Data Processing Addendum (DPA)

Version: 1.0 // Status: Active
Reference: Annex to Master Service Agreement

This Data Processing Addendum ("DPA") forms part of the agreement between SoundLegal, Inc. ("Processor") and the customer identified in the order or service terms ("Controller") for access to the Service (the "Agreement").

1. Scope & Roles

  • Controller Authority: Controller determines purposes/means of processing Customer Personal Data within Customer's documents, accounts, and configurations.
  • Processor Mandate: Processor processes solely on documented instructions (Agreement, this DPA, and in-product settings), including to provide the Service, ensure security, fulfill legal obligations, and (if enabled) perform training per Section 2.4.
  • CCPA/CPRA Status: SoundLegal acts as a Service Provider (not a "seller" or "third party").

2. Processing Details

  • Subject Matter: Operation of the Service (AI-enabled analysis/generation) for Customer.
  • Nature & Purpose: Hosting, storage, parsing, tokenization, inference, display, analytics, support, security (e.g., abuse detection), and backups.
  • Duration: Term of the Agreement plus limited post-termination retention per Section 9.
  • Categories: Names, business contact data, contract content referencing individuals, user credentials/usage logs.
  • Training Protocol (Opt-In): Processor will not use Customer Personal Data to train underlying models unless Controller enables Training Consent. Consent is revocable prospectively.

3. Controller Responsibilities

Controller is solely responsible for the lawfulness of data input, notices/consents to data subjects, and configuration of retention, deletion, and Training Consent. Controller will not upload unlawful content, malware, or data it lacks rights to process.

4. Security & Confidentiality

Processor ensures persons authorized to process personal data are bound by confidentiality. Processor implements the technical and organizational measures defined in Annex II (below), including TLS 1.3, AES-256, and MFA.

5. Subprocessors

Controller grants general authorization to engage subprocessors listed at soundlegal.ai/subprocessors. Processor remains liable for subprocessor acts/omissions.

6. International Transfers

Where processing involves transfer from the EEA/UK/Switzerland to countries without adequacy decisions, the parties incorporate:

  • EU SCCs: Module 2 (Controller→Processor) with Annexes populated below.
  • UK Addendum: The UK IDTA or UK Addendum to the SCCs for UK transfers.

7. Return & Deletion

Upon termination or instruction, Processor will return or delete Customer Personal Data, subject to legally required retention. Data in immutable backups will be isolated and purged on scheduled cycles.

ANNEX I // Processing Details

Data Exporter (Controller): Customer listed in the Order/Agreement.
Data Importer (Processor): SoundLegal, Inc. (Contact: info@soundlegal.ai)
Subject Matter: Hosting, storage, analysis, generation, security.
Transfers: From EEA/UK/CH to U.S. via SCC/IDTA safeguards.

ANNEX II // Security Measures

  • Access Control: Role-based access; Least privilege; MFA for admin; Quarterly reviews.
  • Encryption: TLS 1.3 (Transit); AES-256 (Rest); KMS-managed keys.
  • Network Defense: Segmented VPCs; Firewalls; Automated patching; EDR/IDS.
  • Monitoring: Centralized logs; Tamper-resistant storage; Anomalous access alerts.
  • Resilience: Daily backups; Restore testing; Multi-AZ redundancy.
  • Vulnerability Mgmt: Regular scans; Annual 3rd-party pen-testing.
  • Physical: Cloud provider data-center controls; No on-prem production storage.

ANNEX III & IV // Authorized Nodes

Current Subprocessors: Google Cloud Platform, Google Vertex AI, Stripe, Inc.
Full list maintained at soundlegal.ai/subprocessors

UK Addendum: For UK transfers, the UK International Data Transfer Addendum to the EU SCCs is incorporated by reference.

Legal Contact

Privacy & DPA Inquiries: info@soundlegal.ai
DMCA: info@soundlegal.ai
Service of Process: Delaware Registered Agent (Details upon request).