Security & Privacy

Built to protect what matters most.

LexMT is designed for European legal professionals who need a platform they can trust with sensitive client work. Every technical and organisational control is documented and independently reviewable.

EU Data Residency

All user data and legal queries are processed and stored exclusively on servers located in Helsinki, Finland. Your data never leaves the European Union.

End-to-End Encryption

All data in transit is protected by TLS 1.2 or higher. Data at rest is stored on Hetzner encrypted volumes. Passwords are hashed with bcrypt and never stored in plain text.

GDPR Compliant

LexMT processes only the minimum personal data necessary to operate the service. You can delete your account and all associated data at any time. Full details are in our Privacy Policy and DPA.

Your Queries Are Not Used to Train AI

Queries you submit to LexMT are processed in real time and are never used to train AI models. This applies to Anthropic and OpenAI processing under contractual data processing agreements.

ISO 27001 Aligned

LexMT operates an Information Security Management System aligned to ISO/IEC 27001:2022. A full risk register, asset inventory, and statement of applicability are maintained and reviewed annually.

No Advertising. No Data Selling.

LexMT is a subscription service. We have no advertising business model and we never sell, share, or broker personal data to third parties for commercial purposes.

Technical Controls

Security measures implemented at the infrastructure, application, and process level.

TLS 1.2+ Encryption in Transit
All connections to lex.mt are encrypted. HTTP is redirected to HTTPS automatically.
Encrypted Storage
The user database and all application data are stored on Hetzner encrypted NVMe volumes.
Secure Authentication
bcrypt password hashing (cost 12), HttpOnly session cookies with a 30-day expiry, Secure flag enforced.
Rate Limiting
API and authentication endpoints are rate-limited to prevent brute force and abuse.
Nightly Automated Backups
Full database backup every 24 hours with 7-day retention. Backup integrity is verified on each run.
Continuous Monitoring
Health checks run every 5 minutes. Alerts are sent automatically on service failure or unexpected restarts.
Patch Management
Ubuntu unattended security upgrades are enabled. Dependency vulnerabilities are reviewed on each deployment.
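
The authentication controls above can be checked mechanically rather than taken on trust. The following is an added example, not code from LexMT: a stdlib-only Python audit that reads the cost factor out of a stored bcrypt hash (so a credential store can be scanned for hashes below cost 12, or for values that are not bcrypt at all) and checks a Set-Cookie header for the HttpOnly and Secure flags and for an expiry no longer than 30 days. The sample hash and cookie headers are constructed for the example, and the function names are my own.

```python
import re
from datetime import timedelta

# bcrypt modular-crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed sample values for the example (not LexMT credentials or cookies).
SAMPLE_SALT_AND_HASH = "N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"
SAMPLE_BCRYPT_HASH = "$2b$12$" + SAMPLE_SALT_AND_HASH
SAMPLE_GOOD_COOKIE = "session=abc123; Path=/; HttpOnly; Secure; Max-Age=2592000"
SAMPLE_BAD_COOKIE = "session=abc123; Path=/; Max-Age=31536000"

THIRTY_DAYS = int(timedelta(days=30).total_seconds())  # 2592000 seconds


def bcrypt_cost(hash_str: str) -> int:
    """Return the cost factor (log2 rounds) encoded in a bcrypt hash.

    Raises ValueError for anything that is not a well-formed bcrypt hash, which is
    how a scan catches legacy MD5/SHA or plaintext values sitting in the same column.
    """
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))


def audit_password_hash(hash_str: str, min_cost: int = 12) -> bool:
    """True if the hash is bcrypt with a cost of at least min_cost (12 on this page)."""
    return bcrypt_cost(hash_str) >= min_cost


def parse_set_cookie(header: str) -> dict:
    """Parse a Set-Cookie header value into {name, value, <lowercase attribute>: ...}.

    Flag attributes without a value (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return attrs


def audit_session_cookie(header: str, max_age_limit: int = THIRTY_DAYS) -> list:
    """Return a list of findings; an empty list means the cookie meets the stated policy."""
    attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly")
    if attrs.get("secure") is not True:
        findings.append("missing Secure")
    max_age = attrs.get("max-age")
    if max_age is None:
        findings.append("missing Max-Age")
    elif int(max_age) > max_age_limit:
        findings.append("Max-Age exceeds 30 days")
    return findings


if __name__ == "__main__":
    print("hash cost:", bcrypt_cost(SAMPLE_BCRYPT_HASH))
    print("good cookie findings:", audit_session_cookie(SAMPLE_GOOD_COOKIE))
    print("bad cookie findings:", audit_session_cookie(SAMPLE_BAD_COOKIE))
```

Running the audit against a database export or against the headers of a real login response turns each bullet above into a pass/fail check that can be repeated on every deployment, which is the kind of evidence an independent reviewer would ask for.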

Standards and Compliance

The frameworks and regulations that govern how LexMT handles your data.

GDPR
Full compliance with EU Regulation 2016/679. Data minimisation, lawful basis, and data subject rights are all implemented.
EU AI Act
Classified as Limited Risk under the EU AI Act. Transparency obligations are met via the disclaimer displayed on every answer.
ISO 27001 Aligned
Information security controls aligned to ISO/IEC 27001:2022. ISMS policy, risk register, and SoA maintained.
Hetzner ISO 27001
Infrastructure hosted by Hetzner Online GmbH, which holds ISO 27001 certification for its data centres.

Sub-Processor Transparency

Every third party that processes personal data on behalf of LexMT is listed below, with the legal basis for each transfer.

Supplier            | Role                          | Location      | Legal Basis
Hetzner Online GmbH | Hosting and infrastructure    | Finland (EU)  | DPA — Art. 28 GDPR
Anthropic PBC       | AI inference (legal answers)  | USA (SCCs)    | DPA — SCCs
OpenAI LLC          | AI inference (query expansion)| USA (SCCs)    | DPA — SCCs
Resend Inc          | Transactional email delivery  | USA (SCCs)    | DPA — SCCs
Stripe Inc          | Payment processing            | USA (SCCs)    | PCI-DSS compliant

Responsible Disclosure

If you discover a security vulnerability in LexMT, please report it by email. We aim to acknowledge all reports within 24 hours and resolve confirmed issues within 72 hours.

security@lex.mt

Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and remediate.