What is legal file noting?

Legal file noting is the practice of recording detailed notes about client interactions, court appearances, meetings, and other legal activities. These notes form a critical part of the legal record and are essential for maintaining accurate case histories, meeting professional obligations, and protecting against potential disputes.

How does Lex Protocol's voice-to-text work?

Simply speak naturally about what happened during your client interaction, court appearance, or meeting. Our AI processes your recording using advanced speech recognition trained on legal terminology, then structures it into a professional file note with proper formatting, legal citations, and organised sections.

Is my client data secure with Lex Protocol?

Absolutely. We use AES-256-GCM encryption for all stored data and end-to-end encryption for data in transit. Your voice recordings are processed and immediately deleted. We never sell your data and we never use your content to train AI models.

Ask Lexi is your AI legal research assistant built into Lex Protocol. Ask questions about your matters, get cited answers from your own file notes, and never miss a critical detail. Available on Premium and Gold plans.

Is there a free plan?

Yes! Our Starter plan is completely free and includes 12 notes per month with PDF export. No credit card required. Compare that to competitors like Smokeball ($49/user/month) or Clio ($49/user/month).

Security Policy | Lex Protocol

Effective Date: 24 April 2026 | Last Updated: 24 April 2026

APPCompliant

GDPRCompliant

CCPACompliant

1. Overview

Lex Protocol is built for legal professionals who handle sensitive client information. Security is foundational, not an afterthought. This policy describes the technical and organizational measures we implement to protect your data.

Company: Avci Technologies (ABN: 69688146581), Melbourne, VIC, Australia.

2. Encryption

At Rest

All note content, titles, and sensitive data are encrypted with AES-256-GCM (Galois/Counter Mode) with authenticated encryption. Each record uses a unique random 16-byte initialization vector (IV) and HMAC authentication tag. Encryption keys are 256-bit (32 bytes), managed via Google Cloud Secret Manager — never stored in source code or public repositories.

In Transit

All data is transmitted over TLS 1.2+ (HTTPS enforced on all endpoints). WebSocket connections for audio transcription also use secure WSS protocol.

Clio Integration

OAuth tokens are stored AES-256-GCM encrypted in Firestore. Tokens are decrypted only at the moment of use and never logged.

3. Authentication & Access Control

Firebase Authentication — passwordless email one-time code (no passwords stored)
Two-Factor Authentication (2FA): TOTP-based with authenticator apps (Google Authenticator, Authy, etc.). Backup codes provided on setup.
Biometric Authentication: Fingerprint and Face ID on mobile devices, with credentials stored in the device's Secure Store (not on our servers).

Session Management

12-hour session timeout (without biometric)
7-day session with biometric enabled
15-minute grace period for biometric re-authentication

Role-Based Access Control

Organization workspaces support Owner, Admin, and Member roles. Permissions are enforced at the database level via Firestore Security Rules. Administrative operations (role changes, data deletion) are restricted to Cloud Functions — no direct client-side writes to sensitive collections.

4. Infrastructure & Data Residency

Cloud Provider: Google Cloud Platform (Firebase)
Region: australia-southeast1 (Sydney, Australia)
All Firestore data and Cloud Functions hosted in Australia

AI Processing Note: Audio transcription (Deepgram) and AI features (OpenAI) route through US-based servers. Deepgram does not retain audio after transcription, and we set store: false on all OpenAI requests so inputs and outputs are not persisted. Neither provider trains on user content (Deepgram: mip_opt_out enabled; OpenAI: not used for training per API terms). OpenAI may keep transient request logs for up to 30 days for abuse monitoring before deletion.

5. Third-Party Services

The following table summarizes the third-party services we use, what data they receive, and their data handling practices:

Service	Purpose	Data Region	Data Retained	Training Opt-out
Google Firebase	Authentication, database, file storage	Australia	Yes (primary store)	N/A
OpenAI	AI chat (Ask Lexi), note summarization	US	Transient (30d max)	Yes
Deepgram	Audio transcription	US	No	Yes (mip_opt_out)
Stripe	Payment processing	US/AU	Billing data only	N/A
RevenueCat	Mobile subscription management	US	Subscription status only	N/A
Clio Manage	Legal CRM sync (user-initiated)	User's Clio region	Per Clio's policies	N/A
Sentry	Error monitoring	US	Error traces only (no PII)	N/A
Google (Gmail SMTP)	Transactional email (login codes, account restoration confirmations)	US	Email delivery logs	N/A

6. Input Validation & Application Security

Schema Validation: All Cloud Function inputs validated with Zod schemas (field-level type checking, length limits, format validation).
File Upload Restrictions: 10MB max for documents (PDF, DOCX, TXT), 5MB max for profile images. MIME type whitelist enforced at both client and server.
HTML Sanitization: For third-party sync (Clio) — whitelist of allowed tags and attributes to prevent injection.
OAuth CSRF Protection: Cryptographic state tokens with 10-minute TTL, single-use enforcement.
Cross-Site Scripting (XSS): Output encoding applied in all server-rendered HTML (OAuth callback pages).
CORS: Firebase ID token required on all API endpoints regardless of origin.

7. Rate Limiting

Encryption/decryption operations: 60 requests per minute per user
AI features (Ask Lexi): 10 requests per 2 minutes per user
OAuth initiations: 20 per hour per user
File uploads: 10 per hour per user

Implementation: Firestore-backed sliding windows with automatic TTL expiry.

8. Audio & Voice Data

Voice recordings are processed in real-time via streaming transcription.
No audio is stored on our servers — audio is streamed directly to Deepgram for transcription and immediately discarded.
Voice Activity Detection (VAD) gates audio on-device before transmission, reducing unnecessary data transfer.
Temporary Deepgram tokens are issued per-session (not full API keys).

9. Vulnerability Management

We commit to the following remediation timelines from the moment a vulnerability is confirmed (whether discovered internally or reported by a researcher):

Critical severity: Patch within 24 hours. Includes actively exploited vulnerabilities and any flaw appearing on the CISA Known Exploited Vulnerabilities (KEV) catalog.
High severity: Patch within 7 days.
Medium severity: Patch within 30 days.
Low severity: Patch within 90 days.

We publish security advisories for any Critical or High severity fix that affects user data or authentication, with the root cause and mitigation, in the release notes for the affected version.

Report security issues to: security@lexprotocol.co (see also our security.txt).

Safe harbor: We will not pursue or support legal action against security researchers who act in good faith — accessing only their own test data, avoiding privacy violations, service degradation and data destruction, and giving us a reasonable opportunity to remediate before any public disclosure. If you are unsure whether a specific test is authorized, contact us first at security@lexprotocol.co and we will work with you.

We use automated dependency scanning and keep all dependencies up to date.

10. Data Retention & Deletion

Ask Lexi chat histories: Automatically deleted after 90 days of inactivity.
Audio recordings: Never stored (streaming only).
Account deletion: All user data permanently removed upon request, including encrypted notes, folders, and associated metadata. Clio tokens revoked and deleted.
Soft-delete: 30-day recovery window for accidental deletions.

11. Monitoring & Incident Detection

Error monitoring via Sentry with real-time alerting
Discord webhook alerts for critical backend errors
Firebase Cloud Logging for all Cloud Function executions
Rate limit monitoring for abuse detection

See our Incident Response Plan at lex-protocol.com/incident-response.

12. Compliance

Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth)
Notifiable Data Breaches (NDB) scheme
General Data Protection Regulation (GDPR) awareness for EU users
Australian Consumer Law (ACL)

13. Contact

Security & General Inquiries

Security concerns: security@lexprotocol.co

General inquiries: support@lexprotocol.co

Avci Technologies, Melbourne, VIC, Australia

ABN: 69688146581

This security policy is reviewed and updated regularly. Last comprehensive security audit: April 2026.