Security & Trust
Attorneys doing due diligence before putting client data in any cloud tool need clear, factual answers about security controls. This page provides the technical details — not marketing language — about how Loxmetis protects your data.
1. Encryption
Data in transit:
- All connections use TLS 1.2 or higher — there is no unencrypted HTTP access path
- TLS certificates are managed via Cloudflare (automatic renewal, OCSP stapling)
- HSTS headers enforce HTTPS on all subsequent connections after first visit
- Database connections between the application and PostgreSQL use SSL encryption
Data at rest:
- Case documents are stored in object storage with AES-256 encryption at rest (encryption keys are managed by the storage provider, not customer-managed)
- The PostgreSQL database is hosted on encrypted storage volumes
- Document embeddings (search vectors) are stored in the same encrypted database
2. Organization Isolation
Loxmetis uses a strict multi-tenant architecture. Every law firm's data is isolated at the database level, not just the application level.
- Case, document, and financial queries include an
organization_idfilter scoped to your firm - Requests that attempt to access another organization's data receive HTTP 403 Forbidden
- Document vector search is scoped to your organization's documents only
- AI answers are checked to ensure they only draw on documents in the case you are actively working in — cross-case references are blocked
- Case membership is verified per-request, not just at login time
- Organization isolation is enforced in automated tests that run on every code change
No firm-level user or administrator can query or view another law firm's case content. Cross-org access by a firm admin or ordinary user is rejected at the application layer before any database query runs. (Loxmetis platform operators retain break-glass cross-organization access for support and billing, same as any SaaS vendor's own staff.)
3. Authentication & Access Control
- Signed sessions — Session tokens are cryptographically signed and verified server-side, and are short-lived. Staying signed in requires a separate, revocable refresh credential, and an administrator can revoke all of a user's sessions at once.
- httpOnly cookies — Tokens are stored in httpOnly cookies, not in localStorage. JavaScript running in the page cannot read the token, eliminating the most common XSS token-theft vector.
- Optional multi-factor authentication — Accounts can enable authenticator-app (TOTP) multi-factor sign-in, backed by recovery codes.
- Brute-force protection — Repeated failed logins trigger escalating temporary lockouts that clear automatically on a successful sign-in or password reset.
- Rate limiting — Login is rate-limited per source to slow automated guessing.
- Secure cookie flags — Session cookies are set with
Secure,HttpOnly, andSameSite=Laxflags. - Case-level access controls — Each case has owners and members with distinct permission levels. Users can only access cases they have been explicitly added to.
4. AI Provider
Loxmetis uses Google Gemini for all AI processing:
- Chat and analysis — Google Gemini 2.5 Flash (model:
gemini-2.5-flash) - Document search vectors — Google Gemini embedding-001 (3072-dimensional embeddings)
Per Google's API Terms of Service, data submitted via API calls is not used to train or improve Google's AI models. Google processes Loxmetis data as a data processor under their Data Processing Agreement.
Google Gemini is our large-language-model provider. We do not send your data to consumer AI products, and we do not share it with any AI vendor for model training.
Beyond our AI provider, Loxmetis relies on a small set of infrastructure and service providers (hosting, document storage, email, billing). The full list — and exactly what data each one receives — is on our Subprocessors page.
5. HIPAA & Compliance Posture
Law firms are not HIPAA covered entities. Personal injury practices handle medical records under attorney work product privilege and state bar rules, not HIPAA. Loxmetis is a tool for attorneys, not a covered entity or business associate under 45 CFR Part 164.
Medical bills, treatment records, and other health information you upload to Loxmetis are handled securely under attorney work product privilege. We apply strong technical and administrative safeguards aligned with ABA Rule 1.6 ethical requirements.
We maintain security controls consistent with industry best practices for legal software: encryption at rest and in transit, org-level data isolation, access logging, and a 90-day auto-archive policy for closed cases.
6. Data Retention & Deletion
- Active cases — Accessible during your active subscription
- Closed cases — Automatically archived 90 days after you mark a case closed
- Archived cases — Locked from broad access and placed into our manual deletion queue until our Phase 2 automated S3 cloud shredder process is deployed
- On-demand deletion — You can request deletion of any data at any time by contacting privacy@loxmetis.com. We will complete manual hard deletion within 30 days.
- Post-termination — Data remains available for export for 30 days after account termination, then is permanently deleted
7. Incident Response
In the event of a security incident affecting your organization's data:
- We aim to notify affected organizations promptly — generally within 72 hours — of confirming a breach that affects their data
- Notification will include: what data was affected, when the incident occurred, what we are doing to address it, and recommended actions for you
- We maintain incident response procedures and test them periodically
- To report a suspected security issue: security@loxmetis.com
8. Audit Logging
Loxmetis maintains logs of significant user actions for security and compliance purposes:
- Login events (successful and failed), with timestamp and IP address
- Document uploads and downloads
- Case creation, state changes (open, active, closed, archived)
- Case member changes (invitations, role updates, removals)
- Admin actions (organization creation, user provisioning)
Audit logs are retained for compliance review and are not deleted by the 90-day case shredder. Logs contain user identity (user ID, email), action type, affected resource, and timestamp. Log contents are not accessible to end users through the UI but are available to your organization upon request for compliance purposes.
9. Infrastructure
- Hosting & database — US-based cloud infrastructure (PostgreSQL + pgvector)
- Document storage — S3-compatible object storage, data stored in the US
- Container — Docker, running as a non-root container user
- Dependency scanning — Automated weekly CVE scanning in CI (pip-audit, npm audit, Trivy)
- Security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options on all responses
A complete list of our infrastructure and service providers, and what data each receives, is on our Subprocessors page.
Questions about security controls or to request a security review: security@loxmetis.com