ISA) upon request?
We can consider providing these upon a prior written request.
- Are client organisations permitted to conduct their own security audits or questionnaires prior to onboarding?
We understand the importance of due diligence in vendor onboarding; however, we are currently unable to permit client-led security audits or questionnaires as they often require the disclosure of confidential and proprietary infrastructure details. Lexlegis.ai maintains stringent internal security standards and is compliant with relevant data protection regulations. Upon request, we are happy to provide a comprehensive security overview document that outlines our measures, certifications, and controls to support your internal evaluation process.
Lexlegis.ai remains committed to maintaining the highest standards of data security, confidentiality, and compliance. Our infrastructure, policies, and practices are continuously evaluated and enhanced to meet the evolving needs of our clients and the legal industry at large. Should you require further information, customized assurances, or formal documentation such as a Data Processing Agreement (DPA), please feel free to contact us.