Data Processing Agreement (DPA)

Effective date: 2026-04-10

Version: 1.0

Parties:

  • Controller (Customer): the business customer using the Service
  • Processor: LEGALISAI ANDREJS SMOĻAKS (jdg), NIP: 972137878, [AWAITING CONFIG]

This DPA forms part of the Terms of Service between Controller and Processor and is concluded pursuant to Art. 28 GDPR.

1. Subject matter and duration

Processor provides an AI-powered document drafting service to Controller during the term of the Service agreement. Processing takes place for as long as Controller uses the Service.

2. Nature and purpose of processing

Processing activities include:

  • operating the Service and generating draft documents from Controller-provided inputs;
  • security logging and fraud prevention;
  • support and service improvement;
  • billing and payment processing (via sub-processors).

3. Types of personal data; categories of data subjects

The Service is designed to avoid personal data in document inputs and uses filters. Personal data may still be processed incidentally, including:

  • account identifiers (email, name) of Customer's authorised users;
  • technical log data (IP addresses, timestamps, device/browser info);
  • any personal data inadvertently submitted by Customer despite filters.

Data subjects may include Customer's employees, authorised representatives, and end users of Customer's services.

4. Controller obligations

Controller shall: (a) avoid submitting personal data in free-text document inputs; (b) ensure a lawful basis exists for any personal data submitted; (c) provide appropriate notices to its own data subjects; (d) ensure only authorised persons access the Service under Customer's account.

5. Processor obligations

Processor shall: (a) process personal data only on documented instructions from Controller, unless required by EU or Member State law; (b) ensure that persons authorised to process personal data are bound by confidentiality; (c) implement appropriate technical and organisational security measures pursuant to Art. 32 GDPR; (d) assist Controller in responding to data subject requests under Chapter III GDPR, taking into account the nature of processing; (e) assist Controller with security obligations, breach notifications (Art. 33–34 GDPR), and DPIAs (Art. 35 GDPR) where applicable; (f) at Controller's choice, delete or return all personal data at the end of service provision, and delete existing copies unless EU or Member State law requires storage; (g) make available to Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits conducted by Controller or its auditor, with reasonable notice and at Controller's cost.

6. Sub-processors

Controller grants general authorisation for Processor to engage the sub-processors listed at /en/legal/subprocessors, including LLM providers and hosting infrastructure.

Processor shall inform Controller of any intended changes concerning the addition or replacement of sub-processors by updating the sub-processor list with at least 30 days' prior notice. Controller has the right to object to such changes. Where Controller does not object within 30 days, the change is deemed accepted.

Processor shall impose the same data protection obligations as set out in this DPA on sub-processors by contract.

7. International transfers

Where sub-processors transfer personal data outside the EEA, Processor shall ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) pursuant to Commission Decision 2021/914/EU;
  • where applicable, the EU-US Data Privacy Framework (for US-based processors that are certified participants).

Details of transfer mechanisms for each sub-processor are available at /en/legal/subprocessors.

8. Security measures

Processor implements the following minimum technical and organisational measures:

  • access control and least-privilege principles for all production systems;
  • encryption in transit (TLS 1.2+) for all data communications;
  • input filtering to detect and block personal data in document generation requests;
  • audit logging and monitoring of access to production systems;
  • regular review of sub-processor security posture;
  • incident response procedure including breach notification within 72 hours of becoming aware.

Annex A – Sub-processor list

See /en/legal/subprocessors.

Contact

Legal: [email protected]

Privacy: [email protected]