Data Processing Addendum

Understand our terms & conditions to use our website and our application.

updated 10/04/2024

IMPORTANT TERMS

This TrueLaw AI Studio Data Processing Addendum (the “DPA”) governs TrueLaw's processing of DPA Data required to provide the Service under the Terms of Service or any other agreement between You and TrueLaw pertaining to the use of TrueLaw's AI Studio software-as-a-service offering (the “Agreement”). This DPA is part of your Terms with TrueLaw. In the event of any conflicting language between the Agreement, the other Terms, or any operative Order Form, the terms of this DPA control.

You and TrueLaw each agree to comply with their respective obligations under Data Protection Law.

Data Processing Roles
As between You and TrueLaw, You are the Data Controller, and TrueLaw is the Data Processor, processing DPA Data on Your behalf.

Data Processing Purposes
TrueLaw will process DPA Data as your Data Processor to: (i) provide or maintain the Service; and (ii) for the purposes set forth in this DPA and the Agreement. TrueLaw acknowledges that you are disclosing DPA Data for these limited and specific purposes.

DEFINITIONS
The definitions in Section 15 (Defined Terms) apply to this DPA. All terms in quotation marks in the body of this DPA are also defined terms. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.

PROCESSING REQUIREMENTS

As a Data Processor, TrueLaw will:

1. Process DPA Data on Your behalf, according to Your instructions, and only in a manner that is necessary for the performance of the Service. Specifically, TrueLaw agrees to process DPA Data:
(i) for the purpose of providing, providing access to, servicing, and supporting Your use of the Service; and
(ii) in compliance with the instructions received from You;

2. Promptly notify You in writing if it cannot comply with the requirements of this DPA;

3. Promptly inform You if, in TrueLaw’s opinion, an instruction from You infringes applicable Data Protection Law; and

4. Ensure that all persons authorized by TrueLaw to process DPA Data are subject to a duty of confidentiality.

SUBPROCESSORS

TrueLaw will:

1. Engage the organizations or persons necessary to perform the Service as Subprocessors. You consent to TrueLaw's use of its existing Subprocessors and grant TrueLaw a general written authorization to engage Subprocessors to perform all or part of the processing activities required to provide the Service. If You subscribe to receive email notifications at the Subprocessor List, then TrueLaw will notify You if TrueLaw intends to add one or more Subprocessors to the Subprocessor List at least 30 days before the change takes effect. You may, within fifteen (15) days of receiving the notice of the change, reasonably object to TrueLaw’s use of a Subprocessor on reasonable grounds relating to the protection of DPA Data (the “Objection”) by following the instructions set forth in the Subprocessor List or by contacting privacy@truelaw.com (the “Objection Notice”). In such case, TrueLaw shall have the right to cure the Objection through one of the following options:
(i) TrueLaw will offer an alternative to provide its Service without such Subprocessor;
(ii) TrueLaw will take the corrective steps requested by You in the Objection Notice and proceed to use the Subprocessor;
(iii) TrueLaw may cease to provide, or You may agree not to use, whether temporarily or permanently, the particular aspect or feature of the Service that would involve the use of such Subprocessor; or
(iv) You may cease providing DPA Data to TrueLaw for processing.

2. If none of the above options are commercially feasible, in TrueLaw’s reasonable judgment, and the Objection has not been resolved to the satisfaction of the parties within thirty (30) days of TrueLaw’s receipt of the Objection, then either party may terminate any subscriptions, order forms, or usage regarding the Service for cause. In such case, You will be refunded any prepaid but unused fees for the applicable subscriptions, order forms, or usage to the extent they cover periods or terms following the date of such termination. Such termination right is Your sole and exclusive remedy if You object to any new Subprocessor;

3. Enter into contractual arrangements with each Subprocessor binding them to provide the same level of data protection and information security as provided for in this DPA. TrueLaw will remain fully liable to You for the performance of each Subprocessor to the extent the Subprocessor fails to fulfill its data protection obligations under the applicable data processing agreement with TrueLaw.

4. A current list of subprocessors is available by contacting us via email at security@truelaw.ai.

NOTICE TO CUSTOMER

TrueLaw will inform You, to the extent legally permitted, if TrueLaw receives:

1. Any legally binding request for disclosure of DPA Data by a law enforcement authority.
If TrueLaw is legally prohibited from notifying You, TrueLaw will use its best efforts to request a waiver of the prohibition and will document that request. TrueLaw will notify You once the prohibition expires or has been lifted with the aim of providing as much relevant information to You as reasonably possible;

2. Any notice, inquiry, or investigation by a Supervisory Authority with respect to DPA Data; or

3. Any complaint or request from a Data Subject (including “verifiable consumer requests” as defined by CCPA) exercising their right under Data Protection Law to:
(i) access their DPA Data;
(ii) have their DPA Data corrected or erased;
(iii) restrict or object to the Processing of their DPA Data; or
(iv) data portability (collectively “Data Subject Request”).
Other than to request further information or identify the Data Subject, TrueLaw will not respond to any Data Subject Request without prior written authorization from You.

PERSONAL DATA BREACH
If TrueLaw experiences any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to DPA Data (“Personal Data Breach”), TrueLaw will notify you in accordance with the timeframe set out under the heading “Incident Detection and Response” in the Security Addendum, which is incorporated into this DPA. TrueLaw will provide you with all information about the Personal Data Breach as required by Data Protection Law, including the information outlined under the heading “Incident Detection and Response” in the Security Addendum.

ASSISTANCE TO CUSTOMER AND AUDITS

Upon Your written request, TrueLaw will provide reasonable assistance to You regarding:

1. Your obligations to respond to Data Subject Requests relating to TrueLaw’s Processing of DPA Data;

2. Your preparation of data protection impact assessments with respect to the processing of DPA Data by TrueLaw and, where necessary, carrying out consultations with any Supervisory Authority with jurisdiction over the Processing; and

3. Information, assessments, or audits, to the extent required by Data Protection Law, and as necessary to confirm that TrueLaw is processing Personal Data in a manner consistent with this DPA. All audits and assessments will be performed in the manner set out under the heading “Customer Audit Rights” in the Security Addendum. All reports and documentation provided to You are TrueLaw’s Confidential Information.

REQUIRED PROCESSING
If TrueLaw is required by Data Protection Law to Process DPA Data outside of Your instructions, TrueLaw will inform you of this requirement in advance of any processing, unless TrueLaw reasonably believes it is legally prohibited from informing you of such processing.

SECURITY

TrueLaw will:

1. Implement and maintain a written information security program with the data security measures set out in the Security Addendum to protect against unauthorized or accidental access, loss, alteration, disclosure, or destruction of DPA Data and to protect the rights of the Data Subject; and

2. Take appropriate steps to ensure that all TrueLaw personnel and persons or entities authorized to Process DPA Data are protecting the security, privacy, and confidentiality of DPA Data consistent with the requirements of this DPA.

US SPECIFIC DATA PROTECTION OBLIGATIONS
To the extent applicable under US State Privacy Law, TrueLaw certifies that it understands and will comply with its obligations under US State Privacy Law to:

1. Only process DPA Data for the purposes set out in this DPA, the Agreement, and unless otherwise permitted by law;

2. Not “sell” or “share” (as defined by CCPA) DPA Data;

3. Not retain, use, or disclose DPA Data outside of the direct business relationship between TrueLaw and Customer unless otherwise required or permitted by law;

4. Process DPA Data in a manner that provides no less than the level of privacy protection required by US State Privacy Law;

5. Not combine any personal data with DPA Data that TrueLaw receives from or on behalf of any other third party or collects from TrueLaw’s own interactions with individuals, provided that TrueLaw may so combine personal data as permitted under US State Privacy Laws, or if directed to do so by Customer;

6. Not attempt to reidentify any deidentified data You provide to TrueLaw, except for the sole purpose of determining whether the deidentification processes are compliant with applicable Data Protection Law; and

7. Grant You the right to:
(i) Take reasonable and appropriate steps to ensure that TrueLaw uses DPA Data in a manner consistent with Data Protection Law; and
(ii) Stop and remediate unauthorized use of DPA Data.

OBLIGATIONS OF CUSTOMER

1. You represent, warrant, and covenant that You have and shall maintain throughout the term all necessary rights, consents, and authorizations to provide the DPA Data to TrueLaw and to authorize TrueLaw to Process DPA Data as contemplated by this DPA, the Agreement, the Terms, and/or other instructions provided to TrueLaw.

2. You shall reasonably cooperate with TrueLaw to assist TrueLaw in performing any of its obligations with regard to any requests from Your data subjects.

3. You acknowledge and agree that You, rather than TrueLaw, are responsible for certain configurations and design decisions for the services and that You are responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Law. Without limitation to the above, You represent, warrant, and covenant that You shall only transfer DPA Data to TrueLaw using secure, reasonable, and appropriate mechanisms.

4. You shall not provide DPA Data to TrueLaw except through agreed mechanisms. For example, You shall not include DPA Data other than technical contact information in technical support tickets or transmit DPA Data to TrueLaw by email.

5. You shall not provide to TrueLaw any personally identifiable genetic, biometric or health data; or payment card industry data (such as credit card numbers).

CROSS-BORDER DATA TRANSFERS
You acknowledge that Your Personal Data may be transferred to and processed in the United States by TrueLaw in order to provide the Service.

FUTURE REGULATIONS ON ARTIFICIAL INTELLIGENCE

1. In the event that new legislation and regulations are implemented that specifically govern the use of artificial intelligence solutions, both parties agree to review this DPA to ensure compliance with such legislation and regulations.

2. If the implementation of the new regulations requires substantial modifications to the terms and conditions of this DPA, both parties shall negotiate in good faith to make necessary amendments.

3. Should the new regulations render the continued provision of services under this contract infeasible or unlawful, either party may initiate termination by providing written notice to the other party. Termination shall be effective after a reasonable notice period, as agreed upon by both parties.

4. The termination of this DPA due to the aforementioned regulations shall not relieve either party from any outstanding obligations or liabilities incurred prior to the termination.

5. If any provision of this DPA is found to be inconsistent with future regulations governing artificial intelligence, such provision shall be interpreted in a manner consistent with the applicable laws, or if necessary, deemed null and void without affecting the validity of the remaining provisions.

RETENTION PERIOD
This DPA shall remain in effect as long as TrueLaw Processes DPA Data on your behalf or until the termination of the Agreement (and all DPA Data has been returned or deleted in accordance with the Agreement). Upon the termination of the Services or upon your reasonable request, TrueLaw shall, and shall direct each Subprocessor to, return to you or delete the DPA Data, unless TrueLaw is required by law to retain DPA Data.

DEFINED TERMS
“Data Controller” means the person or entity that determines the purposes and means of Processing DPA Data, which may include, as applicable, equivalent concepts under Data Protection Law (for example, “Business” as defined by CCPA).
“Data Processor” means the person or entity that Processes DPA Data on behalf of the Data Controller, which may include, as applicable, equivalent concepts under Data Protection Law (for example, “Service Provider” as defined by CCPA).
“Data Protection Law” means applicable privacy and data protection law in connection with your use of the Service. Data Protection Law may include, depending on the circumstances, Cal. Civ. Code §§ 1798.100 et seq., as amended and its implementing regulations (“CCPA”) and other applicable U.S. state privacy laws.
“Data Subject” means an identified or identifiable natural person to which DPA Data relates and only to the extent their Personal Data is protected by Data Protection Law.
“DPA Data” means Customer Data or Your Content that is Personal Data.
“Personal Data” means any information relating to an identifiable natural person which is protected under Data Protection Law and Processed in connection with Your use of the Service. This includes equivalent concepts as defined by Data Protection Law (for example, “personal information” as defined under the CCPA).
“Processing” means any operation or set of operations which is performed on Your behalf on DPA Data, whether or not by automated means, such as collecting, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination. “Process,” “Processes,” and “Processed” will be interpreted accordingly.
“Security Addendum” means the Security Addendum located at truelaw.ai/security/
“Subprocessor” means an entity TrueLaw engages to Process DPA Data on TrueLaw’s behalf, to carry out specific processing activities on Your behalf.
“Supervisory Authority” means any government agency or regulatory body that oversees data protection laws applicable to You.
“Terms of Service” means the Terms of Service located at truelaw.ai/terms-and-conditions.
“You” means the organization contracting for the use of the Service.
“US State Privacy Law” means all state laws relating to the protection and processing of personal data in effect in the United States of America, which may include, without limitation, the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act., a service provided by TrueLaw AI. AI studio offers AI application building services ("the Services") designed to enable our customers to build, deploy, and manage AI-driven applications to advance their operational capabilities.