DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms an integral part of the main agreement entered into between the Client and AIDOCS STUDIO. Its purpose is to define the conditions under which AIDOCS STUDIO, acting as a processor within the meaning of Regulation (EU) 2016/679 (“GDPR”), processes on behalf of the Client, the data controller, the personal data necessary for the provision of the Services as defined in the Agreement.

  • INTERPRETATION

Where this DPA uses the terms defined in the GDPR, those terms shall have the same meaning as in the GDPR.

This DPA shall be read and interpreted in the light of the provisions of the GDPR.

This DPA shall not be interpreted in a way that runs counter to the rights and obligations provided for in the GDPR or in a way that prejudices the fundamental rights or freedoms of the data subjects.

  • HIERARCHY

In the event of a contradiction between this DPA and the provisions of related agreements between the Parties existing at the time when this DPA is agreed or entered into thereafter, this DPA shall prevail.

  • DESCRIPTION OF PROCESSING(S)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex I.

  • OBLIGATIONS OF THE PARTIES 
    • Instructions

AIDOCS STUDIO shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which AIDOCS STUDIO is subject. In this case, AIDOCS STUDIO shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented, lawful, reasonable, and consistent with the scope of the Services. 

AIDOCS STUDIO shall immediately inform the controller if, in AIDOCS STUDIO’s opinion, instructions given by the controller infringe the GDPR or the applicable Union or Member State data protection provisions.

    • Purpose limitation

AIDOCS STUDIO shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex I, unless it receives further instructions from the controller.

    • Duration of the processing of personal data

Processing by AIDOCS STUDIO shall only take place for the duration specified in Annex I. 

    • Security of processing

AIDOCS STUDIO shall implement appropriate technical and organisational measures to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects. 

AIDOCS STUDIO shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. AIDOCS STUDIO shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

    • Sensitive data

The Parties acknowledge that, due to the nature of the Services, the processing of personal data may include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health, a natural person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“Sensitive Data”).

Such processing shall be limited to what is strictly necessary for the performance of the Services and shall be carried out in accordance with the Controller’s documented instructions and as further specified in Annex I.

The Controller remains solely responsible for ensuring that the processing of Sensitive Data is lawful under applicable data protection laws, including the identification of an appropriate legal basis and the fulfillment of any additional conditions or safeguards required for such processing.

Where Sensitive Data is processed, AIDOCS STUDIO shall implement appropriate additional technical and organizational measures designed to protect such data, taking into account the nature of the processing, the risks to data subjects, and the state of the art.

    • Documentation and compliance 

The Parties shall be able to demonstrate compliance with this DPA.

AIDOCS STUDIO shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with this DPA. 

AIDOCS STUDIO shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in this DPA and stem directly from the GDPR, such as its internal policies, security procedures, and relevant independent audit reports and certifications (including ISO/IEC 27001, SOC 2, or equivalent). The controller undertakes to review these materials as a priority. 

    • Audit 

If, after reviewing the documentation provided, the Client reasonably considers that such documentation is insufficient to demonstrate AIDOCS STUDIO’s compliance, the Client may, at its own expense, conduct an audit of the processing activities covered by this DPA, subject to the following conditions:

  • The audit must be notified in writing with at least thirty (30) days’ prior notice, except in duly justified emergency situations (notably in the event of a suspected data breach or a formal instruction from a supervisory authority), in which case a reduced notice period of three (3) days may apply;
  • The audit may take place no more than once every twelve (12) months, except in the event of a proven breach or an instruction from a supervisory authority;
  • The audit shall be conducted during normal business hours and shall not unreasonably disrupt AIDOCS STUDIO’s operations;
  • The audit shall be carried out by an independent third-party auditor, previously approved by AIDOCS STUDIO, having no competitive relationship or conflict of interest with AIDOCS STUDIO, and subject to a strict confidentiality obligation;
  • Access granted shall be strictly limited to the systems, data, documents, and premises relevant to the purpose of the audit, to the exclusion of any information relating to other clients or to the overall security of AIDOCS STUDIO’s infrastructure.

Each Party shall bear its own costs related to the audit. AIDOCS STUDIO shall bear its reasonable internal costs related to the mobilization of its teams, preparation of documentation, and time spent, up to a maximum of two (2) person-days. Beyond this threshold, any additional costs incurred by AIDOCS STUDIO (including additional time, resource mobilization, or technical or administrative assistance) shall be invoiced to the Client upon presentation of a detailed breakdown.

Each Party undertakes to cooperate in good faith with the competent supervisory authority in the event of a formal request, within the limits of its respective obligations under this DPA.

    • Use of sub-processors

AIDOCS STUDIO has the controller’s general authorisation for the engagement of sub-processors from an agreed list. AIDOCS STUDIO shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). AIDOCS STUDIO shall provide the controller with the information necessary to enable the controller to exercise the right to object.

Where AIDOCS STUDIO engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with this DPA. AIDOCS STUDIO shall ensure that the sub-processor complies with the obligations to which AIDOCS STUDIO is subject pursuant to this DPA and to the GDPR.

At the controller’s request, AIDOCS STUDIO shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secrets or other confidential information, including personal data, AIDOCS STUDIO may redact the text of the agreement prior to sharing the copy.

AIDOCS STUDIO shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with AIDOCS STUDIO. AIDOCS STUDIO shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.

AIDOCS STUDIO shall use reasonable efforts to enter into a third-party beneficiary clause, or any equivalent mechanism, with any subsequent sub-processor, whereby, in the event that AIDOCS STUDIO has factually disappeared, ceased to exist as a matter of law, or has become insolvent, the Client shall have the right to terminate the sub-processor agreement and to instruct the sub-processor to erase or return the personal data.

Where such a clause or mechanism cannot be obtained, AIDOCS STUDIO shall cooperate in good faith with the Client to facilitate direct communications with the subsequent sub-processor, in particular in order to enable the erasure or return of the personal data as promptly as possible.

    • International transfers

Any transfer of data to a third country or an international organisation by AIDOCS STUDIO shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which AIDOCS STUDIO is subject and shall take place in compliance with Chapter V of the GDPR. 

The controller agrees that where AIDOCS STUDIO engages a sub-processor in accordance with Section 4.7 for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, AIDOCS STUDIO and the sub-processor can ensure compliance with Chapter V of the GDPR by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of the GDPR, provided the conditions for the use of those standard contractual clauses are met.

  • ASSISTANCE TO THE CONTROLLER 

AIDOCS STUDIO shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.

AIDOCS STUDIO shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations, AIDOCS STUDIO shall comply with the controller’s instructions. 

In addition, AIDOCS STUDIO shall assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing, the technical architecture of the Services and the information available to AIDOCS STUDIO:

  • the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
  • the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
  • the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if AIDOCS STUDIO becomes aware that the personal data it is processing is inaccurate or has become outdated;
  • the obligations in Article 32 of the GDPR.

The assistance provided by AIDOCS STUDIO under this Section shall be limited to a maximum of two (2) man-days per calendar year, which are included in the fees payable under the main agreement.

Any assistance requested by the Controller beyond this limit, or requiring a level of effort that is materially disproportionate to the nature of the processing or the Services, shall be subject to additional fees, calculated on the basis of a quotation to be agreed in advance between the Parties. AIDOCS STUDIO shall not be required to commence such additional assistance until such quotation has been accepted by the Controller in writing.

  • NOTIFICATION OF PERSONAL DATA BREACH

In the event of a personal data breach, AIDOCS STUDIO shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of the GDPR, where applicable, taking into account the nature of processing and the information available to AIDOCS STUDIO.

In the event of a personal data breach concerning data processed by AIDOCS STUDIO, AIDOCS STUDIO shall notify the controller without undue delay after having become aware of the breach. Such notification shall contain, at least:

  • a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
  • the details of a contact point where more information concerning the personal data breach can be obtained;
  • its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Such notification shall not be construed as an acknowledgment of fault or liability on the part of AIDOCS STUDIO.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

  • LIABILITY 

The liability of each Party arising out of or in connection with this DPA shall be governed exclusively by the liability provisions set forth in the Terms and Conditions.

Nothing in this DPA shall be deemed to create any additional liability or to modify the scope, limitations, or caps of liability agreed between the Parties under the Terms and Conditions, to the extent permitted by applicable law.

  • NON-COMPLIANCE WITH THE CLAUSES AND TERMINATION

Without prejudice to any provisions of the GDPR, in the event that AIDOCS STUDIO is in breach of its obligations under this DPA, the controller may instruct AIDOCS STUDIO to suspend the processing of personal data until the latter complies with this DPA or the contract is terminated. AIDOCS STUDIO shall promptly inform the controller in case it is unable to comply with this DPA, for whatever reason.

The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with this DPA if:

  • the processing of personal data by AIDOCS STUDIO has been suspended by the controller pursuant to this Section and if compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;
  • AIDOCS STUDIO is in substantial or persistent breach of this DPA or its obligations under the GDPR; 
  • AIDOCS STUDIO fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this DPA or to the GDPR.

AIDOCS STUDIO shall be entitled to terminate the contract insofar as it concerns processing of personal data under this DPA where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Section 4.1, the controller insists on compliance with the instructions.

Following termination of the contract, AIDOCS STUDIO shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, AIDOCS STUDIO shall continue to ensure compliance with this DPA.

Deletion shall be carried out in accordance with AIDOCS STUDIO’s standard technical processes, including applicable backup retention policies.

Effective date: March 30, 2026

ANNEX I: DESCRIPTION OF THE PROCESSING


Categories of data subjects 

  • Authorized users of the Services (employees, contractors, or representatives of the Client)
  • Individuals referenced in the content of the user’s requests and generated documents (e.g. contractual counterparties, legal representatives, employees, shareholders, or other third parties)

Categories of personal data 

  • Identification data (such as name, surname, professional title, company name, business contact details)
  • Professional data (such as role, position, employer, business-related information)
  • Content of user requests submitted by email, which may include personal data depending on the information provided by the user
  • Content of documents generated by the Services, which may include personal data depending on the user’s instructions

Sensitive data processed

Depending on the nature of the user’s requests and the content provided by the Client, the Services may process special categories of personal data within the meaning of Articles 9 and 10 of the GDPR, including data relating to health, trade union membership, criminal convictions and offences, or other sensitive information.

Any processing of such sensitive data is determined and controlled solely by the Client through its use of the Services and the information it chooses to submit. The Processor does not require, request or actively seek the processing of such special categories of Personal Data.

Nature of the processing

  • Collection of user requests submitted by email
  • Automated analysis and processing of such requests by an artificial intelligence system for the purpose of generating draft legal documents
  • Generation of legal document drafts based on the user’s instructions
  • Transmission of the generated documents to the user by email
  • Transient technical processing, including short-term buffering, logging and security-related retention strictly necessary for the execution of Requests and compliance with legal obligations

Purpose(s) for which the personal data is processed on behalf of the controller

  • Provision of the Services, namely the automated drafting of legal documents based on user instructions
  • Operation and maintenance of the Services, including security, reliability and performance monitoring
  • Compliance with applicable legal obligations

Duration of the processing

During the term of the Agreement, Personal Data is processed solely on a transient, request-by-request basis for the purpose of executing each Request.

No Personal Data is stored or retained by the Processor beyond such execution, except where required by applicable law or strictly necessary for security or legal compliance purposes.

ANNEX II: LIST OF SUB-PROCESSORS


Certain AI sub-processors below are used only where selected by AIDocs Studio for a given request, workflow, or model routing configuration.


Microsoft Ireland Operations Limited (Microsoft 365)

  • Address: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
  • Description of processing: Processing of inbound and outbound service emails, message metadata, and associated collaboration/security data necessary to operate the Services and deliver outputs to users
  • Data localization: European Union (EU Data Boundary – Microsoft 365)

MacStadium, Inc.

  • Address: 2093 Philadelphia Pike #2130, Claymont, DE 19703, USA
  • Description of processing: Dedicated hosting infrastructure for production macOS servers running the Max platform and associated operational services
  • Data localization: Ireland (MacStadium Dublin data center)

Backblaze, Inc.

  • Address: 2261 Market Street, Suite 81006, San Francisco, CA 94114, USA
  • Description of processing: Encrypted offsite backup storage of production operational data and system backups
  • Data localization: European Union (EU Central – Amsterdam region)

OpenAI OpCo, LLC

  • Address: 3180 18th Street, San Francisco, CA 94110, USA
  • Description of processing: AI model inference for document analysis, drafting, and transformation of user-provided content
  • Data localization: United States or European Union depending on configured data residency

Anthropic PBC

  • Address: 548 Market Street, PMB 90375, San Francisco, CA 94104, USA
  • Description of processing: AI model inference for document analysis, drafting, and transformation of user-provided content (Claude models)
  • Data localization: United States

Google Ireland Limited (Gemini)

  • Address: Gordon House, Barrow Street, Dublin 4, Ireland
  • Description of processing: AI model inference for document analysis, drafting, and transformation of user-provided content (Gemini models)
  • Data localization: European Union

Mistral AI SAS

  • Address: 15 Rue des Halles, 75001 Paris, France
  • Description of processing: AI model inference for document analysis, drafting, and transformation of user-provided content
  • Data localization: European Union