Security & data protection

How is personal data (PII) protected?

Names, national IDs, contact details, and document content are encrypted on your device with a PII password only you control (a sealed-box design). Relex stores the encrypted blob plus non-identifying metadata — never the plaintext. Because the server is zero-knowledge, even Relex cannot read your clients' identities. Decryption happens only in your browser, and the password is never cached server-side.

What does the AI actually see?

Labels and anonymized counts — never real identities. The case agent and any connected agent such as Claude operate on placeholders like [Party 1]. Any API call that would move plaintext PII (reading or writing parties, uploading or reading document content) is refused at the server, which returns a deep link so you complete that step securely in Relex. Parties can still be checked for existence through a blind index without decrypting anything.

Is my firm's know-how shared or used for training?

No. Your know-how is indexed into a private, per-tenant retrieval corpus that is searched during a matter but never copied to a model and never shared with third parties. Documents are redacted before indexing. A partner invited into a case can contribute know-how scoped to that case only, and never receives decryption access to your data.

Compliance and data residency

• GDPR-compliant data processing.
• EU data processing for stored data.
• Zero-knowledge PII — personal data is end-to-end encrypted in the browser; the server holds only ciphertext.
• Least exposure by design — the AI receives only de-identified labels and fragments, never the full identified picture.
• Human oversight — flagged clauses block signature until a professional resolves them.