Security
How LEXTEUR protects your data and your clients' data
Security by Design Architecture
LEXTEUR is built on the principle of data protection by design and by default (Article 25 GDPR). All document processing takes place locally on your workstation. Your source documents, and the identifying data they contain, never pass through our servers: only text from which those identifiers have already been removed is transmitted for analysis.
100% Local Processing
Text extraction (embedded optical character recognition), named-entity detection (proprietary NER engine) and pseudonymization (replacement of each detected entity by a token) are all performed on your machine. Only the tokenized text, which is pseudonymized within the meaning of Article 4(5) GDPR, is transmitted to the analysis service; the source document itself is never uploaded.
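As an added illustration (this is example code, not LEXTEUR's implementation, whose NER engine is proprietary), here is what tokenization-based pseudonymization looks like in practice. The regex detectors, the sample text and the roundTrip helper are constructed for the example; the point to check is that the token-to-entity mapping stays in the local process and that only the tokenized text is handed to the analysis function:

```javascript
// Added example (not LEXTEUR's code): pseudonymization by tokenization, with the
// token <-> entity mapping kept on the workstation. The detectors below are a
// constructed regex stand-in for the proprietary NER engine.
const DETECTORS = [
  // Honorific followed by a capitalised surname, e.g. "Mme Martin", "Me Dupont", "M. Durand".
  { type: 'PERSON', re: /\b(?:M\.|Mme|Me)\s+[A-ZÀ-Ý][A-Za-zÀ-ÿ-]+(?:\s+[A-ZÀ-Ý][A-Za-zÀ-ÿ-]+)?/g },
  { type: 'EMAIL',  re: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g },
  // French IBAN: FR + 2 check digits + 23 BBAN characters, optionally space-grouped.
  { type: 'IBAN',   re: /\bFR\d{2}(?:\s?\d{4}){5}\s?\d{3}\b/g },
];

class Pseudonymizer {
  constructor(detectors) {
    this.detectors = detectors;
    this.forward = new Map();  // "TYPE\0value" -> token
    this.reverse = new Map();  // token -> original value (never transmitted)
    this.counters = new Map(); // TYPE -> next sequence number
  }

  // The same entity always gets the same token, so the remote analysis can still
  // follow references ("[PERSON_2] conteste ...") without learning who it is.
  tokenFor(type, value) {
    const key = `${type}\u0000${value}`;
    let token = this.forward.get(key);
    if (token === undefined) {
      const n = (this.counters.get(type) || 0) + 1;
      this.counters.set(type, n);
      token = `[${type}_${n}]`;
      this.forward.set(key, token);
      this.reverse.set(token, value);
    }
    return token;
  }

  // Replace every detected entity; where detectors overlap, the earliest and
  // then longest match wins and anything nested inside it is skipped.
  pseudonymize(text) {
    const spans = [];
    for (const { type, re } of this.detectors) {
      for (const m of text.matchAll(re)) {
        spans.push({ type, start: m.index, end: m.index + m[0].length, value: m[0] });
      }
    }
    spans.sort((a, b) => a.start - b.start || b.end - a.end);
    let out = '';
    let cursor = 0;
    for (const s of spans) {
      if (s.start < cursor) continue; // overlaps a span already replaced
      out += text.slice(cursor, s.start) + this.tokenFor(s.type, s.value);
      cursor = s.end;
    }
    return out + text.slice(cursor);
  }

  // Put the original entities back into text that came back from the analysis
  // service; tokens this instance did not issue are left untouched.
  reidentify(text) {
    return text.replace(/\[[A-Z]+_\d+\]/g, (token) => this.reverse.get(token) ?? token);
  }
}

// Constructed sample input (fictional names and account number).
const SAMPLE = 'Me Dupont représente Mme Martin (IBAN FR76 3000 6000 0112 3456 7890 189, courriel martin@example.org) contre M. Durand. Mme Martin conteste le licenciement.';

// One round trip: only `outbound` leaves the machine; `analyze` stands in for
// the remote service and sees tokens only.
function roundTrip(text, analyze) {
  const p = new Pseudonymizer(DETECTORS);
  const outbound = p.pseudonymize(text);
  const inbound = analyze(outbound);
  return { outbound, result: p.reidentify(inbound) };
}

const demo = roundTrip(SAMPLE, (t) => `Résumé : ${t}`);
console.log(demo.outbound);
console.log(demo.result);
```

Because the same entity always maps to the same token, the analysis service can follow who did what inside a document without learning any identity, and a fresh Pseudonymizer per document means tokens cannot be correlated across cases either. Run with node, the block prints the outbound text (tokens only) and then the re-identified result.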
Data Encryption
All communications between the application and our servers are encrypted in transit with TLS 1.3. Data at rest (user accounts, configurations) is encrypted with AES-256. Passwords are hashed with bcrypt and are never stored in plaintext.
Secure Authentication
Authentication is managed by Supabase using the OAuth 2.0 PKCE (Proof Key for Code Exchange, RFC 7636) flow, which prevents an attacker who intercepts the authorization code from exchanging it for a session. Sessions use JWT access tokens that expire automatically.
Payment Security
Payments are processed by Stripe, a PCI DSS Level 1 certified service provider (the highest level of certification). LEXTEUR does not collect, store, or have access to your card data.
Secure AI Processing
AI analyses are performed by a third-party AI provider on pseudonymized data only (within the meaning of Article 4(5) GDPR). This provider does not retain the transmitted data and does not use it to train its models. LEXTEUR reserves the right to change its AI provider at any time, subject to maintaining GDPR compliance.
No Training on Your Data
LEXTEUR NEVER uses the content of your documents, your analyses, or your data to train artificial intelligence models, directly or through third parties. This guarantee is enshrined in our contractual terms with all subprocessors.
Infrastructure and Subprocessors
Our infrastructure relies on trusted providers: Vercel (web hosting), Supabase (database and authentication, EU Frankfurt region), Stripe (payments). All subprocessors are bound by contractual clauses compliant with the GDPR. The full list of subprocessors is available upon request at contact@lexteur.com.
Access Control
Access to production infrastructure is limited according to the principle of least privilege. Multi-factor authentication (MFA) is required for all administrative access. Access is audited and reviewed regularly.
Incident Management
In the event of a security incident affecting your personal data, LEXTEUR commits to notifying the competent supervisory authority within 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR, and to informing affected users without undue delay in accordance with Article 34.
Vulnerability Disclosure
If you discover a security vulnerability, please report it responsibly to security@lexteur.com. We commit to acknowledging receipt within 5 business days and treating the report with the highest priority.
Regulatory Compliance
LEXTEUR is designed to comply with the GDPR (EU Regulation 2016/679), the French Data Protection Act (Law No. 78-17), the ePrivacy Directive (2002/58/EC), and respects obligations related to attorney-client privilege. We are working toward SOC 2 Type II certification.