Data Processing Agreement

Last updated May 8, 2026

Lawcel | Version 2.0 | Effective Date: 8 May 2026


Table of Contents

  1. Parties and Scope
  2. Definitions
  3. Processing Particulars
  4. Roles
  5. Controller Obligations
  6. Processor Obligations
  7. Sub-processors
  8. Data Subject Rights
  9. Security
  10. Breach Notification
  11. DPIAs and Prior Consultation
  12. International Transfers
  13. Audit
  14. Return and Deletion
  15. Liability
  16. Term and Survival
  17. General
  18. Annex 1 — Processing Particulars
  19. Annex 2 — Security Measures
  20. Annex 3 — Sub-processors
  21. Annex 4 — Standard Contractual Clauses

1. Parties and Scope

This Data Processing Agreement (the "DPA") is between Lawcel (Vesterbrogade 52a, 3250 Gilleleje, Denmark), acting as Processor, and the entity that has accepted Lawcel's Terms of Service or otherwise contracted with Lawcel for the Services (the "Customer"), acting as Controller.

This DPA forms part of the agreement between Lawcel and the Customer (the "Main Agreement") and governs Processing of Personal Data by Lawcel on the Customer's behalf in connection with the Services.

If this DPA conflicts with the Main Agreement, this DPA prevails on data-protection matters. If this DPA conflicts with the SCCs incorporated in Annex 4, the SCCs prevail.


2. Definitions

Unless defined here, capitalised terms have the meanings given in the GDPR.

  • "Data Protection Laws" — the GDPR, the UK Data Protection Act 2018 / UK GDPR, the Swiss Federal Act on Data Protection, and (where applicable) the CCPA/CPRA.
  • "Personal Data", "Processing", "Data Subject", "Controller", "Processor", "Sub-processor", "Supervisory Authority" — Article 4 GDPR.
  • "Personal Data Breach" — Article 4(12) GDPR.
  • "Documented Instructions" — the Main Agreement, this DPA, and any further written instructions the Customer issues consistent with this DPA.
  • "Services" — the Lawcel platform and related services under the Main Agreement.
  • "SCCs" — Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor).

3. Processing Particulars

The subject matter, duration, nature and purpose, categories of Data Subjects, and categories of Personal Data are set out in Annex 1.


4. Roles

The Customer is the Controller and Lawcel is the Processor. Lawcel Processes Personal Data only on the Customer's Documented Instructions.

Where the Customer is itself a Processor for a third-party controller, Lawcel acts as a Sub-processor; the Customer warrants it has obtained any required authorisations and flow-down terms.

Lawcel's processing of its own visitors, prospects, and administrative users in connection with operating the Services is governed by Lawcel's Privacy Policy, where Lawcel acts as an independent Controller. This DPA does not apply to that processing.


5. Controller Obligations

The Customer warrants that:

  1. it has a lawful basis under Article 6 GDPR (and Article 9 where applicable) for the Processing it instructs;
  2. its instructions are lawful and do not cause Lawcel to infringe Data Protection Laws;
  3. it has provided all notices and obtained all consents required;
  4. Personal Data submitted to the Services is accurate and minimised to what is necessary;
  5. it will not submit special-category data (Article 9 GDPR) unless required for a specifically documented purpose; and
  6. it will comply with its own Controller obligations, including responding to Data Subject requests and conducting DPIAs where required.

6. Processor Obligations

Lawcel will comply with Article 28(3) GDPR. In particular, Lawcel will:

  1. Process Personal Data only on Documented Instructions, including for transfers to third countries, unless required otherwise by Union or Member State law (in which case Lawcel will inform the Customer first, unless the law prohibits disclosure);
  2. ensure persons authorised to Process are bound by confidentiality;
  3. implement and maintain the security measures set out in Section 9 and Annex 2 (Article 32 GDPR);
  4. comply with the sub-processor conditions in Section 7;
  5. taking into account the nature of Processing, assist the Customer with Data Subject requests by appropriate technical and organisational measures (Section 8);
  6. assist the Customer with Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation);
  7. on the Customer's choice, delete or return all Personal Data after the Services end, and delete remaining copies unless retention is legally required (Section 14); and
  8. make available the information necessary to demonstrate compliance with Article 28 and contribute to audits (Section 13).

If Lawcel reasonably believes an instruction infringes Data Protection Laws, it will notify the Customer promptly and may suspend the instruction until confirmed or modified.


7. Sub-processors

The Customer grants Lawcel general written authorisation to engage Sub-processors, subject to this Section.

The current Sub-processor list is at https://app.lawcel.com/legal/lawcel/sub-processor-list (the "Sub-processor List") and forms part of this DPA. The Sub-processors approved at the Effective Date are listed in Annex 3.

Before engaging or replacing a Sub-processor, Lawcel will:

  1. update the Sub-processor List at least 30 calendar days before Processing begins; and
  2. notify Customers' designated privacy contacts by email.

The Customer may object on reasonable data-protection grounds within 14 calendar days of notification. If the parties cannot resolve the objection within a further 30 days, the Customer may terminate the affected portion of the Services without penalty and receive a pro-rata refund for the unused term.

Lawcel will impose on each Sub-processor, by written contract, data-protection obligations materially the same as those in this DPA (Article 28(4) GDPR), and remains fully liable for each Sub-processor's performance.


8. Data Subject Rights

Taking into account the nature of Processing, Lawcel will assist the Customer in fulfilling Data Subject requests under Chapter III GDPR by appropriate technical and organisational measures.

If Lawcel receives a Data Subject request relating to Personal Data Processed for the Customer, Lawcel will forward it to the Customer within 5 business days and will not respond directly unless authorised by the Customer or required by law.

Assistance fulfillable through standard platform functionality is provided at no additional cost. Custom engineering effort may be chargeable at standard rates, agreed in writing first.


9. Security

Lawcel implements and maintains appropriate technical and organisational measures under Article 32 GDPR. The current measures are summarised in Annex 2, reviewed periodically, and not materially reduced during the Main Agreement.


10. Breach Notification

Lawcel will notify the Customer of a Personal Data Breach affecting Personal Data Processed under this DPA without undue delay and in any event within 72 hours of becoming aware.

The notification will include, to the extent known: the nature of the breach (categories and approximate numbers of Data Subjects and records); likely consequences; measures taken or proposed; and Lawcel's incident point of contact. Further information will follow without undue delay as it becomes available.

Lawcel will not notify Data Subjects directly unless instructed in writing or required by law, and will reasonably cooperate with the Customer's investigation and remediation.


11. DPIAs and Prior Consultation

Lawcel will reasonably assist the Customer with DPIAs (Article 35 GDPR) and prior consultations with Supervisory Authorities (Article 36 GDPR), where the Customer cannot otherwise obtain the relevant information. Assistance is limited to information about the Services and Lawcel's Processing.


12. International Transfers

Lawcel may transfer Personal Data outside the EEA or the UK in connection with the Services, including via Sub-processors in the Sub-processor List. Lawcel ensures any such transfer is supported by an appropriate Chapter V GDPR mechanism, such as:

  1. an adequacy decision (Article 45);
  2. the SCCs (Article 46(2)(c)), including those incorporated in Annex 4;
  3. the UK International Data Transfer Agreement or UK Addendum, for UK transfers; or
  4. binding corporate rules (Article 47).

Lawcel applies a Transfer Impact Assessment and supplementary measures where necessary, in line with Schrems II (Case C-311/18) and EDPB Recommendations 01/2020. If a transfer mechanism is invalidated, the parties will cooperate in good faith on an alternative.


13. Audit

On reasonable prior written notice, Lawcel will make available the information necessary to demonstrate Article 28 compliance and will allow and contribute to audits by the Customer or an independent auditor.

To minimise disruption and protect the confidentiality of other customers' data:

  1. audits are no more than once per calendar year, unless required by a Supervisory Authority or following a Personal Data Breach materially affecting the Customer;
  2. audits take place on 30 days' written notice, at reasonable times during business hours;
  3. the auditor must be subject to a written confidentiality undertaking acceptable to Lawcel;
  4. costs are borne by the Customer unless the audit reveals a material breach by Lawcel of this DPA or Data Protection Laws;
  5. Lawcel may satisfy audit obligations through any of: a current SOC 2 Type II report, an ISO/IEC 27001 certificate, written security questionnaire responses, or a virtual security walk-through.

14. Return and Deletion

On termination or expiry of the Main Agreement, at the Customer's election, Lawcel will either return Personal Data in a commonly used machine-readable format or delete it from production systems. Lawcel will certify completion in writing within 30 days of the Customer's election.

Personal Data in routine automated backups is deleted in line with Lawcel's backup rotation (maximum 30 days) and remains subject to all confidentiality, security, and access-control obligations during that period.

Lawcel may retain Personal Data to the extent required by law, only for the period and purpose required, and subject to continuing confidentiality and security obligations.


15. Liability

Each party's liability under this DPA, in contract, tort, or otherwise, is subject to the limitations and exclusions in the Main Agreement.

Nothing limits or excludes either party's liability for: damage caused by Processing in breach of Data Protection Laws where the law does not permit limitation; fraud or wilful misconduct; or any liability that cannot be limited or excluded by applicable law. Article 82 GDPR applies to allocation of liability for compensation to Data Subjects.


16. Term and Survival

This DPA takes effect on the later of (a) the Effective Date and (b) the effective date of the Main Agreement, and remains in effect for the duration of the Main Agreement.

Provisions that by their nature should survive — including post-termination return and deletion (Sections 6 and 14), breach notification for incidents occurring before termination (Section 10), audit rights for 12 months after termination (Section 13), liability (Section 15), and this Section 16 — will survive termination.


17. General

Precedence: SCCs (Annex 4) → this DPA → Main Agreement on data-protection matters.

Amendment. Lawcel may amend this DPA to reflect changes in Data Protection Laws, regulatory guidance, or its Processing activities. Material amendments will be notified at least 30 days before taking effect.

Governing law. Save where the SCCs specify otherwise, Danish law governs, and the parties submit to the exclusive jurisdiction of the courts of Copenhagen.

Contact: privacy@lawcel.com.


Annex 1 — Processing Particulars

Subject matter and duration. Personal Data submitted to or otherwise made available through the Services. Duration: the term of the Main Agreement plus the retention periods set out in this DPA and the Privacy Policy.

Nature and purpose. Processing comprises:

  1. compliance analysis of pull-request and issue artefacts (titles, descriptions, code diffs) against the Customer's legal documents;
  2. generation, versioning, editing, and hosting of legal documents on behalf of the Customer;
  3. creation and storage of compliance audit-trail records (cases, events, analysis traces);
  4. operation of AI-assisted features, including the IDE integration and (where used) chat history and session memory;
  5. administration of the Customer's organisation account, users, roles, and integrations.

Categories of Data Subjects. The Customer's administrative, developer, and legal users; and authors of pull requests, commits, and issues ingested via connected source integrations (typically the Customer's employees and contractors). The Services are not designed for Processing of end-user / consumer data of the Customer's product.

Categories of Personal Data. Names, email addresses, profile images, and authentication identifiers; author names, usernames, and email addresses present in code, PR, and issue metadata; free-text content of PR descriptions, issue titles and descriptions, and commit messages, which may incidentally contain Personal Data; content of legal documents, which may incidentally contain Personal Data; IP addresses and technical request metadata in operational logs.

Special categories. None, unless the Customer submits such data at its own risk.


Annex 2 — Security Measures

Lawcel implements the following measures, reviewed at least annually:

  • Access control. Role-based access enforced at route and action level. Multi-factor authentication required for production administrative access. Least-privilege staff access. Customer-account impersonation by staff is logged with an immutable audit trail.
  • Encryption. TLS 1.2+ in transit. At-rest encryption for production database volumes and backups using industry-standard algorithms. API keys stored only as salted SHA-256 hashes; raw key material is shown once at creation and never retained.
  • Network security. Production behind a hardened reverse proxy. Public endpoints rate-limited. Webhook signatures HMAC-verified.
  • Logical isolation. Customer data segregated by organisation identifier on every query and response; cross-organisation access prevented at the application layer with row-level checks.
  • Resilience. Offsite encrypted backups on a regular schedule, retained for a rolling 30-day window. Restores tested periodically.
  • Personnel. Written confidentiality obligations; security-awareness training required.
  • Sub-processor oversight. Engagement only under contracts imposing materially equivalent obligations; security posture reviewed before engagement.
  • Incident response. Documented procedures with a 72-hour breach-notification commitment to Customers (Section 10).
  • Secure development. Source code reviewed before merge; automated tests in CI; dependency vulnerability monitoring.

Annex 3 — Sub-processors

The list of approved Sub-processors at the Effective Date is published at https://app.lawcel.com/legal/lawcel/sub-processor-list and incorporated by reference.


Annex 4 — Standard Contractual Clauses

For transfers of Personal Data from the EEA (or the UK) to a third country not covered by an adequacy decision, the parties incorporate by reference the SCCs approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor), with the following specifications:

  • Clause 7 (Docking): incorporated.
  • Clause 9 (Sub-processors): Option 2 (general written authorisation), 30-day notification period (Section 7).
  • Clause 11 (Redress): the optional independent-dispute-resolution language is not incorporated.
  • Clause 17 (Governing law): Danish law.
  • Clause 18 (Choice of forum and jurisdiction): courts of Copenhagen, Denmark.
  • Annex I.A (List of parties): as in Section 1.
  • Annex I.B (Description of transfer): as in Annex 1.
  • Annex I.C (Competent supervisory authority): Datatilsynet (the Danish Data Protection Agency).
  • Annex II (Technical and organisational measures): as in Annex 2.
  • Annex III (Sub-processors): as in Annex 3.

For UK transfers, the UK International Data Transfer Addendum to the EU Commission SCCs, Version B1.0, is incorporated by reference and completed in line with the above.