Security

LexiReview is built with security at its core. Every layer of the platform — from data ingestion to AI analysis to contract storage — is designed to meet the security standards expected by regulated industries, government departments, and enterprise legal teams.

Infrastructure Security

  • Data residency — All data is stored on servers located in India, ensuring compliance with data localisation requirements under the DPDP Act 2023 and government data policies.
  • Encryption at rest — AES-256 encryption for all stored data, including contracts, analysis outputs, and user information.
  • Encryption in transit — TLS 1.3 for all data transmission between your browser and our servers.
  • Network security — Firewall protection, intrusion detection systems, and DDoS mitigation.
  • Isolated environments — Production, staging, and development environments are fully isolated.

Application Security

  • Authentication — Secure authentication with support for multi-factor authentication (MFA) and single sign-on (SSO) for Enterprise plans.
  • Role-based access control (RBAC) — Granular permissions ensuring users only access data relevant to their role.
  • Session management — Automatic session timeouts, secure session tokens, and concurrent session controls.
  • Input validation — All user inputs are validated and sanitised to prevent injection attacks.
  • Dependency management — Automated vulnerability scanning of all third-party dependencies.

Chain-Hashed SHA-256 Audit Trails

Every action on the LexiReview platform is recorded in a cryptographically linked audit trail using SHA-256 hashing. Each log entry includes the event data, timestamp, user attribution, and the hash of the preceding entry — creating a tamper-evident chain.

  • If any entry is altered, deleted, or inserted after the fact, the chain breaks and tampering is immediately detectable.
  • Suitable for CAG audits, CVC inquiries, and regulatory inspections.
  • On-demand chain verification and exportable audit reports.
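
The chain construction described above, as an added example (not LexiReview's code): each entry's SHA-256 covers its own fields plus the preceding entry's hash, and verification walks the chain to find the first entry that no longer links. The field names, the all-zero genesis value, the canonical JSON encoding and the externally stored `trusted_head` are assumptions made for this illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first entry


def entry_hash(body):
    """SHA-256 over a canonical (sorted-key, compact) JSON encoding of the entry."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append(chain, event, user, timestamp):
    """Append an entry that commits to the hash of the preceding entry."""
    body = {
        "seq": len(chain),
        "timestamp": timestamp,
        "user": user,
        "event": event,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    entry = dict(body, hash=entry_hash(body))
    chain.append(entry)
    return entry


def verify(chain, trusted_head=None):
    """Return (ok, index of the first entry that fails, or None)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        linked = entry.get("seq") == i and entry.get("prev_hash") == prev
        if not linked or entry_hash(body) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    # Cutting entries off the tail leaves a valid shorter chain; only a head
    # hash kept outside the log (assumed here) reveals that.
    if trusted_head is not None and prev != trusted_head:
        return False, len(chain)
    return True, None


def build_sample():
    """Constructed sample events, not real platform logs."""
    chain = []
    append(chain, "contract.upload", "alice", "2024-01-01T10:00:00Z")
    append(chain, "contract.analyse", "alice", "2024-01-01T10:01:00Z")
    append(chain, "report.export", "bob", "2024-01-01T10:05:00Z")
    return chain
```
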

Contract and Document Security

  • Document isolation — Each organisation's documents are logically isolated. No cross-tenant data access.
  • Processing security — Contracts are processed in isolated environments. Documents are not retained in processing queues after analysis.
  • No model training — Your contracts are never used to train our AI models. Your data remains exclusively yours.
  • Secure deletion — When you delete a contract or close your account, data is permanently removed within the retention periods specified in our Privacy Policy.

AI Model Security

  • 6 parallel engines — Each AI engine operates independently with separate processing pipelines.
  • Output validation — All AI outputs pass through validation layers before being presented to users.
  • No data leakage — AI analysis of one organisation's contracts does not influence outputs for another organisation.
  • Prompt injection protection — Safeguards against adversarial inputs that could manipulate AI outputs.

Compliance and Certifications

  • SOC 2 Type II — Compliance with SOC 2 standards for security, availability, and confidentiality.
  • DPDP Act 2023 — Full compliance with India's Digital Personal Data Protection Act. See our DPDP Compliance page.
  • ISO 27001 — Information security management aligned with ISO 27001 standards.
  • Indian regulatory alignment — Platform design accounts for RBI, SEBI, RERA, and CAG requirements for regulated entities.

Operational Security

  • Incident response — Documented incident response plan with defined escalation procedures and notification timelines.
  • Vulnerability management — Regular penetration testing by independent security firms, with prompt remediation of identified issues.
  • Employee security — Background checks, security training, and least-privilege access for all team members.
  • Business continuity — Regular backups, disaster recovery procedures, and tested recovery time objectives.
  • Vendor assessment — All third-party vendors undergo security assessment before integration.

Responsible Disclosure

We welcome responsible security researchers to report vulnerabilities. If you discover a security issue, please contact us at security@lexireview.in. We commit to acknowledging reports within 24 hours and providing regular updates on remediation progress.

Questions?

For security-related inquiries, contact our security team at security@lexireview.in or visit our Contact page.