Security & Privacy
Lexega is an offline-by-default CLI you run in your own environment. This page documents data flow boundaries and what changes when you enable optional integrations.
Defaults (Offline)
- No telemetry to Lexega-controlled services.
- Core formatting/risk analysis runs locally on SQL text.
- Output is written only to destinations you configure (stdout/files/CI artifacts/object storage).
| Data Type | Core CLI behavior |
|---|---|
| SQL text | Read and analyzed locally |
| Customer table data / business-query results | Not accessed |
| Telemetry/analytics | Not sent |
| License validation | Offline (cryptographic verification) |
Optional Integrations (Outbound)
Lexega can be configured to talk to external systems. When you enable these options, data may leave the machine/network where the CLI runs.
| Integration | What it connects to | What data may be transmitted |
|---|---|---|
Catalog integration (lexega-sql catalog) | Snowflake | Schema/governance metadata; optionally user/role identifiers via --include-grants |
PR comments (--pr-comment) | Your code host (GitHub/GitLab/Bitbucket) | The rendered markdown report posted as a PR/MR comment |
Optional: Catalog Integration
The lexega-sql catalog command connects to Snowflake using your credentials to fetch metadata.
Metadata Surfaces
Catalog reads metadata from Snowflake surfaces such as INFORMATION_SCHEMA and SNOWFLAKE.ACCOUNT_USAGE, plus some SHOW commands.
If you enable --include-grants, metadata can include usernames/user-role assignments.
What It Does NOT Access
- ❌ Your actual table data — never runs SELECT on your tables
- ❌ Business-query results — catalog queries are limited to metadata surfaces
- ❌ User credentials — uses your existing Snowflake authentication
Security Notes
- Catalog integration is opt-in — if you don't use it, the CLI never connects to Snowflake
- All queries are read-only metadata — no write operations
- ACCOUNT_USAGE queries may fail without appropriate privileges — the catalog tool handles this gracefully
- The catalog tool does not transmit data to Lexega or third-party telemetry endpoints; output is written to the destination you configure (stdout, local files, or cloud storage)
Data Handling
Input Processing
- SQL file read into memory
- Analyzed in-process
- Results written to stdout or a destination you configure
- Memory released—no persistent state
No Data Retention
- Stateless operation: Each CLI invocation is independent
- No caching: Queries are not cached between runs
- No logging: No query logs written to disk (unless you configure output)
- No temporary files: Analysis performed entirely in memory
Compliance Considerations
GDPR
- Typically no personal data: Core analysis operates on SQL text, not the data returned by queries
- No data transfer to Lexega: No telemetry or upload to Lexega-controlled services
- DPA depends on configuration: If you enable options that collect user identifiers (for example, grant graph) or transmit reports to third parties (for example, PR comments), consult your legal team/DPO
HIPAA
- No PHI exposure: Lexega does not access table data or the results of your business queries
- BAA depends on your program: Whether you need a BAA is a decision for your compliance/legal team based on how you deploy and what metadata you collect/store
Auditability
- Audit trail: Decision records provide immutable evidence of policy enforcement
- Deterministic: Same input always produces same output (reproducible)
- No Lexega telemetry by default: Optional integrations (Snowflake catalog / PR comments) may transmit data to systems you configure
PCI-DSS
- No cardholder data: Lexega operates on SQL text, not data
- Scope depends on deployment: PCI scope is determined by where you run Lexega and where you store outputs
- Access controls: Runs under your CI/CD identity and permissions
Vulnerability Disclosure
If you discover a security vulnerability in Lexega:
- Email: security@lexega.com
- Include: Detailed description, reproduction steps, impact assessment
- Response: We'll do our best to acknowledge quickly
- Disclosure: Coordinated disclosure after fix is available
Security Questionnaire
Some organizations require security questionnaires. Key answers:
| Question | Answer |
|---|---|
| Does the product transmit data externally? | No telemetry to Lexega. Optional: catalog pulls connect to Snowflake; --pr-comment posts reports to your code host. |
| Does the product store customer data? | Only outputs you direct (reports/decisions/catalog snapshots); no internal persistence. |
| What encryption is used for data at rest? | N/A (no data storage) |
| What encryption is used for data in transit? | N/A for core CLI. Optional integrations (Snowflake / PR comments) use TLS via the underlying service/clients. |
| Is there a SOC 2 Type II report? | No (not currently pursued) |
| Is source code escrowed? | Not currently offered |
| What is the vulnerability response SLA? | No formal SLA (best-effort response) |
Questions? Contact security@lexega.com
Need Help?
Can't find what you're looking for? Check out our GitHub or reach out to support.