Data Processing Agreement

Last updated: March 2026 | Version 1.0

This Data Processing Agreement (“DPA”) forms part of the Agreement between Causio (“Processor”) and the subscribing law firm (“Controller”) for the provision of AI-powered legal case management services. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

1. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.

“Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

“Data Subject” means the identified or identifiable natural person to whom the Personal Data relates, including but not limited to clients of the Controller, case participants, and authorized users.

“Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Processing Details

Subject Matter: Provision of AI-powered legal case management services, including case data storage, AI analysis, document processing, voice transcription, and real-time collaboration tools.

Duration: Processing shall continue for the duration of the Agreement between the Controller and Processor, plus any retention period required by law or agreed upon in writing.

Nature and Purpose: The Processor processes Personal Data to provide the Controller with case management, AI-driven legal analysis, document intelligence, client portal services, and associated functionality as described in the Agreement.

Types of Personal Data: Names, contact information, case details, legal documents, voice recordings, financial information related to cases, correspondence, evidence materials, and any other data uploaded by the Controller or their clients.

Categories of Data Subjects: Lawyers and staff of the Controller, clients of the Controller, case participants (witnesses, opposing parties), and other individuals whose data is included in case materials.

3. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / right to be forgotten (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

The Processor shall notify the Controller without undue delay upon receiving a request from a Data Subject. The Processor shall not respond to such requests directly unless authorized by the Controller.

4. Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: Field-level encryption for sensitive Personal Data at rest; TLS 1.3 for data in transit
  • Access Control: Role-based access control with 5 permission levels; multi-factor authentication
  • Audit Trails: Complete, immutable audit logs of all data access and modifications
  • Data Isolation: Logical tenant isolation ensuring data separation between Controller organizations
  • Backup & Recovery: Automated encrypted backups with point-in-time recovery capability
  • Employee Training: Regular security awareness training for all personnel with access to Personal Data

5. Sub-processors

The Controller hereby provides general authorization for the Processor to engage the Sub-processors listed below. The Processor shall notify the Controller of any intended changes to Sub-processors, providing the Controller with an opportunity to object within 30 days.

| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Convex, Inc. | Real-time database, server functions, file storage | United States (EU data processing) | Case data, user data, documents, messages |
| Clerk, Inc. | Authentication, user management, SSO | United States (EU data processing) | User identity, email, authentication tokens |
| Stripe, Inc. | Payment processing, subscription management | Ireland / United States | Billing information, payment methods, invoices |
| Anthropic, PBC | AI analysis (Claude API) — case analysis, evidence scoring | United States | Case text, evidence descriptions (no PII transmitted by default) |
| OpenAI, Inc. | Voice transcription (Whisper), text embeddings | United States | Audio recordings, document text for embedding generation |
| Resend, Inc. | Transactional email delivery | United States | Email addresses, notification content |

All Sub-processors are bound by data processing agreements with equivalent or stricter data protection obligations than those set forth in this DPA.

6. International Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure that such transfers are subject to appropriate safeguards as required by Chapter V of the GDPR, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Transfer Impact Assessments conducted for each Sub-processor outside the EEA
  • Supplementary measures where required (encryption, pseudonymization, access controls)

The Processor is actively working toward full EU data residency for all core processing operations. The Controller will be notified when this migration is complete.

7. Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach. Such notification shall include:

  • A description of the nature of the breach
  • The categories and approximate number of Data Subjects affected
  • The categories and approximate number of Personal Data records affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each breach.

8. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement:

  • The Processor shall, at the Controller's choice, return or delete all Personal Data within 30 days, unless retention is required by applicable law
  • The Controller may request a complete data export in a structured, machine-readable format before deletion
  • The Processor shall provide written certification of deletion upon request
  • Obligations relating to confidentiality and data protection shall survive termination

Questions About This DPA?

For questions regarding this Data Processing Agreement or our data protection practices, contact our Data Protection Officer:

Email: dpo@causio.eu

Address: Carrer de Balmes, 191, 08006 Barcelona, Spain