Data Processing Agreement.
Our standard DPA. It forms part of the Terms when a customer uses LawGPT with personal data of data subjects. We sign firm-provided DPAs on request.
1. Parties
This DPA is between the customer identified in its LawGPT subscription (the "Controller") and LawGPT LLC ("Processor"). Terms used but not defined here have the meanings given in applicable data protection law, including the EU General Data Protection Regulation ("GDPR") and the UK GDPR.
2. Scope and purpose
Processor processes Customer Personal Data only on documented instructions from Controller, including with regard to transfers, as set out in the Agreement and this DPA. The purpose is to provide the LawGPT service.
3. Subject matter and duration
Processing takes place for the duration of the subscription, plus any retention period set out in Section 7 below.
4. Nature of processing
- Storage, retrieval, and organization of customer content
- Rendering and displaying documents in the product
- AI inference on customer content to produce predictions (relevance, privilege, etc.)
- Transmission as necessary to provide the service
5. Types of personal data
Customer-determined. Typically contact details of user accounts, and any personal data contained in documents the Controller uploads into a matter.
6. Confidentiality and personnel
Processor ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations, and limits access to those with a need to know.
7. Security measures
Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These include encrypted transport, workspace-level isolation, role-based access control, and audit of server-side permission checks. See the Security page for the plain-English version of what is in place today and what is not.
8. Subprocessors
Controller authorizes Processor to engage subprocessors. A current list is available on request; Processor provides at least 30 days' advance notice of adding or replacing a subprocessor, and Controller may object on reasonable grounds, in which case the parties will discuss in good faith.
9. Data subject rights
Taking into account the nature of the processing, Processor assists Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Controller's obligation to respond to requests from data subjects.
10. Data breach notification
Processor notifies Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provides information reasonably needed for Controller to meet its notification obligations.
11. Audits
Processor makes available to Controller all information necessary to demonstrate compliance with this DPA, and contributes to audits, including inspections, conducted by Controller or another auditor mandated by Controller. Once Processor obtains a recognised third-party security attestation, Controller agrees to accept that attestation in lieu of on-site audits where reasonable.
12. International transfers
To the extent the service involves a transfer of Customer Personal Data out of the European Economic Area, the United Kingdom, or Switzerland, the parties agree that the applicable Standard Contractual Clauses are incorporated by reference and apply to that transfer.
13. Return or deletion
On termination Processor returns or deletes Customer Personal Data in accordance with the retention schedule published in the Privacy Policy, except to the extent law requires further storage.
14. Liability and governing law
Liability under this DPA is subject to the limits and exclusions in the Terms. This DPA is governed by the law governing the Terms.
15. Contact
Data protection questions: privacy@lawgpt.com.