Pre-launch draft — Lexboard is not yet operating as a legal entity. These documents are drafts under legal review and are not yet in effect or binding.

Legal

Security & Trust.

Effective Date: May 11, 2026. Summary of Lexboard's security controls for customer vendor reviews. For technical questions, contact security@lexboard.net.

1. Hosting and infrastructure

Application: Vercel (US-region edge + serverless).
Database + auth + object storage: Supabase (Pro plan, AWS us-east-1).
Email: Resend (transactional only).
Payments: Stripe (PCI-DSS Level 1).
AI: OpenAI + Anthropic API endpoints (no consumer tiers; no model training on customer data per their enterprise terms).

The full list of subprocessors is at /legal/subprocessors.

2. Encryption

In transit: TLS 1.2+ on every connection. HSTS (1 year, includeSubDomains, preload) forces HTTPS at the browser level.
At rest: AES-256 via Supabase (Postgres) and AWS S3 (object storage).
Backups: encrypted point-in-time recovery snapshots with 7+ day retention.
Secrets: stored in Vercel environment variables; rotated on personnel changes and quarterly otherwise.

3. Access controls

Tenant isolation: Row Level Security (RLS) policies on every firm-scoped table; cross-tenant reads are impossible at the DB level even via service-role bugs.
Authentication: Email + password with bcrypt hashing (Supabase Auth). Multi-factor authentication (TOTP) available on every account.
Session management: 7-day rolling auth token, invalidated on password change, MFA enroll, or admin lockout.
Per-user roles: admin / attorney / paralegal / case_manager / staff / read_only. Sensitive operations (finalize closing, fee splits, delete account) require admin or attorney role.
Audit log: every mutating action recorded in public.audit_log; available to firm admins for review.

4. Application security

Content-Security-Policy with per-request nonce — locks down which origins may load scripts, styles, fonts, etc. Defeats most XSS payloads at the browser level.
HTTP headers: Strict-Transport-Security, X-Frame-Options SAMEORIGIN (with CSP frame-ancestors 'self'), X-Content-Type-Options nosniff, Referrer-Policy strict-origin, Permissions-Policy (deny camera/microphone/etc.; geolocation first-party only), Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy.
Rate limiting on authentication, AI, and template-generation endpoints to mitigate brute-force, scraping, and runaway cost.
SQL: all queries via Supabase client; no string-concatenated SQL.
File uploads: 25 MB cap per file; MIME-type scanning; per-firm storage path isolation.
Webhook verification: Stripe, Supabase, and other inbound webhooks require valid signature with replay-window enforcement.

5. Logging and monitoring

Error monitoring: Sentry (all runtimes: browser, Node, Edge). Source maps uploaded server-side and deleted from public output; PII is scrubbed where feasible.
Audit log: immutable, append-only table covering 100+ business-event types. Money movements and external disclosures get richer overlay records per ABA Rules 1.15 and 1.6.
Access logs: Vercel logs HTTP requests for 30 days; longer retention available on request.

6. Backups and disaster recovery

RPO target: 24 hours.
RTO target: 4 hours.
Database: Supabase Point-in-Time Recovery (PITR), 7-day retention by default, restorable to any second within the window.
Object storage: S3 standard durability (eleven 9's).
Drills: backup-restore drill performed quarterly; results documented internally.

7. Incident response

We maintain a documented incident-response plan with severity tiers (SEV1: outage / data loss, SEV2: degraded service, SEV3: isolated bug). For SEV1:

Acknowledge within 5 minutes of first alert.
Status update within 15 minutes; updates every 15 minutes thereafter.
Customer notification within 60 minutes of any incident lasting more than one hour.
Personal Data Breach notification within 72 hours of confirmation.
Post-mortem published within 5 business days.

8. Compliance posture

GDPR / UK GDPR: we act as Data Processor; the customer firm is Controller. Standard Contractual Clauses available on request.
CCPA / CPRA: we act as Service Provider; we do not sell or share Personal Information.
HIPAA: we will sign a Business Associate Agreement (BAA) when the customer firm's case mix implicates PHI. Contact legal@lexboard.net.
SOC 2: not yet certified. Gap analysis in progress; targeting Type 1 within 12 months of first paid customer.
ABA Model Rules: platform features designed to support compliance with Rules 1.1, 1.6, 1.15, 1.18, 5.3, and 7.1 — see /legal/bar-rules.

9. Vulnerability reporting

We accept good-faith security research reports at security@lexboard.net. We commit to acknowledging within 2 business days and providing status updates every 5 business days until resolution. We won't pursue legal action against researchers who follow our coordinated-disclosure guidelines (see AUP § 9).

10. Personnel and access

All personnel sign confidentiality agreements at hire.
Production database access is restricted to the engineering lead; all access is logged.
Background checks performed for any employee with production access.
Annual security awareness training (phishing simulations, SaaS account hygiene).

11. Pen testing

We engage a third-party penetration testing firm at least annually, plus ad-hoc after major architectural changes. The most recent attestation can be shared under NDA on request to security@lexboard.net.

12. Updates

This page is reviewed quarterly and updated when material changes occur. Customers are notified by email to designated firm administrators for any change to encryption, hosting region, or sub-processor list.

Lexboard