Trust
Subprocessors
LexaAI uses the following vendors to deliver the service. Each is bound by a
written agreement and limited to processing customer data solely to provide
functionality on our behalf. We review this list regularly and notify customers
of material changes.
Last updated: April 2026
- Purpose
- LLM inference for email extraction, classification, and assistant features
- Data categories
- Email content, extracted billing entries, user prompts during processing
- Endpoint
- api.anthropic.com
- Retention
- No training or retention on API traffic per Commercial Terms
- DPA / Terms
- anthropic.com/legal/commercial-terms
- Purpose
- LLM routing and fallback inference
- Data categories
- Prompt content routed to selected upstream models
- Retention
- Up to 30-day request logging by default
- DPA / Terms
- openrouter.ai/privacy
Resend
European Union · Ireland (eu-west-1)
- Purpose
- Transactional email delivery (sign-in, invites, password reset, notifications)
- Data categories
- Recipient email address, message subject and body
- Retention
- Per Resend Terms of Service
- DPA / Terms
- resend.com/legal/privacy-policy
Supabase
European Union · eu-west-1
- Purpose
- Managed Postgres (upon migration from SQLite) — authoritative store for tenant data
- Data categories
- Firm records, user accounts, billing entries, client/matter data
- Retention
- Lifetime of the customer agreement, plus standard deletion windows
- DPA / Terms
- supabase.com/privacy
Cloudflare
Global edge · EU customer config
- Purpose
- CDN, DNS, TLS termination, DDoS protection
- Data categories
- Request metadata, IP addresses, TLS-terminated traffic
- Retention
- Per Cloudflare log retention policies
- DPA / Terms
- cloudflare.com/privacypolicy
Changes to this list
We notify customers in advance of onboarding a new subprocessor that will
process customer data. If you have questions or want to receive updates, email
privacy@lexaai.tech.