Designed for attorney confidentiality obligations

Built around your confidentiality obligations — not ours

Every security decision we made was shaped by one question: what does an attorney need to be able to upload client files without hesitation?

Encryption in transit and at rest

All data is encrypted using TLS 1.2+ in transit and AES-256 at rest. Encryption is managed by Supabase on AWS infrastructure.

Firm-level data isolation

Every firm's documents, embeddings, and query history are stored in a completely isolated environment enforced by database row-level security. No data is ever shared between firms.

No AI training on your data

Your documents and queries are never used to train AI models — by us or by our AI providers. This is contractually enforced with OpenAI under their API Data Usage Policy. AI outputs are generated from your documents only and must be independently reviewed before reliance.

Role-based access controls

Owner, admin, and member roles restrict what actions each team member may perform. Matter-level access restrictions allow creators to limit which team members can view sensitive matters.

Data Processing Agreement (DPA)

LexVault provides a publicly available DPA covering CCPA service provider obligations, applicable state bar data handling standards, and GDPR Article 28 requirements.

Audit logging

All material actions within the Service — document uploads, deletions, matter creation, team invitations, and access grants — are recorded in a tamper-evident audit log accessible to firm owners and admins.

Infrastructure

Cloud provider: Supabase (hosted on AWS)
Data region: United States (US East)
Uptime target: 99.9% monthly (excluding scheduled maintenance)
Backups: Daily automated backups with 30-day retention (managed by Supabase)
AI provider: OpenAI (GPT-4o for completions; text-embedding-3-small for embeddings) — customer data is not used for model training per OpenAI's API Data Usage Policy
Hosting: Vercel (application layer) — United States and global CDN
Email delivery: Resend — transactional emails only (account confirmations, invitations)

Attorney ethics & confidentiality

LexVault is designed with attorney professional responsibility obligations in mind (ABA Model Rule 1.6 and applicable state equivalents). Documents uploaded to LexVault are stored in your firm's isolated environment and are not accessible to any other user or firm. LexVault personnel do not access your documents for any purpose other than providing the Service.

We recommend that firms review their state bar's guidance on cloud storage and AI use with client documents before uploading confidential matter files. We can provide information about our security architecture and data handling practices to assist with any required client disclosure or bar ethics review.

AI-generated outputs are research tools, not legal advice. Attorneys remain solely responsible for all work product and are required to independently verify any AI-assisted analysis before relying on it or sharing it with clients.

Request security information

Data Processing Agreement

Our publicly available DPA covers CCPA service provider obligations, applicable state bar data handling standards, and GDPR Article 28 requirements. No request needed — available to all customers.
