Data Processing Agreement
Controller & processor terms.
Version 1.0.0 · For B2B customers (Solo Practice, Practitioner, Enterprise)
This DPA forms part of the Master Services Agreement (Terms of Service) between Customer ("Controller") and Agentic Agentic Enterprises ("Processor") where Customer's use of ADS involves processing of personal data of EU/UK/CA/etc. data subjects.
1. Roles & scope
- Controller: Customer (the attorney or firm using ADS)
- Processor: Agentic Agentic Enterprises
- Sub-processors: per /sub-processors
- Subject matter: providing the ADS platform per the Agreement
- Duration: term of the Agreement plus retention periods in Privacy Policy
- Categories of data subjects: Customer's clients, opposing parties named in Customer's queries, anyone Customer mentions in chat or documents
- Categories of personal data: names, case details, legal-matter contents (which may constitute special-category data within Art. 9 GDPR)
- Special categories: may include criminal-conviction data, sensitive category data within Art. 9 GDPR — Customer warrants it has lawful basis to upload
2. Processing instructions
Processor processes only on Controller's documented instructions, including transfer of data to a third country, except as required by law.
3. Confidentiality
Processor binds personnel to confidentiality.
4. Security measures (Annex II)
- Encryption: TLS 1.2+ in transit; AES-256 at rest; KMS-managed keys
- Access control: Cognito + IAM least-privilege; MFA available
- Auditability: 7-year immutable audit log (S3 Object Lock COMPLIANCE mode)
- Monitoring: CloudWatch alarms; WAF rate-limit; prompt-injection filter
- Incident response: 72-hour breach notification per Art. 33 GDPR
5. Sub-processors
Controller authorizes the sub-processors listed at /sub-processors. Processor will give 30-day notice of new sub-processors. Controller may object in writing within 30 days; if the objection is unresolved, Controller may terminate the affected service.
6. Data-subject rights assistance
Processor provides Controller with tools to fulfill access, rectification, erasure, portability, restriction, and objection requests via the platform's self-service endpoints (/api/v1/me/export, /api/v1/me/delete) and via direct support tickets.
7. Breach notification
Processor notifies Controller without undue delay (target: 24 hours after awareness) of any personal-data breach affecting Controller's data.
8. Audit rights
Once per year, Controller may audit Processor's security via:
- Review of SOC 2 Type II report (when available — target Q4 2026); or
- Submission of a security questionnaire that Processor will respond to within 30 days.
On-site audits are available to the Enterprise tier with 60 days' notice.
9. International transfers
Where data is transferred from EEA/UK/CH to USA, the EU Standard Contractual Clauses (Module Two — Controller-to-Processor; Decision (EU) 2021/914) apply and are incorporated by reference. The UK International Data Transfer Addendum applies where data originates in the UK.
10. Return / deletion on termination
Within 30 days of termination, Processor will return or delete Controller's data per Controller's choice, except data that must be retained by law (audit log: 7 yr).
11. Limitation of liability
Per the Agreement (cap = fees paid in the preceding 12 months).
12. Order of precedence
This DPA prevails over the MSA where they conflict.
13. How to execute
To countersign a copy of this DPA for your records, email legal@adslaw.ai with subject line "DPA execution — [Customer name]." [LAWYER REVIEW REQUIRED] before binding effect.