Security & Trust

Your clients trust you. We take that seriously.

LexMotus is built for firms handling sensitive client data every day. Here's exactly what we do — and don't do — to protect it.

Last updated: April 2026
Current scores:

OWASP Top 10 (web application security, 2021 standard): 76 / 100, Grade B
OWASP API Top 10 (API security assessment, 2023 standard): 64.5 / 100, Grade B
Composite Score (combined security posture): 70.3 / 100, Grade B, actively improving

Access Control & Tenant Isolation

Every firm on LexMotus gets a completely isolated data environment. Your matters, clients, documents, and communications are never mixed with another firm's data — not in the database, not in the application layer.

Role-Based Access Control

56 granular permissions mapped to roles you define. An intake coordinator can create matters without touching billing. A paralegal can review a file without being able to delete it. Access is explicit, not assumed.

Row-Level Security

Database-level tenant isolation using PostgreSQL Row Level Security. Even if application code had a bug, a query cannot return another firm’s records — the database enforces it.

Session & Token Security

JWT session tokens with automatic expiry and forced re-authentication. Optional TOTP two-factor authentication for every user. No permanent API keys floating around.

Audit Trail

Over 50 action types — matter updates, document access, permission changes, settlement events — are recorded with user, timestamp, IP, and context, and surfaced in an admin audit view.

Data Protection & Encryption

Client data is encrypted in transit and at rest. We use AWS infrastructure with enterprise-grade storage and database services — the same ones used by banks, hospital systems, and federal agencies.

Encryption in Transit

All communication between your browser and LexMotus uses TLS 1.2 or higher. Database connections verify the server's certificate against a trusted certificate authority rather than merely encrypting opportunistically.

Encryption at Rest

Documents are stored in AWS S3 with server-side AES-256 encryption and a policy that rejects any upload without encryption. The database runs on AWS Aurora PostgreSQL with storage-layer encryption enabled.

Data Classification

Our Data Management Policy classifies data into Confidential (client PII, matter details), Restricted (operational data), and Public (marketing materials). Confidential data gets the strictest handling, owners, and controls.

No Data Sharing

We do not sell your data or your clients’ data. We do not use client matter data to train third-party AI models. Retrieval-augmented AI answers are grounded in your firm’s own documents — scoped to your tenant.

Application Security

We test LexMotus against the OWASP Top 10 (the industry standard checklist of web application vulnerabilities) and the OWASP API Top 10. Our current composite score is 70.3 / 100 — Grade B. That's solid for an early-stage platform, and we're actively working toward an A.

What OWASP testing means for you: The OWASP Top 10 covers the most common and dangerous ways web applications get compromised — injection attacks, broken authentication, insecure data exposure, and more. Scoring against it gives us (and you) a measurable benchmark, not just a “we take security seriously” promise.

Injection Prevention

Parameterized queries throughout the application. User input is never concatenated directly into SQL, and UUIDs on URL parameters are validated before any database call.
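One way to express the database-enforced tenant isolation described under Row-Level Security above, together with the parameterized, UUID-typed lookup this section describes, as an added PostgreSQL example that is not LexMotus's own schema or code. The table, column and role names and the `app.tenant_id` setting are assumptions.

```sql
-- Illustrative schema and policy (added example, not LexMotus's own code).
CREATE TABLE matters (
    id        uuid PRIMARY KEY,
    tenant_id uuid NOT NULL,
    title     text NOT NULL
);

-- The application connects as a dedicated role that is not a superuser
-- and does not own the table; superusers and BYPASSRLS roles skip RLS.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON matters TO app_user;

ALTER TABLE matters ENABLE ROW LEVEL SECURITY;
ALTER TABLE matters FORCE ROW LEVEL SECURITY;   -- applies to the owner too

-- Rows are visible to (USING) and writable by (WITH CHECK) app_user only
-- when tenant_id matches the tenant set for the current transaction.
-- current_setting(..., true) returns NULL or '' instead of erroring when
-- the setting is absent; nullif() maps '' to NULL, and NULL = x is never
-- true, so a request that never set a tenant sees no rows at all.
CREATE POLICY tenant_isolation ON matters
    FOR ALL TO app_user
    USING (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, as app_user: bind the tenant id and the matter id as typed
-- parameters, never string-concatenated. SET LOCAL accepts only literals,
-- so set_config() is used instead so the tenant id can be a bound
-- parameter; is_local = true scopes it to this transaction. The uuid
-- parameter type makes the server reject malformed ids before the query runs.
BEGIN;
PREPARE set_tenant(text) AS SELECT set_config('app.tenant_id', $1, true);
EXECUTE set_tenant('11111111-1111-1111-1111-111111111111');   -- constructed tenant id
PREPARE matter_by_id(uuid) AS
    SELECT id, title FROM matters WHERE id = $1;            -- RLS adds the tenant filter
EXECUTE matter_by_id('22222222-2222-2222-2222-222222222222'); -- constructed matter id
COMMIT;
```

The DDL runs as a privileged role; only the final BEGIN...COMMIT block is what the application role executes per request, and a matter id belonging to another tenant simply returns zero rows.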

Authentication Security

Bcrypt password hashing (cost 12), brute-force rate limiting on login, optional TOTP 2FA with forced enrollment available for firms that require it, and cryptographically signed session cookies with the HttpOnly, Secure, and SameSite flags set.

Secure Development Policy

We follow a written Secure Development Policy aligned with OWASP Secure-by-Design principles. Every code change is reviewed against the same checklist we use to score ourselves.

API Security

All API endpoints require authentication and enforce tenant context on every request — not just at login. Login endpoints are rate-limited today; we’re expanding rate limits across all endpoints in 2026 Q2.

Incident Response

If something goes wrong, we have a plan — written down, not improvised. We maintain two formal incident response playbooks:

Data Breach Response Plan
Malware Outbreak Response Plan

Each plan defines who owns the response, what steps to take in what order, how affected customers are notified, and how we recover. In the event of a confirmed data breach affecting your firm, we will notify you promptly with the specifics of what happened, what data was involved, and what we've done to contain it.

Availability & Business Continuity

We run on AWS infrastructure with automated backups and redundancy built in. Our Business Continuity and Disaster Recovery policy defines recovery objectives and procedures so that a hardware failure or infrastructure event doesn't mean your firm loses access to its files.

Automated Database Backups

Aurora PostgreSQL automated backups with point-in-time recovery. Your data is backed up continuously, not just nightly.

Document Storage Redundancy

AWS S3 stores documents with 99.999999999% (eleven nines) durability by automatically replicating data across multiple availability zones.

Recovery Objectives

Our documented BC/DR policy sets defined recovery time and recovery point objectives — not a vague promise to “restore as quickly as possible.”

Security Policies

We operate with a documented security policy framework. These aren't checkbox documents — they define what we actually do, who's responsible, and how we handle exceptions.

Information Security Policy
Secure Development Policy
Data Management Policy
Business Continuity & Disaster Recovery Policy
Enterprise Resilience & Availability Policy
Data Breach Incident Response Plan
Malware Outbreak Incident Response Plan

Compliance & Certification Roadmap

We believe in being honest about where we are. LexMotus is an early-stage platform. We don't have SOC 2 certification yet — but we're building toward it methodically, not just checking boxes.

  1. Security policy framework established

    Complete

    Seven formal policies and incident response plans written and in effect. Data classification, access control, and secure development standards documented.

  2. OWASP assessment completed

    Complete

    Scored against OWASP Top 10 (2021) and OWASP API Top 10 (2023). Composite Grade B. Active remediation underway on the highest-leverage items.

  3. SOC 2 Type 1

    Planned

    SOC 2 Type 1 audit is on our roadmap and will be initiated when revenue supports the investment. Type 1 verifies that our security controls are designed correctly as of a point in time.

  4. SOC 2 Type 2

    Planned

    Approximately six months after Type 1, we’ll pursue Type 2 — which tests that those controls operated effectively over time. Type 2 is the gold standard, and it’s our target.

  5. CCPA data retention policy (public)

    Planned

    A public-facing data retention schedule for California clients, covering how long we retain different categories of data and how deletion requests are handled.

We'll be direct: if SOC 2 certification is a non-negotiable requirement for your firm today, we'll tell you that up front rather than overpromise. What we can offer now is demonstrated security practices, measurable OWASP scores, documented policies, and a clear timeline to certification. Many charter firms find that's enough to move forward while we build toward it together.

Have a security question?

We respond to all security inquiries directly — not through a ticketing system. If you have a question about our security practices, want to report a vulnerability, or need to discuss data handling specifics before signing on, reach out.