Legal & Compliance
This page is a high-level overview of licensing and compliance topics. It is not legal advice.
Software License
Lexega is proprietary software. Commercial terms (including any warranties, SLAs, and liability limits) are provided in the agreement/order form you sign.
Lexega provides risk signals as decision-support; final execution authority rests with the user.
Dependency Licenses
Lexega uses open-source dependencies. Many are permissively licensed (for example, MIT/Apache/BSD/ISC).
Exact dependency licenses and versions change over time. If you need a formal inventory for review, see the SBOM included with each release.
SBOM (Software Bill of Materials)
An SBOM in CycloneDX format (sbom.cdx.json) is included with every release and available for download from the GitHub releases page. The SBOM includes:
- All direct and transitive dependencies
- License for each dependency
- Version information
Export Compliance
Cryptography
Lexega uses cryptography for license validation:
| Algorithm | Use |
|---|---|
| Ed25519 | Digital signatures |
| SHA-256 | Hashing |
This cryptography is used only for license validation and audit trail integrity—not for data encryption.
Export Controls
Export laws may apply depending on where you use or distribute the software. Consult legal counsel if you have export-control requirements.
Customer Responsibility
You are responsible for compliance with export laws in your jurisdiction. If you are unsure whether your use is compliant, consult legal counsel.
Data Processing
Data Processing Overview
Lexega's core CLI analyzes SQL text locally and does not query your table data or run your business queries. The CLI does not send your SQL or analysis results to Lexega-controlled services (no telemetry). The optional online playground at lexega.com processes SQL server-side on Cloudflare Workers — see below.
| Data Type | Core CLI | Online Playground | Catalog Integration (Optional) |
|---|---|---|---|
| SQL syntax | ✅ Analyzed locally | ✅ Analyzed server-side (not retained) | ✅ Analyzed locally |
| Customer table data / business-query results | ❌ Never accessed | ❌ Never accessed | ❌ Never accessed |
| Schema metadata | ❌ Not accessed | ❌ Not accessed | ✅ Read from connected platform |
| User/role identifiers (grant graph) | ❌ Not accessed | ❌ Not accessed | ✅ Optional (--include-grants) |
| PR/MR comment posting | ❌ Not used by default | ❌ Not applicable | ✅ Optional (--pr-comment) |
| Platform connection | ❌ None | ❌ None | ✅ Read-only metadata queries |
| Telemetry | ❌ None | ❌ None | ❌ None |
Online Playground: SQL submitted through the playground at lexega.com is transmitted to Cloudflare Workers for processing. The SQL is analyzed in memory and the result is returned to your browser. The SQL is not stored, logged, or retained beyond the duration of the request. Cloudflare may process standard request metadata (IP address, timestamps) in accordance with their privacy policy.
Catalog Integration: The optional lexega-sql catalog command connects to a supported platform using your credentials to fetch schema metadata. This metadata is written as a JSON snapshot to an output destination you configure (for example, stdout, a local file, CI artifacts, or cloud storage managed by your environment).
Supported platforms and the metadata they expose:
| Platform | Metadata Surfaces | Grants | Policies |
|---|---|---|---|
| Snowflake | INFORMATION_SCHEMA, SNOWFLAKE.ACCOUNT_USAGE, SHOW commands | ✅ Optional (--include-grants) | ✅ Masking, row access, tags |
| Databricks | Unity Catalog | ✅ Optional (--include-grants) | ⚠️ Collected (row filters, column masks) — analysis limited |
When --include-grants is enabled, the catalog snapshot includes user and role identifiers from the connected platform:
- Snowflake: role hierarchy, object privileges, and user-to-role assignments
- Databricks: Unity Catalog permissions and SCIM user/group memberships
These identifiers may constitute personal data. See the GDPR section below and the Security & Privacy documentation for details.
PR Comments: If you enable --pr-comment, Lexega posts the rendered markdown report to your code hosting provider (for example, GitHub/GitLab/Bitbucket) using CI-provided credentials. This transmits the report content to that third-party service.
GDPR Implications
Core CLI: Lexega typically acts as a tooling component running within your environment. It does not query your table data or run your business queries, and it does not transmit data to Lexega-controlled services.
- No table-data access: Operates on SQL text, not the data contained in your tables
- No telemetry: No upload of SQL or analysis results to Lexega
- Stateless by default: Outputs are written only where you direct them
Online Playground: SQL submitted through the playground is processed transiently on Cloudflare's infrastructure. If your SQL text contains personal identifiers (e.g., column names, literal values), this constitutes personal data processing. The legal basis is legitimate interest (product demonstration). No data is retained.
Catalog Integration: If you use catalog integration, Lexega reads metadata from your connected platform (Snowflake or Databricks). Depending on the options you enable, this metadata can include identifiers such as usernames and role assignments (for example, via --include-grants). Treat this as personal data if those identifiers can be linked to an individual.
If you enable --pr-comment, the posted report content is transmitted to your code hosting provider and stored according to that provider's retention and access controls.
- If your schema or policy metadata contains personal identifiers (including usernames), consult your DPO
- Catalog snapshots are written to an output destination you configure
- No catalog data is transmitted to Lexega
Recommendation: Whether a DPA is required depends on how you configure Lexega and your internal policies. If you enable options that collect user identifiers (for example, --include-grants) or transmit reports to third parties (for example, --pr-comment), consult your legal team/DPO.
CCPA Implications
When you request a trial license, Lexega collects your email address and temporarily processes your IP address for abuse prevention. This constitutes "personal information" under the California Consumer Privacy Act (CCPA).
Lexega does not:
- Sell or share personal information with third parties
- Use personal information for targeted advertising or profiling
- Collect personal information beyond what is listed in the Privacy Policy
Your rights under CCPA: California residents may request access to, deletion of, or information about the personal data we hold. To exercise these rights, email support@lexega.com. We do not discriminate against users who exercise their privacy rights.
Intellectual Property
Lexega IP
Lexega retains all intellectual property rights in:
- The software and documentation
- Analysis algorithms and rule logic
- Trademarks (Lexega, the Lexega logo)
Your IP
You retain all rights to:
- Your SQL code and queries
- Your policy configurations
- Your custom rules
- Decision records and analysis outputs
Feedback
If you provide feedback or suggestions, you grant Lexega a perpetual, irrevocable license to use that feedback to improve the product.
Contact
| Purpose | Contact |
|---|---|
| Security issues | security@lexega.com |
| General inquiries | support@lexega.com |
Last updated: February 25, 2026