Trust Center

LexBridge is deployed on your own infrastructure — on-premises or in your chosen cloud provider within the GCC. Your client data never leaves your servers. We have no access to your data, no telemetry, and no cloud dependency. This model satisfies UAE PDPL data localization guidance and Saudi PDPL data residency requirements.

All client PII (email, phone, date of birth, national ID) is encrypted at the application layer using AES-256-CBC before storage. Passwords are hashed with bcrypt (cost factor 12). 2FA secrets use Laravel's encrypted cast (AES-256 keyed to your APP_KEY). Database connections and storage transfers use TLS.

LexBridge is designed against the OWASP Top 10. Controls include: nonce-based Content Security Policy, X-Frame-Options, X-Content-Type-Options, HSTS, CSRF tokens on all state-changing requests, rate limiting on all authentication endpoints, and session regeneration after authentication.

9 roles and 109 permissions using Spatie Laravel-Permission. Resource-level policies for Cases, Clients, Documents, and Invoices. 2FA enforced unconditionally for Firm Admin, Senior Lawyer, and Managing Partner roles. SSO via Google or Azure AD with encrypted token storage. Account lockout after 5 failed attempts.

LexBridge is designed to help your firm meet obligations under the UAE Personal Data Protection Law (PDPL 2022), Saudi Arabia PDPL (Royal Decree M/19), DIFC Data Protection Law 2020, ADGM Data Protection Regulations, and GCC Bar Association data standards. Built-in controls include consent management, data export, erasure requests, retention automation, and breach alerting.

Every create, update, and delete action on key models is logged in the audit_logs table with user ID, timestamp, and IP address. Real-time email alerts are sent to the system administrator for all HTTP 4xx/5xx errors (throttled to once per 5 minutes per unique error). Alerts include the full request context, user identity, and stack trace.

The AI Legal Advisor defaults to Ollama — an on-premises, open-source LLM that runs entirely on your server. No data is sent to any external AI service unless you explicitly configure an Anthropic API key. When using the cloud backend, the AI Advisor consent gate requires explicit user acknowledgement of cross-border data transfer. Legally privileged documents are excluded from AI context by design.

A formal Incident Response Runbook covers: detection, containment, evidence preservation, PDPL 72-hour regulatory notification (UAE Data Office, Saudi NDMO), client notification, and post-incident review. Procedures aligned to UAE PDPL Article 22 and Saudi PDPL Article 19.