Data Processing Agreement. Available before you ask.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
• "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
• "Data Controller" (Customer) means the entity that determines the purposes and means of the processing of personal data. Under this DPA, the Customer is the Data Controller.
• "Data Processor" (CounselAudit.ai) means the entity that processes personal data on behalf of the Data Controller. Under this DPA, CounselAudit.ai is the Data Processor.
• "Sub-processor" means any third party engaged by the Data Processor to process personal data on behalf of the Data Controller.
• "Data Subject" means an identified or identifiable natural person whose personal data is processed.
• "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to the GDPR.
• "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council.
• "Applicable Data Protection Law" means all laws and regulations relating to the processing of personal data that apply to the parties, including the GDPR, the UK GDPR, and any national implementing legislation.

2. Scope and Purpose

This DPA applies to all processing of personal data by CounselAudit.ai on behalf of the Customer in connection with the CounselAudit.ai service.

Processing is limited to what is strictly necessary to provide the CounselAudit.ai service as described in the Terms of Service, including:

• Authenticating and managing user accounts
• Processing and analyzing legal invoices
• Generating and applying outside counsel guidelines
• Producing reports, flags, and review outputs
• Maintaining audit logs and compliance records

3. Customer Responsibilities

As the Data Controller, you are responsible for:

• Determining the purposes and means of processing personal data within the CounselAudit.ai service.
• Ensuring there is a lawful basis for processing personal data (e.g., legitimate interest, consent, contractual necessity) before submitting it to the service.
• Ensuring the accuracy and relevance of personal data provided to the service.
• Providing any required notices to, and obtaining any necessary consents from, data subjects whose personal data is processed through the service.
• Complying with all applicable data protection laws in your use of the service.

4. Our Processing Obligations

As the Data Processor, we commit to the following obligations:

• We process personal data only on your documented instructions, unless required to do so by applicable law. In such cases, we will inform you of that legal requirement before processing unless prohibited from doing so.
• We ensure that all personnel authorized to process personal data are bound by appropriate confidentiality obligations, whether statutory or contractual.
• We implement and maintain appropriate technical and organizational security measures as described in Section 5.
• We assist you, at your request, in responding to data subject rights requests under applicable data protection law.
• We assist you in ensuring compliance with your obligations regarding data protection impact assessments and prior consultations with supervisory authorities.
• At your choice, we delete or return all personal data upon termination of the service, and delete existing copies unless applicable law requires retention.
• We make available to you all information necessary to demonstrate compliance with this DPA.

5. Security Measures

We implement and maintain the following technical and organizational measures to protect personal data:

• Encryption at rest: AES-256 encryption for all stored personal data.
• Encryption in transit: TLS 1.3 for all data transmitted between your browser and our servers, and between our internal services.
• Multi-tenant isolation: Row-level security (RLS) ensures that each organization's data is logically isolated at the database level.
• Role-based access controls: Access to personal data within the application is restricted based on user roles (Legal, Legal Ops, Finance, Paralegal).
• Regular security assessments: We conduct periodic security reviews and vulnerability assessments of our infrastructure and application.
• Audit logging: Comprehensive audit logs record all data access and modifications, providing a full audit trail for compliance.
• Incident response: We maintain documented incident response procedures, including identification, containment, eradication, and recovery processes.

6. Sub-Processors

You authorize us to engage the sub-processors listed below. Each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

We will notify you at least 30 days before engaging any new sub-processor. You may object to a new sub-processor within 14 days of receiving notice. If you object on reasonable data protection grounds and we cannot provide the service without the sub-processor, either party may terminate the affected service.

7. Data Transfers

Where personal data is transferred outside your jurisdiction (including transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States), we ensure that appropriate safeguards are in place in accordance with applicable data protection law.

These safeguards may include:

• Standard Contractual Clauses (SCCs) adopted by the European Commission.
• The UK International Data Transfer Addendum, where applicable.
• Any other legally recognized transfer mechanism under applicable data protection law.

We will provide copies of the relevant transfer mechanisms upon request.

8. Data Subject Rights

We assist you in fulfilling your obligations to respond to data subject requests under applicable data protection law, including requests for:

• Access: Confirmation of whether personal data is being processed and a copy of the data.
• Rectification: Correction of inaccurate or incomplete personal data.
• Erasure: Deletion of personal data where there is no compelling reason for continued processing.
• Portability: Provision of personal data in a structured, commonly used, and machine-readable format.
• Restriction: Limitation of processing in certain circumstances.
• Objection: Cessation of processing where the data subject objects on grounds relating to their particular situation.

We respond within 72 hours to your requests for assistance with data subject rights. If a data subject contacts us directly, we will promptly redirect them to you.

9. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach.

Our notification will include, to the extent available:

• A description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected.
• The name and contact details of our data protection point of contact.
• A description of the likely consequences of the breach.
• A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

We will cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of each breach.

10. Audit Rights

You have the right to audit our compliance with this DPA. To exercise this right:

• We will provide you with all information reasonably necessary to demonstrate our compliance with the obligations set out in this DPA.
• We will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.
• Audits will be conducted with reasonable prior notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt our operations.
• Audit costs are borne by the requesting party, unless the audit reveals a material breach of this DPA by us.

11. Data Retention and Deletion

• We retain personal data only for the duration of the service agreement and as necessary to provide the service.
• You control document retention periods through configurable settings within the CounselAudit.ai application.
• Upon termination of the service agreement, we will delete all personal data within 30 days, unless applicable law requires us to retain certain data.
• You may request earlier deletion at any time during the term of the agreement.
• We will confirm deletion in writing upon your request.
• We ensure that personal data is securely destroyed using industry-standard methods that prevent recovery.

12. AI and Machine Learning

We are committed to responsible AI practices:

• We do not use your personal data to train AI or machine learning models. Your data is yours.
• AI processing (such as invoice parsing, guideline clause drafting, and flag generation) occurs in isolated, ephemeral sessions. No personal data persists beyond the specific processing task.
• Our third-party AI provider (Anthropic) is bound by equivalent data protection commitments. Anthropic does not retain your data after processing is complete and does not use it for model training.
• AI outputs are deterministic tools that assist your team — they do not make autonomous decisions about data subjects.

13. Governing Law

This DPA is governed by and construed in accordance with the same governing law as the Terms of Service between the parties. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data.

14. Contact

For any questions, concerns, or requests relating to data protection or this DPA, please contact us at legal@counselaudit.com.