Data Processing Agreement

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

2. Scope and Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the Agreements.ai platform services as described in the Terms of Service. This includes contract creation, analysis, storage, e-signatures, and related AI-powered legal document services.

3. Types of Personal Data Processed

• Contact information (name, email address, phone number)
• Account credentials and profile information
• Payment and billing information
• Content of legal documents uploaded or created on the platform
• Usage data and platform interaction logs
• E-signature data and identity verification information

4. Data Subject Categories

• Customers and their authorized users
• Individuals whose data is contained within documents uploaded to the platform
• Signatories and counterparties to contracts
• End users accessing shared or public documents

5. Duration of Processing

Personal Data will be processed for the duration of the service agreement. Upon termination, the Processor will delete or return all Personal Data within 90 days, unless retention is required by applicable law.

6. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors. The Processor will notify the Controller of any changes to this list and provide the Controller an opportunity to object.

7. Data Subject Rights

The Processor will assist the Controller in fulfilling Data Subject requests under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection. The Processor will promptly notify the Controller of any Data Subject request received directly.

8. Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures are described in detail on our Security & Trust page and include encryption at rest and in transit, access controls, regular security assessments, and employee training.

9. Data Breach Notification

The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification will include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

10. Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor ensures that appropriate safeguards are in place, including the European Commission's Standard Contractual Clauses (SCCs) for international data transfers. The Processor will comply with any additional requirements under applicable data protection law regarding cross-border transfers.

11. Audit Rights

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection law. The Processor will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and scope.

12. Termination and Data Deletion

Upon termination of the service agreement, the Processor will, at the Controller's choice, delete or return all Personal Data and delete existing copies within 90 days, unless applicable law requires storage of the Personal Data. The Controller may export their data at any time during the term of the agreement.