Data Processing Agreement

Version v0.1 — Last updated: April 2026

Marked v0.1 pending external legal review. This DPA is legally binding as executed and will be updated to v1.0 once reviewed by a UK data-protection solicitor; any material change is notified to firm admins in advance.

Parties

Between: the law firm identified in the Services Agreement (the "Controller")

And: YairTech Ltd, a company registered in England and Wales, trading as Legal Mate (the "Processor").

1. Background

1.1 The Controller is a law firm authorised and regulated by the Solicitors Regulation Authority (SRA). It instructs the Processor to provide AI-assisted legal case analysis, document processing, case management, and communications drafting services (the "Services") under a separate Services Agreement (the Terms of Service).

1.2 In providing the Services, the Processor processes Personal Data on behalf of the Controller. This DPA sets out the terms applicable to that Processing in accordance with Article 28 UK GDPR.

2. Definitions

Capitalised terms bear the meanings given in the UK GDPR and the Data Protection Act 2018, except as below:

  • Applicable Data Protection Laws: the UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR.
  • Personal Data: Personal Data processed by the Processor on behalf of the Controller in connection with the Services.
  • Sub-processor: a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Services Agreement: the Terms of Service plus any order form or subscription between the parties.

3. Roles and Scope

3.1 The Controller is the Controller of Personal Data processed under this DPA. The Processor is the Processor. Details of Processing are set out in Annex I.

3.2 The Controller warrants that (a) it has a valid lawful basis under Articles 6 and 9 UK GDPR for the Processing carried out on its behalf, and (b) it has provided Data Subjects with the information required under Articles 13–14.

4. Processor Obligations (Article 28(3))

4.1 Documented instructions

The Processor shall process Personal Data only on the Controller's documented instructions, including as to international transfers, unless required by law. The Services Agreement together with the Controller's configuration constitute the Controller's standing documented instructions.

4.2 Confidentiality

Persons authorised to process Personal Data are bound by confidentiality undertakings or statutory obligation.

4.3 Security (Article 32)

The Processor implements the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk. Measures may be updated provided the level of protection is not reduced.

4.4 Sub-processors

The Controller grants general written authorisation for the Sub-processors in Annex III. The Processor will notify the Controller of any addition or replacement at least thirty (30) days in advance; the Controller may object on reasonable data-protection grounds, and if the parties cannot agree may terminate the affected Services without penalty. The Processor imposes equivalent data-protection obligations on every Sub-processor and remains liable for their compliance.

4.5 Data Subject Rights

The Processor assists the Controller, by appropriate technical and organisational measures, in responding to requests under Articles 15–22 UK GDPR.

4.6 Assistance with Articles 32–36

The Processor assists the Controller in ensuring compliance with security, breach notification, DPIA and prior-consultation obligations, taking into account the nature of Processing and the information available to the Processor.

4.7 Personal Data Breach notification

The Processor notifies the Controller without undue delay, and in any event within 48 hours of becoming aware, of any Personal Data Breach affecting the Controller's data — designed to preserve the Controller's 72-hour ICO notification window.

4.8 Return or deletion

On termination, at the Controller's choice, the Processor deletes or returns all Personal Data, and deletes existing copies, except where law requires continued storage. Return format: structured export via the Controller's admin account. Deletion completed within ninety (90) days of termination with a written certificate on request.

4.9 Records and audit

On written request under confidentiality, the Processor makes available its ROPA, TIA, information security policy, incident response plan, Sub-processor DPAs and certifications. The Controller may audit the Processor's compliance once per twelve-month period on thirty (30) business days' notice, at its own cost; a third-party audit report (e.g. SOC 2) may be provided in lieu.

5. International Transfers (Chapter V)

5.1 The Processor does not transfer Personal Data outside the UK except where necessary to deliver the Services and where an appropriate Chapter V safeguard is in place.

5.2 For Sub-processors in the United States, the Processor relies on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, the UK Extension to the EU–US Data Privacy Framework where the Sub-processor is certified, or other ICO-recognised mechanisms. See the Privacy Policy and the Transfer Impact Assessment (available on request).

5.3 For EEA Sub-processors, transfers rely on the UK adequacy regulations; no Chapter V safeguard is required. By executing this DPA the Controller approves the transfers described in Annex III.

6. Liability

Aggregate liability is subject to the limitations in the Services Agreement, save for liability that cannot be limited under Applicable Data Protection Laws. Each party indemnifies the other for Article 83 fines arising from its own breach of this DPA, subject to those limitations.

7. Term and Termination

This DPA commences on the Effective Date and runs for the duration of the Services Agreement. Obligations which by their nature survive — confidentiality, deletion/return, records, liability — survive termination.

8. Order of Precedence

In the event of conflict with the Services Agreement, this DPA prevails on matters concerning the Processing of Personal Data.

9. Governing Law and Jurisdiction

Governed by the laws of England and Wales. Parties submit to the exclusive jurisdiction of the courts of England and Wales.

10. Execution

The Controller accepts this DPA by ticking the acceptance checkbox during account signup, or by executing a counterpart via electronic signature. The Processor has signed below.

Signed for and on behalf of YairTech Ltd

Yair Kruskal, Director

United Kingdom

Annex I — Description of Processing

A. Parties

  • Controller: the law firm identified during signup (name, registered address, SRA number as provided).
  • Processor: YairTech Ltd, registered in England and Wales. Contact: privacy@legal-mate.ai.

B. Description

Subject matter: AI-assisted legal case analysis, document processing, case management, and communications drafting.
Nature & purpose: Hosting of case data; application of LLM and OCR models; retrieval-augmented search; generation of draft pleadings, letters and analysis reports; audit logging.
Data subjects: Controller's clients; third parties named in case papers; Controller's employees (named users).
Data categories: Names, contact details, dates of birth, employment history, remuneration, bank transaction data (DSAR OCR), correspondence, case facts and outcomes.
Special categories: Data concerning legal claims; where relevant to the claim, health data, data revealing protected characteristics, etc. Processed under Article 9(2)(f).
Frequency: Continuous for the duration of the Services.

C. Retention

Category | Retention | Trigger
Case data | 7 years | Case closed
User / firm records | Subscription + 6 years | Contract end
Billing records | 7 years | Invoice date (HMRC)
Usage analytics | 2 years rolling | Collection date
Technical / security logs | 90 days | Log creation
Audit logs | 7 years | Log creation

D. Competent Supervisory Authority

Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow SK9 5AF, UK.

Annex II — Technical & Organisational Measures

Technical

  • Encryption at rest (AES-256) and in transit (TLS 1.3).
  • Row Level Security on all multi-tenant tables; firm-scoped access control.
  • Supabase Auth with email verification and password complexity policy.
  • Role-based permissions (admin, solicitor, paralegal, read-only); least privilege.
  • JWT-bearer API with rate limiting, input validation, OWASP Top-10 checks.
  • Immutable audit_logs table (no UPDATE/DELETE by RLS design).
  • Daily encrypted backups with point-in-time recovery.
  • Automated dependency vulnerability scanning.
  • PII filtering in error reports (send_default_pii=False, masked headers).

Organisational

  • Named privacy lead; staff confidentiality undertakings.
  • Least-privilege access management with periodic review.
  • 72-hour ICO breach procedure (48-hour Controller notification window).
  • Sub-processor due diligence; annual DPA and certification review.
  • Data minimisation; privacy awareness training.
  • Annual review of ROPA, TIA and this DPA.

Annex III — Sub-processors

Authorised Sub-processors as at the version date above:

Sub-processor | Service | Region | Transfer mechanism
Supabase Inc | Database, auth, file storage | United States | UK IDTA + EU SCCs; DPA on file
OpenAI LLC | LLM inference for analysis, drafting, chat | United States | UK IDTA + EU SCCs; OpenAI DPA on file (v.051325, signed 11 Dec 2025); API data not used for model training (organisation-level controls enforced; evidence on file)
Mistral AI SAS | OCR extraction from uploaded documents | France (EU) | Intra-EEA under UK adequacy
Sentry Inc | Error tracking and performance monitoring | United States | UK IDTA + EU SCCs; DPA on file; PII filtered on ingest
Stripe Inc | Subscription billing (billing references only — no case data) | United States | UK IDTA + EU SCCs (standard); PCI-DSS Level 1
Microsoft Ireland Operations Ltd | Microsoft 365 — transactional email | Ireland (EEA) | Intra-EEA under UK adequacy
Akamai Technologies Inc (Linode) | Virtual-server hosting; Redis cache & Celery broker self-hosted inside the instance | Ireland (EEA) | Intra-EEA under UK adequacy; US parent — see TIA §3.5

Material changes are notified to firm admins as set out in clause 4.4.

Contact

YairTech Ltd

Data-protection enquiries: privacy@legal-mate.ai

Signed PDF counterpart on request for procurement teams.