LEXICANON ← Back to lexicanon.com

Encryption & privacy, in depth

Last updated 11 July 2026 · Operated by Govannon, Netherlands · Covers the Lexicanon meeting-intelligence platform.

The short version. For Lexicanon workspaces, your meeting content is encrypted at rest under a key that belongs to your organisation alone — the transcript, the summary, the names and emails, the audio, all of it. The key that unlocks those keys is held separately from the database, so a stolen database or backup is just ciphertext. You hold two dials: who can read your data at rest and whose infrastructure processes it. This page shows exactly how that works, and is honest about the one thing encryption can't do — hide your words from the AI while it's actively reading them.

A note on honesty, same as every page here: this describes what the product does today. Where something is planned but not built, it's labelled roadmap and never implied as present. For the plain-language version see The Real Talk; for every third party that touches your data, the Data Flows page.

1 · Envelope encryption, layer by layer

"Encrypted at rest" is often just "the disk is encrypted" — which only helps if someone physically steals the drive, and does nothing against a leaked database dump. Lexicanon encrypts the actual column values and files, at the application level, under a key unique to your organisation. The scheme is envelope encryption: a fast key encrypts your data, and a second key encrypts that key.

How envelope encryption seals a meeting Your meeting content is sealed with your organisation's 256-bit data key (DEK) using AES-256-GCM, producing an encgcm2 ciphertext stored in your meeting row. The DEK itself is then wrapped (encrypted) by the platform key-encryption key (KEK), and the wrapped DEK is stored as ciphertext in the tenant_encryption_keys table. The KEK lives only in the live cluster's secret store, never in a backup. Reading reverses both layers. 1 · YOUR DATA IS SEALED WITH A DATA KEY Your meeting content subject · transcript · analysis · names · emails seal · AES-256-GCM encgcm2:2:‹iv›:‹tag›:‹ciphertext› stored as ciphertext in your meeting row The cipher binds your org id + the column name into the tag (AAD). A blob copied to another tenant — or another column — won't decrypt. 2 · AND THE DATA KEY IS ITSELF ENCRYPTED Per-org DEK 256-bit data key Platform KEK master key (SECRETS_KEY) wrap wrapped_dek the DEK, encrypted by the KEK → tenant_encryption_keys The KEK lives only in the live cluster's secret store never written to any database, replica, or backup Read = unwrap the DEK with the KEK, then open the envelope A stolen database or backup is ciphertext without the KEK. Rotate the DEK anytime; destroy it to crypto-shred the whole org.
Two keys, two layers. Your data is sealed by a per-organisation Data Key (DEK); the DEK is sealed by the platform Key-Encryption Key (KEK), which is kept apart from the data it protects.

The same envelope primitive protects a smaller, older set of settings too — your bring-your-own-key provider credentials are encrypted (AES-256-GCM) before they're stored, so one database leak can't spill every tenant's keys at once.

2 · What exactly is sealed

Encryption at rest is on by default for Lexicanon workspaces (a workspace can deliberately turn it off; almost none do). When it's on, everything that carries meeting content is sealed under your org's DEK:

Sealed under your keyWhat it is
Transcript & summariesThe streamed transcript segments, the final analysis (summary, decisions, action items), the live rolling summaries, chapter markers, and any translated analyses.
Names & emailsThe meeting subject, speaker names, and attendee emails.
Search text & vectorsThe indexed transcript text and the embedding vectors used for search — sealed, not just the readable copy.
Reports, edits & Ask-AIGenerated report artifacts, your manual edits to fields, and your Ask-AI conversations about a meeting.
Files on diskThe audio recording and the on-disk transcript, summary, metadata and embedding files — sealed under the same per-org key on the persistent volume.

A small amount of derived, non-content metadata stays plaintext by design: the meeting start time and its whole-minute duration. These aren't content — they're derived numbers — and keeping them readable lets your meeting list load without unsealing every row. Timing sidecars with no content stay plaintext for the same reason. Everything a human would recognise as the meeting itself is encrypted.

3 · Two dials you control

Two independent choices decide how much you trust the platform operator with your data. One is about who can read it at rest (key custody); the other is about whose infrastructure processes it (the transcription and AI step).

The two dials: key custody and processing exposure A field with two axes. The vertical axis is key custody: platform-held today, with customer-held keys on the roadmap. The horizontal axis is processing exposure, moving from platform AI in the EU, to bring-your-own-keys, to self-hosting. The bottom row — platform-held key — is available today across all three processing options; Standard is the default (our EU AI, our key). The top row — customer-held keys, where even the operator cannot read your data at rest — is on the roadmap. TWO DIALS YOU CONTROL KEY CUSTODY ↑ you hold it Customer-held key — even we can't read it at rest ON THE ROADMAP Standard our EU AI our key ★ default BYOK your provider keys Self-host your servers zero egress PROCESSING EXPOSURE → less of your data reaches us
Today you can move all the way right — to self-hosting, where your audio never reaches us. Moving up to customer-held keys, so we're cryptographically unable to read your data at rest, is on the roadmap.

4 · The life of a meeting

From the moment you hit record to the moment you erase it — and who can read it at each step.

The life of a meeting, from capture to crypto-shred A six-step timeline. One: capture — your device records, no bot joins the call. Two: live transcription streams in with a rolling summary. Three: the finished transcript is turned into an AI summary, decisions and action items. Four: everything is sealed at rest under your organisation's data key — transcripts, summaries, names, emails, search vectors, reports, chats, and the audio and transcript files on disk. Only start time and duration stay plaintext, by design, so the meeting list loads without unsealing every row. Five: only your workspace can read it; every request and row is scoped to your organisation on the server. Six: erasing crypto-shreds the key, making all of it unreadable live and in backups. 1 Capture your device records — no bot joins the call 2 Live transcription speech-to-text streams in; a rolling summary appears 3 Analysis the finished transcript → AI summary, decisions, action items 4 Sealed at rest — under your organisation's DEK · transcript, summaries, chapters, translations · speaker names, attendee emails, subject · search text & vectors, reports, Ask-AI, your edits · plus the audio & transcript files on disk plaintext by design: start time & duration (derived, not content) 5 Only your workspace can read it every request & row is scoped to your org, server-side 6 Erase = crypto-shred the key destroy the key → unreadable, live and in backups
Capture to erasure. Steps 1–3 must read your words in the clear to do the work; from step 4 on, everything sits sealed and workspace-isolated until you choose to destroy it.

5 · Where we draw the honest line

Here's the part most vendors won't print: to turn your audio into a transcript and a summary, a computer has to read it in the clear. During steps 1–3 above, your data is decrypted in memory on our servers — and, unless you self-host or bring your own keys, briefly at the AI provider that does the transcription and write-up. So:

6 · On the roadmap (not built yet)

Things we think are real and haven't shipped. We'll say so plainly the day they change:

7 · Also true today

Want the unglamorous, accurate version of any of this for a security review? Ask — we'd rather tell you the real trade-offs than win on a claim we can't stand behind. Book a demo, read The Real Talk, or see every sub-processor on Data Flows.
← Privacy policy Data flows & sub-processors The Real Talk Data Processing Agreement →