Last updated: May 2026

Data Processing Agreement.

Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Lexilio Inc. ("Processor") and the Customer ("Controller"). It applies where Lexilio processes personal data on behalf of the Customer in connection with the provision of the Platform.

This DPA is subject to the Terms of Service and is incorporated into them by reference.

Definitions

Controller
The Customer, who determines the purposes and means of processing personal data.
Processor
Lexilio Inc., who processes personal data on behalf of the Controller.
Data Subject
An individual whose personal data is processed.
Personal Data
Any information relating to an identified or identifiable natural person.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.
Data Protection Law
GDPR, UK GDPR, and any applicable local data protection legislation.
GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council.

Roles and Responsibilities

The parties acknowledge that:

  • For personal data processed through the Platform on the Customer's behalf (including data contained in uploaded contracts), the Customer is the Controller and Lexilio is the Processor.
  • For personal data relating to the Customer's account, billing, and direct communications, Lexilio acts as an independent Controller as described in our Privacy Policy.

Details of Processing

Purpose
Contract risk analysis, obligation extraction, compliance checking, notice generation, and AI-powered commercial intelligence.
Duration
For the term of the service agreement, plus 30 days following termination for deletion.
Nature of processing
Automated analysis, data extraction, natural language processing, report generation.
Categories of data subjects
Customer employees, contractors, contract counterparties, and any individuals named in uploaded documents.
Types of personal data
Names, email addresses, phone numbers, postal addresses, job titles, and other personal data contained in uploaded contracts and documents.
Sensitive data
Not intended to be processed. Customers should not upload special category data as defined under GDPR Article 9.

Lexilio's Obligations as Processor

Lexilio shall:

  • Process personal data only on documented instructions from the Customer, unless required to do so by applicable law
  • Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: encryption in transit (TLS 1.2+) and at rest (AES-256); access controls and authentication; periodic security reviews; incident response procedures
  • Not engage sub-processors without prior general or specific authorisation from the Customer (general authorisation is given by acceptance of these Terms)
  • Notify the Customer without undue delay upon becoming aware of a Personal Data Breach
  • Assist the Customer in responding to Data Subject rights requests
  • Assist the Customer with data protection impact assessments where required
  • At the Customer's choice, delete or return all personal data on termination of services, and delete existing copies unless retention is required by law
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits upon reasonable prior notice (costs to be borne by the Customer)

Sub-Processors

Lexilio uses the following approved sub-processors to deliver the Platform. All sub-processors are bound by data protection obligations equivalent to those in this DPA. Lexilio remains fully liable for the acts of its sub-processors.

Sub-processor: purpose (processing location)

  • AWS: cloud infrastructure and storage (European Union)
  • Railway: application hosting (European Union)
  • Supabase: database and authentication (European Union)
  • Vercel: website hosting and CDN (United States and European Union)
  • Anthropic: AI processing, fallback (United States)
  • xAI: AI processing, primary (United States)
  • OpenAI: AI processing, supplementary (United States)
  • Stripe: payment processing (United States)
  • Crisp: customer support (European Union)

We will notify Customers of any intended changes to sub-processors at least 14 days in advance, providing an opportunity to object.

International Data Transfers

Some sub-processors are located outside the European Economic Area (EEA) and the UK. Where personal data is transferred to a third country, Lexilio ensures that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • The UK International Data Transfer Agreement (IDTA) where applicable
  • Adequacy decisions where available

A copy of applicable transfer mechanisms is available on request by contacting hello@lexilio.co.

Data Subject Rights

Lexilio will provide reasonable assistance to the Customer in fulfilling its obligations to respond to Data Subject requests under Data Protection Law, including requests for:

  • Access to personal data
  • Rectification of inaccurate data
  • Erasure of personal data
  • Restriction of processing
  • Data portability
  • Objection to processing

The Customer is responsible for responding to Data Subjects directly. Lexilio will forward any requests received directly from Data Subjects to the Customer without undue delay.

Personal Data Breach Notification

In the event of a Personal Data Breach, Lexilio will notify the Customer without undue delay and in any event within 72 hours of becoming aware, providing:

  • A description of the nature of the breach
  • Categories and approximate number of data subjects and records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

Data Retention and Deletion

Lexilio retains Customer personal data only for as long as necessary to provide the services.

On termination of the service agreement:

  • Customer Data is deleted within 30 days of termination
  • Customers should export any data they require before this period expires
  • Backup copies are purged within 30 days of the live deletion
  • Certain data may be retained longer where required by applicable law

Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

Lexilio is liable for damages caused by processing in violation of this DPA or applicable Data Protection Law, to the extent such damages are attributable to Lexilio.

The Customer is liable for damages caused by processing that infringes Data Protection Law where such damages are attributable to the Customer's instructions or use of the Platform.

Contact and Governing Law

This DPA is governed by the laws of Delaware, United States, consistent with the Terms of Service.

Data protection enquiries: hello@lexilio.co

Data Protection Officer:
Muhammad Y Malik
Lexilio Inc., Delaware, United States