Enterprise Security

Built for the Standards Law Firms Require

Your client data stays yours. We never use it to train models, we isolate every tenant, and we are on the path to SOC 2 Type II certification.

Our Security Commitments

Zero Training Guarantee

LexNav contractually prohibits model providers from training on your data. Your queries, documents, and results are never used to improve any AI model.

Encryption Everywhere

All data in transit is protected by TLS 1.3 via Cloudflare. Data at rest is stored on encrypted volumes with AES-256. No plaintext data leaves your session.

Strict Tenant Isolation

Every database query is scoped to your organization's tenant ID. BOLA-protected endpoints ensure no user can access another firm's data, even with a valid session.

Role-Based Access Controls

Owner, Member, and Developer roles with granular API key scoping (NAV-1, NAV-2, NAV-3, or Enterprise). API keys are SHA-256 hashed — never stored in plaintext.
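As an illustration of the two controls above (tenant-scoped queries and hashed API keys), the following is an added example, not LexNav's code. The table layout, the `demo_` key prefix, and the tenant names are constructed assumptions; only the NAV-1 and NAV-2 scope labels come from this page.

```python
import hashlib
import hmac
import secrets
import sqlite3

def key_digest(raw_key: str) -> str:
    # Keys here are 256-bit random values, so an unsalted SHA-256 digest
    # cannot be brute-forced offline the way a hashed password could.
    return hashlib.sha256(raw_key.encode()).hexdigest()

def new_db() -> sqlite3.Connection:
    # Hypothetical schema: every row carries the tenant it belongs to.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE api_keys (key_hash TEXT PRIMARY KEY,
                               tenant_id TEXT NOT NULL, scope TEXT NOT NULL);
        CREATE TABLE documents (id INTEGER PRIMARY KEY,
                                tenant_id TEXT NOT NULL, title TEXT NOT NULL);
    """)
    return db

def issue_key(db, tenant_id: str, scope: str) -> str:
    # The raw key is returned to the caller once; only its digest is stored.
    raw_key = "demo_" + secrets.token_urlsafe(32)
    db.execute("INSERT INTO api_keys VALUES (?, ?, ?)",
               (key_digest(raw_key), tenant_id, scope))
    return raw_key

def authenticate(db, raw_key: str):
    digest = key_digest(raw_key)
    row = db.execute("SELECT key_hash, tenant_id, scope FROM api_keys "
                     "WHERE key_hash = ?", (digest,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], digest):
        return None
    return {"tenant_id": row[1], "scope": row[2]}

def get_document(db, principal: dict, doc_id: int):
    # BOLA check: the tenant comes from the authenticated key, never from the
    # request, and is part of the WHERE clause. Another firm's id yields None,
    # which the API layer should report as "not found".
    return db.execute("SELECT id, title FROM documents "
                      "WHERE id = ? AND tenant_id = ?",
                      (doc_id, principal["tenant_id"])).fetchone()

def build_demo():
    # Constructed sample data: two firms, one document each.
    db = new_db()
    db.executemany("INSERT INTO documents VALUES (?, ?, ?)",
                   [(1, "firm-a", "Engagement letter"),
                    (2, "firm-b", "Merger memo")])
    return db, issue_key(db, "firm-a", "NAV-1"), issue_key(db, "firm-b", "NAV-2")
```

When evaluating a vendor claim like this one, the useful test is the second case: a valid key for one tenant requesting an object id that belongs to another.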

Audit Logs

Every session, API key event, and navigate request is logged with timestamps. Your team can review access history at any time from the portal.

SOC 2 Type II — In Progress

We are on the path to SOC 2 Type II certification, expected Q4 2026. Our controls framework follows AICPA Trust Services Criteria. Penetration testing is planned for Q3 2026.

How We Handle Your Data

Where is my data stored?

All data is stored in the United States on dedicated hardware behind Cloudflare Tunnel. We do not use multi-tenant cloud databases — your data is never co-mingled with other organizations at the storage layer.

Do you share data with AI providers?

We use OpenRouter to route LLM requests. Requests are processed to generate your legal paths and documents — they are not retained by model providers or used for training. This is contractually guaranteed.

What happens to my data if I cancel?

Upon request, we will delete all your organization's data within 30 days of cancellation. We can provide a written confirmation of deletion.

Do you have a Data Processing Agreement (DPA)?

Yes. You can read and sign our DPA at lexnav.ai/legal/dpa. It covers GDPR Article 28 obligations — one click, no PDF upload required.

When will you have SOC 2 Type II?

We are targeting SOC 2 Type II certification by Q4 2026. We are currently implementing controls and evaluating audit partners. Customers can request our current security posture documentation.

Questions About Our Security Posture?

Our team responds to security inquiries within one business day.

Contact Security Team