MaxLex was built from day one with attorney-client privilege in mind. Every AI interaction is protected by automatic PII sanitization, explicit consent flows, and encryption at every layer.
All data is encrypted both at rest and in transit. We use the same encryption standards trusted by banks, hospitals, and government agencies.
AES-256-GCM Field-Level Encryption
Sensitive fields — SSNs, bank accounts, signatures, client messages, and contact details — are individually encrypted with AES-256-GCM before they ever reach the database. Each value gets a unique initialization vector, so even identical inputs produce different ciphertext. If the database were ever breached, attackers would see only encrypted gibberish.
TLS 1.3 in Transit
Every connection between your browser and MaxLex uses TLS 1.3, the latest transport layer security protocol, so data in transit cannot be read or altered by anyone who intercepts the connection.
Secure JWT Authentication
Session tokens are signed with HMAC-SHA256 and expire automatically, preventing session hijacking and unauthorized access.
Before any text reaches an AI model — whether through Chat or Voice — MaxLex automatically detects and redacts personally identifiable information. The AI never sees raw client data.
Your client data never reaches AI. Here’s exactly what happens behind the scenes.
Your document:
John Smith signed the lease at 123 Oak St...
Becomes:
[PERSON_1] signed the lease at [LOCATION_1]...
Names, addresses, SSNs, emails, phone numbers, and account numbers are replaced with safe placeholders.
Max sees only:
[PERSON_1] signed the lease at [LOCATION_1]. Review for compliance issues...
AI response:
"[PERSON_1]'s lease at [LOCATION_1] contains a non-standard clause..."
The AI model never sees real client data. It works entirely with anonymized content — zero exposure risk.
You see the real result:
"John Smith's lease at 123 Oak St contains a non-standard clause..."
0 PII exposed to AI
Placeholders are swapped back to real names. You get actionable results — the AI got nothing identifiable.
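The swap-out/swap-back flow above, as an added example that is not MaxLex's code: the regular-expression detectors, the placeholder format and the `askModel` helper are assumptions made here for illustration, and the same entity is always mapped to the same placeholder so the model can still follow who is who.

```javascript
// Added example (not MaxLex's code): the placeholder round-trip described
// above. Detection uses toy regular expressions for three entity types; a
// real PII Shield would use an NER model plus validators, but the
// swap-out/swap-back mechanics are the same.
const DETECTORS = [
  { type: 'SSN',      re: /\b\d{3}-\d{2}-\d{4}\b/g },
  // Street addresses run before names so "Oak St" is never taken for a person.
  { type: 'LOCATION', re: /\b\d{1,5} [A-Z][a-z]+ (?:St|Ave|Rd|Street|Avenue|Road)\b/g },
  { type: 'PERSON',   re: /\b[A-Z][a-z]+ [A-Z][a-z]+\b/g },
];

// Replace every detected entity with a numbered placeholder. The same value
// always gets the same placeholder, so "[PERSON_1]" in sentence one is
// recognisably the same party as "[PERSON_1]" in sentence three.
function sanitize(text) {
  const map = new Map();   // placeholder -> real value, kept client-side only
  const seen = new Map();  // real value -> placeholder
  const counters = {};
  let out = text;
  for (const { type, re } of DETECTORS) {
    out = out.replace(re, (match) => {
      if (!seen.has(match)) {
        counters[type] = (counters[type] || 0) + 1;
        const tag = `[${type}_${counters[type]}]`;
        seen.set(match, tag);
        map.set(tag, match);
      }
      return seen.get(match);
    });
  }
  return { sanitized: out, map };
}

// Guard run on the outbound prompt: refuse to send if anything still matches.
function containsPii(text) {
  return DETECTORS.some(({ re }) => text.search(re) !== -1);
}

// Swap placeholders back into the model's reply. A tag the model invented
// (one not in the map) is left visible rather than guessed at.
function restore(reply, map) {
  return reply.replace(/\[[A-Z]+_\d+\]/g, (tag) => map.get(tag) ?? tag);
}

// Full round-trip: `model` is whatever sends the sanitized prompt to the LLM.
function askModel(text, model) {
  const { sanitized, map } = sanitize(text);
  if (containsPii(sanitized)) throw new Error('PII still present; refusing to send');
  return { sanitized, reply: restore(model(sanitized), map) };
}
```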
Watch PII Shield© protect client data in real time
Dear Sarah Johnson, Re: Case #2024-CV-1847 Please contact me at (212) 555-0147 or [email protected] regarding the deposition scheduled for your client (SSN: 287-65-4321) at 450 Park Avenue, New York.
No AI feature activates without your explicit, informed consent. Before your first interaction with Max — whether chat or voice — you must review and accept our AI disclosure.
Versioned Consent
Each consent acceptance is recorded with a version number and timestamp. If our AI practices change, you'll be prompted to review and re-consent.
Granular Privacy Controls
Toggle PII sanitization, enable High Privacy Mode, and set custom data retention periods from your AI Privacy Settings dashboard.
Revocable at Any Time
You can revoke AI consent and disable all AI features at any time from your settings. Your data remains yours.
First AI Feature Access
Consent modal appears automatically
Review Disclosure
Read what data is processed and how
Accept Terms
Explicit checkbox + confirmation required
Consent Recorded
Version, timestamp, and user ID stored
AI Features Unlocked
Chat and Voice mode become available
Learn why we built PII Shield, the engineering decisions behind it, and how it protects attorney-client privilege in every AI interaction.
Download our comprehensive security whitepaper covering field-level encryption, PII Shield, compliance alignment, and data isolation architecture. Share it with your bar association or malpractice insurer.
MaxLex is designed to meet the security and ethical obligations of legal professionals.
MaxLex implements "reasonable efforts" to prevent unauthorized disclosure of client information, as required by Rule 1.6(c). PII is automatically stripped before any data leaves your environment, and all AI interactions are gated behind explicit consent.
While MaxLex is not a covered entity, our architecture follows HIPAA security principles: encryption at rest and in transit, access controls, audit logging, and minimum necessary data exposure for AI processing.
MaxLex is on the roadmap for SOC 2 Type II certification, covering security, availability, processing integrity, confidentiality, and privacy trust service criteria.
Data retention controls, right-to-deletion capabilities, and transparent data processing disclosures are built into the platform for compliance with privacy regulations.
Every MaxLex account operates in complete data isolation. Your cases, documents, contacts, and AI conversations are never accessible to other users — not even other attorneys on the same plan.
Per-User Data Isolation
Every database query is scoped to your user ID. There is no shared data pool between accounts.
Role-Based Access Control
Admin and user roles are enforced at the procedure level, and protected endpoints verify identity before every operation.
Automatic Session Timeout
Sessions expire automatically to prevent unauthorized access from unattended devices.
MaxLex uses the following third-party services. Here's exactly what data each receives:
Google Gemini API
Data sent: Sanitized prompts only (PII stripped)
Purpose: AI reasoning for Chat & Voice
Manus Forge LLM
Data sent: Sanitized prompts only (PII stripped)
Purpose: Fallback AI processing
Stripe
Data sent: Email, name, payment info
Purpose: Subscription billing
S3 Storage
Data sent: Encrypted file bytes
Purpose: Document storage
Join attorneys who trust MaxLex to protect their clients' data while supercharging their practice.