Last updated: April 23, 2026
Lexitio is built for legal professionals who handle sensitive, privileged client information. Every architectural and operational decision is made with the assumption that your data requires the highest level of protection — not because a regulator demands it, but because attorney-client privilege is the foundation of legal practice.
Each firm's data is completely separate from every other firm.
Every database query is filtered by tenant_id. A query from Firm A cannot return data belonging to Firm B — this is enforced at the ORM layer on every route.
PostgreSQL Row Level Security (RLS) policies are applied to all tenant-scoped tables as a second enforcement layer. Even if an application bug skips the ORM filter, the database itself returns only the current tenant's rows. Because table owners and superusers bypass RLS unless FORCE ROW LEVEL SECURITY is set on the table, this layer only holds when the application's database role is neither, and when the tenant identity the policy checks is set on each transaction rather than left on a pooled connection.
No table that contains firm data is shared across tenants without an enforced tenant_id predicate. Cross-tenant data leaks are structurally impossible in normal operation.
Data is encrypted in transit and at rest.
All connections to Lexitio are protected by TLS 1.2 or higher. Unencrypted HTTP connections are redirected to HTTPS. API connections use TLS with strong cipher suites.
All uploaded documents, case files, and evidence are stored in Amazon S3 with server-side AES-256 encryption (SSE-S3). Database volumes are encrypted at the infrastructure level.
Passwords are hashed using bcrypt with per-user salts. We never store plaintext passwords, and password hashes are never transmitted or logged.
Who can see and do what is strictly enforced.
Every user is assigned a role (admin, attorney, paralegal, staff). Permissions are enforced at the API layer on every endpoint — there is no UI-only permission check.
Authentication uses signed JWTs. Tokens invalidated by logout are added to a blocklist and rejected on every subsequent request, even before they expire.
Programmatic access uses API keys (sk-lex_ prefix) with per-key permission scopes. Keys are hashed before storage.
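As an added illustration of the two mechanisms above (this is example code written for this page, not Lexitio's implementation): an HS256 JWT issued with a unique jti, a logout blocklist keyed on that jti, and an sk-lex_ API key that is stored only as a hash together with its permission scopes. The signing key, the one-hour lifetime, the in-memory stores and the scope names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, FrozenSet, Optional, Tuple

# Assumed for this example: a server-side HMAC key and a one-hour token lifetime.
# The page does not state the real key management, lifetime or storage backend.
SIGNING_KEY = b"example-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 3600
API_KEY_PREFIX = "sk-lex_"

# Example in-memory stores; a real deployment shares these across app instances.
REVOKED_JTIS: Dict[str, int] = {}                      # jti -> exp of the revoked token
API_KEYS: Dict[str, Tuple[str, FrozenSet[str]]] = {}   # sha256(key) -> (tenant_id, scopes)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    """Compact JSON, base64url-encoded, as used for JWT header and payload segments."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_jwt(user_id: str, tenant_id: str, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT with a random jti so the token can be revoked before exp."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "tenant_id": tenant_id, "iat": now,
              "exp": now + TOKEN_TTL_SECONDS, "jti": secrets.token_hex(16)}
    signing_input = encode_segment(header) + "." + encode_segment(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, expiry and blocklist checks all pass, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64, undecodable or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the token must never choose "none" or another alg.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    jti = claims.get("jti")
    if not jti or jti in REVOKED_JTIS:  # logged out before expiry
        return None
    return claims


def revoke_jwt(token: str, now: Optional[float] = None) -> bool:
    """Logout: blocklist the token's jti. Entries can be pruned once their exp passes."""
    claims = verify_jwt(token, now)
    if claims is None:
        return False
    REVOKED_JTIS[claims["jti"]] = claims["exp"]
    return True


def api_key_hash(key: str) -> str:
    # Plain SHA-256 is adequate here: the key is 256-bit random, so a slow password
    # hash is not needed to make a leaked hash table resistant to offline guessing.
    return hashlib.sha256(key.encode()).hexdigest()


def create_api_key(tenant_id: str, scopes: set) -> str:
    """Return a new sk-lex_ key; only its hash and scopes are stored."""
    key = API_KEY_PREFIX + secrets.token_urlsafe(32)
    API_KEYS[api_key_hash(key)] = (tenant_id, frozenset(scopes))
    return key  # shown to the user once; never persisted in plaintext


def authorize_api_key(key: str, required_scope: str) -> Optional[str]:
    """Return the owning tenant_id if the key exists and carries the scope, else None."""
    if not key.startswith(API_KEY_PREFIX):
        return None
    record = API_KEYS.get(api_key_hash(key))
    if record is None:
        return None
    tenant_id, scopes = record
    return tenant_id if required_scope in scopes else None
```

Two details carry the security weight: the algorithm is pinned server-side so a client cannot downgrade to an unsigned token, and the signature is compared with hmac.compare_digest rather than ==. The blocklist only needs to hold a jti until that token's exp, after which the expiry check rejects it anyway, so the store stays small.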
Login attempts are rate-limited. Accounts are locked after repeated failed attempts. Session tokens expire automatically.
MFA via TOTP (Google Authenticator, Authy) is available for all accounts and strongly recommended for admin users.
Every sensitive action is recorded with a permanent, tamper-evident trail.
Every matter creation, document upload, AI query, user login, permission change, and data export is logged with user_id, tenant_id, timestamp, IP address, and action details.
Audit logs are retained for a minimum of 7 years to support legal and regulatory requirements. Logs are append-only and cannot be deleted or modified.
Firm administrators can view their own audit log at any time from the Settings dashboard without contacting support.
Resilient hosting with daily backups and offsite replication.
Lexitio runs on dedicated cloud infrastructure in the United States. No data is stored in consumer-grade or shared hosting environments.
PostgreSQL is backed up daily via automated pg_dump. Backups are compressed, encrypted, and shipped to Backblaze B2 (offsite object storage) with 30-day retention.
Backup integrity is verified by periodic restore tests. If a backup cannot be restored, we treat it as if no backup exists.
All services run in isolated Docker containers with no unnecessary network exposure. The database port is not publicly accessible.
Your client data is never used to train AI models.
Zero-training commitment
Your matter data, client information, uploaded documents, and AI query content are never used to train any AI model, including by any third-party provider we use.
AI queries are processed via Anthropic's API under its zero-data-retention API agreement, which contractually prohibits Anthropic from using API input and output for model training.
AI conversations are stateless. No chat history is retained on third-party AI infrastructure between sessions.
Each AI request is scoped to the current matter's data only. The AI cannot access data from other matters or other firms.
We have a documented plan for identifying, containing, and notifying on security incidents.
System logs, error monitoring (Sentry), and alerting are active 24/7. Anomalous access patterns trigger automated alerts.
On a confirmed breach, access for the affected tenant is isolated within 1 hour. The database row-level security layer limits the blast radius to the affected tenant.
Affected firms are notified within 72 hours of a confirmed breach that affects their data, consistent with GDPR and applicable US state law notification requirements.
Every security incident is documented in a post-mortem report with root cause analysis, timeline, and remediation steps.
If you believe you have discovered a security vulnerability in Lexitio, please report it responsibly to security@lexitio.com. We will acknowledge your report within 2 business days, provide regular status updates, and work with you on responsible disclosure timing. We do not take legal action against researchers who follow responsible disclosure principles.
Our security controls are built to the SOC 2 Trust Service Criteria from day one. Formal SOC 2 Type I certification is targeted for Q3 2026, with Type II to follow after the required 6-month observation period.
Enterprise firms requiring a SOC 2 report or a security questionnaire prior to contracting should contact security@lexitio.com — we maintain a pre-certification security questionnaire and can provide a Business Associate Agreement on request.
Security issues: security@lexitio.com
Enterprise / BAA requests: enterprise@lexitio.com