DRAFT — NOT FOR PUBLICATION — Content under legal review (2026-04-14). Remediation in progress.
LoxMetis — Settlement Intelligence Platform
Security Controls Active

Attorneys doing due diligence before putting client data in any cloud tool need clear, factual answers about security controls. This page provides the technical details — not marketing language — about how Loxmetis protects your data.

1. Encryption

Data in transit:

Data at rest:

2. Organization Isolation

Loxmetis uses a strict multi-tenant architecture. Every law firm's data is isolated at the database level, not just the application level.

No firm-level user or administrator can query or view another law firm's case content. Cross-org access by a firm admin or ordinary user is rejected at the application layer before any database query runs. (Loxmetis platform operators retain break-glass cross-organization access for support and billing, same as any SaaS vendor's own staff.)

3. Authentication & Access Control

4. AI Provider

Loxmetis uses Google Gemini for all AI processing:

Per Google's API Terms of Service, data submitted via API calls is not used to train or improve Google's AI models. Google processes Loxmetis data as a data processor under their Data Processing Agreement.

Google Gemini is our large-language-model provider. We do not send your data to consumer AI products, and we do not share it with any AI vendor for model training.

Beyond our AI provider, Loxmetis relies on a small set of infrastructure and service providers (hosting, document storage, email, billing). The full list — and exactly what data each one receives — is on our Subprocessors page.

5. HIPAA & Compliance Posture

Law firms are not HIPAA covered entities. Personal injury practices handle medical records under attorney work product privilege and state bar rules, not HIPAA. Loxmetis is a tool for attorneys, not a covered entity or business associate under 45 CFR Part 164.

Medical bills, treatment records, and other health information you upload to Loxmetis are handled securely under attorney work product privilege. We apply strong technical and administrative safeguards aligned with ABA Rule 1.6 ethical requirements.

We maintain security controls consistent with industry best practices for legal software: encryption at rest and in transit, org-level data isolation, access logging, and a 90-day auto-archive policy for closed cases.

6. Data Retention & Deletion

7. Incident Response

In the event of a security incident affecting your organization's data:

8. Audit Logging

Loxmetis maintains logs of significant user actions for security and compliance purposes:

Audit logs are retained for compliance review and are not deleted by the 90-day case shredder. Logs contain user identity (user ID, email), action type, affected resource, and timestamp. Log contents are not accessible to end users through the UI but are available to your organization upon request for compliance purposes.

9. Infrastructure

A complete list of our infrastructure and service providers, and what data each receives, is on our Subprocessors page.

Questions about security controls or to request a security review: security@loxmetis.com