How Prilex protects your data — architecturally, operationally, and contractually.
Last updated: May 2026
Prilex is built on the principle that legal data should never touch shared infrastructure. Every architectural decision flows from that commitment. We do not offer a contractual promise that your data won't be retained; we offer hardware and infrastructure where retention is structurally impossible.
This page documents the security, privacy, and compliance measures we maintain, the standards we inherit from our infrastructure and inference providers, and the contractual protections available to our customers.
Prilex inherits security certifications from our infrastructure and inference providers. We are pursuing independent certification and will update this page as audits complete.
Understanding where your data lives is the foundation of trust. Here is the complete path. Every byte, every hop, every storage point.
Source documents, OCR output, and embeddings are stored locally on the lawyer's device. Nothing leaves your machine until you submit a query. The desktop app is the first and last line of defense.
When you query, relevant text reaches a dedicated, single-tenant orchestrator running on a Hetzner cloud instance. You choose the jurisdiction: Frankfurt, Helsinki, or other available regions. Your orchestrator is never shared with other firms. It routes queries, enforces ZDR policy, and logs every external call.
Queries are routed to ZDR inference providers. We use a two-tier architecture: stateless LPU processors for real-time work (no KV cache, no disk, no memory between requests) and enterprise ZDR endpoints with contractual zero data retention for heavy reasoning. Both providers hold SOC 2 Type II certification. Both have signed Data Processing Agreements with Prilex.
Each customer receives unique, per-VPC API tokens generated at provisioning time. Tokens are SHA-256 hashed in storage and revocable. Authentication is enforced on every request to the orchestrator. The desktop app authenticates with username/password against the VPC.
All traffic between the desktop app and your VPC is encrypted via TLS 1.3. Traffic between the VPC and inference providers is also TLS-encrypted. Documents at rest on the lawyer's machine remain under the firm's existing device encryption policies.
Your VPC is provisioned with a firewall restricting inbound traffic to necessary ports only (SSH, HTTPS). Hetzner provides physical security for all data centers: 24/7 on-site personnel, biometric access controls, video surveillance, and redundant power and cooling.
We monitor dependencies for known vulnerabilities and apply patches promptly. Security researchers may report vulnerabilities to privacy@prilex.ai. We follow coordinated disclosure practices.
Every external inference call is logged in an immutable audit trail stored on your VPC. Each log entry includes:
The audit trail is exportable as a signed PDF, suitable for regulatory submission, court filing, or CISO review. No external party has access to your audit logs. They live on your VPC, under your control.
The following third-party services process data as part of delivering Prilex. Each has a signed Data Processing Agreement with Prilex and is selected for its ZDR or data-residency properties.
| Provider | Purpose | Data processed | Location | Certifications |
|---|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure (VPC hosting) | Orchestrator runtime, audit logs | Germany, Finland | ISO 27001, BSI C5 Type 2, TÜV-audited TOMs |
| LPU Inference Provider | Real-time inference (hot path) | Query text, context chunks (ephemeral) | United States, Europe | SOC 2 Type II, DPA signed |
| Enterprise ZDR Inference Provider | Heavy reasoning (deep path) | Query text, context chunks (ephemeral) | United States, Europe | SOC 2 Type II, HIPAA, DPA signed |
We do not name inference providers publicly to maintain flexibility in our supply chain. Full subprocessor details, including named providers and DPA copies, are available to customers under NDA. Contact privacy@prilex.ai.
Prilex offers a standard DPA to all customers governing the processing of personal data on your behalf. For healthcare and life sciences customers, a BAA is available; our inference providers support HIPAA-compliant processing and we inherit those controls through our agreements with them.
Both the DPA and BAA cover:
To request a DPA or BAA, contact privacy@prilex.ai.
In the event of a security incident affecting your Prilex deployment:
Report security concerns to privacy@prilex.ai. We follow coordinated vulnerability disclosure and will acknowledge reports within 72 hours.
Security, privacy & compliance
DPA/BAA requests, vulnerability reports, compliance documentation, subprocessor details, and all other trust & security inquiries.