Security Whitepaper
Technical security overview – version 1.1 (2026-04-22)
1. Summary
LexCodex.ai is an AI-driven legal analysis platform. This whitepaper describes our security architecture, data flows, intrusion protection and GDPR mechanisms. The fundamental principle is zero data retention on legal content.
2. Architecture
Frontend: Vanilla JavaScript SPA with static HTML pages. No third-party libraries for authentication.
Backend: PHP 8 on Apache with MySQL/PDO. Hosting via Easywebbhotell (Plesk, Sweden).
AI layer: Anthropic. No contract texts or AI responses are stored, and LexCodex does not use data for model training.
3. Data flow
When a user analyses text:
- Text is sent encrypted (TLS 1.3) to our PHP proxy
- The proxy validates session, rate limit, user plan and CSRF
- The text is sent encrypted to Anthropic
- The response is returned to the user
- The text is not stored on our servers; only the number of analyses and which tool was used are recorded (without content, for aggregated statistics)
4. Tenant isolation
Each user account is isolated at the database level:
- Sessions are tied to a unique user_id
- All SQL queries are filtered by user_id (prepared statements, never concatenation)
- session_version mechanism invalidates all active sessions on password change
- __Host cookie prefix prevents cross-subdomain access
- No sharing between users within the same organisation without explicit choice (share links)
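The per-request checks behind the isolation above, as an added illustration (not LexCodex's own code): a `users.session_version` column, a `$pdo` handle and a prior `session_start()` are assumed; `shared_analyses` is the table named in section 8.

```php
<?php
// Added example of session_version enforcement and user_id-scoped queries.
// Assumes session_start() has run and login stored user_id + session_version.
declare(strict_types=1);

function requireUser(PDO $pdo): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit;
    }
    // Re-read the current version on every request: a password change bumps
    // it, so every session still carrying the old value is rejected here.
    $stmt = $pdo->prepare('SELECT session_version FROM users WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['user_id']]);
    $current = $stmt->fetchColumn();
    if ($current === false || (int)$current !== (int)($_SESSION['session_version'] ?? -1)) {
        $_SESSION = [];
        session_destroy();
        http_response_code(401);
        exit;
    }
    return (int)$_SESSION['user_id'];
}

// Data access is always scoped by user_id; a record id alone is never enough,
// and values are bound as parameters, never concatenated into the SQL.
function loadSharedAnalysis(PDO $pdo, int $userId, int $shareId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, created_at FROM shared_analyses WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $shareId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Called from the password-change handler: incrementing the version is what
// invalidates every other active session for this user.
function bumpSessionVersion(PDO $pdo, int $userId): int
{
    $pdo->prepare('UPDATE users SET session_version = session_version + 1 WHERE id = :id')
        ->execute([':id' => $userId]);
    $stmt = $pdo->prepare('SELECT session_version FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $new = (int)$stmt->fetchColumn();
    $_SESSION['session_version'] = $new;   // the session doing the change stays valid
    return $new;
}
```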
5. Authentication
- Passwords hashed with bcrypt (cost 10) + unique salt
- Minimum password length: 8 characters
- Email verification with 6-digit code (valid 30 min, max 5 attempts)
- MFA / TOTP — optional two-factor authentication via Google Authenticator, Authy, 1Password, Microsoft Authenticator. Backup codes hashed with bcrypt and single-use.
- Brute force protection: 5 incorrect attempts → 15 min lockout
- Google SSO with state parameter for CSRF protection
- Session cookie: Secure, HttpOnly, SameSite=Lax, __Host prefix
- CSRF token on all authenticated POST calls (timing-safe comparison via hash_equals)
- Session is regenerated on sign-in and password change
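How the cookie, session regeneration and CSRF items above fit together in PHP 8, as an added example (not LexCodex's own code): the cookie name `__Host-lexsess` is an assumption, and password/MFA verification is assumed to happen before `establishSession` is called.

```php
<?php
// Added example: __Host- session cookie, regeneration on sign-in, CSRF token.
declare(strict_types=1);

// A __Host- cookie must be Secure, have Path=/ and carry no Domain attribute;
// browsers reject it otherwise, which is what stops subdomains from setting it.
session_name('__Host-lexsess');   // name is an assumption for this example
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Run only after the password (and TOTP, if enabled) has been verified.
function establishSession(int $userId, int $sessionVersion): void
{
    session_regenerate_id(true);   // discard the pre-login id (session fixation)
    $_SESSION['user_id']         = $userId;
    $_SESSION['session_version'] = $sessionVersion;
    $_SESSION['csrf']            = bin2hex(random_bytes(32));
}

// Embed this in forms / fetch() headers for authenticated POSTs.
function csrfToken(): string
{
    return $_SESSION['csrf'] ?? '';
}

// hash_equals runs in constant time, so the comparison does not leak how many
// leading bytes of a guessed token matched.
function csrfValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrfValid($_POST['csrf'] ?? null)) {
    http_response_code(403);
    exit;
}
```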
6. Transport and storage
- TLS 1.3 with HSTS preload (max-age 1 year, includeSubDomains)
- CSP (Content Security Policy) with strict script-src and frame-src
- X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff
- Cross-Origin-Opener-Policy same-origin
- Database: MySQL with encrypted password in isolated config.local.php (not in git, chmod 600)
- No contract texts, AI responses or uploaded documents are written to disk
7. Intrusion protection
- Rate limiting: Per-IP on login (20/h), MFA verify (15/h), resend/forgot (5/h), contact (5/h), registration (5/h), account deletion (5/h), share links (20/h)
- Prompt injection protection: System prompts are server-side locked, messages are validated for role and max length
- Honeypot fields on registration and contact
- reCAPTCHA v3 (score ≥ 0.5) on registration and contact form
- Heuristics against random strings on registration (vowel/consonant ratio, case patterns)
- Blocking of free email domains on registration (business email required)
- Webhook replay protection: Stripe event ID is stored to prevent double processing
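The webhook replay check from the last item, as an added example (not LexCodex's own code): it assumes a `stripe_events` table with a UNIQUE key on `event_id`, a `$pdo` handle in exception error mode, and that the Stripe signature header has already been verified.

```php
<?php
// Added example: idempotent Stripe webhook handling keyed on the event id.
declare(strict_types=1);

// Returns true only the first time an event id is seen. Relying on the UNIQUE
// constraint (rather than SELECT-then-INSERT) keeps this correct even when
// Stripe delivers the same event twice concurrently: the loser of the race
// gets SQLSTATE 23000 instead of a second pass through the business logic.
function claimStripeEvent(PDO $pdo, string $eventId): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO stripe_events (event_id, received_at) VALUES (:id, NOW())'
    );
    try {
        $stmt->execute([':id' => $eventId]);
        return true;
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {   // duplicate key: already processed
            return false;
        }
        throw $e;                          // anything else is a real failure
    }
}

$event = json_decode(file_get_contents('php://input'), true);
if (!is_array($event) || !isset($event['id']) || !is_string($event['id'])) {
    http_response_code(400);
    exit;
}
if (!claimStripeEvent($pdo, $event['id'])) {
    http_response_code(200);   // acknowledge so Stripe stops retrying, then do nothing
    exit;
}
// ... handle $event['type'] exactly once below this point ...
```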
8. GDPR mechanisms (self-service)
- Art. 15 + Art. 20 (access / portability): Functional "Download my data" button at /en/account — generates a JSON file with account, shared analyses, watch profiles + reports, batch jobs (metadata), tool usage and submitted feedback. Passwords, MFA keys and backup codes are excluded.
- Art. 17 (deletion): Functional "Delete my account" button — requires password + confirmation word, immediately deletes the account and all linked tables (tool_usage, shared_analyses, studie_feedback, batch_jobs+documents, watch_profiles+reports). A confirmation email is sent to the user.
- Share links have 7-day auto-deletion
9. Incident handling
- Suspected incidents are detected via audit log (admin_actions table)
- Notification to affected customers within 72 hours (GDPR Art. 34)
- Reporting to IMY within 72 hours (GDPR Art. 33)
- Rotation of all API keys and passwords on confirmed breach
10. Audits and tests
Internal security audit conducted April 2026 (documented, covers P0–P3 threats). External pentest can be arranged on request for enterprise customers.
11. Sub-processors
| Provider | Purpose | Location | Certifications |
|---|---|---|---|
| Anthropic PBC | AI (Claude API) | US / EU routing | SOC 2 Type II, ISO 27001, ISO 42001, HIPAA |
| Easywebbhotell | Hosting (server + DB) | Sweden | GDPR-compliant |
| Stripe | Payment | US / Ireland | PCI DSS Level 1 |
| Google | reCAPTCHA, Analytics | US / EU | ISO 27001, ISO 27017, ISO 27018 |
12. Transparency
LexCodex.ai is not itself ISO 27001 or SOC 2 certified. We build security through standardised web platform technologies and third-party certified providers. Enterprise customers that require a certification of our own are invited to contact us to discuss the roadmap.
13. Contact
Security incidents: support@lexcodex.ai
Security audit / additional documentation: support@lexcodex.ai
See also: Data Processing Agreement (DPA) · Privacy Policy · Security & Trust