Data Processing Agreement

Last updated: January 15, 2025 · Version 2.1

This Data Processing Agreement ("DPA") forms part of the Legalitize Terms of Service between Legalitize, Inc. ("Processor") and the Customer ("Controller"). This DPA applies where Legalitize processes personal data on behalf of the Customer in connection with the Legalitize platform.

Need a signed DPA?

Enterprise customers requiring a signed, executed DPA for GDPR or HIPAA BAA purposes should contact legal@legalitize.com. We execute DPAs within 5 business days.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed by Legalitize under this DPA.

"Controller" means the Customer who determines the purposes and means of processing personal data.

"Processor" means Legalitize, Inc., which processes personal data on behalf of the Controller.

"Sub-processor" means any third party engaged by Legalitize to assist in processing personal data.

"Protected Health Information (PHI)" means individually identifiable health information as defined under HIPAA, 45 CFR § 160.103.

2. Processing Instructions

Legalitize will process personal data only on documented instructions from the Customer, including those set out in the Terms of Service and this DPA, and solely for the purpose of providing the Legalitize legal practice management platform.

Legalitize will immediately notify the Customer if, in its opinion, any instruction infringes applicable data protection law.

3. Details of Processing

Nature & Purpose

Storage, retrieval, analysis, and AI-assisted processing of legal documents, matter data, and client information for the purpose of providing legal practice management services.

Categories of Data Subjects

Law firm staff (attorneys, paralegals, administrators); clients of Customer law firms; opposing parties and witnesses referenced in legal matters.

Categories of Personal Data

Names, contact information, legal identification numbers, case facts, deposition transcripts, PHI (where applicable), financial records in matters, and other data contained in uploaded documents.

Retention

As directed by Customer, up to the account termination period (90 days post-termination), after which data is securely deleted.

4. Security Measures

Legalitize implements the following technical and organizational security measures:

5. Sub-processors

Legalitize engages the following sub-processors under written agreements with equivalent data protection obligations:

Legalitize will provide 30 days' notice before adding or replacing sub-processors. Customers may object to sub-processor changes by contacting legal@legalitize.com.

6. Data Subject Rights

Legalitize will provide reasonable assistance to enable the Customer to fulfil their obligations to respond to data subject requests (access, erasure, rectification, portability, restriction, objection). Customer-initiated data exports and deletions are available through the platform settings.

7. HIPAA Business Associate Agreement

For Customers who are HIPAA Covered Entities or Business Associates processing PHI through the platform, Legalitize offers a Business Associate Agreement (BAA) as required by 45 CFR § 164.308. Contact legal@legalitize.com to execute a BAA.

Legalitize maintains HIPAA-compliant controls including: minimum necessary access, PHI scanning and flagging, audit logs of all PHI access, and encrypted storage meeting § 164.312 technical safeguard requirements.

8. International Transfers

Where personal data is transferred outside the EEA or UK, Legalitize relies on Standard Contractual Clauses (Module 2: Controller-to-Processor) as approved by the European Commission. Copies of applicable SCCs are available upon request.

9. Breach Notification

Legalitize will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of a personal data breach affecting Customer data. Notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

10. Audit Rights

Upon reasonable written notice (at least 30 days), Legalitize will make available information necessary to demonstrate compliance with this DPA, including access to relevant audit reports (SOC 2, ISO 27001 summaries). On-site audits are available for enterprise customers under a separate agreement.

11. Term & Termination

This DPA is coterminous with the Terms of Service. Upon termination, Legalitize will, at the Customer's election, delete or return all personal data within 90 days and certify such deletion in writing.

Contact

Data Protection inquiries: dpo@legalitize.com
Execute a DPA/BAA: legal@legalitize.com