Security & Trust

Built for clarity, scalability, and modern compliance workflows  

Security is a priority, not an afterthought

Security is central to how Lexa Shield is designed and operated. The platform uses a security-first architecture aligned with the control principles of frameworks such as SOC 2 and ISO 27001. Content is processed only for the duration of each scan. Only the specific text snippets flagged during analysis are retained for client review; full documents are not stored, and all other content is deleted immediately afterward. No customer text is reused or fed into automated learning systems. Lexa Shield does not rely on black-box or probabilistic models; every detection is explainable and auditable.

Lexa Shield is built to make every step transparent, controlled, and verifiable.

Data Handling & Privacy Controls

Lexa Shield follows strict data-minimization and privacy-by-design principles. User-submitted content is processed in isolated, short-lived memory solely for the purpose of detecting potential compliance or policy risks. Once the scan is complete, full documents are permanently deleted. Only the minimal text snippets required to present flagged findings are retained for client review. Content is not stored, indexed, profiled, repurposed, or used for any secondary purpose, and there is no persistent retention of client documents.

What we retain

The only piece of content preserved is:

  • The single, minimal snippet that directly triggered a risk flag inside the client’s own report

This snippet is shown only to that client and is stripped of profanity or illegal content. All other submitted material is discarded immediately after scanning.   

To support high-level research, reliability, and continuous platform improvement, we generate operational metrics based on anonymized and aggregated usage data.

Crucially, these metrics cannot be linked to any individual, company, document, or account.

Our Anonymized Analytics Focus Areas

We analyze aggregate data to generate the following categories of insights:  

Platform Reliability & Risk

Metrics focused on system-wide health and trend spotting. Includes aggregate risk frequencies and general benchmarks. 

High-level observation of behavior across the entire user base. Includes anonymized trend curves, category-level distributions, insights based on term-frequency/category patterns, and anonymized or synthetic examples.

Contextualizing usage and performance against broad industry groups. Includes industry-level comparisons, sector-level slices, and high-level regional (not company-level) global maps.

Data used by our internal teams to identify areas for development. Includes quarter-over-quarter changes and usage trends that cannot be traced back to any client or document.

Combining quantitative data with expert interpretation. Includes heatmaps built from aggregated metadata, qualitative expert analysis of aggregated trends, and synthetic case studies.
All operational analytics are generated only after identifying information has been permanently removed and the data has been combined with usage from multiple clients to prevent any possibility of re-identification.
We maintain a strict boundary between your proprietary data and our operations. Our commitments ensure that your content is used solely to provide and secure your service. We never:
  • Train, tune, or improve our AI/machine learning models using your client content, documents, or data.
  • Engage in behavioral profiling of individuals, employees, or organizations based on content usage.
  • Attempt inference or deduction about individuals' or users' intentions, beyond what is necessary to deliver the immediate service.
  • Blend or mix data across separate client accounts (cross-tenant data blending).
  • Store full text, complete documents, images, or user-submitted materials outside of what is required for core service delivery and security.

Lexa Shield never sells customer data, nor do we use customer content for marketing, advertising, or promotional purposes. 

Ethical AI & Explainability

Lexa Shield does not generate predictions, interpretations, or decisions. The platform is deterministic and rule-based, designed for environments where explainability and auditability are essential.

Each result includes:

  • The exact text snippet that triggered it
  • The specific rule or condition that matched
  • The reasoning behind the flag
  • The engine version used

There are no autonomous, self-learning, or probabilistic components. All rules are authored, reviewed, and version-controlled by humans. The platform aligns with responsible-AI principles such as transparency, human oversight, and fairness.

Users always know what the system identified, why it identified it, and how to verify it. 

For more information ACCESS ETHICAL AI STATEMENT

Security, Compliance & Certifications

Lexa Shield is built on a security-first architecture designed to align with recognized global standards for privacy, security, and responsible data handling. While Lexa Shield does not currently hold formal SOC 2 or ISO 27001 certifications, the platform is engineered with the same rigor and expectations these frameworks promote.  

Processing takes place within isolated, encrypted environments that follow the principles found in GDPR, LGPD, and HIPAA regarding data minimization, purpose limitation, and non-retention. Content is processed only for the duration of the scan and is deleted immediately afterward, ensuring no persistent footprint. 

Our internal controls include:

  • Access governance and strict role-based permissions
  • MFA enforcement for all administrative access
  • Continuous monitoring of core systems
  • Encryption standards for data in transit and at rest
  • Documented incident-response procedures, including timely client notification where required
  • Regular internal reviews of security posture, privacy practices, and operational integrity

Lexa Shield also maintains alignment with leading frameworks and regulatory principles, including:

  • SOC 2 trust service criteria (security, availability, confidentiality)
  • ISO 27001 information security controls
  • GDPR, LGPD, and HIPAA requirements for responsible data handling
  • NIST AI Risk Management Framework
  • OECD AI Principles
  • EU AI Act standards for transparency, oversight, and explainability

Clients retain full control over their data. Customer content is never shared with third parties except where required for security, legal compliance, or at the client’s explicit instruction.

As Lexa Shield completes formal certifications, they will be added to this roadmap and published openly. Clients receive clear documentation, version histories, control summaries, and accountability notes to support their own compliance evaluation, audit processes, and procurement requirements. 

Advanced Security Measures

Lexa Shield maintains a security program that follows industry best practices for protecting client data. Our approach includes: 

Comprehensive Audit Logging

We maintain audit trails designed to support accountability and security monitoring across core systems.

Operational Resilience

We maintain secure, redundant systems with processes designed to support continuity and rapid recovery under a range of conditions.

Secure Software Development Lifecycle

We follow a controlled release process that includes code review, validation steps, and safeguards intended to protect against supply-chain tampering and unauthorized modifications.

Scroll to Top