Your Data. Your Control.

Bank-level security meets zero-knowledge architecture. We built LexAI so that even we cannot access your confidential legal data.

Zero-Knowledge Encryption
No User Tracking
EU Data Residency
AES-256 Encryption
0 Data Breaches
100% Your Ownership

We Can't See Your Data. By Design.

Unlike traditional cloud services, LexAI uses zero-knowledge architecture inspired by Proton Mail. Your data is encrypted before it ever leaves your device, using keys that only you control. Even our own engineers cannot access your confidential legal information.

Client-side encryption - Data encrypted before upload
No server-side access - We never see unencrypted data
Mathematical proof - Cryptographically guaranteed privacy

End-to-End Encryption

Your data is encrypted on your device before transmission. Only you have the decryption keys.

Attorney-Client Privilege

Architecture designed to maintain privilege. No third-party access to your confidential communications.

Proton-Inspired Security

Same security principles used by Proton Mail, trusted by journalists and activists worldwide.

Open Architecture

Our security model is documented and can be independently verified by security researchers.

Your Master Key. Your Only Access.

A single master key that only you possess unlocks your encrypted vault. Without it, your data remains permanently inaccessible—even to us.

Master Key Encryption

Your master password generates a unique cryptographic key using PBKDF2 with 600,000+ iterations. This key never leaves your device and is never transmitted to our servers.

AES-256-GCM

Military-grade encryption standard used by governments worldwide. The same encryption protecting classified information now protects your legal work.

Key Derivation

Each document has unique encryption keys derived from your master key. Compromising one document doesn't compromise others.

No Backdoors

If you lose your master key, we cannot recover your data. This is a feature, not a bug—it proves no one else can access your data either.

Perfect Forward Secrecy

Session keys are ephemeral and rotated regularly. Even if a key is compromised, past and future sessions remain protected.

Hardware Security

Support for hardware security keys (YubiKey, etc.) as an additional authentication layer and protection against phishing attacks.

Multiple Layers of Protection

Flexible authentication options, from simple 2FA to hardware-backed biometrics.

Two-Factor Authentication

TOTP authenticator apps (Google Authenticator, Authy) with encrypted secrets and replay protection for an extra layer of security.

Biometric Login

Face ID, Touch ID, Windows Hello - passwordless login via WebAuthn with phishing resistance and hardware-backed credentials.

Session Timeout

Automatic logout after inactivity with 2-minute warning, desktop notifications, and configurable duration for enterprise control.

Backup Codes

8 single-use recovery codes, SHA-256 hashed, for account recovery when your 2FA device is unavailable.

Security Keys

FIDO2 hardware keys (YubiKey) for maximum protection against credential theft and phishing attacks.

Login Alerts

Instant notifications of new logins with device and location info so you always know when your account is accessed.

Enterprise-Grade Session Security

Complete control over session lifecycle with advanced timeout warnings, secure cleanup procedures, and comprehensive activity monitoring.

Configurable timeout - 15 minutes to 8 hours based on your security policy
2-minute warning modal - Never lose work to unexpected logouts
Desktop notifications - Alerts even when tab is in background
Secure cleanup - WebWorker termination and token invalidation

Quick Re-auth

Stay logged in with password or biometric re-verification without losing your work.

Secure Logout

Complete session cleanup with token invalidation, cache clearing, and worker termination.

Multi-Device Management

View and revoke sessions across all devices from your security dashboard.

Activity Detection

Smart activity monitoring resets timeout on keyboard, mouse, and touch interactions.

We Don't Sell Your Data. Period.

Your Data Is Not Our Product

Many "free" AI services monetize user data through advertising, training AI models, or selling to third parties. LexAI is different. We're a subscription business—our only revenue comes from providing you excellent service, not from exploiting your confidential legal information.

No Data Selling

We never sell, license, or share your data with any third party. Your data stays yours.

No AI Training

Your documents are never used to train our AI or any third-party models. Ever.

No Advertising

Zero ads. Zero tracking for ad purposes. We make money from subscriptions, not surveillance.

Data Minimization

We collect only what's necessary to provide service. Less data = less risk.

Built for Legal Confidentiality

Zero-knowledge architecture isn't just a security feature—it's a guarantee that attorney-client privilege remains intact.

We Can't Share Your Data

Even if we wanted to—which we don't—we technically cannot access your encrypted conversations and documents. Your privilege stays protected.

Zero Access

GDPR Compliant

Full compliance with EU data protection regulations. Data stored in Supabase's Frankfurt data center, processed on Hetzner servers—both in Germany. No data leaves the EU.

EU Data Only

Minimal Data Collection

We don't verify your identity. No IP logging for regular use. Payments via Stripe—we never see your card. We know almost nothing about you.

Privacy First

The Problem with Most AI Services

Most cloud AI services weren't built with legal confidentiality in mind. Here's what typically happens—and why we do things differently.

Typical Cloud AI

Your data trains their models. Every query you send may be used to improve their AI—including your confidential legal questions.
US servers, US laws. Data stored in the US is subject to the CLOUD Act, FISA, and government requests—even for EU citizens.
Full access to your conversations. Employees can read your chats for "safety review," abuse detection, or model improvement.
Extensive logging. IP addresses, usage patterns, device info, and behavioral data are collected and stored.
Third-party API wrappers. Many "legal AI" tools just forward your data to big tech AI APIs—adding another party with access.

The LexAI Approach

Zero training on your data. Your conversations are encrypted and never used for any purpose beyond serving you.
EU servers, EU laws. All data stays in Germany (Frankfurt). GDPR protection. No CLOUD Act exposure.
Zero-knowledge encryption. We mathematically cannot read your data. Not "we promise not to"—we literally can't.
Minimal logging. No IP tracking for normal use. No identity verification. We know almost nothing about you.
Self-hosted AI. We run our own model on our own servers. Your queries never touch third-party AI providers.

We built LexAI because we believe lawyers deserve AI tools that respect the same confidentiality standards they uphold with their clients. Our business model is simple: you pay for a subscription, and we provide a private, secure service. We have no incentive to monetize your data—and our architecture makes it impossible anyway.

EU-Based, Privacy-Focused Stack

Your data is stored in Supabase's Frankfurt data center—a trusted, SOC 2-compliant database provider. AI processing happens on our own Hetzner GPU servers, also in Germany. No sensitive data ever leaves the EU.

Supabase (Frankfurt)

Your conversations and documents are stored in Supabase's Frankfurt data center—SOC 2 Type II certified with enterprise-grade security.

Hetzner AI Processing

All AI and backend processing runs on our own GPU servers at Hetzner in Germany. Your queries never leave our infrastructure.

Vercel Frontend

Only the client-side interface runs on Vercel. No sensitive data is processed there—just the UI you interact with.

No Third-Party AI APIs

Unlike ChatGPT wrappers, we run our own AI. Your legal queries are never sent to OpenAI, Anthropic, or any external provider.

Data flow: Your Browser → Vercel (UI only) → Hetzner Germany (AI & Backend) → Supabase Frankfurt (Encrypted Storage). 100% EU Infrastructure.

Security Questions

Honest answers about how we protect your data and what we can (and can't) access.

Encryption

Can LexAI employees access my data?

No. Due to our zero-knowledge architecture, your data is encrypted with keys that only you possess. Even with physical access to our servers, our employees cannot decrypt your data. This is mathematically guaranteed by our encryption design—we literally cannot access your information.

Recovery

What happens if I lose my master key?

If you lose your master key without a backup, your data cannot be recovered—by you or by us. This is intentional: it proves no one else can access your data either. We strongly recommend using our secure recovery key feature and storing backups in a safe location.

Legal

What happens if authorities request my data?

Here's exactly what we could provide: encrypted data we cannot decrypt, plus the username you chose during signup (which we don't verify—it could be fake). That's it. We don't log IP addresses during normal use, we don't verify identities, and payments go through Stripe so we don't have your card details. Even if compelled by law, we simply don't have useful information to hand over.

Breach

What if LexAI gets hacked?

Even in a breach scenario, attackers would only obtain encrypted data. Without your master key (which is never transmitted to us), your data remains protected. This is the core benefit of zero-knowledge architecture—it protects you even if we fail.

Tracking

Do you track my IP address or activity?

No tracking during normal use. We only log IP addresses when our security systems detect potential threats—like brute force attacks or suspicious activity. Legitimate users going about their work will never have their IP logged. We don't use analytics trackers, we don't build user profiles, and we don't monitor what you do in the app.

Questions About Security?

Our security team is here to answer your questions and provide documentation for your compliance reviews.

Security Whitepapers - Detailed technical documentation
Architecture Details - Zero-knowledge & GDPR documentation
Direct Support - Speak with our security team

For urgent security concerns, email security@lexaitechnologies.com directly.
