Data Processing Agreement
Data Processing Agreement
Data Processing Agreement
Data Processing Agreement
Last updated 31 January 2025
1
Introduction
1
Introduction
1
Introduction
1.1
This data processing agreement (the ”DPA”) governs the processing of Personal Data in the course of the provision of the Services provided by Legora or its Affiliates to the Subscriber and forms part of the Agreement between the Parties.
1.1
This data processing agreement (the ”DPA”) governs the processing of Personal Data in the course of the provision of the Services provided by Legora or its Affiliates to the Subscriber and forms part of the Agreement between the Parties.
1.1
This data processing agreement (the ”DPA”) governs the processing of Personal Data in the course of the provision of the Services provided by Legora or its Affiliates to the Subscriber and forms part of the Agreement between the Parties.
1.2
This DPA regulates the Subscriber’s rights and obligations in its capacity as data controller or processor as well as Legora’s rights and obligations in its capacity as data processor or sub-processor when Legora processes Personal Data on behalf of the Subscriber under the Agreement.
1.2
This DPA regulates the Subscriber’s rights and obligations in its capacity as data controller or processor as well as Legora’s rights and obligations in its capacity as data processor or sub-processor when Legora processes Personal Data on behalf of the Subscriber under the Agreement.
1.2
This DPA regulates the Subscriber’s rights and obligations in its capacity as data controller or processor as well as Legora’s rights and obligations in its capacity as data processor or sub-processor when Legora processes Personal Data on behalf of the Subscriber under the Agreement.
1.3
The purpose of this DPA is to regulate the processing of Personal Data in accordance with the requirements set forth by Applicable Data Protection Laws. Concepts, terms, and expressions in this DPA shall be interpreted in accordance with Applicable Data Protection Laws (as defined below).
1.3
The purpose of this DPA is to regulate the processing of Personal Data in accordance with the requirements set forth by Applicable Data Protection Laws. Concepts, terms, and expressions in this DPA shall be interpreted in accordance with Applicable Data Protection Laws (as defined below).
1.3
The purpose of this DPA is to regulate the processing of Personal Data in accordance with the requirements set forth by Applicable Data Protection Laws. Concepts, terms, and expressions in this DPA shall be interpreted in accordance with Applicable Data Protection Laws (as defined below).
1.4
In case of any conflict between the rest of the Agreement and this DPA (including its appendices), the wording of this DPA shall prevail.
1.4
In case of any conflict between the rest of the Agreement and this DPA (including its appendices), the wording of this DPA shall prevail.
1.4
In case of any conflict between the rest of the Agreement and this DPA (including its appendices), the wording of this DPA shall prevail.
1.5
The following shall form part of the DPA:
a) Specification of data processing
b) Pre-approved sub-processors
c) Security measures
1.5
The following shall form part of the DPA:
a) Specification of data processing
b) Pre-approved sub-processors
c) Security measures
1.5
The following shall form part of the DPA:
a) Specification of data processing
b) Pre-approved sub-processors
c) Security measures
1.6
Capitalized terms that are used but not defined in this document shall have the meaning set out in the Agreement Order Form or the General Terms and Conditions Legora AI.
1.6
Capitalized terms that are used but not defined in this document shall have the meaning set out in the Agreement Order Form or the General Terms and Conditions Legora AI.
1.6
Capitalized terms that are used but not defined in this document shall have the meaning set out in the Agreement Order Form or the General Terms and Conditions Legora AI.
2
Processing of Personal Data
2
Processing of Personal Data
2
Processing of Personal Data
2.1
Legora undertakes to process Personal Data for purposes set forth in this DPA (including Appendix A) and in accordance with the Subscriber’s written instructions, unless otherwise required by Applicable Data Protection Laws. The Subscriber’s instructions to Legora regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects, and the rights and obligations of both Parties are set forth in this DPA and in Appendix A.
2.1
Legora undertakes to process Personal Data for purposes set forth in this DPA (including Appendix A) and in accordance with the Subscriber’s written instructions, unless otherwise required by Applicable Data Protection Laws. The Subscriber’s instructions to Legora regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects, and the rights and obligations of both Parties are set forth in this DPA and in Appendix A.
2.1
Legora undertakes to process Personal Data for purposes set forth in this DPA (including Appendix A) and in accordance with the Subscriber’s written instructions, unless otherwise required by Applicable Data Protection Laws. The Subscriber’s instructions to Legora regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects, and the rights and obligations of both Parties are set forth in this DPA and in Appendix A.
2.2
As data processor, Legora undertakes to:
a) Comply with all Applicable Data Protection Laws that are applicable to it as a processor of the Personal Data;
b) Cooperate with audits conducted by the Subscriber; and
c) Inform the Subscriber promptly if Legora determines that an instruction from the Subscriber violates Applicable Data Protection Laws.
2.2
As data processor, Legora undertakes to:
a) Comply with all Applicable Data Protection Laws that are applicable to it as a processor of the Personal Data;
b) Cooperate with audits conducted by the Subscriber; and
c) Inform the Subscriber promptly if Legora determines that an instruction from the Subscriber violates Applicable Data Protection Laws.
2.2
As data processor, Legora undertakes to:
a) Comply with all Applicable Data Protection Laws that are applicable to it as a processor of the Personal Data;
b) Cooperate with audits conducted by the Subscriber; and
c) Inform the Subscriber promptly if Legora determines that an instruction from the Subscriber violates Applicable Data Protection Laws.
2.3
Any transfer of Personal Data to Legora using the Services shall be made using secure, reasonable, and appropriate mechanisms for data transfers.
2.3
Any transfer of Personal Data to Legora using the Services shall be made using secure, reasonable, and appropriate mechanisms for data transfers.
2.3
Any transfer of Personal Data to Legora using the Services shall be made using secure, reasonable, and appropriate mechanisms for data transfers.
2.4
Legora shall, without undue delay, inform the Subscriber of any communication with any Data Protection Authority that relates to Legora’s processing of Personal Data under this DPA, and Legora will provide reasonable assistance to the Subscriber if the Subscriber receives a request from such authority or is subject to a regulatory investigation. In addition, if data subjects, competent authorities or any other third parties request information from Legora regarding the processing of Personal Data covered by this DPA, Legora shall refer such requests to the Subscriber to the extent permissible under applicable law.
2.4
Legora shall, without undue delay, inform the Subscriber of any communication with any Data Protection Authority that relates to Legora’s processing of Personal Data under this DPA, and Legora will provide reasonable assistance to the Subscriber if the Subscriber receives a request from such authority or is subject to a regulatory investigation. In addition, if data subjects, competent authorities or any other third parties request information from Legora regarding the processing of Personal Data covered by this DPA, Legora shall refer such requests to the Subscriber to the extent permissible under applicable law.
2.4
Legora shall, without undue delay, inform the Subscriber of any communication with any Data Protection Authority that relates to Legora’s processing of Personal Data under this DPA, and Legora will provide reasonable assistance to the Subscriber if the Subscriber receives a request from such authority or is subject to a regulatory investigation. In addition, if data subjects, competent authorities or any other third parties request information from Legora regarding the processing of Personal Data covered by this DPA, Legora shall refer such requests to the Subscriber to the extent permissible under applicable law.
2.5
Legora shall provide reasonable assistance to the Subscriber, through appropriate technical and organizational measures, with the Subscriber’s compliance obligations to implement reasonable security procedures and practices appropriate to the nature of the Personal Data.
2.5
Legora shall provide reasonable assistance to the Subscriber, through appropriate technical and organizational measures, with the Subscriber’s compliance obligations to implement reasonable security procedures and practices appropriate to the nature of the Personal Data.
2.5
Legora shall provide reasonable assistance to the Subscriber, through appropriate technical and organizational measures, with the Subscriber’s compliance obligations to implement reasonable security procedures and practices appropriate to the nature of the Personal Data.
2.7
Legora certifies that it will not:
a) retain, use, or disclose Personal Data outside the context of the relationship between Legora and the Subscriber, other than to provide the Services in accordance with the Agreement and this DPA, or as otherwise permitted by Applicable Data Protection Laws;
b) sell or share Personal Data; or
c) combine Personal Data Legora obtains in the performance of the Services with any personal information that Legora collects from other sources, except as permitted by Applicable Data Protection Laws.
2.7
Legora certifies that it will not:
a) retain, use, or disclose Personal Data outside the context of the relationship between Legora and the Subscriber, other than to provide the Services in accordance with the Agreement and this DPA, or as otherwise permitted by Applicable Data Protection Laws;
b) sell or share Personal Data; or
c) combine Personal Data Legora obtains in the performance of the Services with any personal information that Legora collects from other sources, except as permitted by Applicable Data Protection Laws.
2.7
Legora certifies that it will not:
a) retain, use, or disclose Personal Data outside the context of the relationship between Legora and the Subscriber, other than to provide the Services in accordance with the Agreement and this DPA, or as otherwise permitted by Applicable Data Protection Laws;
b) sell or share Personal Data; or
c) combine Personal Data Legora obtains in the performance of the Services with any personal information that Legora collects from other sources, except as permitted by Applicable Data Protection Laws.
3
Obligations of the Subscriber
3
Obligations of the Subscriber
3
Obligations of the Subscriber
3.1
The Subscriber shall ensure that it has a valid legal basis, and all necessary rights, consents, and authorizations, to provide the Personal Data to Legora and to authorize Legora to process that Personal Data in accordance with this DPA, the Agreement and/or other processing instructions provided by the Subscriber to Legora.
3.1
The Subscriber shall ensure that it has a valid legal basis, and all necessary rights, consents, and authorizations, to provide the Personal Data to Legora and to authorize Legora to process that Personal Data in accordance with this DPA, the Agreement and/or other processing instructions provided by the Subscriber to Legora.
3.1
The Subscriber shall ensure that it has a valid legal basis, and all necessary rights, consents, and authorizations, to provide the Personal Data to Legora and to authorize Legora to process that Personal Data in accordance with this DPA, the Agreement and/or other processing instructions provided by the Subscriber to Legora.
3.2
The Subscriber shall comply with all Applicable Data Protection Laws that are applicable to it as controller of the Personal Data.
3.2
The Subscriber shall comply with all Applicable Data Protection Laws that are applicable to it as controller of the Personal Data.
3.2
The Subscriber shall comply with all Applicable Data Protection Laws that are applicable to it as controller of the Personal Data.
3.3
The Subscriber shall limit the provision of Personal Data to Legora to what is necessary for the purpose of the Agreement. For example, the Subscriber shall not include Personal Data, other than technical contact information, in technical support tickets.
3.3
The Subscriber shall limit the provision of Personal Data to Legora to what is necessary for the purpose of the Agreement. For example, the Subscriber shall not include Personal Data, other than technical contact information, in technical support tickets.
3.3
The Subscriber shall limit the provision of Personal Data to Legora to what is necessary for the purpose of the Agreement. For example, the Subscriber shall not include Personal Data, other than technical contact information, in technical support tickets.
4
Sub-processors
4
Sub-processors
4
Sub-processors
4.1
Legora is, subject to Clause 4.2, and Clause 5 entitled to engage subcontractors acting as sub-processors, and under the condition that they are bound by a written agreement which impose on them materially the same data processing obligations as the obligations under this DPA in respect of data protection.
4.1
Legora is, subject to Clause 4.2, and Clause 5 entitled to engage subcontractors acting as sub-processors, and under the condition that they are bound by a written agreement which impose on them materially the same data processing obligations as the obligations under this DPA in respect of data protection.
4.1
Legora is, subject to Clause 4.2, and Clause 5 entitled to engage subcontractors acting as sub-processors, and under the condition that they are bound by a written agreement which impose on them materially the same data processing obligations as the obligations under this DPA in respect of data protection.
4.2
Legora shall inform the Subscriber of any new sub-processors by updating the subprocessor list on www.legora.com/legal and give the Subscriber the opportunity to object to such changes. Such objections by the Subscriber shall be based on grounds regarding the new sub-processor’s ability to comply with Applicable Data Protection Laws and be made in writing within 30 days from posting. Legora may not engage a new sub-processor before the 30-day period has ended. Legora shall upon request provide the Subscriber with such information available to Legora that the Subscriber may reasonably request to assess the new sub-processor’s ability to comply with Applicable Data Protection Laws. If Legora, despite the Subscriber’s objection, wishes to engage the sub-processor, the Parties shall in good faith discuss and try to find an alternative solution which is reasonably acceptable to both Parties. If the Parties cannot find an alternative solution and the Subscriber still objects to the appointment of the sub-processor, and if the Subscriber’s objection would result in additional costs or expenses for Legora, then Legora is entitled to adjust its fees under the Agreement to ensure that Legora is compensated for such additional and/or increased costs or expenses. Notwithstanding the previous sentence, if the Subscriber’s objection would result in costs or operational consequences which, in Legora’s opinion, would not be commercially reasonable, Legora may terminate the Agreement upon reasonable written notice.
4.2
Legora shall inform the Subscriber of any new sub-processors by updating the subprocessor list on www.legora.com/legal and give the Subscriber the opportunity to object to such changes. Such objections by the Subscriber shall be based on grounds regarding the new sub-processor’s ability to comply with Applicable Data Protection Laws and be made in writing within 30 days from posting. Legora may not engage a new sub-processor before the 30-day period has ended. Legora shall upon request provide the Subscriber with such information available to Legora that the Subscriber may reasonably request to assess the new sub-processor’s ability to comply with Applicable Data Protection Laws. If Legora, despite the Subscriber’s objection, wishes to engage the sub-processor, the Parties shall in good faith discuss and try to find an alternative solution which is reasonably acceptable to both Parties. If the Parties cannot find an alternative solution and the Subscriber still objects to the appointment of the sub-processor, and if the Subscriber’s objection would result in additional costs or expenses for Legora, then Legora is entitled to adjust its fees under the Agreement to ensure that Legora is compensated for such additional and/or increased costs or expenses. Notwithstanding the previous sentence, if the Subscriber’s objection would result in costs or operational consequences which, in Legora’s opinion, would not be commercially reasonable, Legora may terminate the Agreement upon reasonable written notice.
4.2
Legora shall inform the Subscriber of any new sub-processors by updating the subprocessor list on www.legora.com/legal and give the Subscriber the opportunity to object to such changes. Such objections by the Subscriber shall be based on grounds regarding the new sub-processor’s ability to comply with Applicable Data Protection Laws and be made in writing within 30 days from posting. Legora may not engage a new sub-processor before the 30-day period has ended. Legora shall upon request provide the Subscriber with such information available to Legora that the Subscriber may reasonably request to assess the new sub-processor’s ability to comply with Applicable Data Protection Laws. If Legora, despite the Subscriber’s objection, wishes to engage the sub-processor, the Parties shall in good faith discuss and try to find an alternative solution which is reasonably acceptable to both Parties. If the Parties cannot find an alternative solution and the Subscriber still objects to the appointment of the sub-processor, and if the Subscriber’s objection would result in additional costs or expenses for Legora, then Legora is entitled to adjust its fees under the Agreement to ensure that Legora is compensated for such additional and/or increased costs or expenses. Notwithstanding the previous sentence, if the Subscriber’s objection would result in costs or operational consequences which, in Legora’s opinion, would not be commercially reasonable, Legora may terminate the Agreement upon reasonable written notice.
5
Third country transfers
5
Third country transfers
5
Third country transfers
5.1
The Subscriber acknowledges that it may transfer Personal Data or make Personal Data available by remote access to Legora in the EU, in order for Legora to provide the Services. Legora may not process Personal Data outside or engage sub-processors processing the personal data outside of the EU/EEA (which shall be considered given if the Subscriber has not objected to a new sub-processor within the time set out in Clause 4.2).
5.1
The Subscriber acknowledges that it may transfer Personal Data or make Personal Data available by remote access to Legora in the EU, in order for Legora to provide the Services. Legora may not process Personal Data outside or engage sub-processors processing the personal data outside of the EU/EEA (which shall be considered given if the Subscriber has not objected to a new sub-processor within the time set out in Clause 4.2).
5.1
The Subscriber acknowledges that it may transfer Personal Data or make Personal Data available by remote access to Legora in the EU, in order for Legora to provide the Services. Legora may not process Personal Data outside or engage sub-processors processing the personal data outside of the EU/EEA (which shall be considered given if the Subscriber has not objected to a new sub-processor within the time set out in Clause 4.2).
5.2
To the extent any transfer described in Clause 5.1 constitutes a Restricted Transfer, Legora shall upon request provide all reasonably relevant information regarding the Restricted Transfer to enable the Subscriber to make an informed decision, including details of the country or territory to which the Personal Data will be transferred.
5.2
To the extent any transfer described in Clause 5.1 constitutes a Restricted Transfer, Legora shall upon request provide all reasonably relevant information regarding the Restricted Transfer to enable the Subscriber to make an informed decision, including details of the country or territory to which the Personal Data will be transferred.
5.2
To the extent any transfer described in Clause 5.1 constitutes a Restricted Transfer, Legora shall upon request provide all reasonably relevant information regarding the Restricted Transfer to enable the Subscriber to make an informed decision, including details of the country or territory to which the Personal Data will be transferred.
5.3
If Standard Contractual Clauses are used as a Data Transfer Mechanism under this DPA, they shall be implemented as follows:
a) Legora shall ensure that the Restricted Transfer is subject to adequate safeguards as stated in Chapter V of the GDPR and may for this purpose rely on the Standard Contractual Clauses provided that the clauses, including supplementary security measures, ensure an essentially equivalent level of protection.
b) The Parties acknowledge and agree that Legora or its Sub-processor, as applicable, shall apply module 3 of the Standard Contractual Clauses.
5.3
If Standard Contractual Clauses are used as a Data Transfer Mechanism under this DPA, they shall be implemented as follows:
a) Legora shall ensure that the Restricted Transfer is subject to adequate safeguards as stated in Chapter V of the GDPR and may for this purpose rely on the Standard Contractual Clauses provided that the clauses, including supplementary security measures, ensure an essentially equivalent level of protection.
b) The Parties acknowledge and agree that Legora or its Sub-processor, as applicable, shall apply module 3 of the Standard Contractual Clauses.
5.3
If Standard Contractual Clauses are used as a Data Transfer Mechanism under this DPA, they shall be implemented as follows:
a) Legora shall ensure that the Restricted Transfer is subject to adequate safeguards as stated in Chapter V of the GDPR and may for this purpose rely on the Standard Contractual Clauses provided that the clauses, including supplementary security measures, ensure an essentially equivalent level of protection.
b) The Parties acknowledge and agree that Legora or its Sub-processor, as applicable, shall apply module 3 of the Standard Contractual Clauses.
5.4
Legora represents and warrants that Legora has no reason to believe that legislation or practices applicable to it or its sub-processors, including in any country to which Personal Data is transferred either by itself or through a sub-processor, prevents it from fulfilling its obligations under Applicable Data Protection Laws, this DPA or its obligations in the Standard Contractual Clauses. In the event Legora is unable to fulfil its obligations in this Clause 5.4, Legora agrees to immediately notify the Subscriber.
5.4
Legora represents and warrants that Legora has no reason to believe that legislation or practices applicable to it or its sub-processors, including in any country to which Personal Data is transferred either by itself or through a sub-processor, prevents it from fulfilling its obligations under Applicable Data Protection Laws, this DPA or its obligations in the Standard Contractual Clauses. In the event Legora is unable to fulfil its obligations in this Clause 5.4, Legora agrees to immediately notify the Subscriber.
5.4
Legora represents and warrants that Legora has no reason to believe that legislation or practices applicable to it or its sub-processors, including in any country to which Personal Data is transferred either by itself or through a sub-processor, prevents it from fulfilling its obligations under Applicable Data Protection Laws, this DPA or its obligations in the Standard Contractual Clauses. In the event Legora is unable to fulfil its obligations in this Clause 5.4, Legora agrees to immediately notify the Subscriber.
6
Information security and confidentiality
6
Information security and confidentiality
6
Information security and confidentiality
6.1
To maintain an adequate level of security for the protection of Personal Data, and without prejudice to the information security and confidentiality obligations which otherwise follows from the Agreement, Legora commits to the appropriate technical and organizational measures described in Appendix C.
6.1
To maintain an adequate level of security for the protection of Personal Data, and without prejudice to the information security and confidentiality obligations which otherwise follows from the Agreement, Legora commits to the appropriate technical and organizational measures described in Appendix C.
6.1
To maintain an adequate level of security for the protection of Personal Data, and without prejudice to the information security and confidentiality obligations which otherwise follows from the Agreement, Legora commits to the appropriate technical and organizational measures described in Appendix C.
6.2
Legora shall protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. The Personal Data shall also be protected against other forms of unlawful processing.
6.2
Legora shall protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. The Personal Data shall also be protected against other forms of unlawful processing.
6.2
Legora shall protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. The Personal Data shall also be protected against other forms of unlawful processing.
6.3
Legora shall ensure that only staff and other representatives who require access to Personal Data to fulfil Legora’s obligations under the Agreement have access to such information. Legora shall guarantee that all persons authorized to process the Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Furthermore, all persons authorized to process Personal Data shall receive sufficient and necessary training covering awareness of GDPR and data processing agreements.
6.3
Legora shall ensure that only staff and other representatives who require access to Personal Data to fulfil Legora’s obligations under the Agreement have access to such information. Legora shall guarantee that all persons authorized to process the Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Furthermore, all persons authorized to process Personal Data shall receive sufficient and necessary training covering awareness of GDPR and data processing agreements.
6.3
Legora shall ensure that only staff and other representatives who require access to Personal Data to fulfil Legora’s obligations under the Agreement have access to such information. Legora shall guarantee that all persons authorized to process the Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Furthermore, all persons authorized to process Personal Data shall receive sufficient and necessary training covering awareness of GDPR and data processing agreements.
7
Data breach notifications
7
Data breach notifications
7
Data breach notifications
7.1
Legora shall inform the Subscriber without undue delay and at the latest within 36 hours from becoming aware of a Personal Data breach.
7.1
Legora shall inform the Subscriber without undue delay and at the latest within 36 hours from becoming aware of a Personal Data breach.
7.1
Legora shall inform the Subscriber without undue delay and at the latest within 36 hours from becoming aware of a Personal Data breach.
7.2
Legora shall assist the Subscriber with any information reasonably required to fulfil the Subscriber’s data breach notification requirements under Applicable Data Protection Laws. Any costs associated with such assistance will be subject to the limitations of liability in the General Terms and Conditions.
7.2
Legora shall assist the Subscriber with any information reasonably required to fulfil the Subscriber’s data breach notification requirements under Applicable Data Protection Laws. Any costs associated with such assistance will be subject to the limitations of liability in the General Terms and Conditions.
7.2
Legora shall assist the Subscriber with any information reasonably required to fulfil the Subscriber’s data breach notification requirements under Applicable Data Protection Laws. Any costs associated with such assistance will be subject to the limitations of liability in the General Terms and Conditions.
8
Data protection impact assesments and prior consultations
8
Data protection impact assesments and prior consultations
8
Data protection impact assesments and prior consultations
Legora shall, at the Subscriber’s reasonable expense, considering the nature of the processing and the information available to Legora, assist the Subscriber in fulfilling the Subscriber’s obligation to, when applicable, carry out data protection impact assessments and prior consultations with the Data Protection Authority.
Legora shall, at the Subscriber’s reasonable expense, considering the nature of the processing and the information available to Legora, assist the Subscriber in fulfilling the Subscriber’s obligation to, when applicable, carry out data protection impact assessments and prior consultations with the Data Protection Authority.
Legora shall, at the Subscriber’s reasonable expense, considering the nature of the processing and the information available to Legora, assist the Subscriber in fulfilling the Subscriber’s obligation to, when applicable, carry out data protection impact assessments and prior consultations with the Data Protection Authority.
9
Audit rights
9
Audit rights
9
Audit rights
9.1
Subscriber shall have the right to perform audits of Legora’s processing of Subscriber’s personal data to verify Legora’s compliance with this DPA and Applicable Data Protection Laws. This audit right is limited to once per 12-month period unless the Subscriber has clear reasons to believe that Legora has materially breached its obligations under this DPA.
9.1
Subscriber shall have the right to perform audits of Legora’s processing of Subscriber’s personal data to verify Legora’s compliance with this DPA and Applicable Data Protection Laws. This audit right is limited to once per 12-month period unless the Subscriber has clear reasons to believe that Legora has materially breached its obligations under this DPA.
9.1
Subscriber shall have the right to perform audits of Legora’s processing of Subscriber’s personal data to verify Legora’s compliance with this DPA and Applicable Data Protection Laws. This audit right is limited to once per 12-month period unless the Subscriber has clear reasons to believe that Legora has materially breached its obligations under this DPA.
9.2
Legora undertakes to make available to the Subscriber all information and other assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by an authorized and reputable auditor mandated by the Subscriber, provided that the individuals performing the audits enter into confidentiality agreements or are bound by statutory obligations of confidentiality.
9.2
Legora undertakes to make available to the Subscriber all information and other assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by an authorized and reputable auditor mandated by the Subscriber, provided that the individuals performing the audits enter into confidentiality agreements or are bound by statutory obligations of confidentiality.
9.2
Legora undertakes to make available to the Subscriber all information and other assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by an authorized and reputable auditor mandated by the Subscriber, provided that the individuals performing the audits enter into confidentiality agreements or are bound by statutory obligations of confidentiality.
9.3
In this context, it is noted that among Legora’s customers there may be entities which are subject to statutory and/or bar association rules on confidentiality in relation to client/customer matters (e.g. banks, financial institutions, law firms, etc.). Hence, the Subscriber acknowledges that audits under this DPA shall not include access to information pertaining or belonging to Legora’s other customers.
9.3
In this context, it is noted that among Legora’s customers there may be entities which are subject to statutory and/or bar association rules on confidentiality in relation to client/customer matters (e.g. banks, financial institutions, law firms, etc.). Hence, the Subscriber acknowledges that audits under this DPA shall not include access to information pertaining or belonging to Legora’s other customers.
9.3
In this context, it is noted that among Legora’s customers there may be entities which are subject to statutory and/or bar association rules on confidentiality in relation to client/customer matters (e.g. banks, financial institutions, law firms, etc.). Hence, the Subscriber acknowledges that audits under this DPA shall not include access to information pertaining or belonging to Legora’s other customers.
9.4
The Subscriber is responsible for all costs associated with audits, save for when an audit concludes a material breach of Legora’s undertakings in violation of the Agreement. If so, Legora shall compensate the Subscriber for reasonable and verified costs associated with the audit.
9.4
The Subscriber is responsible for all costs associated with audits, save for when an audit concludes a material breach of Legora’s undertakings in violation of the Agreement. If so, Legora shall compensate the Subscriber for reasonable and verified costs associated with the audit.
9.4
The Subscriber is responsible for all costs associated with audits, save for when an audit concludes a material breach of Legora’s undertakings in violation of the Agreement. If so, Legora shall compensate the Subscriber for reasonable and verified costs associated with the audit.
10
Term of Agreement
10
Term of Agreement
10
Term of Agreement
The provisions of this DPA shall apply as long as Legora processes Personal Data for which the Subscriber is data controller or until such time this DPA is replaced with another data processing agreement.
The provisions of this DPA shall apply as long as Legora processes Personal Data for which the Subscriber is data controller or until such time this DPA is replaced with another data processing agreement.
The provisions of this DPA shall apply as long as Legora processes Personal Data for which the Subscriber is data controller or until such time this DPA is replaced with another data processing agreement.
11
Measures upon completion of processing of Personal Data
11
Measures upon completion of processing of Personal Data
11
Measures upon completion of processing of Personal Data
11.1
Before the expiration of this DPA, Legora shall, at the choice and instruction of the Subscriber, securely delete or return all Personal Data to the Subscriber, unless Applicable Data Protection Laws require Legora to store the Personal Data in which case the obligations set out in Clause 11.4(a)–(c) shall apply.
11.1
Before the expiration of this DPA, Legora shall, at the choice and instruction of the Subscriber, securely delete or return all Personal Data to the Subscriber, unless Applicable Data Protection Laws require Legora to store the Personal Data in which case the obligations set out in Clause 11.4(a)–(c) shall apply.
11.1
Before the expiration of this DPA, Legora shall, at the choice and instruction of the Subscriber, securely delete or return all Personal Data to the Subscriber, unless Applicable Data Protection Laws require Legora to store the Personal Data in which case the obligations set out in Clause 11.4(a)–(c) shall apply.
11.2
If return or destruction is impracticable or incidentally prohibited by a valid legal requirement, Legora shall take measures to inform the Subscriber and block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required under Swedish or EU law) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control and, where any authorized sub-processor continues to possess Personal Data, require the authorized sub-processor to take the same measures that would be required of Legora.
11.2
If return or destruction is impracticable or incidentally prohibited by a valid legal requirement, Legora shall take measures to inform the Subscriber and block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required under Swedish or EU law) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control and, where any authorized sub-processor continues to possess Personal Data, require the authorized sub-processor to take the same measures that would be required of Legora.
11.2
If return or destruction is impracticable or incidentally prohibited by a valid legal requirement, Legora shall take measures to inform the Subscriber and block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required under Swedish or EU law) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control and, where any authorized sub-processor continues to possess Personal Data, require the authorized sub-processor to take the same measures that would be required of Legora.
11.3
Upon request by the Subscriber, Legora shall provide a written notice of the measures taken regarding the Personal Data upon completion of the processing as set out in Clause 11.1.
11.3
Upon request by the Subscriber, Legora shall provide a written notice of the measures taken regarding the Personal Data upon completion of the processing as set out in Clause 11.1.
11.3
Upon request by the Subscriber, Legora shall provide a written notice of the measures taken regarding the Personal Data upon completion of the processing as set out in Clause 11.1.
11.4
If Legora is legally required to retain archival copies of any specific data belonging to the Subscriber for tax or similar regulatory purposes, Legora shall:
a) inform the Subscriber thereof in writing specifying the legal obligation and the affected Subscriber data,
b) not use the archived information for any other purpose than to strictly comply with the applicable legal obligation; and
c) remain bound by its obligations under the Agreement, including this DPA, including, its confidentiality and security obligations under the Agreement and the obligations under this DPA to protect the information using appropriate safeguards and to notify the Subscriber of any security incident involving the information.
11.4
If Legora is legally required to retain archival copies of any specific data belonging to the Subscriber for tax or similar regulatory purposes, Legora shall:
a) inform the Subscriber thereof in writing specifying the legal obligation and the affected Subscriber data,
b) not use the archived information for any other purpose than to strictly comply with the applicable legal obligation; and
c) remain bound by its obligations under the Agreement, including this DPA, including, its confidentiality and security obligations under the Agreement and the obligations under this DPA to protect the information using appropriate safeguards and to notify the Subscriber of any security incident involving the information.
11.4
If Legora is legally required to retain archival copies of any specific data belonging to the Subscriber for tax or similar regulatory purposes, Legora shall:
a) inform the Subscriber thereof in writing specifying the legal obligation and the affected Subscriber data,
b) not use the archived information for any other purpose than to strictly comply with the applicable legal obligation; and
c) remain bound by its obligations under the Agreement, including this DPA, including, its confidentiality and security obligations under the Agreement and the obligations under this DPA to protect the information using appropriate safeguards and to notify the Subscriber of any security incident involving the information.
12
Amendments
12
Amendments
12
Amendments
12.1
Any amendments to this DPA shall, to be valid, be agreed in writing and duly signed by authorized representatives of both Parties.
12.1
Any amendments to this DPA shall, to be valid, be agreed in writing and duly signed by authorized representatives of both Parties.
12.1
Any amendments to this DPA shall, to be valid, be agreed in writing and duly signed by authorized representatives of both Parties.
12.2
Notwithstanding Clause 12.1, the Subscriber is entitled to make updates to its written instructions regarding the processing set out in Appendix A. Legora shall be entitled to remuneration for any reasonable and verified additional costs that Legora incurs due to the Subscriber having made amendments to its written instructions regarding the processing. Notwithstanding the aforesaid, no remuneration shall be payable due to amendments in the written instructions directly due to, or directly based on, regulatory requirements.
12.2
Notwithstanding Clause 12.1, the Subscriber is entitled to make updates to its written instructions regarding the processing set out in Appendix A. Legora shall be entitled to remuneration for any reasonable and verified additional costs that Legora incurs due to the Subscriber having made amendments to its written instructions regarding the processing. Notwithstanding the aforesaid, no remuneration shall be payable due to amendments in the written instructions directly due to, or directly based on, regulatory requirements.
12.2
Notwithstanding Clause 12.1, the Subscriber is entitled to make updates to its written instructions regarding the processing set out in Appendix A. Legora shall be entitled to remuneration for any reasonable and verified additional costs that Legora incurs due to the Subscriber having made amendments to its written instructions regarding the processing. Notwithstanding the aforesaid, no remuneration shall be payable due to amendments in the written instructions directly due to, or directly based on, regulatory requirements.
13
Liability
13
Liability
13
Liability
The liability provisions and limitations thereof set out in the General Terms and Conditions Legora AI shall apply to this DPA.
The liability provisions and limitations thereof set out in the General Terms and Conditions Legora AI shall apply to this DPA.
The liability provisions and limitations thereof set out in the General Terms and Conditions Legora AI shall apply to this DPA.
14
Governing law and settlement of disputes
14
Governing law and settlement of disputes
14
Governing law and settlement of disputes
14.1
Except as otherwise required by Applicable Data Protection Laws, this DPA shall be governed by and construed in accordance with the governing law provision in the GTCs.
14.1
Except as otherwise required by Applicable Data Protection Laws, this DPA shall be governed by and construed in accordance with the governing law provision in the GTCs.
14.1
Except as otherwise required by Applicable Data Protection Laws, this DPA shall be governed by and construed in accordance with the governing law provision in the GTCs.
14.2
Any dispute, controversy, or claim arising out of or in connection with this DPA, or the breach, termination, or invalidity thereof, shall be finally settled in accordance with the dispute resolution provision set out in the General Terms and Conditions Legora AI.
14.2
Any dispute, controversy, or claim arising out of or in connection with this DPA, or the breach, termination, or invalidity thereof, shall be finally settled in accordance with the dispute resolution provision set out in the General Terms and Conditions Legora AI.
14.2
Any dispute, controversy, or claim arising out of or in connection with this DPA, or the breach, termination, or invalidity thereof, shall be finally settled in accordance with the dispute resolution provision set out in the General Terms and Conditions Legora AI.
15
Definitions
15
Definitions
15
Definitions
“Applicable Data Protection Laws” means any nationally or internationally binding data protection laws, case law, and regulations, including those (i) applicable within the European Union (the “EU”), including the EU General Data Protection Regulation (“EU GDPR”), the United Kingdom General Data Protection Regulation, which is the EU GDPR as incorporated into UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), and all other privacy and data protection laws of the European Economic Area (“EEA”) and the United Kingdom and (ii) those applicable in the United States, including the California Consumer Privacy Act, and applicable subordinate legislation and regulations implementing those laws in (i) and (ii), as amended and supplemented from time to time.
“Data Transfer Mechanism” means a transfer mechanism that enables the lawful cross-border transfer of Personal Data under Applicable Data Protection Laws. This includes transfer mechanisms that are required under Applicable Data Protection Laws in the EEA, UK, and Switzerland such as the Data Privacy Framework, the Standard Contractual Clauses, the UK International Data Transfer Addendum and any data transfer mechanism available under Applicable Data Protection Laws.
“Data Protection Authority” means a regulatory authority, supervisory authority, or other government agency authorized to enforce Applicable Data Protection Laws.
“Personal Data” means any Subscriber Content that (i) relates to an identified or identifiable natural person, or (ii) constitutes “personal data”, “personal information” or any similar term within the meaning of Applicable Data Protection Laws.
“Restricted Transfer” means any transfer of Personal Data that requires a Data Transfer Mechanism.
“Standard Contractual Clauses” means the European Commission’s standard contractual clauses adopted 4th of June 2021 or any clauses thereafter replacing such standard contractual clauses.
The terms “data controller” and “data processor” have the meanings accorded to them under Applicable Data Protection Laws.
“Applicable Data Protection Laws” means any nationally or internationally binding data protection laws, case law, and regulations, including those (i) applicable within the European Union (the “EU”), including the EU General Data Protection Regulation (“EU GDPR”), the United Kingdom General Data Protection Regulation, which is the EU GDPR as incorporated into UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), and all other privacy and data protection laws of the European Economic Area (“EEA”) and the United Kingdom and (ii) those applicable in the United States, including the California Consumer Privacy Act, and applicable subordinate legislation and regulations implementing those laws in (i) and (ii), as amended and supplemented from time to time.
“Data Transfer Mechanism” means a transfer mechanism that enables the lawful cross-border transfer of Personal Data under Applicable Data Protection Laws. This includes transfer mechanisms that are required under Applicable Data Protection Laws in the EEA, UK, and Switzerland such as the Data Privacy Framework, the Standard Contractual Clauses, the UK International Data Transfer Addendum and any data transfer mechanism available under Applicable Data Protection Laws.
“Data Protection Authority” means a regulatory authority, supervisory authority, or other government agency authorized to enforce Applicable Data Protection Laws.
“Personal Data” means any Subscriber Content that (i) relates to an identified or identifiable natural person, or (ii) constitutes “personal data”, “personal information” or any similar term within the meaning of Applicable Data Protection Laws.
“Restricted Transfer” means any transfer of Personal Data that requires a Data Transfer Mechanism.
“Standard Contractual Clauses” means the European Commission’s standard contractual clauses adopted 4th of June 2021 or any clauses thereafter replacing such standard contractual clauses.
The terms “data controller” and “data processor” have the meanings accorded to them under Applicable Data Protection Laws.
“Applicable Data Protection Laws” means any nationally or internationally binding data protection laws, case law, and regulations, including those (i) applicable within the European Union (the “EU”), including the EU General Data Protection Regulation (“EU GDPR”), the United Kingdom General Data Protection Regulation, which is the EU GDPR as incorporated into UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), and all other privacy and data protection laws of the European Economic Area (“EEA”) and the United Kingdom and (ii) those applicable in the United States, including the California Consumer Privacy Act, and applicable subordinate legislation and regulations implementing those laws in (i) and (ii), as amended and supplemented from time to time.
“Data Transfer Mechanism” means a transfer mechanism that enables the lawful cross-border transfer of Personal Data under Applicable Data Protection Laws. This includes transfer mechanisms that are required under Applicable Data Protection Laws in the EEA, UK, and Switzerland such as the Data Privacy Framework, the Standard Contractual Clauses, the UK International Data Transfer Addendum and any data transfer mechanism available under Applicable Data Protection Laws.
“Data Protection Authority” means a regulatory authority, supervisory authority, or other government agency authorized to enforce Applicable Data Protection Laws.
“Personal Data” means any Subscriber Content that (i) relates to an identified or identifiable natural person, or (ii) constitutes “personal data”, “personal information” or any similar term within the meaning of Applicable Data Protection Laws.
“Restricted Transfer” means any transfer of Personal Data that requires a Data Transfer Mechanism.
“Standard Contractual Clauses” means the European Commission’s standard contractual clauses adopted 4th of June 2021 or any clauses thereafter replacing such standard contractual clauses.
The terms “data controller” and “data processor” have the meanings accorded to them under Applicable Data Protection Laws.
Appendix A - Specification and purposes of the processing
Appendix A - Specification and purposes of the processing
Appendix A - Specification and purposes of the processing
1
Subject matter and purposes of the processing
1
Subject matter and purposes of the processing
1
Subject matter and purposes of the processing
Legora provides teams with an AI workspace for legal knowledge work through a SaaS solution.
The Services are defined in the Agreement and include i.a. an AI chat interface to interact with public legal sources, as well as the organization and Subscriber data.
Legora shall process Personal Data on behalf of the Subscriber for the purpose of providing the Services under the Agreement. Legora’s processing of Personal Data on behalf of the Subscriber will be as necessary to perform the Services, and as further legal applications based.
Legora provides teams with an AI workspace for legal knowledge work through a SaaS solution.
The Services are defined in the Agreement and include i.a. an AI chat interface to interact with public legal sources, as well as the organization and Subscriber data.
Legora shall process Personal Data on behalf of the Subscriber for the purpose of providing the Services under the Agreement. Legora’s processing of Personal Data on behalf of the Subscriber will be as necessary to perform the Services, and as further legal applications based.
Legora provides teams with an AI workspace for legal knowledge work through a SaaS solution.
The Services are defined in the Agreement and include i.a. an AI chat interface to interact with public legal sources, as well as the organization and Subscriber data.
Legora shall process Personal Data on behalf of the Subscriber for the purpose of providing the Services under the Agreement. Legora’s processing of Personal Data on behalf of the Subscriber will be as necessary to perform the Services, and as further legal applications based.
2
Data subjects
2
Data subjects
2
Data subjects
Individuals included in Subscriber Content, i.e. natural persons who are mentioned or otherwise included in the Subscriber’s input data submitted to the Legora Platform.
Individuals included in Subscriber Content, i.e. natural persons who are mentioned or otherwise included in the Subscriber’s input data submitted to the Legora Platform.
Individuals included in Subscriber Content, i.e. natural persons who are mentioned or otherwise included in the Subscriber’s input data submitted to the Legora Platform.
3
Personal Data
3
Personal Data
3
Personal Data
Name, title, email or other personal data submitted in search queries, prompt queries or documents uploaded into the Services.
Name, title, email or other personal data submitted in search queries, prompt queries or documents uploaded into the Services.
Name, title, email or other personal data submitted in search queries, prompt queries or documents uploaded into the Services.
4
Duration of processing
4
Duration of processing
4
Duration of processing
Legora’s processing of Personal Data on the Subscriber’s behalf will continue until the expiration or termination of the Agreement or as otherwise agreed between the Parties.
Legora’s processing of Personal Data on the Subscriber’s behalf will continue until the expiration or termination of the Agreement or as otherwise agreed between the Parties.
Legora’s processing of Personal Data on the Subscriber’s behalf will continue until the expiration or termination of the Agreement or as otherwise agreed between the Parties.