Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Lexilio and Customer.


1. Definitions

"Controller", "Processor", "Data Subject", "Personal Data" and "Personal Data Breach" have the meanings given in the GDPR.

Data Protection Law means GDPR, UK GDPR, and any applicable local data protection laws.


2. Roles and Scope

When Lexilio processes Personal Data on Customer's behalf, Customer is the Controller and Lexilio is the Processor.

Personal Data may include names, email addresses, and other data contained in uploaded contracts.


3. Lexilio's Obligations

Lexilio shall:

  • Process Personal Data only on documented instructions from Customer
  • Ensure personnel are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Notify Customer of any Personal Data Breach without undue delay
  • Assist Customer with Data Subject rights requests
  • Assist Customer with data protection impact assessments
  • Delete or return Personal Data on termination (unless required by law)
  • Allow Customer audits upon reasonable notice (at Customer's expense)

4. Sub-Processors

Lexilio may use sub-processors (e.g., AWS, Google Cloud) provided:

  • Customer is notified of any changes
  • Sub-processors are bound by equivalent obligations
  • Lexilio remains liable for sub-processor acts

Current sub-processors: AWS, Railway, Supabase, Vercel, Anthropic (Claude)


5. International Transfers

Personal Data may be transferred outside the EEA/UK. Lexilio ensures appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions).


6. Security Measures

Lexilio implements:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and authentication
  • Regular security audits and penetration testing
  • Incident response procedures
  • Employee security training

7. Data Subject Rights

Lexilio will assist Customer in responding to Data Subject requests for:

  • Access, rectification, erasure
  • Restriction, objection, portability

Customer is responsible for responding to Data Subjects. Lexilio charges reasonable costs for assistance.


8. Retention

Lexilio retains Personal Data only as long as necessary to provide services or as required by law.

On termination, Personal Data is deleted within 30 days unless Customer requests export.


9. Liability

Lexilio is liable for damages caused by processing that violates the GDPR or by failure to comply with Customer's documented instructions.


10. Contact

Data Protection Officer: hello@lexilio.co


ANNEX: Processing Details

  • Purpose: Contract risk analysis, compliance checking, AI-powered insights
  • Duration: For the term of the service agreement
  • Nature of Processing: Automated analysis, data extraction, machine learning
  • Categories of Data Subjects: Customer's employees, contractors, contract counterparties
  • Types of Personal Data: Names, email addresses, phone numbers, addresses (as contained in contracts)
  • Sensitive Data: Special categories of Personal Data (GDPR Article 9) are not typically processed; Customer should not upload such data