Data Processing Agreement

Capitalized terms not defined here have the meanings given in the Terms of Service or in applicable Data Protection Laws. "Data Protection Laws" means the EU GDPR, UK GDPR, the California Consumer Privacy Act, and any other applicable law governing the protection of personal data.

Customer is the Controller of personal data submitted to the Service. eLaw acts as Processor on Customer's documented instructions, except where required to act otherwise by applicable law.

Subject matter: Provision of the eLaw platform.
Duration: The term of the underlying subscription agreement, plus any post-termination retention period.
Nature & purpose: Hosting, indexing, semantic search, AI-assisted analysis, and related processing necessary to operate the Service.

• Customer's personnel (lawyers, paralegals, administrators)
• Customer's clients and counterparties referenced in uploaded documents
• Other individuals whose personal data appears in Customer Data

• Identity & contact data (name, email, role)
• Authentication credentials (hashed)
• Document content uploaded to the vault
• Prompts, conversations, and AI-generated outputs
• Usage and log data

Customer is responsible for determining whether special categories of personal data may be uploaded and for ensuring an appropriate legal basis exists.

eLaw will:

• Process personal data only on documented instructions from Customer (the Terms and use of the Service)
• Ensure persons authorized to process personal data are bound by confidentiality
• Implement appropriate technical and organizational measures (Article 32 GDPR) — see the Security page
• Assist Customer with data subject requests, security, breach notifications, DPIAs, and prior consultations
• At Customer's choice, delete or return personal data after termination, and delete existing copies (subject to legal retention requirements)
• Make available information necessary to demonstrate compliance and allow audits as described below

Customer authorizes eLaw to engage sub-processors listed at /legal/subprocessors. We will impose data protection terms on each sub-processor that are no less protective than this DPA, and we remain liable for sub-processor performance.

We will provide at least 30 days' notice of new sub-processors. If you object on reasonable data protection grounds, you may terminate the affected portion of the Service.

Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) are incorporated by reference, with the UK International Data Transfer Addendum applying to UK transfers.

eLaw maintains the technical and organizational measures described on the Security page, including encryption in transit and at rest, role-based access control, multi-factor authentication for privileged access, audit logging, and incident response procedures.

eLaw will notify Customer without undue delay (and, where feasible, within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Data, providing information reasonably required for Customer to meet its own notification obligations.

On reasonable notice and no more than once per year, eLaw will provide Customer with the most recent third-party audit reports (e.g., SOC 2) and respond to reasonable security questionnaires. On-site audits may be conducted in cases of a confirmed breach or where required by a supervisory authority.

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

This DPA is automatically incorporated into the Terms of Service. Customers requiring a counter-signed copy may request one at legal@elawplatform.com.