Data Processing Agreement
Effective: April 21, 2026 · Last updated: April 21, 2026
This Data Processing Agreement reflects ParalegalMate’s good-faith commitments during our pre-launch phase. It is under continuous review and will be finalized by licensed counsel prior to paid customer onboarding at our July 1, 2026 general availability launch. Firm customers requiring a countersigned DPA for procurement purposes may email legal@paralegalmate.com.
1. Parties & Scope
This Data Processing Agreement (“DPA”) forms part of the agreement between ParalegalMate (“Processor”) and the law firm customer (“Controller”) regarding processing of personal data in connection with the Service. This DPA governs all processing of Customer Personal Data by ParalegalMate on behalf of the Controller.
2. Definitions
Customer Personal Data. Any personal data uploaded, processed, or generated through the Service by or on behalf of Controller, including matter content relating to the Controller’s clients, opposing parties, witnesses, or other individuals.
Processing. Any operation performed on personal data, including collection, storage, analysis, generation of AI outputs, transmission, and deletion.
Sub-processor. Any third party engaged by ParalegalMate to process Customer Personal Data on its behalf.
3. Processing Details
| Subject matter | Provision of the ParalegalMate Legal Operating System. |
|---|---|
| Duration | For the term of the Controller’s subscription, plus up to 30 days for deletion. |
| Nature & purpose | Document ingestion, embedding generation, AI-assisted research and drafting, matter organization, user collaboration, analytics. |
| Data categories | Identification data, contact details, employment data (legal professionals), matter content (which may include sensitive personal data about clients, witnesses, opposing parties). |
| Data subjects | Controller personnel, Controller’s clients, third parties referenced in matters. |
4. ParalegalMate Obligations
- Process Customer Personal Data only on documented instructions from the Controller, including as set out in the Terms of Service.
- Ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
- Implement and maintain the technical and organizational security measures described in Section 5.
- Assist Controller in responding to data subject rights requests and regulatory inquiries.
- Not use Customer Personal Data for any purpose other than providing the Service, and in particular, not to train third-party foundation models.
5. Security Measures
- Encryption in transit via TLS 1.3.
- Encryption at rest via AES-256.
- Matter-scoped data isolation with row-level access enforcement.
- Multi-factor authentication and role-based access control.
- Least-privilege access policies for internal personnel.
- Audit logging of access to Customer Personal Data.
- Regular vulnerability scanning and annual penetration testing.
- Incident response procedures with documented runbooks.
- SOC 2 Type II audit in progress; targeted completion Q3 2026.
6. Sub-processors
Controller authorizes ParalegalMate to engage sub-processors to process Customer Personal Data. A current list of sub-processors (including cloud hosting, AI model providers, payment processing, and analytics) is maintained and made available upon request to legal@paralegalmate.com.
ParalegalMate will impose, on each sub-processor, data protection obligations no less protective than those in this DPA. ParalegalMate will provide notice of new sub-processors at least 30 days in advance, allowing Controller to object on reasonable grounds.
7. Data Subject Rights
ParalegalMate will, taking into account the nature of the processing, assist Controller in fulfilling its obligations to respond to requests from data subjects for access, correction, deletion, portability, or objection, through the tools exposed in the Service.
8. Personal Data Breach Notification
ParalegalMate will notify Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach affecting Customer Personal Data, including information reasonably necessary for Controller to meet its own notification obligations.
9. Audit Rights
ParalegalMate will make available to Controller, upon reasonable request, information necessary to demonstrate compliance with this DPA, including summaries of security audits and certifications. For on-site audits, the parties will agree in good faith on scope, frequency (no more than annually absent a material incident), and cost-sharing.
10. Return or Deletion of Data
Upon termination, and at the Controller’s choice, ParalegalMate will return or delete all Customer Personal Data within 30 days, except where retention is required by law. Controller may export data through the Service at any time during the subscription term.
11. International Transfers
Customer Personal Data is stored and processed in the United States. ParalegalMate does not transfer Customer Personal Data outside the United States without Controller’s written consent and appropriate safeguards.
12. Term & Precedence
This DPA is effective from the effective date of the Controller’s subscription and continues for so long as ParalegalMate processes Customer Personal Data on Controller’s behalf. In the event of any conflict between this DPA and the Terms of Service, this DPA controls with respect to processing of Customer Personal Data.
13. Governing Law
This DPA is governed by the laws of the State of Wyoming, consistent with the Terms of Service.
14. Contact
DPA requests, sub-processor list, or security questionnaires: legal@paralegalmate.com