Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the agreement between SoundLegal, Inc. ("Processor") and the customer identified in the order or service terms ("Controller") for access to the Service (the "Agreement").

1. Scope & Roles

  • Controller determines purposes/means of processing Customer Personal Data within Customer's documents, accounts, and configurations.
  • Processor processes solely on documented instructions (Agreement, this DPA, and in-product settings), including to provide the Service, ensure security, fulfill legal obligations, and (if enabled) perform training per Section 2.4.
  • For CCPA/CPRA, SoundLegal acts as Service Provider (not "seller" or "third party").

2. Processing Details

  • Subject matter: Operation of the Service (AI-enabled analysis/generation) for Customer.
  • Nature & purpose: Hosting; storage; parsing; tokenization; inference; display; analytics; support; security (e.g., abuse detection); and backups.
  • Duration: Term of the Agreement plus limited post-termination retention per Section 9.
  • Data subjects: Individuals referenced in Customer documents; authorized users; counterparties.
  • Categories: Names; business contact data; contract content referencing individuals; user credentials/usage logs.
  • Special categories: Not intended. If Controller inputs such data, Controller is responsible for the lawful basis and disclosures.
  • Training (opt-in only): Processor will not use Customer Personal Data to train underlying models unless Controller enables Training Consent. Consent is revocable prospectively.

3. Controller Instructions & Responsibilities

  • Controller is solely responsible for the lawfulness of data input, notices/consents to data subjects, and configuration of retention, deletion, and Training Consent.
  • Controller will not upload unlawful content, malware, or data it lacks rights to process.
  • Processor will promptly inform Controller if it believes an instruction violates law.

4. Confidentiality

Processor ensures persons authorized to process personal data are bound by confidentiality and receive privacy/security training.

5. Security Measures

Processor implements and maintains the technical and organizational measures in Annex II, including TLS 1.3, AES-256, least-privilege, MFA for admin access, logging/monitoring, vulnerability management, backups/DR, and subprocessor oversight.

6. Subprocessors

  • Controller grants general authorization to engage subprocessors listed at https://soundlegal.ai/subprocessors.
  • Processor imposes data-protection terms no less protective than this DPA and remains liable for subprocessor acts/omissions.
  • Change notice & objections: As set forth on the Subprocessors page and the Agreement; unresolved reasonable objections permit termination of the affected Service with pro-rata refund.

7. Assistance

Taking into account the nature of processing, Processor will assist Controller with:
  • Data subject requests (access, correction, deletion, restriction, objection, portability) using available tools and reasonable efforts;
  • Security, breach notifications, and information needed for DPIAs and prior consultations.

8. Breach Notification

Processor will notify Controller without undue delay (and in any case consistent with applicable law) after confirming a Personal Data Breach involving Customer Personal Data, provide details as known, and cooperate on remediation and notifications.

9. Return & Deletion

Upon termination/expiry or upon Controller's instruction, Processor will return or delete Customer Personal Data (at Controller's election), subject to legally required retention and backup rotation. Data remaining in immutable backups will be isolated and purged on scheduled cycles.

10. International Transfers

Where processing involves transfer from the EEA/UK/Switzerland to countries without adequacy decisions, the parties incorporate:
  • EU SCCs (Module 2, Controller→Processor) (Commission Decision 2021/914) with Annexes populated by this DPA and Annexes I–III; and
  • UK IDTA or UK Addendum to the SCCs for UK transfers.
Processor implements supplementary measures (e.g., encryption, access controls, government request scrutiny).

11. Audits

Upon written request (not more than once annually, unless required by a competent authority or following a material incident), Processor will:
  • Provide available reports/certifications (e.g., SOC 2 summary) and security responses; and
  • Permit a focused audit by Controller or independent auditor under reasonable NDA, timing, and scope conditions that avoid undue burden or exposure of unrelated data.

12. Government & Third-Party Requests

Processor will, to the extent legally permitted, promptly notify Controller of third-party or government requests for Customer Personal Data and redirect such requests to Controller. Processor will not disclose data unless legally required.

13. CCPA/CPRA Service-Provider Terms

Processor shall not sell or share personal information, shall not retain/use/disclose it for any purpose other than performing the Service or as permitted by law, and shall implement reasonable security procedures. Processor certifies its understanding and compliance.

14. Liability; Precedence

The limitations of liability and dispute resolution in the Agreement apply to this DPA. In case of conflict, this DPA controls solely as to personal data processing.

15. Term

This DPA is effective for the Agreement term and survives as necessary to give effect to Sections 7–12.

Annex I - Details of Processing (SCC/IDTA)

  • Data exporter (Controller): Customer listed in the Order/Agreement. Contact: the admin email on Customer's account.
  • Data importer (Processor): SoundLegal, Inc. Contact: info@soundlegal.ai.
  • Subject matter & duration: As in Sections 2 and 9.
  • Nature & purpose: Hosting, storage, analysis, generation, security, support.
  • Categories of data subjects/data: As in Section 2.
  • Frequency: Continuous for the Agreement term.
  • Transfers: From EEA/UK/CH to U.S. and any other non-adequate locations required by subprocessors, with SCC/IDTA safeguards.
  • Competent supervisory authority: Determined under SCC Clause 13 based on exporter location.

Annex II - Technical & Organizational Security Measures

  • Governance: Security policies; designated security lead; annual training; vendor risk management.
  • Access Management: Role-based access control; least privilege; MFA for admin; quarterly access reviews; immediate revocation on role change/termination.
  • Encryption: TLS 1.3 in transit; AES-256 at rest; KMS-managed keys; encrypted backups.
  • Network & Systems: Segmented VPCs; firewalls/security groups; hardened baselines; automated patching; EDR/IDS where appropriate.
  • Monitoring & Logging: Centralized logs; time-sync; tamper-resistant storage; alerting on anomalous access; on-call rotation.
  • Vulnerability Management: Regular scans; critical patch SLA; annual 3rd-party penetration testing; remediation tracking.
  • Application Security: SDLC controls; code review; secrets management; dependency scanning; environment isolation.
  • Data Resilience: Daily backups; restore testing; multi-AZ redundancy; defined RTO/RPO.
  • Physical Security: Cloud provider data-center controls; no on-prem production storage.
  • Incident Response: Documented plan; 24/7 escalation; forensic support; post-mortems and corrective actions.

Annex III - Authorized Subprocessors (at Effective Date)

  1. Google Cloud Platform (Google LLC) - hosting, storage, networking, logging, backups.
  2. Google Vertex AI / Gemini (Google LLC) - model inference.
  3. Stripe, Inc. - payment processing and billing.
The current list is maintained at https://soundlegal.ai/subprocessors.

Annex IV - UK Addendum (Summary)

For UK transfers, the UK International Data Transfer Addendum to the EU SCCs is incorporated. Tables 1–4 are populated by Annex I–III and this DPA. In case of conflict, the UK Addendum controls for UK transfers.

Contact

  • General privacy & DPA: info@soundlegal.ai
  • DMCA: info@soundlegal.ai
For legal service of process or mailed notices, use our Delaware registered agent on file with the Delaware Secretary of State (details provided upon request or via official records).