Enterprise-grade security, built for Indian law.
SOC 2 Type II in progress. ISO 27001 planned. DPDP-compliant by design. Data residency in India. Reviewed by CERT-In-empanelled auditors.
Certifications & Compliance
Our security posture is designed for enterprise legal teams, regulated institutions, and government buyers.
SOC 2 Type II
Independent audit of our security controls (availability, security, confidentiality). Scoped for Q4 2026 completion with Prescient Assurance.
ISO 27001:2022
Information Security Management System certification. Gap assessment complete; certification targeted for Q1 2027.
DPDP Act 2023
Designed from the ground up for India's data protection framework. Data Principal rights, consent management, breach notification, processor agreements.
OWASP ASVS Level 2
Application security verification against OWASP standards. Quarterly penetration testing by a CERT-In-empanelled auditor.
Security Controls
Data residency in India
All customer data stored in Mumbai (AWS ap-south-1) and Hyderabad. Explicit opt-in required for cross-border processing. DPDP Section 16 compliant.
Encryption at rest and in transit
AES-256 at rest via AWS KMS with customer-managed keys (enterprise). TLS 1.3 in transit. Field-level encryption for high-sensitivity contract clauses.
Role-based access (RBAC)
Matter-level access controls. Ethical walls for conflict matters. SCIM provisioning for enterprise. Just-in-time access for LexiReview support with audit trail.
Audit logging
SHA-256 chained audit logs (CAG-compliant). Tamper-evident. 7-year retention. Export-ready for client audits, regulatory inquiries, and LODR reporting.
Single Sign-On
SAML 2.0 + OIDC. Integrations with Okta, Azure AD, Google Workspace, OneLogin. MFA enforced for admin access.
Incident response
24×7 security operations. 60-minute acknowledgement SLA for enterprise. Breach notification framework aligned with DPDP Section 8(6) rule draft.
Compliance Documents
Available for enterprise buyers under mutual NDA.
Data Processing Agreement (DPA)
Standard DPA covering DPDP Act obligations as a Data Processor. Auto-populated with customer's data categories.
Security whitepaper
Detailed technical architecture, threat model, and security controls. Available under NDA.
Penetration test summary
Latest CERT-In-empanelled pen test executive summary. NDA required for full report.
Sub-processor list
Current list of sub-processors (AWS, Anthropic, Cloudflare, Resend, Razorpay). Updated as changes occur.
Business Continuity Plan
99.9% uptime SLA for enterprise. Multi-region failover. RPO ≤ 1 hour, RTO ≤ 4 hours.
Your data stays in India.
Primary: AWS Mumbai (ap-south-1). DR: AWS Hyderabad. No cross-border processing without explicit consent. DPDP Section 16 ready.
By the numbers
- Primary region: Mumbai
- DR region: Hyderabad
- Encryption: AES-256 / TLS 1.3
- Uptime SLA: 99.9%
- RPO / RTO: ≤1h / ≤4h
Security questions?
Our security team responds to enterprise buyer questions within 1 business day.