Security, privacy & compliance

Built so solicitor-client privilege is never compromised by technology

TruLexa is an AI legal workflow platform built for Canadian law firms. The architecture stands on three commitments: your data stays in Canada, your clients' content never trains AI models, and we keep as little of it as possible - only what your request needs, only for as long as it needs it.

Canada-first - aligned with PIPEDA, Ontario PHIPA, and Alberta and BC PIPA

Four trust pillars

Each pillar answers a question Canadian law firms ask before signing.

  • Your data stays in Canada

    Our application and the core AI processing behind every TruLexa workflow run in Canadian data centres. Prompts, documents, uploaded files, and generated content do not leave Canada.

  • Your clients' content never trains our AI

    We do not use what you submit to train AI models, and we do not sell or share it with advertisers. Your firm's work product stays your firm's.

  • No conversation history kept on our servers

    Once a request is complete, we do not keep a copy of the conversation on TruLexa servers. A local copy may stay on the user's own device for session continuity, governed by your firm's endpoint policy.

  • Personal information is minimized before the AI sees it

    When directly identifying details are detected, they are automatically replaced with placeholders such as {{PERSON-1}} or {{ADDRESS-1}} before the AI runs the workflow. The original names and details are restored in the final output you receive, so your generated documents read naturally and you never have to reconcile placeholders by hand. This is a safeguard, not a substitute for professional review.

What firms confirm before they sign

These commitments are baked into the product. They are not optional add-ons or paid upgrades.

  • Our AI providers do not keep your prompts, documents, or generated content. Everything is deleted from their environment as soon as the request finishes or is cancelled.
  • We do not write your prompts, conversations, generated content, or uploaded files into our logs or analytics. Operational logs only contain metadata such as uptime, error category, request status, and security events.
  • When a workflow needs an external lookup - case law, trademarks, patents - we send only AI-generated search queries. Your prompts, documents, files, matter facts, and personal information are never exposed.
  • Every workflow, including substantive legal research, consults our internal and local sources before any external lookup is considered.
  • We never sell what you submit, share it for advertising, or use it to profile users.
  • Administrative access to our identity, billing, and infrastructure systems is limited to authorized personnel and protected by multi-factor authentication.

How your data flows, in plain English

  1. Submit

    You send a prompt, document, or file from a signed-in session over an encrypted connection.

  2. Minimize

    Directly identifying personal information is automatically masked before the AI runs the workflow, then restored in the output you receive.

  3. Process

    Only the components needed for your workflow receive the request, all inside Canadian data centres.

  4. Stream

    Results are streamed back to your screen over an encrypted channel.

  5. Delete

    When the request finishes or is cancelled, the AI provider deletes its copy. We keep no transcript on our servers.
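An added illustration of the Minimize step above and of the placeholder mechanism described under the fourth trust pillar. This is example code, not TruLexa's implementation: the two detection rules in PATTERNS (a title-plus-name pattern and a number-plus-street pattern), and the minimize and restore functions, are assumptions chosen to show the reversible-masking idea, with the mapping kept on the firm's side and only the masked text sent onward.

```python
import re

# Added illustration, not TruLexa's own detector. The two rules below are
# constructed assumptions ("Title First Last" and "number Street Type"); a
# production system would use a purpose-built PII recognizer.
PATTERNS = {
    "PERSON": re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.? [A-Z][a-z]+ [A-Z][a-z]+\b"),
    "ADDRESS": re.compile(r"\b\d{1,5} [A-Z][a-z]+ (?:Street|Avenue|Road|Drive)\b"),
}

def minimize(text):
    """Replace directly identifying details with numbered placeholders.
    Returns (masked_text, mapping). The mapping is the only thing that can
    undo the masking, so it stays on the firm's side and never travels with
    the request. A repeated value reuses its placeholder for consistency."""
    mapping = {}    # placeholder -> original value
    reverse = {}    # original value -> placeholder
    counters = {kind: 0 for kind in PATTERNS}

    def substitute(kind):
        def _sub(match):
            value = match.group(0)
            if value not in reverse:
                counters[kind] += 1
                placeholder = "{{%s-%d}}" % (kind, counters[kind])
                reverse[value] = placeholder
                mapping[placeholder] = value
            return reverse[value]
        return _sub

    masked = text
    for kind, pattern in PATTERNS.items():
        masked = pattern.sub(substitute(kind), masked)
    return masked, mapping

def restore(masked_output, mapping):
    """Put the original details back into the generated output. Placeholders
    are matched as whole tokens, so {{PERSON-1}} is never confused with
    {{PERSON-10}}; an unknown placeholder is left untouched for review."""
    return re.sub(r"\{\{[A-Z]+-\d+\}\}",
                  lambda m: mapping.get(m.group(0), m.group(0)), masked_output)

# Constructed sample input; not real client data.
SAMPLE = ("Mr. John Smith lives at 12 Main Street. Mr. John Smith and "
          "Dr. Jane Doe met at 12 Main Street.")

if __name__ == "__main__":
    masked, mapping = minimize(SAMPLE)
    print(masked)   # what leaves the firm: no names, no addresses
    draft = "Letter to {{PERSON-1}} regarding the property at {{ADDRESS-1}}."
    print(restore(draft, mapping))
```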

Compliance & privacy frameworks

Designed to align with Canadian private-sector privacy law and standard enterprise security practice.

  • PIPEDA

    Aligned with the ten fair-information principles of Canada's Personal Information Protection and Electronic Documents Act.

  • Ontario PHIPA

    Aligned with Ontario's Personal Health Information Protection Act, including breach notification to affected individuals and the Information and Privacy Commissioner of Ontario where required.

  • Alberta & BC PIPA

    Aligned with Alberta's and British Columbia's substantially similar provincial privacy regimes.

  • SOC 2 Type II - getting ready for an independent audit

    We are running an internal readiness review of our security controls so we are prepared for an independent SOC 2 Type II audit. We will only claim certification once an independent auditor has issued a report.

  • AES-256 at rest, TLS 1.3 in transit

    Strong encryption is enforced on all stored data and on every user, service, and AI-provider connection.

  • Canadian data residency

    Application hosting and AI workflow processing in Canadian data centres.

Access control & administration

Access is granted on a least-privilege, need-to-know basis through Role-Based Access Control (RBAC), so lawyers, staff, and partners only see the matters they need. Multi-factor authentication is required for every administrative login to our cloud, identity, billing, and infrastructure systems. Single Sign-On through providers such as Microsoft Entra ID is available on TruLexa Enterprise.

  • RBAC with separation of duties and regular access reviews
  • MFA required on every administrative system
  • SSO available on TruLexa Enterprise
  • You manage your own users, roles, and matter access

Need the full security white paper for your due diligence?

We'll send you the complete TruLexa security white paper, help you complete vendor questionnaires, and put you in touch with our security team for client reviews.