Data Processing Agreement
Jurisly Technologies, Inc.
Effective date: 1 June 2026 · Last updated: 18 June 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Jurisly Technologies, Inc. (“Jurisly”, “Processor”) and the Customer (“Controller”) and governs the processing of personal data by Jurisly on behalf of the Customer in connection with the Jurisly Service. This DPA is incorporated into and subject to the Terms of Service.
Where required by applicable data protection law (including the EU General Data Protection Regulation (“GDPR”), UK GDPR, and Swiss Federal Act on Data Protection (“FADP”)), this DPA constitutes the written contract between controller and processor required by Article 28 GDPR.
1. Definitions
Terms defined in the GDPR and UK GDPR have the same meaning in this DPA. In addition:
- “Customer Data” means any personal data submitted to the Service by or on behalf of the Customer.
- “Data Protection Laws” means all applicable laws and regulations relating to processing of personal data and privacy, including the GDPR, UK GDPR, FADP, and any national implementing legislation.
- “EEA” means the European Economic Area.
- “Services” means the Jurisly platform as described in the Terms of Service.
- “Subprocessor” means any third party engaged by Jurisly to process Customer Data.
- “Standard Contractual Clauses” or “SCCs” means the European Commission's standard contractual clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914).
2. Roles and responsibilities
2.1 Controller and Processor
The Customer is the Controller of Customer Data. Jurisly is the Processor of Customer Data and processes it solely on behalf of and under the instructions of the Customer.
2.2 Processor obligations
As Processor, Jurisly shall:
- Process Customer Data only on the documented instructions of the Controller (being the Terms of Service and this DPA) and not for any other purpose.
- Ensure that persons authorised to process the Customer Data are subject to appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organisational measures as required by Article 32 GDPR (see Section 5 of this DPA).
- Respect the conditions for engaging Subprocessors as set out in Section 6 of this DPA.
- Assist the Controller in ensuring compliance with the obligations under Articles 32–36 GDPR, taking into account the nature of processing and information available to Jurisly.
- Assist the Controller in responding to requests exercising data subject rights (Section 7).
- At the choice of the Controller, delete or return all Customer Data upon termination of the Services (Section 9).
- Provide all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits (Section 10).
2.3 Controller obligations
The Controller warrants and represents that: (a) it has a lawful basis to process and transfer Customer Data to Jurisly; (b) it has provided all required notices and obtained all required consents from data subjects as required by applicable Data Protection Laws; (c) its instructions to Jurisly are lawful.
3. Details of processing
| Item | Details |
|---|---|
| Subject matter | Provision of AI-powered legal document analysis, contract review, legal research, and related services |
| Duration | For the duration of the Customer's subscription to the Service, plus 30 days for deletion |
| Nature of processing | Storage, retrieval, analysis, AI-assisted processing, vectorisation (embeddings), transmission to AI model providers |
| Purpose | Providing the Services as described in the Terms of Service |
| Types of personal data | Names, contact details, professional information, and any other personal data contained in documents uploaded by the Customer |
| Categories of data subjects | Customer employees, end users, and any individuals identified in documents processed through the Service (e.g., contract parties, counterparties) |
4. Processing instructions
Jurisly shall process Customer Data only in accordance with the Customer's documented instructions, which consist of: (a) the Terms of Service and this DPA; (b) any additional written instructions provided by the Customer via email to privacy@jurisly.com.
If Jurisly is required by EU/UK/Swiss law to process Customer Data beyond the Customer's instructions, Jurisly shall inform the Customer of that legal requirement before processing (unless prohibited by law on grounds of public interest).
If Jurisly considers that an instruction from the Customer infringes applicable Data Protection Laws, it shall immediately inform the Customer and may decline to follow such instruction.
5. Technical and organisational security measures
Jurisly implements and maintains the following categories of technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk, pursuant to Article 32 GDPR:
- Encryption in transit: TLS 1.2+ for all data in transit between clients, servers, and subprocessors.
- Encryption at rest: AES-256 encryption for all stored data including database records and uploaded documents.
- Access control: Role-based access control (RBAC), principle of least privilege, multi-factor authentication for administrative access.
- Data minimisation: Customer Data is processed only to the extent necessary to provide the Services.
- Pseudonymisation: Where technically feasible, personal data is pseudonymised for AI processing workflows.
- Vulnerability management: Regular security assessments, dependency scanning, and penetration testing.
- Business continuity: Automated daily backups, point-in-time recovery, multi-region redundancy.
- Incident response: Documented incident response plan, 24/7 monitoring, escalation procedures.
Jurisly reviews and updates its TOMs periodically and in response to changes in risk. Upon request, Jurisly will provide additional information about its security measures for due diligence purposes.
6. Subprocessors
6.1 Authorisation
The Customer provides general written authorisation to Jurisly to engage Subprocessors. Jurisly will maintain an up-to-date list of Subprocessors and will notify the Customer of any intended changes (additions or replacements) with at least 14 days' notice via email or the customer portal.
6.2 Current subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and file storage | EU (eu-west-1) |
| Vercel | Application hosting and edge functions | EU / US |
| Anthropic | AI language model processing (Claude) | US |
| OpenAI | AI language model processing (GPT), embeddings | US |
| Stripe | Payment processing | US / EU |
| Resend | Transactional email delivery | US |
6.3 Subprocessor obligations
Jurisly imposes on each Subprocessor data protection obligations that are no less protective than those in this DPA. Jurisly remains liable to the Customer for the performance of each Subprocessor's obligations under this DPA.
6.4 Objection right
If the Customer objects to a new Subprocessor on reasonable data protection grounds, it must notify Jurisly in writing within 14 days of notification. Jurisly will work in good faith with the Customer to address the objection. If the objection cannot be resolved, the Customer may terminate the relevant Services on 30 days' written notice.
7. Data subject rights
Taking into account the nature of the processing, Jurisly shall assist the Customer by implementing appropriate technical and organisational measures to fulfil the Customer's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
If Jurisly receives a request directly from a data subject, Jurisly will: (a) inform the data subject to submit the request to the Customer; (b) promptly forward the request to the Customer. Jurisly will not respond substantively to data subject requests relating to Customer Data without the Customer's prior written authorisation.
Jurisly will respond to reasonable Customer requests for assistance within 5 business days.
8. Personal data breach notification
Jurisly shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data (to the extent practicable). Notification will be sent to the Customer's designated security contact email.
The notification shall include, to the extent available at the time:
- A description of the nature of the breach, including categories and approximate number of data subjects and records affected.
- The name and contact details of the data protection contact at Jurisly.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach and mitigate its effects.
Where it is not possible to provide all information within 72 hours, Jurisly will provide initial notification within that time and supply further details as they become available. Jurisly will co-operate with the Customer in complying with the Customer's own breach notification obligations to supervisory authorities and data subjects.
9. Deletion and return of data
Upon termination or expiry of the Services, Jurisly shall, at the Customer's choice:
- Return: Provide the Customer with an export of Customer Data in a machine-readable format, within 30 days of the termination date.
- Delete: Securely delete all Customer Data from Jurisly's systems and those of its Subprocessors, within 30 days of the termination date.
After deletion, Jurisly will provide written confirmation upon request. Jurisly may retain Customer Data for longer where required by applicable law (e.g., legal hold obligations or statutory retention requirements), in which case Jurisly will notify the Customer of the retention basis.
Jurisly's automated backup systems may retain encrypted backups containing Customer Data for up to 35 days from the deletion date. These backups are subject to the same security measures as production data.
10. Audits and inspections
Jurisly shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
Prior to any audit, the Customer shall give at least 30 days' prior written notice (except where required by a supervisory authority with shorter notice). Audits shall be conducted during normal business hours, no more than once per calendar year (unless required by a supervisory authority), at the Customer's expense, and shall not unreasonably disrupt Jurisly's operations.
In lieu of an on-site audit, Jurisly may provide: (a) results of a current third-party security audit (e.g., SOC 2 Type II, ISO 27001); (b) completion of a Customer security questionnaire; provided these adequately address the Customer's compliance requirements.
11. International data transfers
Some Subprocessors (including Anthropic and OpenAI) are located in the United States. Transfers of Customer Data to these Subprocessors from the EEA, UK, or Switzerland are conducted under one or more of the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): Jurisly enters into Controller-to-Processor SCCs (Module 2) with each Subprocessor as required. Copies of applicable SCCs are available on request.
- UK International Data Transfer Agreements (IDTAs): For transfers subject to UK GDPR.
- Swiss adequacy decisions: Where available from the Swiss Federal Data Protection Commissioner (FDPIC).
Where Jurisly determines that a Subprocessor can no longer provide adequate data protection under its transfer mechanism, Jurisly will promptly notify the Customer and take appropriate remedial action.
12. Data Protection Impact Assessments
Where a Customer's use of the Services is likely to result in a high risk to the rights and freedoms of natural persons, Jurisly shall assist the Customer in carrying out a Data Protection Impact Assessment (DPIA) pursuant to Article 35 GDPR, to the extent Jurisly has access to information relevant to the assessment.
Requests for DPIA assistance should be directed to privacy@jurisly.com.
13. Governing law
This DPA shall be governed by the same governing law as the Terms of Service, except where applicable Data Protection Laws mandate otherwise. For customers established in the EEA, this DPA shall be construed in accordance with EU data protection law as applicable.
14. Order of precedence
In the event of any conflict or inconsistency between this DPA and the Terms of Service regarding the processing of personal data, this DPA shall take precedence. In the event of any conflict between this DPA and the SCCs, the SCCs shall take precedence to the extent required by applicable Data Protection Laws.
15. Contact and DPO
For all data protection matters under this DPA:
Data Protection Contact
Jurisly Technologies, Inc.
Email: privacy@jurisly.com
Enterprise customers requiring a countersigned DPA for their compliance records may request one by emailing legal@jurisly.com.