Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between VUGA Enterprises LLC d/b/a LegalPrizm ("LegalPrizm," "Processor," "we," "us") and the Customer ("Controller," "you," "your") for the provision of the LegalPrizm Service ("Service").

This DPA complies with:

GDPR (EU) 2016/679 (General Data Protection Regulation)
UK GDPR (as retained in UK law)
DORA (EU) 2022/2554 (Digital Operational Resilience Act)
NIS2 (EU) 2022/2555 (Directive on Security of Network and Information Systems)
EU Data Act (EU) 2023/2854
CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
Other applicable data protection laws

1. Definitions

Unless otherwise defined herein, capitalized terms have the meanings set forth in the GDPR and the Terms of Service.

"Controller": The entity that determines the purposes and means of processing Personal Data (i.e., the Customer).
"Processor": The entity that processes Personal Data on behalf of the Controller (i.e., LegalPrizm).
"Sub-processor": Any third-party processor engaged by LegalPrizm to process Personal Data.
"Personal Data": Any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
"Data Subject": The identified or identifiable natural person to whom Personal Data relates.
"Processing": Any operation performed on Personal Data as defined in GDPR Article 4(2).
"Data Protection Laws": GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy and data protection laws.
"Standard Contractual Clauses" (SCCs): European Commission-approved contractual clauses for international data transfers (2021 version).
"ICT Services": Information and communication technology services provided by LegalPrizm.
"Major ICT-Related Incident": An ICT incident with significant adverse impact on service availability, integrity, or security as defined under DORA Article 18.

2. Scope and Applicability

2.1 Processing Activities

This DPA applies to all Processing of Personal Data by LegalPrizm on behalf of the Controller in connection with the Service, including:

Document management and storage
Optical character recognition (OCR) processing
Legal research and document classification
Calendar and deadline management
Client and case data management
Billing and payment processing
Email communications and notifications
Analytics and service improvement (with anonymization where applicable)

2.2 Geographic Scope

This DPA applies to Processing of Personal Data:

EU Data: Data subjects located in the EEA, UK, or Switzerland, processed in accordance with GDPR
US Data: Data subjects located in the United States, processed in accordance with CCPA/CPRA and state privacy laws
Global: Data subjects in any jurisdiction, processed in accordance with applicable local laws

2.3 Regulatory Scope

This DPA incorporates requirements from:

GDPR Articles 28, 32, 33: Processor obligations, security, breach notification
DORA Articles 28-30: ICT third-party risk management, contractual arrangements, exit strategies
NIS2 Directive Articles 21-23: Cybersecurity risk management, incident reporting, supply chain security
EU Data Act Articles 23-29: Data portability, switching rights, interoperability

3. Controller and Processor Responsibilities

3.1 Controller Responsibilities

The Controller:

Determines the purposes and means of Processing Personal Data
Ensures it has lawful basis for Processing (GDPR Article 6)
Obtains necessary consents from Data Subjects where required
Provides clear privacy notices to Data Subjects
Ensures Processing instructions to LegalPrizm are lawful
Conducts Data Protection Impact Assessments (DPIAs) where required (GDPR Article 35)
Responds to Data Subject requests, with assistance from LegalPrizm as needed
Maintains records of Processing activities (GDPR Article 30(1))

3.2 Processor Responsibilities

LegalPrizm:

Processes Personal Data only on documented instructions from the Controller
Ensures personnel are bound by confidentiality obligations
Implements appropriate technical and organizational measures (Article 32)
Assists the Controller in responding to Data Subject requests
Assists the Controller with security breach notifications
Deletes or returns Personal Data upon termination (as instructed)
Makes available all information necessary to demonstrate compliance
Allows for and contributes to audits and inspections
Immediately informs the Controller if instructions violate Data Protection Laws
Maintains records of Processing activities (GDPR Article 30(2))

4. Data Processing Details

4.1 Subject Matter and Duration

Subject Matter: Provision of legal document management and automation services
Duration: The term of the Service subscription, plus retention periods as specified in Section 11

4.2 Nature and Purpose of Processing

LegalPrizm processes Personal Data to:

Provide the Service as described in the Terms of Service
Store and manage legal documents and client information
Perform OCR and document analysis
Facilitate communication and collaboration
Provide customer support
Ensure security and prevent fraud
Comply with legal obligations

4.3 Categories of Data Subjects

Legal professionals (attorneys, paralegals, legal staff)
Law firm clients (individuals seeking legal services)
Opposing parties and witnesses in legal matters
Law firm employees and contractors
Service users and administrators

4.4 Categories of Personal Data

Basic Personal Data:

Identifiable information: Name, email, phone number, address
Professional information: Bar number, firm name, practice area
Account information: Username, password (hashed), preferences
Usage data: Access logs, feature usage, IP addresses

Sensitive Personal Data (Encrypted with AES-256-CBC):

Government identifiers: Social Security Numbers (SSN), passport numbers, driver's license numbers
Immigration data: Alien registration numbers, visa information
Financial information: Bank account numbers, credit card data (last 4 digits only, tokenized via Stripe)
Biometric data: Signatures, photographs (when included in legal documents)
Health information: Medical records (when part of legal cases)
Special categories data (GDPR Article 9): Racial/ethnic origin, political opinions, religious beliefs, trade union membership (when disclosed in legal filings)

Case-Related Data:

Legal documents: Pleadings, motions, contracts, discovery materials
Case metadata: Case numbers, court information, deadlines, statuses
Communications: Attorney-client communications, correspondence
Research data: Legal research results, citations, annotations

5. Technical and Organizational Security Measures

5.1 Encryption (GDPR Article 32(1)(a))

Data at Rest:

AES-256-GCM encryption for all databases and file storage
AES-256-CBC field-level encryption for sensitive PII (SSN, passport numbers, DOB) with per-firm encryption keys derived using PBKDF2
Hardware Security Modules (HSMs) for encryption key generation and storage, FIPS 140-3 validated
Searchable encryption using HMAC-SHA256 for encrypted field indexing without decryption

Data in Transit:

TLS 1.3 with perfect forward secrecy (PFS) for all API communications
Certificate pinning for mobile applications
Encrypted database connections with TLS for all database traffic

5.2 Confidentiality (Article 32(1)(b))

Multi-factor authentication (MFA) required for all administrative accounts
Role-based access control (RBAC) with principle of least privilege
Background checks for all personnel with access to Personal Data
Confidentiality agreements (NDAs) signed by all employees and contractors
Annual security awareness training covering GDPR, phishing, social engineering

5.3 Integrity and Availability (Article 32(1)(b))

High Availability:

99.9% uptime SLA with multi-region redundancy
Load balancing across multiple availability zones
Database replication with automatic failover
DDoS protection via Cloudflare

Backup and Recovery:

Automated daily backups with 7-day retention (incremental) and 90-day retention (full)
Point-in-time recovery (PITR) for databases (1-hour RPO)
Cross-region backup replication for disaster recovery
Quarterly backup restoration testing

5.4 Resilience (Article 32(1)(c))

Recovery Time Objective (RTO): 4 hours for critical systems
Recovery Point Objective (RPO): 1 hour maximum data loss
Disaster recovery plan tested semi-annually
Multi-region deployment (EU: Frankfurt, Dublin; US: Virginia, Oregon)

5.5 Testing and Evaluation (Article 32(1)(d))

Annual penetration testing by CREST-certified third-party experts
Quarterly vulnerability scanning
Continuous security monitoring with real-time alerting
Bug bounty program for responsible disclosure

6. Sub-Processors

6.1 General Authorization

The Controller provides general authorization for LegalPrizm to engage Sub-processors to process Personal Data, subject to the conditions set forth in this DPA.

6.2 Current Sub-processors

A complete and current list of Sub-processors is maintained at: legalprizm.com/sub-processors

6.3 Sub-processor Requirements

LegalPrizm ensures that all Sub-processors:

Are bound by written agreements imposing data protection obligations equivalent to this DPA
Implement appropriate technical and organizational security measures (Article 32)
Provide sufficient guarantees of compliance with Data Protection Laws
Allow for audits and inspections by LegalPrizm or the Controller
Delete or return Personal Data upon termination of services
For EU data: Execute Standard Contractual Clauses (SCCs) where data is transferred outside the EEA

6.4 Notification of Sub-processor Changes

LegalPrizm will notify the Controller of any intended changes to Sub-processors (additions or replacements) at least 30 days in advance via email.

6.5 Objection Right

The Controller may object to the appointment of a new Sub-processor within 14 days of notification if there are reasonable grounds relating to data protection compliance. If no resolution is reached, the Controller may terminate the affected Service without penalty.

7. International Data Transfers

7.1 Data Residency Commitment

For EU Personal Data:

All Personal Data of EU Data Subjects is stored and processed exclusively within the European Economic Area (EEA), specifically in Germany (Frankfurt)
No routine transfers of EU Personal Data to the United States or other non-EEA countries

For US Personal Data:

Stored and processed in United States data centers
No transfer to non-US jurisdictions without Controller consent

7.2 Standard Contractual Clauses (SCCs)

For any transfer of EU Personal Data outside the EEA, LegalPrizm uses European Commission-approved Standard Contractual Clauses (2021 version).

7.3 Transfer Impact Assessments

LegalPrizm conducts Transfer Impact Assessments (TIAs) as required by Schrems II for all transfers to countries without adequacy decisions, including:

Evaluation of third-country laws
Analysis of risks from governmental access requests
Assessment of effectiveness of supplementary measures

8. Data Breach Notification

8.1 Notification Timeline

For EU Personal Data (GDPR Articles 33-34):

LegalPrizm will notify the Controller within 24 hours of becoming aware of a Personal Data breach
Controller is responsible for notifying the relevant supervisory authority within 72 hours (with LegalPrizm's assistance)

8.2 Major ICT-Related Incident Reporting (DORA Article 19)

Initial Notification: Within 4 hours of classifying the incident as major
Intermediate Report: When significant status changes occur
Final Report: Within 72 hours of incident resolution

8.3 Incident Response Contacts

Security Incidents: [email protected]
24/7 Hotline: +1-786-967-6544 (option 9)
Data Protection Officer: [email protected]

9. Data Subject Rights

Data Subjects have the following rights under GDPR:

Right of Access (Article 15): Obtain confirmation of Processing and copy of Personal Data
Right to Rectification (Article 16): Correct inaccurate or incomplete Personal Data
Right to Erasure (Article 17): Request deletion ("Right to be Forgotten")
Right to Restriction of Processing (Article 18): Limit Processing in certain circumstances
Right to Data Portability (Article 20): Receive Personal Data in machine-readable format
Right to Object (Article 21): Object to Processing based on legitimate interests

LegalPrizm will forward requests received directly from Data Subjects to the Controller within 24 hours and provide assistance in responding to requests within 5 business days.

10. Data Retention and Deletion

10.1 Retention Periods

Data Category	Retention Period	Legal Basis
Account and user data	Subscription + 7 years	Tax compliance
Documents and files	As directed by Controller	Controller instruction
Payment records	7 years	Tax and accounting
Audit logs	7 years	GDPR Article 32, DORA
Session data	90 days	Security monitoring
Backup data	90 days (rolling)	Disaster recovery

10.2 Data Deletion Upon Termination

90-day grace period: Controller has 90 days to export all Personal Data
Data export assistance: Data provided in machine-readable formats (JSON, CSV, PDF) at no additional cost
Secure deletion: After 90 days, all Personal Data is securely deleted using NIST SP 800-88 standards
Certificate of destruction: Provided to Controller upon request

11. Audits and Inspections

The Controller has the right to:

Audit LegalPrizm's compliance with this DPA and Data Protection Laws
Inspect facilities and systems (with reasonable notice)
Review documentation (security policies, incident reports, compliance certifications)
Appoint independent third-party auditors

As an alternative to individual audits, the Controller may rely on LegalPrizm's third-party compliance certifications including SOC 2 Type II Report and ISO 27001:2022 Certificate.

12. Data Portability and Switching

12.1 Data Export Formats

LegalPrizm provides data in the following formats at no charge:

JSON: Complete data export with full schema
CSV: Tabular data (clients, cases, users)
PDF: Documents, reports, invoices
XML: Structured data export

12.2 Zero Switching Fees (EU Data Act)

No charges for data portability or switching to another service provider
No early termination fees for EU Users exercising switching rights
Continued access to systems during transition (up to 30 days)

13. Compliance Certifications

Certification	Status	Scope
SOC 2 Type II	In Progress (Q4 2025)	Security, Availability, Confidentiality, Privacy
ISO 27001:2022	In Progress (Q2 2026)	Information Security Management System
ISO 27701:2019	In Progress (Q2 2026)	Privacy Information Management System
GDPR Compliance	Ongoing	EU data protection compliance
DORA Compliance	In Progress	ICT operational resilience
NIS2 Compliance	In Progress	Cybersecurity of network systems

14. Liability and Insurance

LegalPrizm maintains the following insurance coverage:

Cyber Liability Insurance: $5,000,000 coverage for data breaches, cyber incidents, and privacy violations
Professional Liability Insurance (E&O): $2,000,000 coverage for errors and omissions
General Liability Insurance: $1,000,000 per occurrence

Liability is limited to direct damages only, excluding indirect, consequential, or punitive damages. Maximum liability is capped at the greater of $100,000 or amounts paid by Controller to LegalPrizm in the 12 months preceding the event.

15. Term and Termination

This DPA remains in effect for the duration of the Service subscription and continues until all Personal Data has been deleted or returned to the Controller.

Termination by Controller: The Controller may terminate if LegalPrizm materially breaches this DPA and fails to remedy within 30 days of written notice, or if LegalPrizm violates Data Protection Laws.

Effect of Termination: Upon termination, processing ceases, Personal Data is returned or deleted as instructed, and provisions relating to confidentiality, liability, and audit rights survive for 7 years.

16. Governing Law

For US Controllers: Governed by the laws of the State of Florida, USA. Disputes resolved in state or federal courts in Miami-Dade County, Florida.

For EU Controllers: Governed by the laws of the Republic of Ireland. Disputes resolved in Irish courts. EU Controllers have the right to bring claims in their country of residence.

For UK Controllers: Governed by the laws of England and Wales.

17. Contact Information

Data Protection Officer
Email: [email protected]

Privacy and Legal
Email: [email protected]
Phone: +1-786-967-6544

Security Incidents
Email: [email protected]
24/7 Hotline: +1-786-967-6544 (option 9)

VUGA Enterprises LLC d/b/a LegalPrizm
Address: 18117 Biscayne Blvd Unit 1039, Aventura, FL 33160, United States