CounselAI

Data Processing Addendum

Last Updated: Feb 15, 2026

This Data Processing Addendum (“DPA”) is incorporated into the CounselAI Services Agreement and applicable Order Forms (collectively, the “Agreement”) by and between Customer and CounselAI. This DPA sets forth the parties' obligations regarding the Processing of Personal Data related to the Services. Undefined capitalized terms used here have the definitions given in the Agreement.

1. Definitions

1.1 “Applicable Data Protection Law” means, to the extent applicable to a party’s Processing of Customer Personal Data under the Agreement, (i) European Data Protection Laws; (ii) Canadian Privacy Laws; and (iii) US Privacy Laws, in each case as amended or replaced from time to time.

1.2 “Canadian Privacy Laws” includes, as applicable: (i) the Personal Information Protection and Electronic Documents Act (PIPEDA); (ii) the Personal Information Protection Acts of Alberta and British Columbia; (iii) Québec’s Act Respecting the Protection of Personal Information in the Private Sector; and (iv) Canada’s Anti-Spam Legislation (CASL), along with their implementing regulations.

1.3 “European Data Protection Laws” means, as applicable: (i) Regulation (EU) 2016/679 (“GDPR”); (ii) Directive 2002/58/EC (“e-Privacy Directive”); (iii) applicable national implementations; (iv) the Swiss Federal Act on Data Protection (“Swiss DPA”); and (v) the UK Data Protection Act 2018 and the GDPR as saved into UK law by the European Union (Withdrawal) Act 2018 (“UK GDPR”); in each case as amended.

1.4 “Controller” means the entity that determines, alone or jointly with others, the purposes and means of Processing Personal Data.

1.5 “Customer Personal Data” means Personal Data within User Data that CounselAI Processes on Customer's behalf under the Agreement, including Personal Data in Customer's attachments and support requests.

1.6 “Personal Data” means information relating to an identified or identifiable natural person, or strictly as defined by Applicable Data Protection Law.

1.7 “Process,” “Processes,” “Processed,” and “Processing” shall have the meaning given in Applicable Data Protection Law. If undefined, it means any operation performed on Personal Data, such as access, storage, or use.

1.8 “Processor” means an entity that Processes Personal Data on behalf of a Controller. Under the CCPA, this refers to a “service provider.”

1.9 “Security Incident” means a security breach resulting in accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, User Data Processed by CounselAI or its Subprocessors.

1.10 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of June 4, 2021.

1.11 “Subprocessor” means a third-party Processor engaged by CounselAI to help provide the Services.

1.12 “UK Addendum” means the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner.

1.13 “US Privacy Laws” means applicable US state laws regarding data privacy, information security, and breach notification, excluding HIPAA.

1.14 The terms “data subject” and “supervisory authority” have the meanings ascribed in European Data Protection Laws.

2. Roles of the Parties

2.1 CounselAI as a Processor. CounselAI acts as a Processor and will Process Customer Personal Data solely on Customer’s behalf and in accordance with the Agreement, this DPA, and Customer’s lawful instructions. Processing details are in Schedule 1. If CounselAI believes an instruction violates Applicable Data Protection Law, it will notify Customer and may suspend the instruction until validated.

2.2 CounselAI as a Controller. CounselAI acts as a Controller regarding Personal Data in User Accounts and Usage Data, Processing it to manage the Customer relationship, improve Services, and for billing and security purposes as described in the Agreement.

2.3 Customer. Customer is solely responsible for the content, accuracy, and legality of Customer Personal Data. Customer warrants it has obtained all necessary consents and rights for CounselAI to lawfully Process such data.

3. Security

3.1 Security Measures. CounselAI maintains technical and organizational measures designed to protect User Data integrity and confidentiality and prevent Security Incidents, as described in Schedule 3. Customer acknowledges that the Security Measures are subject to technical progress and development and that CounselAI may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security originally provided by CounselAI. CounselAI ensures its authorized personnel are bound by confidentiality obligations.

3.2 Customer Security Responsibilities. Customer is responsible for implementing security measures to protect its User Data and Accounts, including using available Service configurations. CounselAI is not liable for the accuracy or legality of Customer Personal Data.

3.3 Security Incidents. CounselAI will notify Customer without undue delay upon discovering a Security Incident. CounselAI will investigate, take steps to mitigate and remediate the Incident, and provide updates to Customer. Notification is not an admission of fault.

4. Sub-processing

4.1 General Authorization. Customer generally authorizes CounselAI to engage Subprocessors (listed at https://www.counselai.com/company/legal/subprocessors). CounselAI will: (i) ensure written agreements with Subprocessors contain obligations no less protective than this DPA; and (ii) remain responsible for CounselAI’s compliance with the obligations under this DPA and for any acts and omissions of any Subprocessor to the extent an act or omission causes a breach of CounselAI’s data protection obligations under this DPA.

4.2 Changes to Sub-processors. CounselAI will email Customer before changing Subprocessors. Customer may object in writing within 30 days. If the parties cannot resolve the objection within 90 days, Customer may terminate the affected Services without liability to either party and without prejudice to any fees incurred by Customer.

5. Requests

5.1 Data Subject Rights. If Customer cannot address a data subject request via the Services, CounselAI will provide reasonable assistance. If CounselAI receives a request directly, it will verify with Customer before responding, unless legally required otherwise. If CounselAI is otherwise required to respond, or CounselAI does not receive a response from Customer within the legally required timeframe, CounselAI shall respond to the request with the information known to CounselAI.

5.2 Third Party Requests. CounselAI will notify Customer of valid law enforcement requests for Customer Personal Data unless prohibited. CounselAI will attempt to redirect third-party inquiries to Customer. If prohibited from notifying Customer, CounselAI will assess the validity of the request and challenge it if there are reasonable grounds to believe it is unlawful or overbroad. For the avoidance of doubt, nothing in this DPA shall be interpreted to require CounselAI to pursue action or inaction that could result in a civil or criminal penalty for CounselAI, including without limitation a contempt of court.

6. Deletion and Return of Customer Personal Data

Customer may manage User Data during the Subscription Term. Upon termination, CounselAI deletes User Data per its policies. CounselAI may retain data if required by law or in backups, subject to continued confidentiality and this DPA until deletion.

7. Audit

7.1 Audit Reports. Independent auditors regularly audit the Platform. Upon request and subject to an NDA, CounselAI will provide summary audit reports to Customer. Such Reports are CounselAI’s Confidential Information. If the report is insufficient, CounselAI will respond to reasonable written information requests once every 12 months.

7.2 Data Protection Impact Assessments. Upon written request, CounselAI will assist Customer with required data protection impact assessments related to the Services, provided the information is not otherwise available to Customer.

8. Regional Specific Provisions

CounselAI may Process Customer Personal Data in the US, Canada, or other locations where it or Subprocessors operate. Region-specific terms in Schedule 2 apply if Customer Personal Data is protected by laws in those regions.

9. General

9.1 Applicability of the Agreement. This DPA is governed by the Agreement's law and jurisdiction clauses, unless Applicable Data Protection Law requires otherwise, and in such event, then only for purposes of this DPA and only for purposes of that specific jurisdiction. In conflicts between this DPA and the Agreement, this DPA controls.

9.2 Liability Caps and Damages Waiver. To the maximum extent permitted under Applicable Data Protection Laws, each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.

9.3 Related-Party Claims. Claims under this DPA must be brought by the entity that signed the applicable Order Form.


Schedule 1 – Description of Processing

1. Categories of data subjects whose Personal Data is Processed: Customer controls the categories of data subjects. Customer warrants it has consent to transfer such data to CounselAI.

2. Subject matter of the Processing: Personal Data transferred by Customer for the Services.

3. Types of Personal Data: Personal Data necessary for Services, such as contact details. Customer controls the types of data transmitted.

4. Duration and frequency of the transfer: Ongoing during the Service term.

5. Nature of the Processing: Processing to provide the Services.

6. Purposes of the Processing of Customer Personal Data: To deliver the Services.


Schedule 2 – Regional Specific Terms

1. Personal Data Transfers outside the European Economic Area (EEA). For transfers of Customer Personal Data from the EEA/Switzerland to countries without adequacy decisions, CounselAI adopts the SCCs as follows:

1.1 Module 2 (Controller to Processor Transfers) applies where Customer is the Controller of Customer Personal Data and Module 3 (Processor to Processor Transfers) applies where Customer is the Processor of Customer Personal Data;

1.2 For Clause 7, the optional docking clause shall not apply;

1.3 For Clause 9(a), Option 2 applies and the time period for prior notice of Sub-processor changes shall be as set out in Section 4.2 of this DPA;

1.4 For Clause 9(c), where confidentiality restrictions prohibit CounselAI from providing a copy of a Sub-processor agreement to Customer, CounselAI shall (on a confidential basis) provide all information that it reasonably can in connection with such Sub-processor agreement to Customer;

1.5 For Clause 11(a), the optional language shall not apply;

1.6 For Clause 13 and Annex I.C of the SCCs, Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority, which shall be made available to CounselAI upon request;

1.7 For Clause 17, Option 1 shall apply, and the SCCs shall be governed by the law of Ireland;

1.8 For Clause 18(b), disputes shall be resolved before the courts of Ireland;

1.9 For Annex I.A., the “data importer” shall be CounselAI and the “data exporter” shall be Customer;

1.10 For Annex I.B., the description of the transfer is as described in Schedule 1 of this DPA;

1.11 For Annex II, the technical and organizational measures are those measures described in Schedule 3 of this DPA;

1.12 For Annex III, the Sub-processors shall be as described in Section 4.1 of this DPA.

2. UK GDPR. For UK transfers to non-adequate countries, the SCCs apply as modified by the UK Addendum (Part 2). Tables 1-3 of the UK Addendum are deemed completed with the information in Schedule 1; Table 4 selects 'neither party'.

3. Standard Contractual Clauses Precedence. This DPA is not intended to contradict the SCCs. If a conflict arises, the SCCs control.

4. Alternative Transfer Mechanism. If CounselAI adopts a valid alternative transfer mechanism (e.g., new SCCs), it will apply automatically if compliant with European Data Protection Law.

5. US Privacy Laws Compliance. Regarding US Privacy Laws: CounselAI will not (i) use Customer Personal Data for purposes other than providing Services; (ii) “sell” or “share” such data; or (iii) combine it with other data outside the business relationship, except as legally permitted. CounselAI will notify Customer if it cannot comply.


Schedule 3 – Technical and Organizational Security Measures

CounselAI shall maintain administrative, physical and technical safeguards for the protection of security, confidentiality and integrity of Customer Personal Data in connection with the Services, including the following:

1. Data Security Measures

  • Encrypt data at rest and in transit.
  • Maintain security monitoring (activity, integrity, vulnerability, malware).
  • Utilize secure cloud platforms with redundancy.
  • Prevent unauthorized access.

2. Access Control Measures

  • Restrict access based on roles.
  • Enforce MFA for sensitive access.
  • Review access permissions annually.
  • Log and monitor for unauthorized access.
  • Comply with Applicable Data Protection Law regarding access.

3. Data Deletion Measures

  • Enable data deletion requests.
  • Use secure deletion standards.

4. Employee Training and Awareness

  • Regular security training for employees.
  • Updates on security policies.
  • Onboarding security training.
  • Promote security culture.

5. Incident Response and Management

  • Maintain an incident response plan.
  • Mandatory reporting of vulnerabilities.
  • Clear incident reporting channels.
  • Annual review of incident response plan.