Security & Trust
Confidentiality is not a feature — it is the foundational principle.
LexCodex.ai is used by lawyers and legal professionals working with confidential material. This page describes exactly what happens with your data, what rights you have, and how you control them yourself.
Summary: Your material is never stored on our servers after analysis. It is never used for AI training. You can delete your account and all data at any time — directly, without contacting us.
📊 How your data flows
Every analysis follows the same path — no step deviates, no material is stored along the way:
1. You write/upload text in the browser
│
▼ (TLS 1.3, HTTPS)
2. LexCodex.ai server in Sweden (Easywebbhotell)
│
│ ◄── No storage of your material
▼
3. Anthropic API (zero data retention, EU routing)
│
│ ◄── No model training on your data
▼
4. Response sent back to you
│
▼
5. Analysis disappears from memory after response
(Only your plan, username and counter are stored)
🗂 What we store — and for how long
| Data type | Where | How long |
|---|---|---|
| Contract texts / legal content | — | Never stored |
| AI analysis responses | — | Never stored |
| Account details (name, email, organisation) | MySQL in Sweden | Until you delete the account |
| Hashed password (bcrypt) | MySQL in Sweden | Until you delete the account |
| Usage counter (analysis count) | MySQL in Sweden | Reset monthly |
| Shared analyses (via share link) | MySQL in Sweden | Max 7 days, then auto-deleted |
| Watch profiles | MySQL in Sweden | Until you delete them |
| Feedback you have submitted | MySQL in Sweden | Until you delete the account |
| Security logs (login attempts, IP) | MySQL in Sweden | Rolling 1 h (rate-limit), 15 min (lockout) |
| Server logs (access/error) | Server in Sweden | 30 days |
⚖️ Your GDPR rights — directly in the account
Under GDPR you have several rights. Most you can use yourself without contacting us:
| Right | How |
|---|---|
| Art. 15 — Right to access | "Download my data" button on /account — JSON file with all stored data |
| Art. 16 — Rectification | Email support@lexcodex.ai |
| Art. 17 — Erasure ("right to be forgotten") | "Delete my account" button on /account — removes everything immediately |
| Art. 18 — Restriction | Contact support@lexcodex.ai |
| Art. 20 — Data portability | Same button on /account — machine-readable JSON |
| Art. 21 — Objection | Contact support@lexcodex.ai |
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY).
🛡 Zero Data Retention — the AI environment
- No storage after analysis: contract texts, questions and AI responses exist only in memory during the call — no disk write, no caching.
- AI provider: Anthropic via API. Anthropic is SOC 2 Type II, ISO 27001, ISO 42001, HIPAA-certified.
- No model training: per Anthropic's terms, API traffic is not used for model training.
- EU routing: API calls go through Anthropic's EU infrastructure where possible.
- Per-request isolation: every call is fully independent — no context shared between users or sessions.
🚫 What we never do
- Sell or share your data with third parties for marketing
- Use your contracts or analyses for AI training — neither here nor at Anthropic
- Store your contracts after analysis is complete
- Share your data between users, even within the same organisation (without your choice)
- Send spam or newsletters without your explicit consent
🔐 Technical security
- TLS 1.3 / HTTPS: all traffic encrypted in transit. HSTS with preload.
- CSP (Content Security Policy): active policy against XSS and data injection.
- CSRF protection: all sensitive calls require session-bound tokens.
- Bcrypt-hashed passwords: plaintext is never stored — not even at registration.
- MFA / TOTP: two-factor authentication supported (Google Authenticator, Authy, 1Password).
- Brute-force protection: automatic account lockout after 5 failed attempts for 15 minutes.
- Rate limiting: all sensitive endpoints are rate-limited per IP.
- Session invalidation: all active sessions terminated upon password change.
- Spam protection: reCAPTCHA v3 + honeypot + heuristics against automated registration.
- Regular security audits: internal P0–P3-classified audit system.
🧩 Sub-processors
We use the following third-party providers to operate the service. All are certified for their respective functions:
| Provider | Function | Location | Certification |
|---|---|---|---|
| Anthropic | AI analysis (Claude) | USA / EU (routing) | SOC 2 Type II, ISO 27001, ISO 42001, HIPAA |
| Easywebbhotell | Hosting (server + DB) | Sweden | GDPR-compliant, Swedish jurisdiction |
| Stripe | Payments | EU / USA | PCI DSS Level 1 |
| Google reCAPTCHA | Spam protection on registration | EU / USA | ISO 27001, 27017, 27018 |
Note: LexCodex.ai itself is not ISO 27001-certified. The service builds on standardised web technologies and third-party certified providers for critical functions. For corporate clients with strict requirements, we offer DPA, expanded documentation and an Enterprise plan.
🚨 Incident handling
In case of suspected data breach or security incident:
- Notification to affected customers within 72 hours (GDPR Art. 34)
- Notification to IMY within 72 hours (GDPR Art. 33)
- Transparent report on what happened, what data was affected, and what actions are taken
Report suspected incidents or security flaws: support@lexcodex.ai
📋 Documentation
- Privacy Policy — full personal data handling (Swedish)
- Data Processing Agreement (DPA) — per GDPR Art. 28 (Swedish)
- Security Whitepaper — technical overview (Swedish)
- Terms of Service (Swedish)