Preamble: The LexLogik zero-retention paradigm
LexLogik processes data on behalf of solicitors and other holders of legal professional privilege (LPP) in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the SRA Standards and Regulations. The core of our security architecture is the zero-retention principle: client matter data is at no point persisted on long-term storage media (HDDs/SSDs). All processing - including text extraction (OCR) and AI analysis - runs in isolated, volatile memory (in-memory).
1. Pseudonymisation and encryption (Art. 32(1)(a) UK GDPR)
- Encryption in transit: All data transfers between the firm’s device and the LexLogik servers are protected with TLS 1.3. The server refuses to negotiate older protocol versions, so a downgrade to TLS 1.2 or earlier is not possible.
- Encryption at rest: Although content data is not persistently stored, all server disks holding the operating system and application logic are fully encrypted (LUKS / AES-256).
- Pseudonymisation of filenames: Uploaded filenames (e.g. Witness_Statement_Smith.pdf) are replaced server-side at upload time with temporary, randomly generated identifiers (UUIDs) that carry no relation to the original name. Original filenames never appear in system logs.
2. Confidentiality (Art. 32(1)(b) UK GDPR)
2.1 Physical access control
Measures preventing unauthorised persons from physically accessing the data processing facilities.
- Hosting partner: Servers are operated exclusively in ISO 27001-certified high-security data centres of Hetzner Online GmbH in Germany (Nuremberg / Falkenstein).
- On-site safeguards: Biometric access controls, 24/7 security personnel, video surveillance and restrictive visitor policies.
2.2 System access control (preventing unauthorised system use)
Measures preventing IT systems from being used by unauthorised persons.
- Administrative access: Access to the server infrastructure by LexLogik engineers is exclusively performed through encrypted VPN tunnels and requires mandatory multi-factor authentication (MFA).
- No direct SSH access: Worker nodes performing document processing have no live SSH access for staff.
2.3 Data access control (preventing unauthorised reading of data)
Measures ensuring that only authorised persons can access the data covered by their access rights.
- In-memory processing (/dev/shm): Processing runs exclusively in volatile RAM on a tmpfs mount (/dev/shm). Because tmpfs pages can be paged out to swap, swap is permanently disabled on the servers (swapoff, with no swap entries configured) so that RAM contents cannot be written to disk.
- Automated purge process (hard-kill): After the user has completed the download, or at the latest after the temporary session expires (max. 15 minutes), the isolated container instance - including all data in memory - is destroyed irrevocably.
- Zero-logging policy for content data: Web server error logs and access logs contain no payloads, document content, extracted text or original filenames.
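The invariants listed in 2.3 (no swap, a RAM-backed working directory) are easy to state and easy to lose on a host change. The following check is an added example, not LexLogik's own tooling: it evaluates the same procfs files an engineer would inspect by hand (/proc/swaps, /proc/mounts, /proc/sys/kernel/core_pattern). The working directory /dev/shm, the required mount options and the core-dump rule are assumptions, and the procfs snapshots are constructed, not captured from a real host. The core-dump check goes slightly beyond the page: a crash of the worker process with a file-based core_pattern would write its memory to disk, which a zero-retention deployment also has to rule out.

```python
"""Host-side check of the in-memory processing invariants from section 2.3.

Added example, not LexLogik's own tooling. Paths, required mount options
and the core-dump rule are assumptions; the procfs snapshots are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

WORKDIR = "/dev/shm"                           # assumed tmpfs working directory
REQUIRED_OPTS = {"noexec", "nosuid", "nodev"}  # assumed hardening for that mount


@dataclass
class Finding:
    ok: bool
    message: str


def active_swaps(proc_swaps: str) -> List[str]:
    """Active swap devices listed in /proc/swaps (the first line is the header)."""
    lines = [ln for ln in proc_swaps.splitlines() if ln.strip()]
    return [ln.split()[0] for ln in lines[1:]]


def mounts_by_path(proc_mounts: str) -> Dict[str, Tuple[str, Set[str]]]:
    """Map mount point -> (fstype, options) from /proc/mounts."""
    table = {}
    for ln in proc_mounts.splitlines():
        parts = ln.split()
        if len(parts) >= 4:
            _device, mountpoint, fstype, opts = parts[:4]
            table[mountpoint] = (fstype, set(opts.split(",")))
    return table


def check_host(proc_swaps: str, proc_mounts: str, core_pattern: str) -> List[Finding]:
    """Evaluate the zero-retention invariants on procfs snapshots."""
    findings = []

    # 1. No swap: tmpfs pages are swappable, so any active swap device can
    #    carry document contents to disk.
    swaps = active_swaps(proc_swaps)
    findings.append(Finding(not swaps, "no active swap" if not swaps
                            else "active swap: " + ", ".join(swaps)))

    # 2. The working directory is a RAM-backed tmpfs with hardening options.
    entry = mounts_by_path(proc_mounts).get(WORKDIR)
    if entry is None:
        findings.append(Finding(False, f"{WORKDIR} is not a separate mount"))
    else:
        fstype, opts = entry
        findings.append(Finding(fstype == "tmpfs", f"{WORKDIR} is {fstype}"))
        missing = REQUIRED_OPTS - opts
        findings.append(Finding(not missing, f"{WORKDIR} missing options: "
                                + (", ".join(sorted(missing)) or "none")))

    # 3. Core dumps: a plain path pattern writes process memory to disk, and
    #    systemd-coredump persists dumps as well. Assumed rule: only a pipe
    #    to /bin/false (which discards the dump) counts as compliant.
    pattern = core_pattern.strip()
    findings.append(Finding(pattern.startswith("|/bin/false"),
                            f"kernel.core_pattern = {pattern!r}"))
    return findings


def host_is_compliant(proc_swaps: str, proc_mounts: str, core_pattern: str) -> bool:
    return all(f.ok for f in check_host(proc_swaps, proc_mounts, core_pattern))


# Constructed procfs snapshots (not captured from a LexLogik host).
SWAPS_HEADER = "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n"
SWAPS_OK = SWAPS_HEADER
SWAPS_BAD = SWAPS_HEADER + "/dev/sda3                               partition\t8388604\t\t0\t\t-2\n"
MOUNTS_OK = ("/dev/sda2 / ext4 rw,relatime 0 0\n"
             "tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,size=4194304k 0 0\n")
MOUNTS_BAD = "/dev/sda2 / ext4 rw,relatime 0 0\n"   # /dev/shm is not a tmpfs mount


if __name__ == "__main__":
    # On a live Linux host, read the real files instead of the snapshots.
    with open("/proc/swaps") as s, open("/proc/mounts") as m, \
            open("/proc/sys/kernel/core_pattern") as c:
        for f in check_host(s.read(), m.read(), c.read()):
            print("OK  " if f.ok else "FAIL", f.message)
```

Run as a script on a worker node it prints one line per invariant; the functions take the file contents as strings so the same logic can be fed snapshots collected from many hosts.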
2.4 Separation of purposes
Measures ensuring that data collected for different purposes is processed separately.
- Ephemeral container architecture: Every processing job runs in a freshly instantiated container that is isolated from every other job at the process and memory level and is discarded when the job ends. Data spillover between sessions of different firms is therefore excluded by design.
3. Integrity (Art. 32(1)(b) UK GDPR)
3.1 Disclosure control
Measures ensuring that personal data cannot be read, copied or altered by unauthorised parties during transmission.
- No-US-cloud policy: LexLogik operates all OCR engines and AI models locally on its own servers in Germany. At no point is data or any API call transferred to non-European third parties such as OpenAI, Google Cloud, AWS or Azure.
- UK adequacy: Data processing in Germany is covered by the UK Government’s adequacy regulations under section 17A DPA 2018 (EEA adequacy), so no additional transfer tool (UK Addendum / IDTA) is required for this processing.
- Burn-after-reading downloads: Finished documents are provided through cryptographically secured one-time links that expire immediately after the first successful download.
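The two lifetime rules above, the 15-minute session purge in 2.3 and the one-time download link in 3.1, fit naturally into one token service. The following is an added example and not LexLogik's code: the token format (random id, expiry, HMAC-SHA256 tag), the signing key, the in-memory registry and the fake clock are all assumptions made for illustration. The registry entry is removed on the first valid redemption, so a replayed link is refused even while the first transfer is still in flight; a forged or altered token never reaches the registry because the tag is verified first.

```python
"""Burn-after-reading download links with a bounded session lifetime, the
mechanism described in 2.3 (15-minute session purge) and 3.1 (one-time
links). Added example, not LexLogik's code: the token format, the HMAC
key, the in-memory registry and the 15-minute TTL are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

SESSION_TTL = 15 * 60  # seconds; the maximum session lifetime from section 2.3


class OneTimeLinks:
    """Issues HMAC-signed download tokens that are valid once and then expire."""

    def __init__(self, key: bytes, clock: Callable[[], float] = time.time):
        self._key = key
        self._clock = clock
        # token_id -> (job_id, expires_at). The entry is removed on the first
        # valid redemption or by the purge, so the registry enforces single use.
        self._pending: Dict[str, Tuple[str, float]] = {}

    def _mac(self, payload: bytes) -> str:
        digest = hmac.new(self._key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(digest).decode().rstrip("=")

    def issue(self, job_id: str) -> str:
        token_id = secrets.token_urlsafe(16)        # 128 bits; alphabet has no '.'
        expires_at = int(self._clock()) + SESSION_TTL
        payload = f"{token_id}.{expires_at}"
        self._pending[token_id] = (job_id, float(expires_at))
        return f"{payload}.{self._mac(payload.encode())}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the job id on the first valid use; None for anything else."""
        parts = token.split(".")
        if len(parts) != 3 or not token.isascii():
            return None
        token_id, exp_str, given_mac = parts
        # Verify the tag before touching the registry, so a forged token
        # cannot consume a genuine pending link with the same id.
        expected = self._mac(f"{token_id}.{exp_str}".encode())
        if not hmac.compare_digest(expected, given_mac):
            return None
        entry = self._pending.pop(token_id, None)   # consumed on first use
        if entry is None:
            return None                             # replayed or already purged
        job_id, expires_at = entry
        if self._clock() > expires_at:
            return None                             # authentic but stale
        return job_id

    def purge_expired(self) -> int:
        """Drop links past their TTL; this is the hard-kill of the session."""
        now = self._clock()
        stale = [tid for tid, (_, exp) in self._pending.items() if now > exp]
        for tid in stale:
            del self._pending[tid]
        return len(stale)

    def pending_count(self) -> int:
        return len(self._pending)
```

In a real deployment the purge runs from the same timer that destroys the container, and the key lives only in the process that issues and redeems links; if the link must survive a restart of that process the registry has to move to shared memory, which is the trade-off the zero-retention model deliberately avoids.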
3.2 Input control
Measures ensuring it is possible to verify after the fact who entered or modified data in the systems.
- Logging of administrative access by LexLogik staff to the system (who performed which system maintenance and when). Metadata such as timestamps, firm ID and data volume is recorded; no content data is logged.
4. Availability and resilience (Art. 32(1)(b) and (c) UK GDPR)
4.1 Availability control
Measures ensuring that data is protected against accidental destruction or loss.
- Note: Because LexLogik retains no client matter data, the availability obligation relates to the service itself and not to the archiving of client matter data.
- Redundant server infrastructure and load balancing to avoid downtime.
- DDoS protection shielding at the network layer.
- Uninterruptible power supply (UPS) and redundant internet connectivity in the data centre.
5. Procedures for regular review (Art. 32(1)(d) UK GDPR)
- Regular review of server configurations and timely renewal of TLS certificates.
- Continuous monitoring of the infrastructure for anomalies and attempted attacks.
- All LexLogik staff with system access are contractually bound to data secrecy and to the additional confidentiality duties that apply to information which is, or is likely to be, subject to legal professional privilege (LPP) under the laws of England and Wales. This is consistent with the SRA Code of Conduct (paragraph 6.3) and with the offence of unlawfully obtaining or disclosing personal data under section 170 DPA 2018.