Legal & Compliance
This page is a high-level overview of licensing and compliance topics. It is not legal advice.
Software License
Lexega is proprietary software. Commercial terms (including any warranties, SLAs, and liability limits) are provided in the agreement/order form you sign.
Lexega provides risk signals as decision-support; final execution authority rests with the user.
Dependency Licenses
Lexega uses open-source dependencies. Many are permissively licensed (for example, MIT/Apache/BSD/ISC).
Exact dependency licenses and versions change over time. If you need a formal inventory for review, see the SBOM included with each release.
SBOM (Software Bill of Materials)
An SBOM in CycloneDX format (sbom.cdx.json) is included with every release and available for download from the GitHub releases page. The SBOM includes:
- All direct and transitive dependencies
- License for each dependency
- Version information
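As an added example (not Lexega's own code or tooling), the script below reads a CycloneDX JSON SBOM of the shape described above and turns it into a license inventory for review, flagging any component whose declared license is not on a permissive allow-list. The SBOM content, the component names and the allow-list are constructed for illustration; the real inventory comes from the sbom.cdx.json shipped with each release.

```python
"""Added example (not Lexega's own code): read a CycloneDX JSON SBOM such as
the sbom.cdx.json shipped with a release and produce a license inventory,
flagging any component whose license is not on a reviewer-chosen allow-list."""
import json

# Reviewer-chosen allow-list of permissive SPDX identifiers (an assumption for
# this example; adjust it to your organisation's policy).
PERMISSIVE_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Constructed sample SBOM in CycloneDX 1.5 JSON shape; component names,
# versions and licenses are made up for illustration only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-parser", "version": "2.1.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-http", "version": "0.9.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-graph", "version": "1.4.2",
         "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
        {"type": "library", "name": "example-db", "version": "3.0.0",
         "licenses": [{"license": {"name": "Custom Commercial"}}]},
        {"type": "library", "name": "example-unknown", "version": "0.1.0"},
    ],
})


def component_licenses(component):
    """Return the license identifiers/expressions declared on one component.
    CycloneDX allows either {"license": {"id"|"name": ...}} or {"expression": ...}."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    # A component with no licenses array at all is recorded explicitly so it
    # cannot silently pass review.
    return found or ["UNDECLARED"]


def license_inventory(sbom_text):
    """Parse SBOM JSON text into a list of (name, version, [licenses]) tuples."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c["name"], c.get("version", ""), component_licenses(c))
            for c in sbom.get("components", [])]


def needs_review(sbom_text, allowed=PERMISSIVE_LICENSES):
    """Return names of components whose declared licenses are not all on the
    allow-list. SPDX expressions (OR/AND), free-text names and undeclared
    licenses are always flagged so a human decides, rather than the script
    guessing which branch of an expression applies."""
    flagged = []
    for name, _version, licenses in license_inventory(sbom_text):
        if not all(lic in allowed for lic in licenses):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name, version, licenses in license_inventory(SAMPLE_SBOM):
        print(f"{name} {version}: {', '.join(licenses)}")
    print("needs review:", needs_review(SAMPLE_SBOM))
```

Run it against a real SBOM by passing the file's text to `license_inventory` and `needs_review`; the conservative choice of flagging every expression and free-text license name keeps the reviewer, not the script, in charge of interpreting dual-licensed or custom-licensed components.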
Export Compliance
Cryptography
Lexega uses cryptography for license validation and audit-trail integrity:
| Algorithm | Use |
|---|---|
| ed25519 | Digital signatures |
| SHA-256 | Hashing |
This cryptography is used only for license validation and audit trail integrity—not for data encryption.
Export Controls
Export laws may apply depending on where you use or distribute the software. Consult legal counsel if you have export-control requirements.
Customer Responsibility
You are responsible for compliance with export laws in your jurisdiction. If you are unsure whether your use is compliant, consult legal counsel.
Data Processing
Data Processing Overview
Lexega analyzes SQL text locally and does not query your table data or run your business queries. Lexega does not send your SQL or analysis results to Lexega-controlled services (no telemetry).
| Data Type | Core CLI | Catalog Integration (Optional) |
|---|---|---|
| SQL syntax | ✅ Analyzed locally | ✅ Analyzed locally |
| Customer table data / business-query results | ❌ Never accessed | ❌ Never accessed |
| Schema metadata | ❌ Not accessed | ✅ Read from Snowflake |
| User/role identifiers (grant graph) | ❌ Not accessed | ✅ Optional (--include-grants) |
| PR/MR comment posting | ❌ Not used by default | ✅ Optional (--pr-comment) |
| Snowflake connection | ❌ None | ✅ Read-only queries |
| Telemetry | ❌ None | ❌ None |
Catalog Integration: The optional lexega-sql catalog command connects to Snowflake using your credentials to fetch schema metadata. This metadata is written as a JSON snapshot to an output destination you configure (for example, stdout, a local file, CI artifacts, or cloud storage managed by your environment). The catalog queries:
- INFORMATION_SCHEMA: Table/column names, data types, constraints
- ACCOUNT_USAGE (with flags): Masking policies, row access policies, policy references, tags, and grant graph data (including user-to-role assignments)
See the Security & Privacy documentation for detailed query tables.
PR Comments: If you enable --pr-comment, Lexega posts the rendered markdown report to your code hosting provider (for example, GitHub/GitLab/Bitbucket) using CI-provided credentials. This transmits the report content to that third-party service.
GDPR Implications
Core CLI: Lexega typically acts as a tooling component running within your environment. It does not query your table data or run your business queries, and it does not transmit data to Lexega-controlled services.
- No table-data access: Operates on SQL text, not the data contained in your tables
- No telemetry: No upload of SQL or analysis results to Lexega
- Stateless by default: Outputs are written only where you direct them
Catalog Integration: If you use catalog integration, Lexega reads metadata from Snowflake. Depending on the options you enable, this metadata can include identifiers such as usernames and role assignments (for example, via --include-grants). Treat this as personal data if those identifiers can be linked to an individual.
If you enable --pr-comment, the posted report content is transmitted to your code hosting provider and stored according to that provider's retention and access controls.
- If your schema or policy metadata contains personal identifiers (including usernames), consult your DPO
- Catalog snapshots are written to an output destination you configure
- No catalog data is transmitted to Lexega
Recommendation: Whether a DPA is required depends on how you configure Lexega and your internal policies. If you enable options that collect user identifiers (for example, --include-grants) or transmit reports to third parties (for example, --pr-comment), consult your legal team/DPO.
CCPA Implications
Lexega does not:
- Collect personal information from California residents
- Sell personal information
- Use personal information for targeted advertising
Intellectual Property
Lexega IP
Lexega retains all intellectual property rights in:
- The software and documentation
- Analysis algorithms and rule logic
- Trademarks (Lexega, the Lexega logo)
Your IP
You retain all rights to:
- Your SQL code and queries
- Your policy configurations
- Your custom rules
- Decision records and analysis outputs
Feedback
If you provide feedback or suggestions, you grant Lexega a perpetual, irrevocable license to use that feedback to improve the product.
Contact
| Purpose | Contact |
|---|---|
| Security issues | security@lexega.com |
| General inquiries | support@lexega.com |
Last updated: January 2026