Security & Compliance

Law firms handle some of the most sensitive information in any industry. Attorney-client privilege, personally identifiable information, financial records, and confidential case details demand the highest level of security. At OpenLaw AI, security and compliance are not features we add — they are foundational to everything we build.

  • SOC 2: Type II in progress
  • AES-256: encryption
  • 99.9%: uptime SLA

Lexi AI is designed to meet the stringent security requirements of law firms of every size. From solo practitioners to AmLaw 200 firms, our team has built Lexi with enterprise-grade protections that earn the trust of general counsels, IT administrators, and managing partners.

SOC 2 Type II Certification (In Progress)

Lexi AI is actively pursuing SOC 2 Type II certification, the gold standard for demonstrating that a SaaS platform maintains rigorous security controls over an extended period. Unlike SOC 2 Type I, which evaluates controls at a single point in time, Type II verifies that controls are operating effectively over a minimum audit period — typically six months or more.

Our SOC 2 audit will cover the Trust Services Criteria for Security, Availability, Confidentiality, and Processing Integrity. For updates on our certification timeline or to discuss our current security controls, contact our team.

CASA Certification

Lexi AI is CASA (Cloud Application Security Assessment) certified. CASA is an industry framework that evaluates cloud applications against a comprehensive set of security requirements, including application security, data protection, identity management, and infrastructure hardening. CASA certification provides an additional layer of assurance beyond SOC 2, specifically focused on the security posture of cloud-native applications.

GDPR Compliance

OpenLaw AI is fully compliant with the European Union's General Data Protection Regulation (GDPR). For firms with international clients or operations in the EU, Lexi provides the data processing safeguards required under GDPR, including:

  • Lawful basis for data processing with clear data processing agreements (DPAs)
  • Data subject rights support including access, rectification, erasure, and portability
  • 72-hour breach notification procedures
  • Data minimization and purpose limitation by design

CCPA Compliance

Lexi AI complies with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). We provide California residents with the rights to know what personal information is collected, request deletion of personal data, and opt out of the sale of personal information. OpenLaw AI does not sell personal data to third parties.

Encryption

All data processed by Lexi AI is encrypted both at rest and in transit. We use industry-standard encryption protocols to ensure that client data remains protected at every stage:

  • In transit: TLS 1.3 for all API traffic, webhook payloads, and user sessions. We enforce HTTPS across all endpoints with HSTS preloading.
  • At rest: AES-256 encryption for all stored data, including case files, client records, documents, and conversation logs. Encryption keys are managed through a dedicated key management service with automatic rotation.

Data Retention & Deletion

Firms have full control over their data retention policies. Lexi AI retains data only for the duration necessary to provide services and comply with legal obligations. Upon termination of service, all firm data is permanently deleted within 30 days, with a certificate of destruction available upon request. Firms can also request immediate data deletion at any time through the admin dashboard or by contacting our support team.

Access Controls

Lexi AI implements role-based access control (RBAC) that mirrors the permission structures law firms already use. Firm administrators can configure access at the user, practice area, and case level. Internal access to production systems is restricted to authorized OpenLaw engineering personnel, requires multi-factor authentication (MFA), and is logged in immutable audit trails. We follow the principle of least privilege across all systems.

Infrastructure Security

Lexi AI is hosted on Google Cloud Platform (GCP), leveraging GCP's SOC 2, ISO 27001, and FedRAMP-certified infrastructure. Our architecture includes:

  • Network segmentation and private VPC isolation for each customer environment
  • Automated vulnerability scanning and patch management
  • DDoS protection and web application firewall (WAF) at the edge
  • Redundant backups with cross-region replication for disaster recovery

Penetration Testing

OpenLaw AI engages independent third-party security firms to conduct penetration testing on a quarterly basis. These assessments cover application-layer vulnerabilities, API security, authentication mechanisms, and infrastructure hardening. Findings are triaged by severity, and critical or high-severity issues are remediated within 48 hours. Summary reports are available to enterprise customers upon request.

Responsible Disclosure

We welcome security researchers to report potential vulnerabilities in Lexi AI. If you discover a security issue, please report it responsibly to security@openlaw.com. We commit to acknowledging your report within 24 hours, providing regular updates on our investigation, and crediting researchers who follow responsible disclosure practices. We do not pursue legal action against researchers who act in good faith.

AI Model Security

Lexi AI's language models are deployed within our own infrastructure — client data is never used to train or fine-tune public AI models. All AI processing occurs within our secure environment, and firm data is strictly isolated. We implement output filtering, prompt injection defenses, and continuous monitoring to ensure AI-generated content meets the standards practicing attorneys expect.

Compliance Documentation

We make the following documentation available to firms conducting security reviews and vendor assessments:

  • SOC 2 Type II audit report (available upon completion)
  • CASA certification documentation
  • Data Processing Agreement (DPA)
  • Penetration testing summary reports
  • Business Continuity and Disaster Recovery (BCDR) plan
  • Vendor security questionnaire responses (SIG Lite, CAIQ)

SOC 2 Type II (In Progress)

Actively pursuing the gold standard for SaaS security — rigorous controls verified over an extended audit period.

CASA Certified

Cloud Application Security Assessment approval for comprehensive cloud-native security posture.

GDPR Compliant

Full data processing safeguards for firms with international clients or EU operations.

Zero-Trust Architecture

Role-based access control, MFA, least privilege, and immutable audit trails across all systems.

Have security questions or need compliance documentation? Contact our team or email security@openlaw.com. You can also book a demo to see how Lexi AI handles sensitive legal data in practice, or read our customer stories to learn how firms trust Lexi with their most critical work.

Trusted by Leading Law Firms

Built for the confidentiality standards of law

Book a free 30-minute assessment and we'll show you exactly where Lexi can save your firm time and money.
