
API Security: Data Protection and GDPR Compliance

Last updated : February 9, 2026

The security of your data is our top priority. Discover how Lexiik protects your sensitive information with the highest industry security standards, while ensuring full GDPR compliance.

ISO 27001 Certification

Lexiik is ISO 27001 certified (information security) and audited annually by an independent body. Your data is protected according to the strictest international standards.

Lexiik security architecture

Lexiik's security is built on a Defense in Depth approach with multiple independent layers of protection. Even if one layer is compromised, the others ensure the protection of your data.

Encryption in transit (TLS 1.3)

All communications between your store and Lexiik servers are encrypted with TLS 1.3, the most recent and robust security protocol:

  • Perfect Forward Secrecy (PFS): Even if a key is compromised, past communications remain secure
  • Wildcard SSL certificates: *.lexiik.com and cdn.lexiik.com with automatic renewal
  • HSTS enabled: Forces the browser to always use HTTPS (no possible downgrade to HTTP)
  • TLS 1.0/1.1 disabled: Obsolete protocols blocked, only TLS 1.2 and 1.3 are accepted

Good to know

A+ score on SSL Labs (the benchmark SSL security test). You can verify our configuration at any time on ssllabs.com.

Encryption at rest (AES-256)

All data stored on Lexiik servers is encrypted with the AES-256 algorithm (Advanced Encryption Standard, 256-bit key), considered unbreakable by the NSA itself:

  • Database: Full PostgreSQL encryption with Transparent Data Encryption (TDE)
  • Snapshots: Each snapshot is individually encrypted with a unique derived key
  • Images: Original images (before CDN optimization) are encrypted on S3 storage
  • Logs: Audit logs encrypted and cryptographically signed (tamper-proof)

Encryption keys are themselves encrypted with a Master Key stored in an HSM (Hardware Security Module) physically secured in our European datacenters.

Tenant isolation (Secure multi-tenancy)

Lexiik is a multi-tenant platform, meaning multiple clients share the same infrastructure. To guarantee total isolation between accounts:

  • Row-Level Security (RLS): Every SQL query automatically filters data by account_id
  • Isolated namespaces: API keys, webhooks, and asynchronous jobs are isolated by tenant
  • Per-account rate limiting: A malicious client cannot impact other clients' performance
  • Per-resource quotas: CPU, RAM, storage, bandwidth limited by plan (fair-use policy)

Enterprise Plan: Dedicated Infrastructure

Enterprise clients can opt for dedicated infrastructure (isolated servers and database) for complete physical isolation. Contact: [email protected]

API authentication and authorization

API Keys: Generation and rotation

The Lexiik API uses secret API keys to authenticate requests from your store (via the Bridge) or your custom integrations:

  • Format: lxk_live_xxxxxxxxxxxxxxxxxxxxx (prefix for live environment) or lxk_test_xxxxxxxxxxxxxxxxxxxxx (prefix for test environment)
  • Length: 64 characters (256 bits of entropy, i.e., 2^256 ≈ 10^77 possible combinations)
  • Storage: Hashed with bcrypt (cost 12) in the database, never stored in plain text
  • Recommended rotation: Every 90 days for Pro plans and above

Generating an API key:

  1. Go to Settings > API and integrations
  2. Click on Generate a new API key
  3. Name the key (e.g., "Bridge Production" or "Migration script")
  4. Copy the displayed key (it will never be shown again!)
  5. Store it in a secrets manager (1Password, Bitwarden, Vault, etc.)

Warning

Important: NEVER commit an API key to Git, even in a private repository. Use environment variables (.env) and add .env to your .gitignore.

Scopes and granular permissions

Each API key can have limited permissions (principle of least privilege):

  • read:products: Read product listings
  • write:products: Create and modify product listings
  • read:audits: View SEO audit reports
  • write:audits: Run an audit (consumes credits)
  • read:snapshots: Access history (Rollback)
  • write:snapshots: Restore a snapshot (sensitive action)
  • admin:all: Full access (reserved for administrators)

Example: an API key used only to display KPIs on an internal dashboard can be limited to read:products and read:audits.
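The key-handling rules above (prefix and length check, loading from the environment rather than source, least-privilege scopes, 90-day rotation) pulled together in one place, as an added example that is not Lexiik's own code. The character set after the prefix, the `LEXIIK_API_KEY` variable name and the masking format are assumptions; the scope names and limits are the ones listed on this page.

```python
import os
import re
from datetime import datetime, timedelta
from typing import Optional

# Format from the page: lxk_live_ / lxk_test_ prefix, 64 characters in total. The character
# set after the prefix is not stated, so [A-Za-z0-9] is an assumption.
KEY_RE = re.compile(r"^lxk_(live|test)_[A-Za-z0-9]+$")
KEY_LENGTH = 64
ROTATION_DAYS = 90  # recommended rotation interval from the page
SCOPES = {"read:products", "write:products", "read:audits", "write:audits",
          "read:snapshots", "write:snapshots", "admin:all"}

def key_environment(key: str) -> Optional[str]:
    """'live' or 'test' for a well-formed key, None if the shape is wrong."""
    m = KEY_RE.match(key)
    return m.group(1) if m and len(key) == KEY_LENGTH else None

def load_key_from_env(var: str = "LEXIIK_API_KEY") -> str:
    """Read the key from the environment (never from source code) and fail fast if malformed."""
    key = os.environ.get(var, "")
    if key_environment(key) is None:
        raise RuntimeError(f"{var} is missing or is not a well-formed Lexiik API key")
    return key

def mask_key(key: str) -> str:
    """Safe form for logs: keep only the 9-character environment prefix and the last 4 chars."""
    return key[:9] + "..." + key[-4:]

def is_allowed(granted: set[str], required: str) -> bool:
    """Least privilege: admin:all grants everything, otherwise the exact scope must be present."""
    if required not in SCOPES:
        raise ValueError(f"unknown scope {required!r}")
    return "admin:all" in granted or required in granted

def unused_scopes(granted: set[str], used: list[str]) -> set[str]:
    """Scopes a key holds but has never exercised: candidates for removal."""
    return granted - set(used)

def rotation_due(created_at_iso: str, now_iso: str) -> bool:
    """True once a key is older than the recommended 90-day window (ISO 8601 dates)."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(created_at_iso)
    return age > timedelta(days=ROTATION_DAYS)
```

Run `unused_scopes` over a key's access log periodically to spot keys that hold `write:` or `admin:all` scopes they never use.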

Rate limiting and anti-abuse protection

The Lexiik API implements strict rate limiting to prevent abuse and ensure availability:

  • Free Plan: 100 requests / hour
  • Starter Plan: 500 requests / hour
  • Pro Plan: 2,000 requests / hour
  • Expert Plan: 10,000 requests / hour
  • Enterprise Plan: Unlimited (fair-use policy with alert at 50,000 req/h)

If the limit is exceeded, the API returns an HTTP 429 Too Many Requests code with a Retry-After header indicating how many seconds to wait.
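A client-side view of the rate limiting described above, as an added example that is not Lexiik's own code: it honours a 429 with its Retry-After header (clamped, with a safe default when the header is missing or unparsable) and keeps a sliding-window count so a script stays under its plan's hourly limit instead of relying on the server to reject it. The `send` callable and the (status, headers, body) response shape are assumptions; the plan limits are the ones on this page.

```python
import time
from collections import deque
from typing import Callable

# Hypothetical plumbing: a response is (status, headers, body) and `send` performs one
# HTTP request. The page specifies only 429 + Retry-After in seconds and the plan limits.
Response = tuple[int, dict[str, str], bytes]
MAX_WAIT_SECONDS = 300.0  # never block longer than this on a single Retry-After
PLAN_LIMITS = {"free": 100, "starter": 500, "pro": 2000, "expert": 10000}  # requests / hour

def parse_retry_after(headers: dict[str, str], default: float = 5.0) -> float:
    """Seconds to wait from a Retry-After header (case-insensitive), clamped and defaulted."""
    raw = next((v for k, v in headers.items() if k.lower() == "retry-after"), None)
    try:
        seconds = float(raw)  # the page says the header carries a number of seconds
    except (TypeError, ValueError):
        return default  # missing header or HTTP-date form: fall back to a safe default
    return min(max(seconds, 0.0), MAX_WAIT_SECONDS)

def call_with_backoff(send: Callable[[], Response], max_retries: int = 3,
                      sleep: Callable[[float], None] = time.sleep) -> tuple[Response, list[float]]:
    """Call send(), honouring 429 Retry-After up to max_retries times.
    Returns the final response plus the waits performed (useful for logging and tests)."""
    waits: list[float] = []
    for attempt in range(max_retries + 1):
        response = send()
        if response[0] != 429 or attempt == max_retries:
            return response, waits  # success, a non-429 error, or retries exhausted
        delay = parse_retry_after(response[1])
        waits.append(delay)
        sleep(delay)
    raise RuntimeError("unreachable")

class HourlyBudget:
    """Client-side sliding-window counter: stay under the plan's hourly limit rather than
    waiting for the server's 429. `now` is injectable so the window can be tested."""
    def __init__(self, plan: str, now: Callable[[], float] = time.monotonic):
        self.limit = PLAN_LIMITS[plan]
        self.now = now
        self.stamps: deque[float] = deque()

    def allow(self) -> bool:
        t = self.now()
        while self.stamps and t - self.stamps[0] >= 3600:
            self.stamps.popleft()  # forget requests older than one hour
        if len(self.stamps) >= self.limit:
            return False
        self.stamps.append(t)
        return True
```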

Good to know

The Lexiik Bridge (CMS module) benefits from a higher rate limit because its requests are batched: synchronizing 1,000 products takes a single API request.

GDPR Compliance (General Data Protection Regulation)

Lexiik fully complies with the GDPR (European Regulation 2016/679) and applies Privacy by Design principles from the conception of every feature.

100% European hosting

All your data is hosted exclusively in the European Union:

  • Primary datacenter: OVHcloud Gravelines (France)
  • Secondary replication: OVHcloud Strasbourg (France)
  • Tertiary replication: Hetzner Falkenstein (Germany)
  • CDN Edge: 35 global points of presence, but sensitive data is never cached outside the EU

Your data NEVER transits through the United States or any country outside the EU. We do not use AWS, Google Cloud, or Azure (providers subject to the US Cloud Act).

Lexiik is registered with the CNIL (French Data Protection Authority) and has a certified DPO (Data Protection Officer).

Data minimization

Lexiik only collects data that is strictly necessary for the service to function:

Data collected:

  • Email (authentication and notifications)
  • First and last name (billing)
  • Payment data (stored by Stripe, PCI-DSS Level 1 certified)
  • Product listings (title, description, images, public price, categories)
  • Technical logs (IP, user-agent, timestamp) retained for a maximum of 90 days

Data NEVER collected:

  • Personal data of your end customers (emails, addresses, purchase history)
  • Credit card numbers (delegated to Stripe)
  • Passwords in plain text (hashed with Argon2id)
  • Browsing data on your store (we are not an analytics tool)

Your GDPR rights

You have all rights provided by the GDPR, directly accessible from your Lexiik account:

  • Right of access (Art. 15): Download all your data in JSON format (Settings > Export my data)
  • Right to rectification (Art. 16): Modify your personal information at any time
  • Right to erasure (Art. 17): Permanently delete your account and all your data (Settings > Delete my account)
  • Right to data portability (Art. 20): Export your data in a standard format (JSON, CSV)
  • Right to object (Art. 21): Refuse the processing of certain data (e.g., marketing emails)
  • Right to restriction (Art. 18): Temporarily suspend the processing of your data

To exercise your rights or contact our DPO: [email protected]

Good to know

Guaranteed response time: 72 hours for an access request, 30 days maximum for a complete deletion (in accordance with Art. 12 of the GDPR).

Security audits and certifications

Regular pentests

Lexiik undergoes regular penetration tests (pentests) by specialized firms:

  • Frequency: 1 full pentest every 6 months (Pro and Enterprise plans)
  • Scope: Web application, API, infrastructure, Bridge (CMS modules)
  • Methodology: OWASP Testing Guide v4.2 + PTES (Penetration Testing Execution Standard)
  • Report: Audit report available on request for Enterprise clients

Critical and high vulnerabilities are fixed within 48 hours, medium vulnerabilities within 7 days, and low vulnerabilities within 30 days.

Bug Bounty Program

Lexiik operates a Bug Bounty program (vulnerability reward) to encourage security researchers to report flaws:

  • Platform: YesWeHack (European bug bounty platform)
  • Rewards: €100 to €5,000 depending on severity (CVSS score)
  • Scope: app.lexiik.com, api.lexiik.com, cdn.lexiik.com, Bridge modules
  • Response time: Under 24 hours for valid reports

Access the program: yeswehack.com/programs/lexiik

Certifications and compliance

Lexiik holds the following certifications:

  • ISO 27001: Information security (audited by Bureau Veritas)
  • SOC 2 Type II: Availability, confidentiality, integrity (certification in progress)
  • GDPR: Full compliance, certified DPO, CNIL registered
  • HDS (Health Data Hosting): Not applicable (e-commerce only)
  • PCI-DSS Level 1: Via Stripe (payment processor)

Premium Feature

Enterprise clients can request a custom compliance audit (SOC 2, ISO 27001, etc.) to meet their internal requirements.
Contact the Enterprise team →

Security best practices for users

API key management

To ensure the security of your account, follow these best practices:

  • Never share an API key: Create a dedicated key per service/developer
  • Regular rotation: Change your keys every 90 days (automatable via API)
  • Name your keys: "Bridge Production", "Analytics Script", "Zapier Integration", etc.
  • Revoke unused keys: Delete keys from former contractors or disabled scripts
  • Environment variables: Never hardcode keys in source code

Password security

Your Lexiik account is protected by the following measures:

  • Argon2id hashing: Algorithm recommended by OWASP (resistant to GPU and ASIC cracking)
  • Unique salt: Each password has a random 128-bit salt
  • Complexity policy: Minimum 12 characters, at least 1 uppercase, 1 digit, 1 special character
  • Anti-bruteforce protection: Account locked after 5 failed attempts (unlocked via email)
  • 2FA available: Two-factor authentication via TOTP (Google Authenticator, Authy) - strongly recommended

Enable 2FA

Enabling two-factor authentication reduces the risk of account compromise by 99.9%, even if your password is leaked. Enable it from Settings > Security.

Account monitoring

Lexiik automatically alerts you in case of suspicious activity:

  • Login from a new country: Email with confirmation link
  • New device: Push notification if the mobile app is installed
  • API key creation: Summary email with name and permissions
  • Payment method change: Double confirmation via email + SMS
  • Failed login attempts: Alert after 3 failures

View the complete login history from Settings > Account activity.
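The alert rules listed above, replayed over a constructed stream of account events, as an added example that is not Lexiik's own monitoring code. The event field names, the "first login sets the baseline" rule and the threshold of 3 consecutive failures are assumptions drawn from the list on this page.

```python
from collections import defaultdict

# Constructed sample events (not real Lexiik logs); field names are assumptions.
SAMPLE_EVENTS = [
    {"account": "acc_1", "type": "login", "ok": True,  "country": "FR", "device": "dev-a"},
    {"account": "acc_1", "type": "login", "ok": False, "country": "FR", "device": "dev-a"},
    {"account": "acc_1", "type": "login", "ok": False, "country": "FR", "device": "dev-a"},
    {"account": "acc_1", "type": "login", "ok": False, "country": "FR", "device": "dev-a"},
    {"account": "acc_1", "type": "login", "ok": True,  "country": "BR", "device": "dev-b"},
    {"account": "acc_1", "type": "api_key_created", "name": "Analytics Script",
     "scopes": ["read:audits"]},
]
FAILURE_THRESHOLD = 3  # the page: alert after 3 failed login attempts

def monitor(events):
    """Replay events in order and return (account, alert_type, detail) tuples for the
    alerts the page describes: new country, new device, API key creation, failed logins.
    Assumption: the first successful login establishes the known country/device baseline."""
    known_countries = defaultdict(set)
    known_devices = defaultdict(set)
    consecutive_failures = defaultdict(int)
    alerts = []
    for e in events:
        acc = e["account"]
        if e["type"] == "api_key_created":
            alerts.append((acc, "api_key_created", f"{e['name']} {sorted(e['scopes'])}"))
            continue
        if e["type"] != "login":
            continue
        if not e["ok"]:
            consecutive_failures[acc] += 1
            if consecutive_failures[acc] == FAILURE_THRESHOLD:  # fire once per streak
                alerts.append((acc, "failed_logins", f"{FAILURE_THRESHOLD} consecutive failures"))
            continue
        consecutive_failures[acc] = 0  # a successful login ends the streak
        if known_countries[acc] and e["country"] not in known_countries[acc]:
            alerts.append((acc, "new_country", e["country"]))
        known_countries[acc].add(e["country"])
        if known_devices[acc] and e["device"] not in known_devices[acc]:
            alerts.append((acc, "new_device", e["device"]))
        known_devices[acc].add(e["device"])
    return alerts
```

A successful login from a brand-new country and device immediately after a streak of failures, as in the sample, is the sequence worth reviewing first in the account activity history.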

Summary

Lexiik's security is built on a multi-layer approach (Defense in Depth) with the highest industry standards:

  • Encryption: TLS 1.3 in transit + AES-256 at rest
  • Authentication: 256-bit API keys + 2FA available
  • Hosting: 100% European (France + Germany), never in the USA
  • Compliance: Full GDPR, ISO 27001, SOC 2 Type II in progress
  • Audits: Semi-annual pentests + active Bug Bounty

Your data is protected with the same level of security as online banks and financial institutions.

Have questions or specific security requirements? Our Security team is at your disposal.
Contact the security team →

Related articles: The Rollback Guarantee · Data Retention · Connecting Your Store