// Trust & Security Report
Lex, Inc.
Lex is a collaborative document editing platform with integrated AI writing assistance. Core features include real-time collaboration, AI feedback and rewriting, version control, and publish-ready output. Uses Claude 3 and GPT-4 as AI backends.
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on lex.page“Privacy policy states: 'one of the safeguards we may use to support such transfer is the EU Standard Contractual Clauses.' GDPR processing bases documented as: 'Performance of a Contract', 'Legitimate Interest', 'Consent', and 'Compliance with our Legal Obligations'.”
> Show 6 unconfirmed / not-held certifications
source: lex.pageNo public evidence found. Extensive web search and attempts to access /security page (404) found no SOC 2 attestation or audit report.
source: lex.pageNo public evidence found. No mention in privacy policy, terms, or public security documentation.
source: lex.pageNo public evidence found. Not mentioned in available privacy or compliance documentation.
source: lex.pageNo public evidence found. Not mentioned in compliance documentation.
source: lex.pageNo public evidence found. Not mentioned despite AI-first product design.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-region (AWS/Google infrastructure in unspecified locations). EU data subject to SCC for transfers.
Terms of Service explicitly state: 'This license does not include the right to use any uploaded User Content to train our models or publish any User Content.' However, privacy policy is dated 6/28/2023 and does not explicitly address model training. CEO Nathan Baschez has stated (per TechCrunch 2023) the company is 'not using any user content for training,' though may 'train or fine tune' models in future with 'transparency and careful' inclusion practices.
// Security controls
Data Encryption
HTTPS/TLS for transit. At-rest encryption via AWS (unspecified key management). Data shared with OpenAI for chat features per privacy policy.
lex.pageThird-Party Service Providers
Stripe (payments), AWS (infrastructure), Google Analytics, Amplitude (analytics), OpenAI (AI chat processing). DPA with OpenAI or similar per privacy policy.
lex.pageAccess Controls & Vulnerability Handling
Terms of Service prohibit 'attempts to probe, scan or test vulnerability of Lex systems or breach security.' Company claims it 'monitors access to ensure compliance' but no third-party audit or bug bounty program publicly documented.
lex.pageIncident Response & Data Breach
Privacy policy mentions detection of 'security incidents' and 'malicious, deceptive, fraudulent or illegal activity' but does not specify breach notification timelines or procedures.
lex.page// Products & data scope
data: User documents, account info, usage analytics, crash reports. Chat messages shared with OpenAI.
Free tier and paid subscriptions. Real-time collaboration with link-sharing. AI-powered feedback, rewriting, and brainstorming.
// What to watch
- IDENTITY ALERT: Mozilla Foundation 'Privacy Not Included' review found for a 'Lex' dating/social app — this is NOT lex.page (writing tool). Do not conflate these two distinct products.
- No public trust center or dedicated security documentation page despite being a growth-stage SaaS with 300K+ users.
- Zero third-party security certifications (SOC 2, ISO 27001, HIPAA, etc.) found despite search across 2024-2026 and direct vendor domain attempts.
- Chat feature shares user messages with OpenAI (or 'similar provider'). This is a data processing dependency and privacy model users may not expect in a document editor.
- Privacy policy dated 6/28/2023 — over 2 years old. No public update history or change log visible; does not address AI training explicitly despite now offering AI features.
- DPA uses EU Standard Contractual Clauses (compliant) but no mention of adequacy decisions under Schrems II or ongoing EU-US data transfer frameworks (Data Privacy Framework as of 2024-2025).
- No AI governance certifications (ISO 42001, CSA STAR AI) despite AI-first product positioning.
// At a glance
Pricing model
Freemium with paid subscription tiers (pricing on lex.page/pricing)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Lex, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
lex.page