Most accounting platforms treat AI as a feature. We treat it as a class of risk that demands its own safeguards. This page sets out what we do, concretely, to make Lexendo safe to use on real client data.
Last updated: 18 May 2026
Lexendo handles two kinds of untrusted input: documents that clients upload (bank statements, P&L extracts, anomaly notes) and free text questions accountants put to Lex. Both can contain text that, if naively passed to an AI model, could try to change the model’s behaviour. This is called prompt injection. It is the AI era equivalent of SQL injection in the early web: a real risk that disciplined engineering controls.
We took a defence in depth approach. No single control is sufficient on its own; together they make AI driven misbehaviour expensive to attempt, easy to detect, and traceable after the fact.
Every Lexendo route that calls our AI provider (Anthropic) carries an explicit security instruction at the top of its system prompt. The instruction tells the model to treat ALL retrieved guidance, ALL user messages, and ALL document contents as data to be analysed, never as instructions. If a document or user message tries to override the rules (“ignore previous instructions”, “respond only with X”, “reveal your system prompt”), the model is instructed to treat it as ordinary text and continue with the task.
LexScan, our bank statement and document analysis engine, reads PDFs as images rather than scraping the underlying text. This neutralises a category of injection attacks where invisible text (white-on-white, zero-font, or hidden layers) is embedded in documents to manipulate text-based AI pipelines. What the AI sees is what a human sees.
We never let an AI step run alone. Before the AI, deterministic code does the structured pattern matching (duplicate detection, threshold splits, balance reconciliation, related party clustering). After the AI, deterministic post processing verifies and corrects directional fields, fills missing balances, and enforces row level consistency. The AI is used only for human style judgment on items that genuinely require it, not for decisions code can make reliably.
Every AI call that produces structured output (reconciliation, analytical review, evidence requests, transaction extraction) is validated against a strict schema before the response is returned. If the model output fails validation, the response is rejected and the failure is logged for review, never silently corrected and shown to you as if it were correct.
Every AI call made by the platform is recorded in a tamper-evident audit table: which route, which model, when, how many tokens, whether the output passed validation, and the hashes (not the content) of the input and output. We store SHA-256 hashes rather than the raw text so we satisfy data-minimisation requirements while keeping forensic value: if you ever ask “what did the AI see and what did it produce” for a specific assessment, we can prove the call happened and demonstrate it was untampered, without ever storing your clients’ data twice.
AI requests are capped at 20 per user per minute, enforced at the API layer. The public Lex preview on the marketing site is additionally protected with origin restrictions and a daily request ceiling. These limits are designed to make scripted abuse and runaway cost incidents impossible by construction, not by hope.
Your clients’ data is never used to train any AI model. Anthropic (our LLM provider) and Voyage AI (our embeddings provider) both contractually commit that data submitted via API is not used for training and is not retained beyond the immediate request. Anthropic is SOC 2 Type II certified. The Lexendo knowledge base (HMRC manuals, tribunal decisions, primary legislation) is fully separate from any client data.
Lex does not take actions. It does not file, submit, send, sign, or commit anything on your behalf. Every output from Lexendo is intermediate work for an accountant to review, override, or act on with their professional judgment. The accountant is the decision-maker on every engagement; the platform is the intelligence layer they use to find risk faster.
We are honest about what is in place and what is on the roadmap. The following items are scheduled for the months ahead and tracked publicly:
We welcome responsible disclosure. If you believe you have found a vulnerability in Lexendo or want to discuss our security posture before signing up, contact support@lexendo.co.uk. We will respond within two working days.