ai-insights | December 5, 2024 | 7 min read

Security-first architecture: How we protect your data

Row-level security, encryption, and the technical decisions behind Lexic's data protection.

When you trust a service with your knowledge base, you're trusting them with your professional memory—notes about clients, strategies, decisions, and insights that could be sensitive or proprietary.

At Lexic, security isn't a feature we added. It's the foundation we built on.

The Trust Equation

Most productivity tools treat security as a checklist: encrypt data, add SSO, publish a privacy policy. Check the boxes, move on.

We think differently. Your notes contain:

  • Client information and business strategies
  • Personal reflections and half-formed ideas
  • Meeting notes with confidential content
  • Intellectual property in development

This isn't data that should be protected by minimum viable security. It demands architecture designed for sensitive information from the ground up.

Multi-Tenant Isolation

Lexic is a multi-tenant system—multiple organizations share infrastructure. This is standard for SaaS, but the implementation matters enormously.

Row-Level Security

Every database query in Lexic runs through row-level security policies. It's not possible to write a query that returns another organization's data—the database itself enforces isolation.

This isn't application-level filtering that could be bypassed with a bug. It's database-enforced policy that operates below the application layer.

Workspace Boundaries

Even within an organization, workspaces maintain boundaries. A user in Workspace A cannot query Workspace B's data, even within the same organization, unless explicitly granted access.
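
The organization and workspace boundaries described above can be expressed as database policies. The following is an added example, not Lexic's own schema or code: it assumes PostgreSQL, and every table, role and setting name in it (`notes`, `workspace_members`, `app_user`, `app.org_id`, `app.user_id`) is hypothetical.

```sql
-- Added example: PostgreSQL assumed; all names and UUIDs are constructed.
CREATE TABLE notes (
    id           bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    org_id       uuid NOT NULL,
    workspace_id uuid NOT NULL,
    body         text NOT NULL
);
CREATE TABLE workspace_members (
    workspace_id uuid NOT NULL,
    user_id      uuid NOT NULL,
    PRIMARY KEY (workspace_id, user_id)
);

-- The application role does not own the tables and has no BYPASSRLS attribute;
-- superusers and BYPASSRLS roles are never subject to policies.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON notes TO app_user;
GRANT SELECT ON workspace_members TO app_user;

ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE notes FORCE ROW LEVEL SECURITY;  -- policies also bind the table owner

-- Organization boundary: a RESTRICTIVE policy is ANDed with every other policy,
-- so no later permissive policy can widen access across organizations.
CREATE POLICY org_isolation ON notes AS RESTRICTIVE
    USING      (org_id = current_setting('app.org_id')::uuid)
    WITH CHECK (org_id = current_setting('app.org_id')::uuid);

-- Workspace boundary: rows are visible and writable only through membership.
CREATE POLICY workspace_membership ON notes AS PERMISSIVE
    USING (EXISTS (SELECT 1 FROM workspace_members m
                   WHERE m.workspace_id = notes.workspace_id
                     AND m.user_id = current_setting('app.user_id')::uuid));

-- Per-request session: identity is set transaction-locally from the verified login.
-- If either setting is missing, current_setting() raises an error (fails closed).
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.org_id',  '00000000-0000-0000-0000-0000000000a1', true);
SELECT set_config('app.user_id', '00000000-0000-0000-0000-0000000000b2', true);
SELECT id, body FROM notes;  -- no WHERE clause, yet only permitted rows return
COMMIT;

-- Check for review: every tenant table should report both flags as true.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class WHERE relname = 'notes';
```

The policies protect against application queries that omit a tenant filter; they depend on the session settings being written only by trusted connection code, since a caller able to run arbitrary SQL as `app_user` could call `set_config` itself.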

Service Isolation

Background services (entity extraction, search indexing, etc.) process only data they're explicitly granted access to. A bug in one service cannot cascade into unauthorized data access.

Encryption Layers

Your data is encrypted at multiple layers:

In transit: All connections use TLS 1.3. There's no unencrypted path to our services.

At rest: Database storage is encrypted using AES-256. Your notes are never stored in plaintext on disk.

Application layer: Sensitive fields (API keys, connection strings) are encrypted before database storage with keys managed separately from the database.

What This Means

Even if an attacker gained database access, they would find encrypted data. Even if they obtained encrypted data, they would lack the keys. Defense in depth means no single breach is catastrophic.

Authentication & Access

Identity Management

Lexic supports multiple authentication methods:

  • Email/password with enforced complexity requirements
  • OAuth providers (Google, Microsoft) with SSO support
  • SAML integration for enterprise identity providers

Session Security

Sessions are short-lived and bound to device fingerprints. Suspicious activity (new device, unusual location) triggers additional verification.

Permission Model

Role-based access control governs what users can do. Permissions are denied by default—users have access only to what's explicitly granted.

Audit Trail

Every significant action in Lexic is logged:

  • Who accessed what data, when
  • What changes were made to notes, workspaces, permissions
  • All administrative actions and configuration changes

Audit logs are append-only and retained according to your organization's policy. They're designed for compliance review and security investigation.
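
One way to make an audit table append-only at the database level, as an added example that is not Lexic's implementation: it assumes PostgreSQL 11 or later, and the table, role, function and trigger names are hypothetical.

```sql
-- Added example: PostgreSQL assumed; all names are hypothetical.
CREATE TABLE audit_log (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor_id    uuid  NOT NULL,          -- who
    action      text  NOT NULL,          -- what was done
    target      text  NOT NULL,          -- note, workspace or permission affected
    detail      jsonb NOT NULL DEFAULT '{}'::jsonb
);

-- The writing role may only INSERT: no SELECT, UPDATE, DELETE or TRUNCATE.
CREATE ROLE audit_writer NOLOGIN;
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT INSERT ON audit_log TO audit_writer;

-- Second layer: reject modification even from a role that was later
-- granted wider privileges by mistake.
CREATE FUNCTION audit_log_reject_change() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % rejected', TG_OP;
END;
$$;

CREATE TRIGGER audit_log_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_reject_change();

CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_reject_change();

-- The table owner and superusers can still disable triggers, so those
-- roles are kept out of the application's connection pool.
-- Review check: list who holds which privileges on the table.
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_name = 'audit_log';
```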

AI Processing Security

When AI processes your notes, additional protections apply:

Ephemeral processing: Content sent for AI processing is not retained by the AI provider after the request completes.

Data minimization: We send only the necessary content—not your entire knowledge base for context.

Provider agreements: Our AI providers are contractually bound regarding data handling and retention.

Transparency on Processing

You see exactly what's being processed before it happens. No hidden background analysis, no surprise AI operations on your data.

Infrastructure Security

Our infrastructure follows security best practices:

  • Isolated VPCs: Production workloads run in isolated virtual private clouds
  • Minimal exposure: Only necessary ports and services are publicly accessible
  • Regular rotation: Credentials and secrets rotate on schedule
  • Automated patching: Infrastructure receives security updates automatically

Incident Response

We maintain an incident response plan including:

  • 24/7 monitoring for anomalous activity
  • Defined escalation procedures
  • Communication protocols for affected users
  • Post-incident review process

We haven't had a security incident, but we're prepared if one occurs.

Compliance Path

Lexic is designed with compliance in mind. Our architecture supports:

  • SOC 2: We're pursuing SOC 2 Type II certification
  • GDPR: Data residency options and deletion capabilities
  • HIPAA: Architecture supports BAA requirements for healthcare use cases

What We Ask of You

Security is a partnership. We provide secure infrastructure; you maintain secure practices:

  • Use strong, unique passwords (or SSO)
  • Enable two-factor authentication
  • Review access permissions periodically
  • Report suspected security issues promptly

The Security Commitment

Your knowledge base is among your most valuable professional assets. We treat protecting it as our most important job.

Questions about our security practices? Contact security@lexic.io. We're happy to provide additional detail or discuss specific compliance requirements.