Security & Trust
Confidentiality is not a feature — it is the foundational principle.
LexCodex.ai is used by lawyers and legal professionals working with confidential material. This page describes exactly what happens with your data, what rights you have, and how you control them yourself.
Summary: Your material is never stored on our servers after analysis. It is never used for AI training. You can delete your account and all data at any time — directly, without contacting us.
EU AI Act: LexCodex is classified as limited-risk system per Art. 6 (not Annex III). Meets Art. 50 transparency obligations: users are informed of AI interaction, output is marked as AI-generated.
🛡 Security testing: Security tested against OWASP Top 10 (internal Tier 1 review 2026-05-03 — Mozilla Observatory B+, 0 critical/high). Academic security review conducted Q2 2026. External penetration test available on request for enterprise customers.
📊 How your data flows
Every analysis follows the same path — no step deviates, no material is stored along the way:
- You write or upload text in the browser — transmitted over TLS / HTTPS
- LexCodex.ai server in EU data center — your material is not stored on disk or cache
- The AI provider API — zero data retention, EU routing, no model training on your data
- Response sent back to you
- Analysis disappears from memory after response — only your plan, username and counter are stored
🗂 What we store — and for how long
| Data type | Where | How long |
|---|---|---|
| Contract texts / legal content | — | Never stored |
| AI analysis responses | — | Never stored |
| Account details (name, email, organisation) | MySQL in Sweden | Until you delete the account |
| Hashed password (bcrypt) | MySQL in Sweden | Until you delete the account |
| Usage counter (analysis count) | MySQL in Sweden | Reset monthly |
| Shared analyses (via share link) | MySQL in Sweden | Max 7 days, then auto-deleted |
| Watch profiles | MySQL in Sweden | Until you delete them |
| Feedback you have submitted | MySQL in Sweden | Until you delete the account |
| Security logs (login attempts, IP) | MySQL in Sweden | Rolling 1 h (rate-limit), 15 min (lockout) |
| Server logs (access/error) | Server in Sweden | 30 days |
⚖️ Your GDPR rights — directly in the account
Under GDPR you have several rights. Most you can use yourself without contacting us:
| Right | How |
|---|---|
| Art. 15 — Right to access | "Download my data" button on /account — JSON file with all stored data |
| Art. 16 — Rectification | Email support@lexcodex.ai |
| Art. 17 — Erasure ("right to be forgotten") | "Delete my account" button on /account — removes everything immediately |
| Art. 18 — Restriction | Contact support@lexcodex.ai |
| Art. 20 — Data portability | Same button on /account — machine-readable JSON |
| Art. 21 — Objection | Contact support@lexcodex.ai |
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY).
🛡 Zero Data Retention — the AI environment
- No storage after analysis: contract texts, questions and AI responses exist only in memory during the call — no disk write, no caching.
- AI provider: the AI provider via API. The AI provider is SOC 2 Type II, ISO 27001, ISO 42001, HIPAA-certified.
- No model training: per the AI provider's terms, API traffic is not used for model training.
- EU routing: API calls go through the AI provider's EU infrastructure where possible.
- Per-request isolation: every call is fully independent — no context shared between users or sessions.
🚫 What we never do
- Sell or share your data with third parties for marketing
- Use your contracts or analyses for AI training — neither here nor at the AI provider
- Store your contracts after analysis is complete
- Share your data between users, even within the same organisation (without your choice)
- Send spam or newsletters without your explicit consent
🔐 Technical security
- TLS / HTTPS: all traffic encrypted in transit. HSTS with preload.
- CSP (Content Security Policy): active policy against XSS and data injection.
- CSRF protection: all sensitive calls require session-bound tokens.
- Bcrypt-hashed passwords: plaintext is never stored — not even at registration.
- MFA / TOTP: two-factor authentication supported (Google Authenticator, Authy, 1Password).
- Brute-force protection: automatic account lockout after 5 failed attempts for 15 minutes.
- Rate limiting: all sensitive endpoints are rate-limited per IP.
- Session invalidation: all active sessions terminated upon password change.
- Spam protection: third-party anti-bot service + honeypot + heuristics against automated registration.
- Regular security audits: internal P0–P3-classified audit system.
🧩 Sub-processors
We use certified third-party providers for AI analysis, hosting, payments and spam protection. All are certified to industry standards (SOC 2 Type II, ISO 27001, PCI DSS Level 1) and bound by data processing agreements (DPA).
🚨 Incident handling
In case of suspected data breach or security incident:
- Notification to affected customers within 72 hours (GDPR Art. 34)
- Notification to IMY within 72 hours (GDPR Art. 33)
- Transparent report on what happened, what data was affected, and what actions are taken
Report suspected incidents or security flaws: support@lexcodex.ai
📋 Documentation
- Privacy Policy — full personal data handling
- Data Processing Agreement (DPA) — per GDPR Art. 28
- Terms of Service