Lex ProtocolLex Protocol™
AboutContactBlogPrivacy & Safety
Sign UpLogin
Product OverviewTeamsAboutContactBlogPrivacy & Safety
Sign UpLogin

Security Policy

How we protect your legal data with industry-leading security measures

Effective Date: 24 April 2026  |  Last Updated: 07 July 2026
CCPACompliant
GDPRAligned

1. Overview

Lex Protocol is built for legal professionals who handle sensitive client information. Security is foundational, not an afterthought. This policy describes the technical and organizational measures we implement to protect your data.

Company: Avci Technologies Pty Ltd (ABN: 69 688 146 581), Melbourne, VIC, Australia.

2. Encryption

At Rest

All note content, titles, and sensitive data are encrypted with AES-256-GCM (Galois/Counter Mode) with authenticated encryption. Each record uses a unique random 16-byte initialization vector (IV) and a GCM authentication tag verified on every decryption. Encryption keys are 256-bit (32 bytes), managed via Google Cloud Secret Manager — never stored in source code or public repositories.

In Transit

All data is transmitted over TLS 1.2+ (HTTPS enforced on all endpoints). WebSocket connections for audio transcription also use secure WSS protocol.

3. Authentication & Access Control

  • Firebase Authentication — passwordless email one-time code (no passwords stored)
  • Two-Factor Authentication (2FA): TOTP-based with authenticator apps (Google Authenticator, Authy, etc.). Backup codes provided on setup.
  • Biometric Authentication: Fingerprint and Face ID on mobile devices, with credentials stored in the device's Secure Store (not on our servers).

Session Management

  • Mobile: 12-hour session timeout, or 7 days with biometric unlock enabled, with a 15-minute re-authentication grace period
  • Desktop: automatic sign-out after 7 days of inactivity, with an on-screen warning before logout

Role-Based Access Control

Organization workspaces support Owner, Admin, and Member roles. Permissions are enforced at the database level via Firestore Security Rules. Administrative operations (role changes, data deletion) are restricted to Cloud Functions — no direct client-side writes to sensitive collections.

4. Infrastructure & Data Residency

  • Cloud Provider: Google Cloud Platform (Firebase)
  • Region: australia-southeast1 (Sydney, Australia)
  • All Firestore data and Cloud Functions hosted in Australia

AI Processing Note: Audio transcription (Deepgram) and AI features (OpenAI) route through US-based servers. Audio is deleted from our servers immediately after the transcript is returned. We opt out of Deepgram's Model Improvement Program on every request; under Deepgram's published terms, opted-out request data is retained only for the duration necessary to process the request. We set store: false on all OpenAI requests, and our OpenAI traffic is covered by a Zero Data Retention amendment: the text we submit is not persisted and is not logged for abuse monitoring. Attachments shared with the Ask Lexi assistant (images and scanned documents) are the exception and may be retained by OpenAI for up to 30 days for safety screening. Neither provider trains on user content.

5. Third-Party Services

The following table summarizes the third-party services we use, what data they receive, and their data handling practices:

ServicePurposeData RegionData RetainedTraining Opt-out
Google FirebaseAuthentication, database, file storageAustraliaYes (primary store)N/A
OpenAIAI chat (Ask Lexi), note summarizationUSNone for text (zero data retention); Ask Lexi attachments up to 30dYes
DeepgramAudio transcriptionUSProcessing duration only (MIP opt-out on every request)Yes (mip_opt_out)
StripePayment processingUS/AUBilling data onlyN/A
RevenueCatMobile subscription managementUSSubscription status onlyN/A
SentryError monitoringUSError traces only (no PII)N/A
ResendTransactional email (login codes, account notifications)Japan (Tokyo; US-based provider)Email delivery logsN/A
DiscordInternal error & event monitoring (ops alerts)USOperational alerts only (account identifiers; no legal content)N/A

6. Input Validation & Application Security

  • Schema Validation: All Cloud Function inputs validated with Zod schemas (field-level type checking, length limits, format validation).
  • File Upload Restrictions: 10MB max for documents (PDF, DOCX, TXT), 5MB max for profile images. MIME type whitelist enforced at both client and server.
  • HTML Sanitization: Whitelist of allowed tags and attributes to prevent injection in rich-text and third-party content.
  • OAuth CSRF Protection: Cryptographic state tokens with 10-minute TTL, single-use enforcement.
  • Cross-Site Scripting (XSS): Output encoding applied in all server-rendered HTML (OAuth callback pages).
  • CORS: Firebase ID token required on all API endpoints regardless of origin.

7. Rate Limiting

  • Encryption/decryption operations: 60 requests per minute per user
  • AI features (Ask Lexi): 10 requests per 2 minutes per user
  • OAuth initiations: 20 per hour per user
  • File uploads: 10 per hour per user

Implementation: Firestore-backed sliding windows with automatic TTL expiry.

8. Audio & Voice Data

  • Voice recordings are processed in real-time via streaming transcription.
  • Audio is not retained on our servers. In the real-time flow it is streamed directly to Deepgram over an encrypted connection; where audio is briefly buffered to complete a transcription, it is held only in ephemeral storage and deleted immediately after the transcript is returned.
  • Voice Activity Detection (VAD) gates audio on-device before transmission, reducing unnecessary data transfer.
  • Temporary Deepgram tokens are issued per-session (not full API keys).

9. Vulnerability Management

We commit to the following remediation timelines from the moment a vulnerability is confirmed (whether discovered internally or reported by a researcher):

  • Critical severity: Patch within 24 hours. Includes actively exploited vulnerabilities and any flaw appearing on the CISA Known Exploited Vulnerabilities (KEV) catalog.
  • High severity: Patch within 7 days.
  • Medium severity: Patch within 30 days.
  • Low severity: Patch within 90 days.

We publish security advisories for any Critical or High severity fix that affects user data or authentication, with the root cause and mitigation, in the release notes for the affected version.

Report security issues to: security@lex-protocol.com (see also our security.txt).

Safe harbor: We will not pursue or support legal action against security researchers who act in good faith — accessing only their own test data, avoiding privacy violations, service degradation and data destruction, and giving us a reasonable opportunity to remediate before any public disclosure. If you are unsure whether a specific test is authorized, contact us first at security@lex-protocol.com and we will work with you.

We use automated dependency scanning and keep all dependencies up to date.

10. Data Retention & Deletion

  • Ask Lexi chat histories: Automatically deleted after 90 days of inactivity.
  • Audio recordings: Never retained — streamed in real time, and any briefly staged upload is deleted immediately after transcription.
  • Account deletion: All user data permanently removed after the 30-day recovery window below, including encrypted notes, folders, and associated metadata.
  • Soft-delete: 30-day recovery window for accidental deletions.

11. Monitoring & Incident Detection

  • Error monitoring via Sentry with real-time alerting
  • Discord webhook alerts for critical backend errors
  • Firebase Cloud Logging for all Cloud Function executions
  • Rate limit monitoring for abuse detection

See our Incident Response Plan at lex-protocol.com/incident-response.

12. Compliance

  • Applicable privacy law
  • Applicable data-breach notification laws
  • General Data Protection Regulation (GDPR) — aligned practices for EU users, with processor commitments in our Data Processing Agreement
  • Applicable consumer protection law

13. Contact

Security & General Inquiries

Security concerns: security@lex-protocol.com

General inquiries: support@lex-protocol.com

Avci Technologies Pty Ltd, Melbourne, VIC, Australia

ABN: 69 688 146 581

This security policy is reviewed and updated regularly. Our most recent internal security review was completed in April 2026. Lex Protocol has not yet obtained an independent third-party certification such as ISO 27001 or SOC 2.

Lex Protocol™

Your Legal Co-Pilot™

© 2026 Avci Technologies Pty Ltd. All rights reserved.

ContactPrivacy PolicyPrivacy Rights RequestTerms of ServiceUsage PolicyData Processing AgreementYour Privacy ChoicesPrivacy & SafetyProductBlog