Data Processing Agreement

RECITALS

WHEREAS:

A. The Controller and Processor have entered into a Service Agreement pursuant to which the Processor provides services to the Controller;
B. In the course of providing services, the Processor processes Personal Data on behalf of the Controller;
C. The Parties wish to ensure compliance with applicable Data Protection Laws, including GDPR, UK GDPR, and DPDPA;
D. This DPA sets forth the rights and obligations of the Parties with respect to the Processing of Personal Data.

1. Definitions and Interpretation

1.1 Key Definitions

Term	Definition
Controller	LawyerDesk Advocacy Pvt Ltd - determines purposes and means of Processing
Processor	Service Provider - Processes Personal Data on behalf of Controller
Personal Data	Any information relating to an identified or identifiable natural person
Processing	Any operation performed on Personal Data (collection, storage, use, etc.)
Data Breach	Security breach leading to unauthorized access or loss of Personal Data
GDPR	EU Regulation 2016/679 on data protection
DPDPA	Digital Personal Data Protection Act, 2023 of India
Sub-processor	Third party engaged by Processor to process Personal Data

2. Scope and Purpose of Processing

Processing Details

Subject Matter: Legal AI services, document processing, case management
Duration: Term of Service Agreement
Nature: Collection, storage, analysis, retrieval, deletion
Purpose: Provision of legal technology services

2.3 Roles of the Parties

Controller Responsibilities

✓ Compliance with Data Protection Laws
✓ Provide clear processing instructions
✓ Ensure lawful basis for processing
✓ Obtain necessary consents

Processor Responsibilities

✓ Process only on documented instructions
✓ Ensure personnel confidentiality
✓ Implement security measures
✓ Assist with Data Subject Rights

5. Security Measures

Technical & Organizational Measures

The Processor implements appropriate security measures including:

Encryption

• AES-256 encryption at rest
• TLS 1.2+ in transit
• End-to-end encryption

Access Control

• Multi-factor authentication
• Role-based access (RBAC)
• Audit logging

Monitoring

• 24/7 security monitoring
• Intrusion detection
• Regular penetration testing

Compliance

• ISO 27001 certification
• SOC 2 Type II
• Annual security audits

8. Data Breach Notification

Notification Timeline

Initial Notification: Within 24 hours of becoming aware of breach

Detailed Report: Within 72 hours with full incident details

Final Report: Within 30 days of resolution with lessons learned

Breach Information Requirements

Nature of the breach and categories of data affected
Approximate number of Data Subjects and records concerned
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact point for more information

10. International Data Transfers

Transfer Safeguards

Transfers to countries outside the EEA, UK, or India require appropriate safeguards:

EU/EEA Transfers

✓ Standard Contractual Clauses (SCCs)
✓ Adequacy decisions
✓ Binding Corporate Rules

UK Transfers

✓ UK International Data Transfer Agreement
✓ UK adequacy regulations
✓ Transfer impact assessments

India Transfers (DPDPA)

✓ Section 16 compliance
✓ Approved country transfers
✓ Comparable protection standards

Additional Measures

✓ Enhanced encryption
✓ Data minimization
✓ Technical access controls

12. Data Return and Deletion

12.1 Upon Termination

Within 30 days of termination, the Processor shall, at the Controller's option:

Option 1: Return Data

• Structured, machine-readable format
• CSV, JSON, or XML
• Complete data export
• Documentation included

Option 2: Secure Deletion

• Cryptographic erasure
• Deletion of all copies/backups
• Written certification provided
• Irreversible destruction

13. Liability and Indemnification

13.2 GDPR Liability Framework

Joint and Several Liability: Each Party is liable for damage caused by Processing where it has not complied with GDPR obligations
Processor Liability: Limited to breaches of Processor-specific obligations or unauthorized Processing
Exemption: Party is exempt if it proves it is not responsible for the damage
Right to Recover: Party that paid full compensation can claim back from other Party their portion of responsibility

Maximum Liability Cap

Subject to exceptions for fraud, gross negligence, and intentional violations, total liability shall not exceed the greater of:

• Fees paid in the 12 months preceding the claim, OR
• As specified in the Main Service Agreement

Contact Information

Controller

LawyerDesk Advocacy Pvt Ltd

Email: dpo (at) lawyerdesk.ai
Data Protection Officer: privacy (at) lawyerdesk.ai
Legal Team: legal (at) lawyerdesk.ai

Supervisory Authorities

EU/EEA: Your local Data Protection Authority
UK: Information Commissioner's Office (ICO)
India: Data Protection Board of India
You have the right to lodge a complaint with the supervisory authority in your jurisdiction.

Annexes

This DPA includes the following Annexes:

Annex 1: Details of Processing

Annex 2: Technical and Organizational Measures

Annex 3: List of Sub-processors

Annex 4: EU Standard Contractual Clauses

Annex 5: UK International Data Transfer Agreement

Full Annexes available upon request from our Legal Team.

Legal Notice

This Data Processing Agreement is legally binding and forms part of the Service Agreement between the parties. It ensures compliance with:

GDPR: EU Regulation 2016/679 (Article 28)
UK GDPR: Data Protection Act 2018
DPDPA: Digital Personal Data Protection Act, 2023 (India)

LawyerDesk Advocacy Pvt Ltd

Version 1.0 | Effective Date: January 11, 2025

For questions about this DPA, contact dpo (at) lawyerdesk.ai