SUB-PROCESSOR LIST

Transparent Data Processing

LexAI publishes this list of sub-processors in accordance with Art. 28(2) GDPR. We notify you at least 30 days before engaging a new sub-processor.


Last updated: June 2025

Controller / Operator: LexAI Technologies, s.r.o., Company ID (IČO): 23589825, registered office: Školská 660/3, Praha 1 - Nové Město, 110 00 Praha 1
Contact: support@lexaitechnologies.com

About This Document

LexAI Technologies, s.r.o. (hereinafter "LexAI") publishes this current list of sub-processors (third parties that process personal data of users in the course of providing the LexAI platform) in accordance with Art. 28(2) GDPR and the commitments made in the Privacy Policy and Data Processing Agreement (DPA).

Change notification: We will notify you by email at least 30 days in advance of engaging a new sub-processor or making a material change to an existing one. Controllers (enterprise customers) with a DPA in place with LexAI have the right to raise a reasoned objection within 14 days of notification.

Core Infrastructure and Data Processing

| Sub-Processor | Jurisdiction | Data Location | Purpose | Data Processed | Transfer Mechanism |
|---|---|---|---|---|---|
| Anthropic, PBC | USA | USA | AI query processing (Claude API) | Conversation content, documents submitted for analysis | Standard Contractual Clauses (SCCs) under Art. 46 GDPR |
| Supabase, Inc. | USA | EU – Frankfurt | Database and user authentication | All user data (stored in encrypted form only) | Standard Contractual Clauses (SCCs) |
| Vercel, Inc. | USA | USA / EU | Serverless hosting and edge functions | Request logs, API calls | Standard Contractual Clauses (SCCs) |
| Hetzner Online GmbH | Germany (EU) | EU – Frankfurt | Proprietary servers (vector database, security logs, document processing) | Security logs, document processing for export/import | Within EEA - SCCs not required |
| Qdrant | EU | EU – Frankfurt (self-hosted on Hetzner) | Vector database for public legal sources | Embeddings of public legal sources - no user data | Within EEA - SCCs not required |

Payments and Billing

| Sub-Processor | Jurisdiction | Data Location | Purpose | Data Processed | Transfer Mechanism |
|---|---|---|---|---|---|
| Stripe, Inc. | USA | USA (EU compliance) | Payment gateway, subscription management | Payment details, billing information, subscription ID | Standard Contractual Clauses (SCCs); EU–U.S. Data Privacy Framework |

Communications

| Sub-Processor | Jurisdiction | Data Location | Purpose | Data Processed | Transfer Mechanism |
|---|---|---|---|---|---|
| Twilio SendGrid | USA | USA | Transactional email communication (notifications, account verification) | Email addresses, content of notification emails | Standard Contractual Clauses (SCCs) |

Transfers of Personal Data Outside the EEA

Some sub-processors are located or process data outside the European Economic Area (EEA), in particular in the USA. All such transfers are safeguarded by one or more of the following mechanisms:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission under Art. 46(2)(c) GDPR;
  • EU–U.S. Data Privacy Framework (DPF) — adequacy decision of the European Commission dated 10 July 2023, where applicable.

A copy of the relevant SCCs can be provided upon request to controllers with a DPA in place with LexAI. Requests should be sent to support@lexaitechnologies.com.

Special Notes

Anthropic (AI processing): Conversation and document content is transmitted to Anthropic's AI models via a commercial API. Anthropic does not use data submitted via the API to train its models. Due to LexAI's zero-knowledge architecture, data is encrypted directly on the user's device before being sent to LexAI's servers; it is transmitted to the Anthropic API in decrypted form solely for the duration of query processing.

Qdrant: This vector database is operated as a self-hosted instance on Hetzner infrastructure (EU – Frankfurt) and contains exclusively embeddings of publicly available legal sources (Czech case law, legislation, EU sources). No user data is stored here.

Supabase: Data is stored exclusively in encrypted form in accordance with LexAI's zero-knowledge architecture. Supabase has no access to unencrypted conversation or document content.

Changelog

| Version | Date | Change |
|---|---|---|
| 1.0 | June 2025 | Initial publication |

This document is updated on an ongoing basis. The date of the last update is indicated in the header. Archived versions are available upon request at support@lexaitechnologies.com.