
oneDPA

VARIABLES

Parties' relationship

Controller to Processor or Processor to Sub-Processor, depending on the usage of the Law Insider tools.

Parties' roles

Customer will act as the Controller, Business and/or Processor (as defined in Section 1 of the Terms below)
Law Insider Inc. will act as the Processor, Service Provider, Sub-Processor and/or Controller (as defined in Section 1 of the Terms)

Contacts

Customer
Name: See Order Form.
Email: See Order Form.

Law Insider Inc.
Name: Legal Department
Email: support@lawinsider.com

Main Agreement

Law Insider Terms of Service

Term

This DPA will commence on the final date of signature and will continue for the duration of the Agreement

Breach Notification Period

Without undue delay after becoming aware of a personal data breach

Sub-processor Notification Period

A reasonable timeframe before the new sub-processor is granted access to Personal Data

Liability Cap

Each party's aggregate liability under this DPA will not exceed the liability caps as per the Main Agreement

Governing Law and Jurisdiction

As per the Main Agreement

Data Protection Laws

All laws, regulations and court orders which apply to the processing of Personal Data in:

  • the European Economic Area (EEA)
  • the United Kingdom (UK)
  • the United States (US)

This includes the European Union Regulation (EU) 2016/679, the Data Protection Act 2018, California Consumer Privacy Act of 2018 (CCPA)/California Privacy Rights Act of 2020 (CPRA), each as amended from time to time.

Services related to processing

As described in the Main Agreement

Duration of processing

For the Term of this DPA

Nature and purpose of processing

To provide Services under the Main Agreement

Personal Data

The types of personal data processed are determined at the discretion of Customer.

Data subjects

The individuals whose Personal Data will be processed are determined at the discretion of Customer.

Special provisions

N/A

Transfer Mechanism

Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 (as amended from time to time), for the transfer of personal data from the EEA or an adequate country to a third country

ANNEX 1

Security measures. Technical and organisational measures to ensure the security of Personal Data

As a processor of personal data, Law Insider implements a comprehensive set of technical and organizational security measures designed to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR and other applicable data protection laws.

1. Hosting & Infrastructure

  • All customer data is hosted on Google Cloud Platform, a leading cloud infrastructure provider that maintains ISO 27001, SOC 1/2/3, and other internationally recognized certifications.
  • Our AI Contract Review Word Add-In is powered by our sister company SimpleDocs which uses AWS as its cloud infrastructure provider.
  • AWS data centers are located in the US and Ireland.
  • Google Cloud Platform data centers are located within the US.
  • Law Insider and, by extension, SimpleDocs have selected these providers to meet applicable data residency and legal requirements.

2. Access Controls

  • Access to personal data is restricted based on the principle of least privilege and is granted only to personnel with a business need.

  • All system access requires strong authentication, and sensitive systems are protected with multifactor authentication (MFA).

  • Access logs are maintained, monitored, and regularly reviewed.

3. Encryption & Data Security

  • Personal data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256 or an equivalent standard.

  • Data is logically segregated to ensure that no customer can access another customer’s data in our multi-tenant architecture.

4. Employee Security

  • All employees and contractors are bound by confidentiality obligations and receive regular training on data protection, secure data handling, and incident reporting procedures.

  • Employment agreements and policies reinforce the importance of data security and define consequences for non-compliance.

5. Vulnerability & Threat Management

  • Law Insider maintains a vulnerability management program, including regular internal and external scans, prompt patching of critical vulnerabilities, and annual third-party penetration testing.

  • Systems are monitored for suspicious activity using automated alerting and logging.

6. Backup, Continuity & Disaster Recovery

  • Customer data is backed up regularly and stored in geographically redundant locations within AWS.

  • Disaster recovery and business continuity plans are tested periodically to ensure timely recovery in the event of an incident.

  • Recovery time and recovery point objectives (RTO/RPO) are defined and reviewed regularly.

7. Incident Response

  • A documented incident response plan is in place. In the event of a personal data breach, Law Insider will notify affected customers without undue delay and provide relevant details as required by law.

  • The incident response process includes investigation, containment, remediation, and customer communication.

8. Subprocessor Oversight

  • Subprocessors (including AWS and others) are subject to risk-based due diligence and must implement appropriate technical and organizational security measures.

  • A current list of subprocessors is available upon request or as otherwise set out in the DPA.

9. Data Minimization & Retention

  • Personal data is retained only for as long as necessary to fulfill the purposes of processing or as required by law or contractual obligations.

  • When data is no longer needed, it is securely deleted using industry-standard deletion methods.

ANNEX 2

Sub-Processors. Current subprocessors

The following subprocessors and third-party platforms are engaged by Law Insider Inc. for marketing, analytics, communications, and customer support purposes:

Vendor | Purpose of Processing | Data Categories Processed | Location
Mailchimp | Email marketing | Contact data | USA
Zoom | Webinars and virtual meetings | Contact data, usage data | USA
Unbounce | Landing page forms | Contact data | Canada
Hubspot | CRM and marketing automation | Contact data, usage data | USA
PostHog | Product analytics | Usage data, behavioral data | USA
ChartMogul | Subscription analytics | Account and revenue data | Germany
Stripe | Payment processing and billing | Contact and billing data | USA
SurveyMonkey (Momentive) | Surveys and feedback collection | Contact data, survey responses | USA
Airtable | Internal operations and data storage | Contact data, internal project data | USA
Zapier | Workflow automation | Metadata, contact and usage data | USA
Circle.so | Community engagement platform | Contact data, usage data | USA
Google Analytics | Website usage analytics | Usage and device data | USA
Google Drive & Sheets | Document and data storage | Contact data, internal data | Global (with EU SCCs)
Metabase (SimpleDocs) | Add-in usage analytics | Usage and behavioral data | USA
Zendesk | Customer support | Contact data, support interactions | USA
Varify.io | Website personalization | Behavioral and location data | USA
Reddit Ads | Advertising and tracking | Behavioral and pixel tracking data | USA
Twitter Ads | Advertising and tracking | Behavioral and pixel tracking data | USA
Calendly | Meeting scheduling | Contact data | USA
SimpleDocs Inc. | Technology Provider | Contact data, usage data | USA

TERMS

1. What is this agreement about?

1.1 Purpose. The parties are entering into this Data Processing Agreement (DPA) for the purpose of processing Personal Data (as defined above).

1.2 Definitions. Under this DPA:

  1. adequate country means a country or territory that is recognised under Data Protection Laws from time to time as providing adequate protection for processing Personal Data
  2. Controller, data subject, personal data breach, process/processing, Processor and supervisory authority have the same meanings as in the Data Protection Laws
  3. Business and Service Provider have the same meanings as in the CCPA/CPRA
  4. Sub-Processor means another processor engaged by the Processor to carry out specific processing activities with Personal Data

2. What are each party’s obligations?

2.1 Customer obligations. Customer instructs Law Insider to process Personal Data in accordance with this DPA, and Customer is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow Law Insider to process Personal Data.

2.2 Law Insider obligations. Law Insider will:

  1. only process Personal Data in accordance with this DPA and Customer’s instructions (unless legally required to do otherwise)
  2. not sell, retain or use any Personal Data for any purpose other than as permitted by this DPA and the Main Agreement
  3. inform Customer immediately if (in its opinion) any instructions infringe Data Protection Laws
  4. use the technical and organisational measures described in Annex 1 when processing Personal Data to ensure a level of security appropriate to the risk involved
  5. notify Customer of a personal data breach within the Breach Notification Period and provide assistance to Customer as required under Data Protection Laws in responding to it
  6. ensure that anyone authorised to process Personal Data is committed to confidentiality obligations
  7. without undue delay, provide Customer with reasonable assistance with:
    1. data protection impact assessments
    2. responses to data subjects’ requests to exercise their rights under Data Protection Laws
    3. engagement with supervisory authorities
  8. if requested, provide Customer with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA
  9. allow for audits at Customer’s reasonable request, provided that audits are limited to once a year and during business hours except in the event of a personal data breach
  10. return Personal Data upon Customer’s written request or delete Personal Data by the end of the Term, unless retention is legally required

2.3 Warranties. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.

3. Sub-processing

3.1 Use of sub-processors. Customer authorises Law Insider to engage other processors (referred to in this section as sub-processors) when processing Personal Data. Law Insider’s existing sub-processors are listed in Annex 2.

3.2 Sub-processor requirements. Law Insider will:

  1. require its sub-processors to comply with equivalent terms as Law Insider’s obligations in this DPA
  2. ensure appropriate safeguards are in place before internationally transferring Personal Data to its sub-processor
  3. be liable for any acts, errors or omissions of its sub-processors as if they were a party to this DPA

3.3 Approvals. Law Insider may appoint new sub-processors provided that it notifies Customer in writing in accordance with the Sub-processor Notification Period.

3.4 Objections. Customer may reasonably object in writing to any future sub-processor. If the parties cannot agree on a solution within a reasonable time, either party may terminate this DPA.

4. International personal data transfers

4.1 Instructions. Law Insider will transfer Personal Data outside the UK, the EEA or an adequate country only on documented instructions from Customer, unless otherwise required by law.

4.2 Transfer mechanism. Where a party is located outside the UK, the EEA or an adequate country and receives Personal Data:

  1. that party will act as the data importer,
  2. the other party is the data exporter, and
  3. the relevant Transfer Mechanism will apply.

4.3 Additional measures. If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard as required under Data Protection Laws.

4.4 Disclosures. Subject to the terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed):

  1. challenge the request and promptly notify the data exporter about it, and
  2. only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure.

Standard Data Processing Agreement (oneDPA Version 1.0)
Law Insider Standards | Licensed under CC-BY 4.0

LAST UPDATED: [June 23, 2025]