Data Security and Compliance

The controls behind the deployment: office boundary, RODO/GDPR, EU residency, encryption, audit trail, no training, and exit.

Office boundary — one deployment, one kancelaria.

The first deployment is single-office by design: one edge server, one local database, one local index, and one audit trail for that kancelaria. Client data is not pooled across offices. Internal matter-level access control can be added later for offices that need it, but it is not required for the first deployment model.

  • Single-office edge deployment
  • Separate local store and index per client
  • No shared central case database
  • Local audit trail for reads, queries, and generated outputs
  • Matter-level ACL available as a later hardening option

RODO / GDPR — by design, not bolted on.

Data-protection obligations are reflected in the deployment shape before they are described on paper. The first deployment pack includes a DPIA worksheet, a data-processing agreement, and a sub-processor list. The durable client record stays on the edge.

  • DPIA worksheet · prepared for bailiff-office workflows
  • Data Processing Agreement · PL & EN
  • Right-to-erasure procedure · file and case level
  • Sub-processor list · short, current, EU-only
  • EU-to-EU processing path

EU residency — index on-prem, inference in Germany.

The index sits on hardware inside your office. Standard inference runs on Hetzner servers in Germany, under a contract governed by EU law. A separate enterprise package can move inference onto client premises.

  • Index location: your edge server
  • Standard inference location: Hetzner Online GmbH · Germany
  • Enterprise inference location: your premises
  • Backup / DR: EU-only, encrypted, on your edge server

CLOUD Act — out of scope, structurally.

No US provider sits anywhere in the stack — not just for client data, but across the whole product and engineering supply chain. Bare metal, inference, billing, operations tooling, internal SaaS tools — every layer runs on an EU vendor. We are happy to walk through the supply chain on the call.

Encryption — at rest on the edge, encrypted in transit.

  • Encrypted local volumes for the edge store
  • TLS / NetBird-protected path to EU inference
  • Key handling and restore runbook included in the deployment pack

Audit — every query and generated output stays reviewable.

The first deployment records user, action, case reference, retrieval mode, inference transit metadata, and generated-output events on the edge server. Payload logging is avoided; the audit trail is for accountability, debugging, and DPO review.

No training on your data — architectural, not just contractual.

The inference server runs in inference-only mode; weights are read-only and pinned per release. Training data pipelines do not exist on this infrastructure. The contract states it; the architecture makes it true.

Exit — clean offboarding, certified wipe.

On cancellation, the office exports what it must retain — audit log copies, generated reports, summaries, and configuration. The edge device is wiped according to the deployment runbook. Because client case data is not stored centrally, offboarding does not require a central data purge.

Compliance evidence / Audit log

A DPO can read this. So can an inspector.

Every hop, every role change, every transit — appended on your edge server, signed, exportable. Below: a realistic excerpt from a typical office day.

/var/log/lexindex/audit.signed.log
2026-04-22T09:14:03+02:00  user=jkowalski   action=query      case=KM/2024/0123   scope=local-only           bytes_out=0
2026-04-22T09:14:18+02:00  user=jkowalski   action=summarize  case=KM/2024/0123   scope=eu-gpu               tokens_out=412  tokens_in=298
2026-04-22T09:14:18+02:00  system          action=transit    peer=eu-gpu-01      tls=1.3  sni=gpu.lexindex.eu
2026-04-22T09:14:21+02:00  system          action=receive    bytes_in=2104      persisted_remote=false
2026-04-22T09:18:44+02:00  user=anowak      action=qa         case=KM/2023/0871   scope=local-only           bytes_out=0
2026-04-22T11:02:09+02:00  admin=mwitkowski  action=role.set   target=anowak       role=komornik-asystent
2026-04-22T17:30:00+02:00  system          action=log.sign   range=09:14..17:30   sig=ed25519:7f3a...b2c0
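
An added example, not part of the product or of this page's original content: a short Python review script that parses lines in the format shown above and flags entries that contradict what the page describes. The three rules (timestamps never move backwards, scope=local-only means bytes_out=0, receive entries carry persisted_remote=false) are assumptions about what a DPO would check, inferred from the field names in the excerpt.

```python
from datetime import datetime

# First four lines are copied from the excerpt above (whitespace normalised).
PAGE_LINES = """\
2026-04-22T09:14:03+02:00  user=jkowalski  action=query  case=KM/2024/0123  scope=local-only  bytes_out=0
2026-04-22T09:14:18+02:00  user=jkowalski  action=summarize  case=KM/2024/0123  scope=eu-gpu  tokens_out=412  tokens_in=298
2026-04-22T09:14:18+02:00  system  action=transit  peer=eu-gpu-01  tls=1.3  sni=gpu.lexindex.eu
2026-04-22T09:14:21+02:00  system  action=receive  bytes_in=2104  persisted_remote=false
"""
# Constructed violations (not from the page) so the checks have something to flag.
BAD_LINES = """\
2026-04-22T09:20:00+02:00  user=testuser  action=qa  case=KM/0000/0000  scope=local-only  bytes_out=512
2026-04-22T09:19:00+02:00  system  action=receive  bytes_in=100  persisted_remote=true
"""

def parse_line(line):
    """Return one entry as a dict; a bare token such as 'system' becomes 'actor'."""
    ts, *tokens = line.split()
    entry = {"ts": datetime.fromisoformat(ts)}
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if sep:
            entry[key] = value
        else:
            entry["actor"] = tok
    return entry

def review(log_text):
    """Return (line_number, finding) pairs for entries that break an assumed rule."""
    findings, prev_ts = [], None
    lines = [l for l in log_text.splitlines() if l.strip()]
    for n, line in enumerate(lines, 1):
        e = parse_line(line)
        # Append-only log: timestamps should never move backwards.
        if prev_ts is not None and e["ts"] < prev_ts:
            findings.append((n, "timestamp earlier than previous entry"))
        prev_ts = e["ts"]
        # scope=local-only should mean nothing left the edge server.
        if e.get("scope") == "local-only" and e.get("bytes_out") != "0":
            findings.append((n, "local-only entry with outbound bytes"))
        # Inference responses should not be persisted remotely.
        if e.get("action") == "receive" and e.get("persisted_remote") != "false":
            findings.append((n, "receive without persisted_remote=false"))
    return findings

if __name__ == "__main__":
    for n, finding in review(PAGE_LINES + BAD_LINES):
        print(f"line {n}: {finding}")
```

The script does not verify the ed25519 signature on the log.sign entry; that needs the office's public key and the exact signed byte range, neither of which appears on this page.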

Storage

On your edge server.

Append-only by service account. Backups are encrypted before leaving the edge environment.

Retention

You set it.

The deployment starts with a conservative retention policy and can be adjusted with your DPO.

Export

CSV · JSON · signed PDF.

For your DPO, your KRK inspection, or your own quarterly review.