§ Security

Defence in depth, not compliance theatre

trust.lexlegis.ai

Built for matters that cannot leak.

Security is not a deployment flag or a checkbox exercise. It is architecture, certifications, defence in depth, and responsible disclosure discipline. Everything below is audited. Everything below is live.

§ 01 • Certifications

Five frameworks: two audited certifications, three privacy regimes.

International and Indian security and privacy frameworks. ISO/IEC 27001 and SOC 2 are audited annually by external assessors; GDPR, CCPA and DPDP are regulations rather than certifications, and compliance with them is maintained through continuous posture management.

  • ISO/IEC 27001: Information Security
  • SOC 2: Trust Services
  • GDPR: EU Data Protection
  • CCPA: California Privacy
  • DPDP: India Data Protection

§ 02 • Defence In Depth

Four layers. One posture.

Every input and every output passes through all four layers. No single control is load-bearing: the failure of any one layer is contained by the others, so it opens a ticket, not a breach.

Data Layer

  • TLS 1.3 in transit, AES-256 at rest
  • Customer-managed keys (BYOK) on Modes C, D and E
  • Hardware Security Modules (HSMs) for key storage
  • Zero customer content in shared training
  • Matter-level isolation on multi-tenant SaaS

Identity Layer

  • SAML 2.0, OIDC, SCIM 2.0 provisioning
  • SSO required on all Enterprise deployments
  • Role Based Access Control with custom roles
  • MFA enforced via customer IdP policies
  • Session recording and replay on Enterprise

Network Layer

  • VPC isolation on Modes B and C
  • Private Link and Private Service Connect
  • Web Application Firewall, DDoS protection
  • IP allow-listing and geo-restrictions
  • No inbound traffic on Modes D and E

Model Layer

  • Prompt injection detection and sanitisation
  • Output hallucination detection, meta-reasoning gate
  • Custom guardrails per tenant
  • Model poisoning defence via signed checkpoints: a checkpoint's signature is verified against a pinned release key before it is loaded
  • Inference audit trail: every call logged and attributable to a tenant, user and model version

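
The signed-checkpoint gate in the Model Layer, shown as an added example in Go; this is illustrative code written for this page, not Lexlegis.ai's implementation. It assumes a hypothetical manifest format (model ID, version, SHA-256 of the checkpoint bytes) signed with Ed25519 by a release key whose public half is pinned in the serving environment. The load-time check verifies the signature first, then the digest, and refuses to load on either failure; the sample key pair and checkpoint bytes are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical record shipped beside a model checkpoint.
// The signature covers the canonical encoding of the other fields, so
// changing the version, the digest, or the checkpoint bytes themselves
// invalidates it.
type Manifest struct {
	ModelID   string
	Version   string
	SHA256    string // hex SHA-256 of the checkpoint bytes
	Signature []byte // Ed25519 signature over canonical()
}

// canonical is the exact byte string that is signed and verified.
func (m Manifest) canonical() []byte {
	return []byte(m.ModelID + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// SignCheckpoint models the release pipeline (hypothetical): hash the
// checkpoint and sign the manifest with the release private key.
func SignCheckpoint(priv ed25519.PrivateKey, modelID, version string, checkpoint []byte) Manifest {
	sum := sha256.Sum256(checkpoint)
	m := Manifest{ModelID: modelID, Version: version, SHA256: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, m.canonical())
	return m
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid: refusing to load")
	ErrDigestMismatch = errors.New("checkpoint digest does not match signed manifest: refusing to load")
)

// VerifyCheckpoint is the load-time gate. The pinned public key must
// validate the manifest before the digest is even consulted; an attacker
// who swaps the weights and re-hashes them still cannot re-sign.
func VerifyCheckpoint(pub ed25519.PublicKey, m Manifest, checkpoint []byte) error {
	if !ed25519.Verify(pub, m.canonical(), m.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(checkpoint)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Constructed sample: a fresh release key pair and stand-in checkpoint bytes.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	checkpoint := []byte("weights-v1: constructed stand-in for a checkpoint file")
	m := SignCheckpoint(priv, "lex-draft", "2024.1", checkpoint)

	fmt.Println("genuine:", VerifyCheckpoint(pub, m, checkpoint)) // <nil>

	// Poisoned weights presented with the original manifest: digest mismatch.
	poisoned := append([]byte{}, checkpoint...)
	poisoned[0] ^= 0x01
	fmt.Println("poisoned weights:", VerifyCheckpoint(pub, m, poisoned))

	// Attacker updates the digest to match the poisoned weights but has no
	// release key, so the signature no longer covers the manifest.
	forged := m
	sum := sha256.Sum256(poisoned)
	forged.SHA256 = hex.EncodeToString(sum[:])
	fmt.Println("forged manifest:", VerifyCheckpoint(pub, forged, poisoned))
}
```

The order of checks matters: verifying the signature before trusting the digest means the digest is only ever compared against a value the release key vouched for. In production the public key would be pinned in the serving image or fetched from the HSM-backed key store described in the Data Layer, never read from the same location as the checkpoint.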
§ 03 • Data Handling

Your data stays yours.

The commitments below govern how customer content moves through Lexlegis.ai. They are contractual, not aspirational.

No training on your data.

Your uploaded documents, queries and outputs never enter training corpora for shared models. Fine-tuning on your data, if offered, happens only under a signed DPA and only inside your deployment boundary.

Data residency by design.

Mode A data is in India. Mode B is on L&T Vyoma sovereign cloud. Mode C is in your chosen region. Modes D and E are on your premises. Residency is architecture, not a flag.

Minimum retention.

We retain customer content only as long as required to service the account. Retention windows are configurable down to zero on Enterprise and on Modes D and E.

Portable on exit.

All customer data is exportable at any time in standard formats. On termination, data is returned or destroyed at customer election, with attestation.

§ 04 • Responsible Disclosure

Found something? Please tell us.

We operate a coordinated disclosure programme for security researchers. Acknowledgement within 24 hours, triage within 72, fix or mitigation within defined SLAs by severity.

How to report

Submit via our Trust Center

Report vulnerabilities through trust.lexlegis.ai. Include steps to reproduce, the affected component, and your preferred credit (if any). We will not pursue legal action against researchers who act in good faith.

Our commitments

Acknowledgement, remediation, credit

We acknowledge within 24 hours, triage within 72, and close or mitigate per severity SLAs. Credit is public in our security advisories where researchers permit.

Start today

Legal AID is live. MIRA is open.

Start a free trial of Ask, Interact and Draft; no credit card required. MIRA early access is open now: request a slot and a specialist will reach out within one working day.