// Trust & Security Report

    Lex, Inc. logo

    Lex, Inc.

    Lex is a collaborative document editing platform with integrated AI writing assistance. Core features include real-time collaboration, AI feedback and rewriting, version control, and publish-ready output. Uses Claude 3 and GPT-4 as AI backends.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (Data Protection Adequacy)
    HELD

    Privacy policy states: 'one of the safeguards we may use to support such transfer is the EU Standard Contractual Clauses.' GDPR processing bases documented as: 'Performance of a Contract', 'Legitimate Interest', 'Consent', and 'Compliance with our Legal Obligations'.

    Verify on lex.page
    > Show 6 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    No public evidence found. Extensive web search and attempts to access /security page (404) found no SOC 2 attestation or audit report.

    source: lex.page
    ISO 27001
    NOT CONFIRMED

    No public evidence found. No mention in privacy policy, terms, or public security documentation.

    source: lex.page
    HIPAA
    NOT CONFIRMED

    No public evidence found. Not mentioned in available privacy or compliance documentation.

    source: lex.page
    PCI DSS
    NOT CONFIRMED

    No public evidence found. Not mentioned in compliance documentation.

    source: lex.page
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence found.

    source: lex.page
    ISO 42001 (AI Management)
    NOT CONFIRMED

    No public evidence found. Not mentioned despite AI-first product design.

    source: lex.page

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region (AWS/Google infrastructure in unspecified locations). EU data subject to SCC for transfers.

    Terms of Service explicitly state: 'This license does not include the right to use any uploaded User Content to train our models or publish any User Content.' However, privacy policy is dated 6/28/2023 and does not explicitly address model training. CEO Nathan Baschez has stated (per TechCrunch 2023) the company is 'not using any user content for training,' though may 'train or fine tune' models in future with 'transparency and careful' inclusion practices.

    // Security controls

    Data Encryption

    HTTPS/TLS for transit. At-rest encryption via AWS (unspecified key management). Data shared with OpenAI for chat features per privacy policy.

    lex.page

    Third-Party Service Providers

    Stripe (payments), AWS (infrastructure), Google Analytics, Amplitude (analytics), OpenAI (AI chat processing). DPA with OpenAI or similar per privacy policy.

    lex.page

    Access Controls & Vulnerability Handling

    Terms of Service prohibit 'attempts to probe, scan or test vulnerability of Lex systems or breach security.' Company claims it 'monitors access to ensure compliance' but no third-party audit or bug bounty program publicly documented.

    lex.page

    Incident Response & Data Breach

    Privacy policy mentions detection of 'security incidents' and 'malicious, deceptive, fraudulent or illegal activity' but does not specify breach notification timelines or procedures.

    lex.page

    // Products & data scope

    Lex StandardDocument Editor / Writing Assistant

    data: User documents, account info, usage analytics, crash reports. Chat messages shared with OpenAI.

    Free tier and paid subscriptions. Real-time collaboration with link-sharing. AI-powered feedback, rewriting, and brainstorming.

    // What to watch

    • IDENTITY ALERT: Mozilla Foundation 'Privacy Not Included' review found for a 'Lex' dating/social app — this is NOT lex.page (writing tool). Do not conflate these two distinct products.
    • No public trust center or dedicated security documentation page despite being a growth-stage SaaS with 300K+ users.
    • Zero third-party security certifications (SOC 2, ISO 27001, HIPAA, etc.) found despite search across 2024-2026 and direct vendor domain attempts.
    • Chat feature shares user messages with OpenAI (or 'similar provider'). This is a data processing dependency and privacy model users may not expect in a document editor.
    • Privacy policy dated 6/28/2023 — over 2 years old. No public update history or change log visible; does not address AI training explicitly despite now offering AI features.
    • DPA uses EU Standard Contractual Clauses (compliant) but no mention of adequacy decisions under Schrems II or ongoing EU-US data transfer frameworks (Data Privacy Framework as of 2024-2025).
    • No AI governance certifications (ISO 42001, CSA STAR AI) despite AI-first product positioning.

    // At a glance

    Pricing model

    Freemium with paid subscription tiers (pricing on lex.page/pricing)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Lex, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    lex.page

    > Browse all vendor trust reports