Security Whitepaper
Technical security overview – version 1.2 (2026-05-03)
1. Summary
LexCodex.ai is an AI-driven legal analysis platform. This whitepaper describes our security architecture, data flows, intrusion protection and GDPR mechanisms. The fundamental principle is zero data retention on legal content.
2. Architecture
Frontend: Vanilla JavaScript SPA with static HTML pages. No third-party libraries for authentication.
Backend: PHP 8 on Apache with MySQL/PDO. Hosted in a certified EU data center.
AI layer: the AI provider. No contract texts or AI responses are stored, and LexCodex does not use data for model training.
3. Data flow
When a user analyses text:
- Text is sent encrypted (TLS 1.3) to our PHP proxy
- The proxy validates session, rate limit, user plan and CSRF
- The text is sent encrypted to the AI provider
- The response is returned to the user
- The text is not stored on our servers — only counts of the number of analyses and which tool was used (without content, for aggregated statistics)
4. Tenant isolation
Each user account is isolated at the database level:
- Sessions are tied to a unique user_id
- All SQL queries are filtered by user_id (prepared statements, never concatenation)
- session_version mechanism invalidates all active sessions on password change
- __Host- cookie prefix keeps the session cookie host-only, which prevents cross-subdomain access
- No sharing between users within the same organisation without explicit choice (share links)
5. Authentication
- Passwords hashed with bcrypt (cost 10) + unique salt
- Minimum password length: 8 characters
- Email verification with 6-digit code (valid 30 min, max 5 attempts)
- MFA / TOTP — optional two-factor authentication via Google Authenticator, Authy, 1Password, Microsoft Authenticator. Backup codes hashed with bcrypt and single-use.
- Brute force protection: 5 incorrect attempts → 15 min lockout
- Google SSO with state parameter for CSRF protection
- Session cookie: Secure, HttpOnly, SameSite=Lax, __Host- prefix
- CSRF token on all authenticated POST calls (timing-safe comparison via hash_equals)
- Session is regenerated on sign-in and password change
6. Transport and storage
- TLS 1.3 with HSTS preload (max-age 1 year, includeSubDomains)
- CSP (Content Security Policy) with strict script-src and frame-src
- X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff
- Cross-Origin-Opener-Policy same-origin
- Database: MySQL with encrypted password in isolated config.local.php (not in git, chmod 600)
- No contract texts, AI responses or uploaded documents are written to disk
7. Intrusion protection
- Rate limiting: Per-IP on login (20/h), MFA verify (15/h), resend/forgot (5/h), contact (5/h), registration (5/h), account deletion (5/h), share links (20/h)
- Prompt injection protection: System prompts are server-side locked, messages are validated for role and max length
- Honeypot fields on registration and contact
- Third-party anti-bot service on registration and contact form
- Heuristics against random strings on registration (vowel/consonant ratio, case patterns)
- Blocking of free email domains on registration (business email required)
- Webhook replay protection: the payment processor event ID is stored to prevent double processing
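The role and length validation named in the prompt-injection item above, as an added JavaScript example; it is not LexCodex's code, and the page's backend is PHP. `validateMessages`, `buildProviderRequest`, the role names and the request shape are assumptions; the limits are the 50 KB per-message and 200 KB per-request figures the whitepaper gives for LLM01.

```javascript
// Added illustration, not LexCodex code. Role names and reading "KB" as
// 1024 bytes are assumptions; the 50 KB / 200 KB figures are the page's.
const ALLOWED_ROLES = new Set(["user", "assistant"]); // never "system"
const MAX_MESSAGE_BYTES = 50 * 1024;
const MAX_REQUEST_BYTES = 200 * 1024;

// Measure UTF-8 bytes, not string length: multi-byte text is longer.
function byteLength(text) {
  return new TextEncoder().encode(text).length;
}

// Returns { ok: true, messages } or { ok: false, error }.
function validateMessages(messages) {
  if (!Array.isArray(messages) || messages.length === 0) {
    return { ok: false, error: "messages must be a non-empty array" };
  }
  let total = 0;
  const clean = [];
  for (const [i, msg] of messages.entries()) {
    if (msg === null || typeof msg !== "object") {
      return { ok: false, error: `message ${i}: not an object` };
    }
    if (!ALLOWED_ROLES.has(msg.role)) {
      return { ok: false, error: `message ${i}: role not allowed` };
    }
    if (typeof msg.content !== "string") {
      return { ok: false, error: `message ${i}: content must be a string` };
    }
    const size = byteLength(msg.content);
    if (size > MAX_MESSAGE_BYTES) {
      return { ok: false, error: `message ${i}: over per-message limit` };
    }
    total += size;
    if (total > MAX_REQUEST_BYTES) {
      return { ok: false, error: "request over total size limit" };
    }
    // Copy known fields only, so extra client keys are not forwarded.
    clean.push({ role: msg.role, content: msg.content });
  }
  return { ok: true, messages: clean };
}

// The system prompt is attached server-side, after validation, so no
// client message can occupy the system slot (hypothetical request shape).
function buildProviderRequest(systemPrompt, clientMessages) {
  const result = validateMessages(clientMessages);
  if (!result.ok) throw new Error(result.error);
  return { system: systemPrompt, messages: result.messages };
}
```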
8. GDPR mechanisms (self-service)
- Art. 15 + Art. 20 (access / portability): Functional "Download my data" button at /en/account — generates a JSON file with account, shared analyses, watch profiles + reports, batch jobs (metadata), tool usage and submitted feedback. Passwords, MFA keys and backup codes are excluded.
- Art. 17 (deletion): Functional "Delete my account" button — requires password + confirmation word, immediately deletes the account and all linked tables (tool_usage, shared_analyses, studie_feedback, batch_jobs+documents, watch_profiles+reports). A confirmation email is sent to the user.
- Share links have 7-day auto-deletion
9. Incident handling
- Suspected incidents are detected via audit log (admin_actions table)
- Notification to affected customers within 72 hours (GDPR Art. 34)
- Reporting to IMY within 72 hours (GDPR Art. 33)
- Rotation of all API keys and passwords on confirmed breach
10. AI/LLM security
LexCodex applies controls based on OWASP Top 10 for LLM Applications:
- LLM01 Prompt Injection — server-side lex_detect_injection() blocks 6 pattern classes (instruction override, role hijack, system impersonation, delimiter injection, instruction extraction, data exfiltration). System prompts contain explicit instruction-immunity directives. Per-message limit 50 KB, per-request limit 200 KB.
- LLM02 Insecure Output Handling — all LLM output passed through escapeHtml() before markdown rendering. Only https:// links allowed. AI is instructed not to produce executable HTML/JS.
- LLM06 Sensitive Information Disclosure — Zero Data Retention via the AI provider's enterprise terms. No logging of prompt/output content. AI instructed never to reveal system prompts, other users' data, or internal infrastructure.
- LLM10 Model Theft — not applicable (we don't host our own models).
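The LLM02 ordering described above (escape, then render markdown, then allow only https:// links), as an added JavaScript example that is not LexCodex's code. `escapeHtml` is named on the page, but its body here, `isAllowedLink`, `renderModelOutput` and the two-rule markdown subset are assumptions.

```javascript
// Added illustration, not LexCodex code. escapeHtml() is named on the page;
// its body here, isAllowedLink() and renderModelOutput() are assumptions.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A link target is accepted only if it parses as an absolute https: URL.
// The URL parser normalises scheme case, so "JaVaScRiPt:" is still caught.
function isAllowedLink(href) {
  try {
    return new URL(href).protocol === "https:";
  } catch {
    return false; // relative or unparsable targets are rejected
  }
}

// Escape first, then convert a small markdown subset (**bold** and
// [label](url)). Every tag in the result was produced by this function.
function renderModelOutput(raw) {
  let html = escapeHtml(raw);
  html = html.replace(/\*\*([^*]+)\*\*/g, "<strong>$1</strong>");
  html = html.replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, (match, label, href) => {
    // href is already escaped; undo &amp; only for the scheme check.
    const target = href.replace(/&amp;/g, "&");
    if (!isAllowedLink(target)) return label; // keep the text, drop the link
    return `<a href="${href}" rel="noopener noreferrer">${label}</a>`;
  });
  return html;
}
```

Running the escape step after markdown rendering instead would either destroy the renderer's own tags or let model-supplied markup through, which is why the order matters.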
Hallucination control: every claim is bound to a verified primary source across Swedish, Norwegian, Danish or EU law with second-pass verification. The AI is instructed to prefer "I'm uncertain, please consult primary sources" over fabricated references.
11. Audits and tests
- Internal security audit April 2026 — documented, covers P0–P3 threats.
- Tier 1 testing 2026-05-03 — Mozilla Observatory B+ (80/100), securityheaders.com, OWASP Top 10 walkthrough, dependency audit, hidden-file probe. Result: 0 critical/high, 2 medium fixed same day.
- Academic security review Q2 2026 — security tested against OWASP Top 10. Details available on request under NDA.
- External penetration test — can be arranged on request for enterprise customers. Standard providers: Truesec, Sentor, Cure53.
12. Sub-processors
LexCodex.ai uses certified third-party providers for AI analysis, hosting (EU), payments and spam protection. All are certified to industry standards (SOC 2 Type II, ISO 27001, PCI DSS Level 1) and bound by data processing agreements (DPA). Enterprise customers receive the full vendor list under NDA as part of onboarding.
13. Reporting a vulnerability (Responsible Disclosure)
If you find a security issue, please email support@lexcodex.ai with:
- A clear description of the issue
- Steps to reproduce
- Affected URL or endpoint
- Your contact details (for follow-up)
We acknowledge your report within 2 business days and provide a remediation plan within 7 business days for confirmed issues. We thank reporters in writing if a fix is shipped, and credit you publicly with your permission once the issue is resolved.
No bug bounty programme at this time. Out of scope: denial-of-service testing, social engineering of staff, physical attacks, automated scanner output without manual verification.
14. Contact
Security incidents and responsible disclosure: support@lexcodex.ai
Security audit / additional documentation: support@lexcodex.ai