Data Encryption
Encryption at Rest
All file notes, folder names, and client contact information stored in Lex Protocol are encrypted using AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode). This is an authenticated encryption scheme that provides both confidentiality and tamper detection.
- Each encryption operation uses a cryptographically random 16-byte initialisation vector (IV), ensuring that identical plaintext produces different ciphertext every time.
- The GCM authentication tag is verified on every decryption, so any tampering with stored data is detected and rejected.
- Encryption keys are stored in Google Cloud Secret Manager and are never exposed to client applications or included in source code.
- Encrypted fields include: note titles, note content, folder names, and client contact details (name, email, address).
In addition, Google Cloud Firestore automatically encrypts all data at rest using AES-256, providing a second layer of encryption at the infrastructure level.
Encryption in Transit
All data transmitted between your device and our servers is protected by TLS 1.2+ (Transport Layer Security). This applies to:
- All Firebase Cloud Function calls (HTTPS-only endpoints)
- Real-time audio streaming via secure WebSocket (WSS) connections
- All communication with third-party services (OpenAI, Deepgram, Stripe)
- Firebase Authentication token exchange
Authentication & Access
Passwordless Login
Lex Protocol uses a secure one-time passcode (OTP) login system rather than traditional passwords. When you log in, a 6-digit code is sent to your registered email address. Codes expire after 10 minutes and are limited to 5 verification attempts. All codes are hashed with SHA-256 before storage and verified using timing-safe comparison to prevent timing attacks.
Two-Factor Authentication (2FA)
Lex Protocol supports optional TOTP-based two-factor authentication compatible with standard authenticator apps such as Google Authenticator, Authy, and Microsoft Authenticator. When enabled:
- You must enter a 6-digit authenticator code before an email OTP is sent, adding a second layer of verification.
- Eight single-use backup codes are generated during setup for account recovery. Backup codes are hashed with SHA-256 before storage.
- 2FA verification is rate-limited to 5 attempts per 5 minutes per account to protect against brute-force attacks.
Rate Limiting
All authentication endpoints are protected by progressive rate limiting. After repeated login attempts, increasing cooldown periods are enforced, culminating in a one-hour lockout to protect against brute-force and credential-stuffing attacks.
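As an added example of the progressive scheme described above (not Lex Protocol's code, and with cooldown values chosen for illustration rather than taken from the service), the limiter below lengthens the cooldown after each consecutive failure until it reaches a one-hour lockout, and resets on a successful login. The clock is injectable so the schedule can be exercised without waiting.

```javascript
// Added example: progressive rate limiting for an authentication endpoint.
// Schedule values are assumptions for illustration, not Lex Protocol's thresholds.

// Cooldown (seconds) indexed by consecutive failure count; index 0 is unused.
// Two free attempts, then 30 s, 60 s, 5 min, 15 min, and one hour for every failure after that.
const COOLDOWNS_S = [0, 0, 0, 30, 60, 300, 900, 3600];
const FORGET_AFTER_MS = 2 * 60 * 60 * 1000; // failure history expires after 2 h of quiet

class ProgressiveLimiter {
  // `clock` returns milliseconds; injectable for testing.
  constructor(clock = Date.now) {
    this.clock = clock;
    this.state = new Map(); // key (account id, IP, ...) -> { failures, lastFailure, blockedUntil }
  }

  // Call before processing a login attempt. Returns { allowed, retryAfterMs }.
  check(key) {
    const s = this.state.get(key);
    if (!s) return { allowed: true, retryAfterMs: 0 };
    const now = this.clock();
    if (now - s.lastFailure > FORGET_AFTER_MS) {
      this.state.delete(key);
      return { allowed: true, retryAfterMs: 0 };
    }
    const wait = s.blockedUntil - now;
    return wait > 0 ? { allowed: false, retryAfterMs: wait } : { allowed: true, retryAfterMs: 0 };
  }

  // Record a failed attempt and return the cooldown now in force, in seconds.
  recordFailure(key) {
    const now = this.clock();
    const s = this.state.get(key) || { failures: 0, lastFailure: now, blockedUntil: 0 };
    s.failures += 1;
    s.lastFailure = now;
    const cooldown = COOLDOWNS_S[Math.min(s.failures, COOLDOWNS_S.length - 1)];
    s.blockedUntil = now + cooldown * 1000;
    this.state.set(key, s);
    return cooldown;
  }

  // A successful login clears the failure history for that key.
  recordSuccess(key) {
    this.state.delete(key);
  }
}
```

Keying the limiter by account rather than only by source address is what makes it effective against credential stuffing, where each guess may arrive from a different address; in practice both keys are tracked.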
Data Residency
Lex Protocol is designed with Australian data sovereignty in mind:
- Cloud Functions: All server-side processing runs in the australia-southeast1 (Sydney) Google Cloud region.
- Firestore Database: User data is stored in our Firebase project hosted in Australia.
- Authentication: Firebase Authentication services are managed within the same Google Cloud project.
- Encryption Keys: Stored in Google Cloud Secret Manager, colocated with the application infrastructure.
Audio transcription and AI formatting are processed by Deepgram and OpenAI respectively. These services may process data in their own infrastructure regions (primarily the United States). However, audio is never stored on our servers, transcripts are encrypted before storage, and both providers are contractually prohibited from using your data for model training.
Access Controls
Workspace Isolation
Lex Protocol enforces strict workspace isolation between personal and organisation workspaces. Personal folders and notes are accessible only by the account owner. Organisation data is accessible only by verified organisation members. These boundaries are enforced at the database level through Firestore security rules, not just in the application layer.
Role-Based Access
Organisation accounts support a three-tier role hierarchy:
- Owner — Full control including ownership transfer, billing, and member management.
- Admin — Can invite new members and manage team settings. Cannot promote others to admin without owner approval.
- Member — Can access shared organisation folders and notes. Cannot manage team membership.
All role changes, member additions, and team management actions are performed through server-side Cloud Functions with fresh permission checks on every request. Role assignments are never trusted from the client.
Audit Trail
Privileged actions within organisations (role changes, member removals, ownership transfers, invitation activity) are logged in a tamper-resistant audit trail. Audit entries are written atomically alongside the actions they record, and can only be created by the server — never by client applications.
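The example below is added to illustrate the three properties stated in this section and the two before it, and is not Lex Protocol's code: the caller's role is read from the server-side store rather than from the request, the permission check runs on every call, and the audit entry is written in the same atomic unit as the change it records, so a rejected action leaves neither a change nor an audit row. The `Store` class is an in-memory stand-in for a database transaction, and the permission matrix is derived from the role descriptions above.

```javascript
// Added example: server-side role enforcement with an atomically written audit trail.
// In-memory stand-in for a Firestore transaction; illustrative only, not Lex Protocol's code.
const ROLE_RANK = { member: 1, admin: 2, owner: 3 };

// Which roles may perform each privileged action (from the three-tier description).
const PERMISSIONS = {
  invite_member: ['owner', 'admin'],
  remove_member: ['owner', 'admin'],
  promote_to_admin: ['owner'],
  transfer_ownership: ['owner'],
  manage_billing: ['owner'],
};
const NEEDS_EXISTING_TARGET = ['remove_member', 'promote_to_admin', 'transfer_ownership'];

// Organisations are { members: { uid: role }, audit: [...] }. transaction() runs the
// callback against a copy and swaps it in only if the callback completes, so the
// membership change and its audit entry are committed together or not at all.
class Store {
  constructor() { this.orgs = new Map(); }
  getOrg(id) { return this.orgs.get(id); }
  transaction(orgId, fn) {
    const current = this.orgs.get(orgId);
    if (!current) throw new Error('no such organisation');
    const draft = JSON.parse(JSON.stringify(current));
    fn(draft);
    this.orgs.set(orgId, draft);
  }
}

// Apply a privileged action on behalf of callerUid. Any `role` field a client
// sends in the request is ignored: the role is looked up inside the transaction.
function performAction(store, { callerUid, orgId, action, targetUid, now = Date.now() }) {
  const allowedRoles = PERMISSIONS[action];
  if (!allowedRoles) throw new Error('unknown action');
  store.transaction(orgId, (org) => {
    const callerRole = org.members[callerUid];
    if (!callerRole || !allowedRoles.includes(callerRole)) throw new Error('forbidden');
    if (NEEDS_EXISTING_TARGET.includes(action) && !org.members[targetUid]) throw new Error('not a member');
    switch (action) {
      case 'invite_member':
        org.members[targetUid] = 'member';
        break;
      case 'remove_member':
        // Nobody may remove a member of equal or higher rank than themselves.
        if (ROLE_RANK[org.members[targetUid]] >= ROLE_RANK[callerRole]) throw new Error('forbidden');
        delete org.members[targetUid];
        break;
      case 'promote_to_admin':
        org.members[targetUid] = 'admin';
        break;
      case 'transfer_ownership':
        org.members[targetUid] = 'owner';
        org.members[callerUid] = 'admin';
        break;
      case 'manage_billing':
        break; // billing update would go here
    }
    // Audit entry in the same transaction as the change; clients never write here.
    org.audit.push({ at: now, actor: callerUid, actorRole: callerRole, action, target: targetUid ?? null });
  });
  return true;
}
```

Because the role check and the audit write sit inside the transaction callback, a denied request throws before any write, which is why the tests below expect the audit length to be unchanged after each rejected call.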
Subprocessors
Lex Protocol uses the following third-party services to deliver its functionality. We minimise the data shared with each provider to only what is necessary for the service.
| Provider | Purpose | Data Shared | Training Opt-Out |
|---|---|---|---|
| Google Cloud / Firebase | Hosting, database, authentication, file storage | Encrypted user data, authentication credentials | N/A — infrastructure provider |
| Deepgram | Audio transcription (speech-to-text) | Audio stream (not stored after transcription) | Yes — mip_opt_out enabled on all requests |
| OpenAI | AI note formatting, Ask Lexi chat assistant | Transcripts and chat context (for processing only) | Yes — API data is not used for model training by default |
| Stripe | Desktop/web payment processing | Email, billing information, subscription status | N/A — payment processor |
| RevenueCat | Mobile subscription management (App Store / Google Play) | Anonymous user ID, subscription entitlements | N/A — billing infrastructure |
| Sentry | Error monitoring and crash reporting | Error data only — personal information (names, emails, addresses) is automatically scrubbed before transmission | N/A — no user content processed |
We do not sell, share, or provide user data to any third party for advertising, profiling, or any purpose unrelated to delivering the Lex Protocol service.
Data Retention & Deletion
Audio Recordings
Audio is processed in memory and on temporary storage during transcription. Temporary files are deleted immediately after the transcript is generated. No audio recordings are stored on our servers beyond the duration of a single transcription request.
Notes & Folders
Notes and folders are retained for as long as your account is active. When you delete a note or folder, it is soft-deleted and permanently purged after 30 days. This grace period allows for accidental deletion recovery.
Chat History
Conversations with the Ask Lexi assistant are automatically deleted after 90 days.
Account Deletion
You can request full account deletion from the Settings screen at any time. When you delete your account:
- Your account is immediately deactivated and all active sessions are revoked.
- Active Stripe subscriptions are cancelled immediately.
- After a 30-day grace period, all data is permanently and irreversibly deleted, including: notes, folders, chat history, tasks, export settings, profile information, and your Firebase authentication record.
- Profile images are removed from cloud storage.
For mobile (App Store / Google Play) subscriptions, billing is managed by the respective app store. You must cancel your subscription directly through the App Store or Google Play to stop future charges.
Incident Response
In the event of a confirmed data breach that affects your personal information, we will:
- Notify affected users by email within 72 hours of confirmation, in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988.
- Notify the Office of the Australian Information Commissioner (OAIC) where required.
- Provide clear details of what data was affected, what steps we are taking, and what actions you should consider.
Our engineering team monitors error alerts and system health continuously. Automated alerting is in place for server errors and anomalous activity.
Compliance
Lex Protocol is operated by Avci Technologies (ABN: 69688146581) and is designed to comply with the following frameworks:
- Australian Privacy Act 1988 (Cth) — We adhere to the Australian Privacy Principles (APPs) governing the collection, use, storage, and disclosure of personal information.
- Notifiable Data Breaches (NDB) Scheme — We have processes in place to assess and report eligible data breaches as required.
- GDPR Awareness — While our primary user base is in Australia, we apply data minimisation and privacy-by-design principles that align with the General Data Protection Regulation for any users in the European Economic Area.
Our approach is built on the principles of data minimisation (we only collect what is necessary), purpose limitation (data is used only to provide the service), and storage limitation (data is deleted when no longer needed).
Questions or Concerns
If you have any questions about our security practices or would like to report a security concern, please contact us at support@lexprotocol.co.
For full details on how we collect and use your information, see our Privacy Policy. For the terms governing your use of the service, see our Terms of Service.