Data Processing Agreement
Last Updated: May 2026
This agreement applies to customers who require a formal data processing agreement under GDPR Article 28. For the current list of sub-processors referenced in this DPA, see our Sub-processors page.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: [Customer Name] ("Controller" or "Customer")
- Data Processor: Legistry AI ("Processor" or "Legistry AI")
This DPA forms part of the Terms of Service and governs Legistry AI's processing of Personal Data on behalf of the Customer.
2. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person
- "Processing": Any operation performed on Personal Data (collection, storage, analysis, etc.)
- "Data Subject": The individual to whom Personal Data relates
- "GDPR": General Data Protection Regulation (EU) 2016/679
- "Sub-processor": Third-party service providers engaged by Legistry AI
3. Scope and Purpose
Legistry AI will process Personal Data on behalf of the Customer solely for the purpose of providing the Service as described in the Terms of Service, including:
- Contract lifecycle management and document processing
- Compliance monitoring and regulatory tracking
- Vendor management and risk assessment
- Legal analytics and reporting
4. Processor Obligations
Legistry AI agrees to:
- Process Personal Data only in accordance with Customer's documented instructions
- Implement appropriate technical and organizational measures to ensure security
- Maintain confidentiality and ensure personnel are bound by confidentiality obligations
- Assist Customer in responding to Data Subject requests (access, rectification, deletion)
- Notify Customer without undue delay of any Personal Data breach
- Assist Customer in conducting data protection impact assessments
- Make available to Customer all information necessary to demonstrate compliance
5. Sub-processors
Customer authorizes Legistry AI to engage Sub-processors. Current Sub-processors include:
- Cloud Infrastructure: AWS/Google Cloud/Azure (data hosting)
- AI Providers: OpenAI, Anthropic, Perplexity AI (AI processing)
- Email Services: SendGrid (transactional emails)
- Monitoring: Sentry (error tracking)
Legistry AI will notify Customer of any new Sub-processors and provide an opportunity to object. Legistry AI remains liable for Sub-processor compliance.
6. Data Security
Legistry AI implements the following security measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and role-based permissions
- Regular security audits and vulnerability assessments
- Incident response procedures
- Backup and disaster recovery systems
7. Data Transfers
If Personal Data is transferred outside the EEA, Legistry AI ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
8. Data Retention and Deletion
Personal Data will be retained only for as long as necessary to provide the Service or as required by law. Upon termination of the Service or upon Customer's request, Legistry AI will delete or return all Personal Data within 30 days, unless retention is required by law.
9. Audit Rights
Customer has the right to audit Legistry AI's compliance with this DPA. Audits will be conducted during business hours with reasonable advance notice. Legistry AI will provide reasonable assistance and access to relevant documentation.
10. Liability
Legistry AI's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. Legistry AI is liable for the acts and omissions of its Sub-processors.
11. Contact
For questions about this DPA or data processing activities, contact:
Legistry AI Data Protection Officer
Email: privacy@legistry.ai
Note for Enterprise Customers: Custom DPA terms can be negotiated as part of enterprise agreements. Contact sales@legistry.ai for custom terms.