Data Processing Addendum

1. FOUNDATIONAL TERMS

This Data Processing Addendum (the "DPA") governs Casepal's processing of DPA Data that is required to provide the Service under the agreement between You and Casepal pertaining to the use of Casepal's AI-powered legal platform (the "Agreement"). This DPA is incorporated into and forms part of Your Terms with Casepal. In the event of any conflicting language between the Agreement, other Terms, or an operative Order Form, the terms of this DPA control.

You and Casepal each agree to comply with their respective obligations under Data Protection Law.

1.1 Data Processing Roles

As between You and Casepal, You are the Data Controller, and Casepal is the Data Processor, processing DPA Data on Your behalf.

1.2 Data Processing Purposes

Casepal will process DPA Data as Your Data Processor for the purpose of providing or maintaining the Service and in accordance with the Instructions. Casepal acknowledges that You are disclosing DPA Data for these limited and specific purposes. You acknowledge that the Service utilizes large language models and AI systems that generate probabilistic outputs, and that such outputs may require human review for accuracy and completeness.

Casepal does not use DPA Data to train, fine-tune, or improve Casepal's proprietary AI models or any third-party AI models. DPA Data is processed solely to generate outputs in response to Customer's use of the Service. Prompts, outputs, and usage patterns are not retained beyond the session duration except as necessary to provide the Service (e.g., conversation history within a workspace) or as required by Section 14 (Retention and Deletion).

1.3 Categories of Personal Data

Personal Data contained within Customer Data and Content processed through the Service. This processing potentially involves all types of Personal Data, including Special Categories of Personal Data as defined under Data Protection Law. Examples include:

Contact information: names, addresses, telephone numbers, email addresses

Identification information: photos, passport numbers, national identity numbers, social insurance numbers, tax identification numbers

Employment information: employment history, job titles, responsibilities, CVs, professional qualifications

User-generated content: instructions, comments, opinions, documents, and all information entered into the AI platform

Legal case information: information about legal cases concerning individuals, family relationships, contractual relationships

Financial information: payment and transaction information, bank account numbers

Location information: geographic location data

Special Categories of Personal Data: criminal conviction data, data about minors, health data, trade union membership, political opinions, religious or philosophical beliefs, biometric data, genetic data, data concerning sex life or sexual orientation

‍

1.4 Categories of Data Subjects

Individuals identified in Customer Data and Content. Examples include:

Controller's employees and personnel

Controller's clients and their representatives

Counterparties and opposing parties in legal matters

Lawyers, judges, and other legal professionals

Witnesses, experts, and consultants

Controller's business associates and service providers

Any individuals referenced in legal documents or cases

‍

1.5 Duration of Processing

Subject to the Terms and Section 14 of this DPA, DPA Data will be processed for the term of the Agreement.

‍

2. DEFINITIONS

The definitions in Section 15 (Defined Terms) apply to this DPA. All terms in quotation marks in the body of this DPA are also defined terms. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.

‍

3. PROCESSING REQUIREMENTS

As a Data Processor, Casepal will:

(a) process DPA Data on Your behalf, according to the Instructions, and only in a manner necessary for the performance of the Service;

(b) promptly notify You in writing if it cannot comply with the requirements of this DPA;

(c) promptly inform You if, in Casepal's opinion, an instruction from You infringes applicable Data Protection Law;

(d) ensure that all persons authorized by Casepal to process DPA Data are subject to a duty of confidentiality and have received adequate training in relation to their obligations under this DPA and Data Protection Law;

(e) comply with Data Protection Law and is responsible for demonstrating its compliance; and

(f) keep a record of processing activities for the processing carried out for the Controller, in accordance with the provisions of Article 30(2) of the GDPR.

‍

4. SUBPROCESSORS

4.1 General Authorization

Casepal will engage the organizations or persons listed at https://trust.casepal.co/subprocessors (the "Subprocessor List") as necessary to perform the Service. You consent to Casepal's use of its existing Subprocessors and You grant Casepal a general written authorization to engage Subprocessors to perform all or part of the processing activities required to provide the Service.

‍

4.2 Notice and Objection Rights

If You subscribe to receive email notifications at the Subprocessor List, then Casepal will notify You if Casepal intends to add one or more Subprocessors to the Subprocessor List at least 30 days before the change takes effect. You may, within 30 days of receiving the notice of the change, reasonably object to Casepal's use of a Subprocessor on reasonable grounds relating to the protection of DPA Data (the "Objection") by following the instructions set forth in the Subprocessor List or by contacting privacy@casepal.co (the "Objection Notice").

‍

4.3 Resolution Process

In the event of an Objection, Casepal shall have the right to cure the Objection through one of the following options:

(i) Casepal will offer an alternative to provide its Service without such Subprocessor;

(ii) Casepal will take the corrective steps requested by You in the Objection Notice and proceed to use the Subprocessor;

(iii) Casepal may cease to provide, or You may agree not to use, whether temporarily or permanently, the particular aspect or feature of the Service that would involve the use of such Subprocessor; or

(iv) You may cease providing DPA Data to Casepal for processing.

If none of the above options are commercially feasible, in Casepal's reasonable judgment, and the Objection has not been resolved to the satisfaction of the parties within thirty (30) days of Casepal's receipt of the Objection Notice, then either party may terminate any subscriptions, order forms or usage regarding the Service for cause and in such case, You will be refunded any prepaid but unused fees for the applicable subscriptions, order forms or usage to the extent they cover periods or terms following the date of such termination. Other than accepting such cure as may be offered by Casepal, such termination right is Your sole and exclusive remedy if You object to any new Subprocessor.

‍

4.4 Subprocessor Obligations

Casepal will:

(a) enter into contractual arrangements with each Subprocessor binding them to provide the same level of data protection and information security to that provided for in this DPA and meeting the essential requirements of Article 28(3) of the GDPR;

(b) conduct an appropriate investigation prior to engaging each Subprocessor to ensure that the Subprocessor is able to provide the level of protection for the DPA Data required by this DPA;

(c) provide the Controller, whenever requested, for inspection, with copies of its agreements with the Subprocessors (from which any confidential commercial information not related to the requirements of this DPA may be deleted); and

(d) remain fully liable to You for the performance of each Subprocessor to the extent the Subprocessor fails to fulfill its data protection obligations under the applicable data processing agreement with Casepal.

‍

5. NOTICE TO CUSTOMER

Casepal will inform You, to the extent legally permitted, if Casepal receives:

(a) any legally binding request for disclosure of DPA Data by a law enforcement authority. If Casepal is legally prohibited from notifying You, Casepal will use its best efforts to request a waiver of the prohibition and will document that request. Casepal will notify You once the prohibition expires or has been lifted with the aim of providing as much relevant information to You as reasonably possible;

(b) any notice, inquiry, or investigation by a Supervisory Authority with respect to DPA Data; or

(c) any complaint or request from a Data Subject (including "verifiable consumer requests" as defined by CCPA) exercising their right under Data Protection Law to (i) access their DPA Data; (ii) have their DPA Data corrected or erased; (iii) restrict or object to the Processing of their DPA Data; or (iv) data portability (collectively "Data Subject Request"). Casepal will record any Data Subject Request received either by it or its Subprocessor and shall notify You within five (5) business days of receipt, or such shorter period as may be necessary to enable You to respond within applicable legal deadlines. Other than to request further information or identify the Data Subject, Casepal will not respond to any Data Subject Request without prior written authorization from You.

‍

6. PERSONAL DATA BREACH

If Casepal experiences a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to DPA Data ("Personal Data Breach"), Casepal will notify You without undue delay and, where feasible, not later than 72 hours after becoming aware of it. Casepal will provide You with all information about the Personal Data Breach as required by Data Protection Law. Casepal will cooperate with You and assist You, as You may require, in the investigation, mitigation, and redress of any Personal Data Breach.

‍

7. ASSISTANCE TO CUSTOMER AND AUDITS

7.1 Data Subject Rights Assistance

Upon Your written request, Casepal will provide reasonable assistance to You regarding Your obligations to respond to Data Subject Requests relating to Casepal's Processing of DPA Data. Such assistance shall be provided at no additional cost to the extent such requests arise from the normal operation of the Service. Where You request assistance that requires substantial additional effort beyond Casepal's standard operational processes, Casepal may charge reasonable fees to be agreed in advance.

‍

7.2 Data Protection Impact Assessments

Upon Your written request, Casepal will provide reasonable assistance to You regarding Your preparation of data protection impact assessments with respect to the processing of DPA Data by Casepal and, where necessary, carrying out consultations with any Supervisory Authority with jurisdiction over the Processing. Such assistance shall be limited to providing information about the Processing activities and security measures implemented by Casepal. Where You request Casepal to conduct assessments, analyses, or generate reports beyond the provision of existing documentation, Casepal may charge reasonable fees to be agreed in advance.

‍

7.3 Audits

Upon Your written request, Casepal will provide information, assessments, or audits, to the extent required by Data Protection Law, and as necessary to confirm that Casepal is processing Personal Data in a manner consistent with this DPA.

7.3.1 Documentation and Remote Audits

Casepal shall provide, at no cost, access to:

(a) all documentation related to Casepal's data processing activities;

(b) third-party security certifications (e.g., SOC 2, ISO 27001); and

(c) participation in remote audits conducted via questionnaire or video conference, up to two (2) such audits per calendar year.

‍

7.3.2 On-Site Audits

Customer may conduct one (1) on-site audit per calendar year, at no cost to Customer, upon thirty (30) days' prior written notice and subject to Casepal's reasonable security and confidentiality procedures.

‍

7.3.3 Additional Audits

Audits beyond those specified in Sections 7.3.1 and 7.3.2, or audits requiring more than 20 person-hours of Casepal effort, may be subject to Casepal's reasonable costs, to be agreed in writing in advance. Costs of remediation identified by any audit shall be borne by Casepal.

‍

7.3.4 Supervisory Authority Audits

The rights set forth in this Section 7.3 do not limit or restrict audits or inspections conducted directly by a Supervisory Authority, which Casepal shall accommodate at no cost in accordance with applicable Data Protection Law.

‍

7.4 Remediation

Casepal shall take commercially reasonable measures to correct any material gaps in relation to the protection of DPA Data identified through audit, within a timeframe proportionate to the severity of the gap. Casepal shall bear the cost of remediation where such gaps represent a breach of Casepal's obligations under this DPA. Where an audit identifies recommendations for enhancements beyond Casepal's contractual obligations, implementation shall be subject to mutual agreement and may be subject to additional fees.

‍

7.5 AI Literacy and Training Support

Casepal shall provide Customer with access to educational resources and training materials to support Customer's AI literacy obligations under applicable Data Protection Law and AI regulations. Such support shall include:

(a) Knowledge Hub Access: Casepal makes available a dedicated knowledge resource at https://knowledge.casepal.co/ containing documentation, tutorials, and best practice guides on the responsible use of AI-powered legal tools and Casepal-specific features;

(b) Personnel Availability: Casepal personnel are available to Customer to discuss questions, provide guidance, and facilitate Customer's understanding of the Service's AI capabilities, limitations, and appropriate use cases; and

(c) Cooperation on AI Literacy: Casepal encourages and supports Customer in developing and implementing AI literacy programs for Customer's personnel who use the Service, and shall reasonably cooperate with Customer to provide information about the Service's AI functionality to support such programs.

Casepal's provision of these resources does not relieve Customer of its independent obligations under applicable law to ensure appropriate AI literacy and training for its personnel.

‍

8. REQUIRED PROCESSING

If Casepal is required by applicable law to Process DPA Data outside of Your Instructions, Casepal will inform You of this requirement in advance of any processing, unless Casepal reasonably believes it is legally prohibited from informing You of such processing.

‍

9. SECURITY

9.1 Security Measures

Casepal will implement and maintain a written information security program with the data security measures set out in the Trust centre (available at https://trust.casepal.co/) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of DPA Data and to protect the rights of the Data Subject.

‍

9.2 Security Standards

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of individuals, Casepal shall implement appropriate technical and organisational measures to ensure an appropriate level of security against risks, which may include, as appropriate:

(a) the pseudonymization and encryption of personal data, in particular during their transmission and storage;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) procedures for regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of processing; and

(e) the ability to ensure that the DPA Data is kept separately from personal data of other clients of Casepal.

(f) AI-Specific Security and Transparency Controls: 

For processing activities involving artificial intelligence and large language models, Casepal implements technical and organisational measures designed to:

(i) User Notification and Transparency: inform users that they are interacting with an AI system through clear, visible notifications displayed within the Service interface. Casepal displays text messages or visual indicators on every tool or feature that relies on AI-generated outputs, ensuring users are aware that the content they are viewing or receiving has been produced by artificial intelligence before their first interaction with such content;

(ii) Adversarial Input Protection: prevent and detect attempts to manipulate AI system behavior through adversarial inputs, including prompt injection attacks, jailbreaking techniques, or other methods designed to circumvent the Service's intended functionality or safety controls;

(iii) Input Validation and Filtering: validate and sanitize Customer inputs to AI systems to reduce risks of processing malicious, inappropriate, or out-of-scope content that could compromise system integrity or generate harmful outputs;

(iv) Output Monitoring and Quality Control: implement automated monitoring of AI-generated outputs to detect and mitigate the generation of inaccurate, biased, inappropriate, or potentially harmful content, including through the use of content filtering and safety classifiers;

(v) Data Segregation: maintain logical and, where appropriate, segregation of Customer prompts, outputs, and usage data from those of other customers to prevent unauthorized cross-customer data access or model contamination;

(vi) Model Security and Integrity: ensure the security and integrity of AI models used in the Service, including protection against model poisoning, unauthorized model extraction, and tampering with model parameters or behavior;

(vii) Logging and Traceability: log AI processing activities, including prompts, outputs, and system decisions, for security monitoring, incident response, audit purposes, and to enable investigation of potential security incidents or misuse, in accordance with Section 14 (Retention and Data Deletion);

(viii) Continuous Risk Assessment: assess and update AI-specific security measures in light of evolving threat landscapes, including emerging attack vectors specific to large language models and generative AI systems; and

(ix) Third-Party AI Model Security: where the Service utilizes third-party general-purpose AI models as Subprocessors, ensure that such models are obtained from providers who maintain appropriate cybersecurity protections, undergo adversarial testing, and comply with industry standards for AI model security.

‍

9.3 Personnel Security

Casepal will take appropriate steps to confirm that all Casepal personnel and persons or entities authorized to Process DPA Data on Casepal's behalf are protecting the security, privacy and confidentiality of DPA Data consistent with the requirements of this DPA.

‍

9.4 Business Continuity

Casepal maintains business continuity and disaster recovery procedures appropriate to the nature of the Services. Upon Your request, Casepal shall provide You with a summary of its business continuity measures.

‍

10. US SPECIFIC DATA PROTECTION OBLIGATIONS

To the extent applicable under US State Privacy Law, Casepal certifies that it understands and will comply with its obligations under US State Privacy Law to:

(a) only process DPA Data for the purposes set out in this DPA, the Agreement, or the Terms, unless otherwise permitted by law;

(b) not "sell" or "share" (as defined by CCPA) DPA Data;

(c) not retain, use or disclose DPA Data outside of the direct business relationship between Casepal and Customer unless otherwise required or permitted by law;

(d) Process DPA Data in a manner that provides no less than the level of privacy protection required by US State Privacy Law;

(e) not combine any DPA Data with Personal Data that Casepal receives from or on behalf of a third party other than You or collects from Casepal's own interactions with individuals, provided that Casepal may combine Personal Data as permitted under US State Privacy Laws or if directed to do so by Customer;

(f) not attempt to reidentify any deidentified data You provide to Casepal, except for the sole purpose of determining whether the deidentification processes are compliant with applicable Data Protection Law; and

(g) grant You the right to take reasonable and appropriate steps to (i) ensure that Casepal uses DPA Data in a manner consistent with Data Protection Law and (ii) stop and remediate unauthorized use of DPA Data.

‍

11. OBLIGATIONS OF CUSTOMER

11.1 Rights and Consents

You represent, warrant and covenant that You have and shall maintain throughout the term all necessary rights, consents and authorizations to provide the DPA Data to Casepal and to authorize Casepal to Process DPA Data as contemplated by this DPA, the Agreement, the Terms and/or other Instructions provided to Casepal.

‍

11.2 Instructions

By using the Service, you are instructing Casepal to process DPA Data as reflected in the Documentation and as reasonably necessary for the performance of the Services.

‍

11.3 Cooperation

You shall reasonably cooperate with Casepal to assist Casepal in performing any of its obligations under Data Protection Law in relation to DPA Data.

‍

11.4 Secure Design and Configuration

You acknowledge and agree that You, rather than Casepal, are responsible for certain configurations and design decisions for the Service and that You are responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Law. Examples include but are not limited to: access control settings, user permission levels, data retention settings, and geographic storage preferences. Without limitation to the above, You represent, warrant and covenant that You shall only transfer DPA Data to Casepal using secure, reasonable and appropriate mechanisms. 

‍

11.5 Prohibited Methods of Data Transfer

You shall not provide DPA Data to Casepal except through agreed mechanisms. For example, You should avoid including DPA Data in support tickets where possible.

‍

11.6 Responsible Use of AI Features

You acknowledge that the Service includes AI-powered features that generate outputs based on large language models and machine learning. You agree that:

(a) Human Review Required: AI-generated outputs, including legal analysis, contract drafting, research summaries, and case law citations, must be reviewed and verified by qualified legal professionals before use in client communications, court filings, legal advice, or any other professional legal work. Casepal does not warrant that AI outputs are accurate, complete, or suitable for any particular purpose.

(b) Special Categories of Personal Data: You shall exercise particular caution when processing Special Categories of Personal Data through AI features and should implement appropriate safeguards, including pseudonymization or anonymization where feasible, before submitting such data to the Service.

(c) Prohibited Manipulation: You shall not attempt to manipulate, jailbreak, or circumvent the Service's safety controls, including through prompt injection, adversarial inputs, or other techniques designed to cause the AI system to behave in unintended ways.

(d) Output Responsibility: You retain sole responsibility for any use of AI-generated outputs and any decisions made based on such outputs. Casepal is not responsible for consequences arising from reliance on AI-generated content without independent professional verification.

‍

12. CROSS-BORDER DATA TRANSFERS

12.1 Default Processing Location

Unless You and Casepal have agreed, in your currently operative order form or otherwise in writing, to process and store DPA Data exclusively in a different geographic location, DPA Data will be processed and stored within the European Economic Area (EEA). Casepal's primary infrastructure is hosted in Frankfurt, Germany on Google Cloud Platform's EU-based infrastructure.

‍

12.2 Permitted Transfers Outside the EEA

Notwithstanding Section 12.1, limited transfers of DPA Data outside the EEA may occur where:

(a) the European Commission has issued an adequacy decision for the destination country under Article 45 of the GDPR; or

(b) Casepal and the recipient of the DPA Data have entered into Standard Contractual Clauses issued by the European Commission under Article 46 of the GDPR and have complied with any other provisions of Data Protection Law in respect of transfers of DPA Data (including completion of Transfer Impact Assessments where required).

‍

12.3 Standard Contractual Clauses

Where transfers occur under Section 12.2(b), the parties agree that:

(a) For EEA Transfers: Module 2 (Controller to Processor) of the European Commission's Standard Contractual Clauses as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 shall apply. For the purpose of those clauses:

You are the "data exporter" and Casepal is the "data importer"

The details in Section 1 of this DPA satisfy the Annex requirements

The optional clauses are completed as follows: Clause 7 (docking clause) applies; Clause 9(a) (prior authorization for sub-processors) applies with 30 days' notice; Clause 11(a) (no independent redress mechanism) does not apply; Clause 17 (governing law) shall be the law of Cyprus; Clause 18 (choice of forum) shall be the courts of Cyprus(b) For UK Transfers: The UK International Data Transfer Addendum issued by the UK Information Commissioner's Office (version B1.0, in force 21 March 2022) shall apply to the Standard Contractual Clauses, with the Mandatory Clauses deemed amended as needed to be read consistently with UK law.

(c) For Swiss Transfers: The Standard Contractual Clauses shall apply with the following modifications: references to "Regulation (EU) 2016/679" shall be understood as references to the Swiss Federal Act on Data Protection; references to "EU", "Union" and "Member State" law shall be understood as references to Swiss law; and references to the "competent supervisory authority" and "courts" shall be replaced with the Swiss Federal Data Protection and Information Commissioner and Swiss courts respectively.

(d) Transfer Impact Assessments: Casepal has conducted Transfer Impact Assessments for transfers to the United States and has implemented supplementary measures including encryption in transit and at rest, strict access controls, and contractual commitments from US-based Subprocessors to challenge disproportionate government access requests.

‍

12.4 US-Based Subprocessors

To the extent Casepal engages US-based Subprocessors (as identified in the Subprocessor List at https://trust.casepal.co/subprocessors), such transfers are protected by:

(a) the EU-U.S. Data Privacy Framework (where the Subprocessor is DPF-certified and listed on the Data Privacy Framework List maintained by the U.S. Department of Commerce at dataprivacyframework.gov/list); and/or

(b) Standard Contractual Clauses in accordance with Section 12.3.

‍

12.5 Notification of Transfers

Casepal shall maintain current information about international transfers and the safeguards applied in the Subprocessor List (available at https://trust.casepal.co/subprocessors), which shall be updated from time to time. Casepal shall inform You of any material changes to such transfers in accordance with the notification procedure set out in Section 4.2.

‍

12.6 Customer Control Over Data Location

You may, at the time of subscription or by written request, specify that Your DPA Data must be stored and processed exclusively within:

The European Economic Area

Other geographic regions offered by Casepal

Any such restriction will be documented in Your Order Form and may affect Service availability or pricing.

‍

13. FUTURE REGULATIONS

13.1 Review for AI Regulations

In the event that new legislation and regulations are implemented that specifically govern the use of artificial intelligence solutions (including but not limited to the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), or AI-specific regulations enacted by US states or other jurisdictions), both parties agree to review this DPA to ensure compliance with such legislation and regulations.

‍

13.2 Good Faith Amendment

If substantial modifications are required to the terms and conditions of this DPA to render it or the Parties' performance under it compliant with any regulations implemented following its Effective Date, both parties shall negotiate in good faith to make necessary amendments.

‍

13.3 Termination for Infeasibility

Should new regulations render the continued provision of services under this contract infeasible or unlawful, either party may initiate termination by providing written notice to the other party. Termination shall be effective after a reasonable notice period, as agreed upon by both parties.

‍

13.4 Survival of Prior Obligations

The termination of this DPA due to the aforementioned regulations shall not relieve either party from any outstanding obligations or liabilities incurred prior to the termination.

‍

13.5 Severability and Regulatory Compliance

If any provision of this DPA is found to be inconsistent with future regulations, such provision shall be interpreted in a manner consistent with the applicable laws, or if necessary, deemed null and void without affecting the validity of the remaining provisions.

‍

14. RETENTION PERIOD AND DATA DELETION

14.1 DPA Term

This DPA shall remain in effect until (i) the Service is terminated and (ii) Casepal no longer processes DPA Data on Your behalf.

‍

14.2 Data Deletion Timeline

Within 30 days following termination of the Service or upon your reasonable request, Casepal shall, and shall direct each Subprocessor to, return to You or delete the DPA Data, unless Casepal is required by law to retain DPA Data.

‍

14.3 Backup Retention

Casepal may retain DPA Data in backup systems for up to 90 days following termination, provided such data is not actively processed and remains subject to the security obligations of this DPA.

‍

14.4 Confirmation of Deletion

Casepal shall notify You in writing that Casepal has fully complied with the deletion requirements of this Section 14.

‍

14.5 Survival

Any clause which by its nature is still valid after the termination of this DPA (including Sections 5, 6, 7, 10, 14, and 15) shall continue to apply. Termination of this DPA shall not affect the rights and obligations of the Parties that arose prior to its termination.

‍

15. DEFINED TERMS

"Applicable Law" means any law, regulation, directive, decision, or any other secondary law which is applicable to either Party; any binding decision or court order, any applicable directive, policy, rule of any public authority having jurisdiction in relation to the Parties or in relation to any Party.

"Data Controller" means the person or entity that determines the purposes and means of Processing DPA Data, which may include, as applicable, equivalent concepts under Data Protection Law (for example, "Business" as defined by CCPA).

"Data Privacy Framework" or "DPF" means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework, as applicable.

"Data Processor" means the person or entity that Processes DPA Data on behalf of the Data Controller, which may include, as applicable, equivalent concepts under Data Protection Law (for example, "Service Provider" as defined by CCPA).

"Data Protection Law" means privacy and data protection law applicable in connection with your use of the Service, including but not limited to:

(a) The GDPR and any applicable EU member state legislation implementing or supplementing the GDPR;

(b) The UK GDPR and UK Data Protection Act 2018;

(c) The Swiss Federal Act on Data Protection;

(d) US State Privacy Law; and

(e) Any other applicable legislation (including Treaties, Constitutions, Regulations, Directives, Laws) that is in force and regulates the protection of personal data or the protection of privacy.

"Data Subject" means an identified or identifiable natural person to which DPA Data relates, to the extent their Personal Data is protected by Data Protection Law.

"Data Transfer Mechanism" means a transfer mechanism that enables the lawful cross-border transfer of DPA Data under Data Protection Law. This includes transfer mechanisms that are required under Data Protection Law in the EEA, UK, and Switzerland such as the Data Privacy Framework, the EEA SCCs, the UK International Data Transfer Addendum and any data transfer mechanism available under Data Protection Law that is incorporated into this DPA.

"Documentation" means Casepal's user guides, help documentation, and other materials made available to You in connection with the Service.

"DPA Data" means Customer Data or Your Content that is provided through the Service and that is Personal Data.

"EEA" means the European Economic Area.

"EEA SCCs" means Module 2 (Controller to Processor) of the standard contractual clauses set out in the European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries according to the GDPR.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation).

"Instructions" means any (i) documented communication from You which includes actions taken or input provided through the Service; or (ii) agreement between You and Casepal that requires Casepal to provide the Service; or (iii) the Documentation.

"Personal Data" means any information relating to an identifiable natural person which is protected under Data Protection Law and Processed in connection with Your use of the Service. This includes equivalent concepts as defined by Data Protection Law (for example, "personal information" as defined under the CCPA).

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

"Processing" means any operation or set of operations which is performed on Your behalf on DPA Data, whether or not by automated means, such as collecting, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, or dissemination. "Process", "Processes" and "Processed" will be interpreted accordingly.

"Trust centre" means the Trust centre located at https://trust.casepal.co/.

"Service" means Casepal's AI-powered legal platform and related services as described in the Agreement.

"Special Categories of Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, as well as Personal Data relating to criminal convictions and offences.

"Subprocessor" means an entity Casepal engages to Process DPA Data on Casepal's behalf, to carry out specific processing activities on Your behalf.

"Subprocessor List" means the list of Subprocessors maintained by Casepal at https://trust.casepal.co/subprocessors.

"Supervisory Authority" means an independent public authority which is (i) established by a member state pursuant to Article 51 of the GDPR; (ii) the Information Commissioner's Office in the United Kingdom; (iii) the Federal Data Protection and Information Commissioner in Switzerland; or (iv) any other public authority governing data protection that has supervisory jurisdiction over You.

"UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

"UK International Data Transfer Addendum" means the international data transfer addendum to the EEA SCCs issued by the United Kingdom's Information Commissioner's Office which came into force in accordance with s119A of the UK Data Protection Act on 21 March 2022.

"Terms" means, collectively, the following documents, which together govern the provision and use of the Service:

(a) the Master Subscription Agreement available at https://www.casepal.co/master-subscription-agreement (the "MSA");

(b) any Subscription Order Form executed between You and Casepal specifying the subscription details, pricing, and term (the "Order Form"); and

(c) this Data Processing Addendum.

"US State Privacy Law" means all state laws relating to the protection and processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and any other similar state privacy legislation.

"You" means the organization contracting for the use of the Service.

‍

16. GOVERNING LAW AND JURISDICTION

16.1 Governing Law

This Data Processing Addendum shall be governed by and construed in accordance with the laws of Cyprus.

‍

16.2 Jurisdiction

Any dispute arising out of or in connection with this Data Processing Addendum, including disputes relating to its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the courts of Cyprus.

‍

16.3 Supervisory Authority Rights

Nothing in this Section 16 limits:

(a) the rights of Data Subjects to lodge complaints with a competent Supervisory Authority under Article 77 GDPR or to seek judicial remedies under Article 79 GDPR; or

(b) the investigatory, corrective, or enforcement powers of any Supervisory Authority under applicable Data Protection Law.

‍

17. ORDER OF PRECEDENCE

Nothing in this Data Processing Addendum reduces the obligations of Casepal under any other agreement in relation to the protection of Personal Data or allows Casepal to process (or allow the processing of) Personal Data in a manner prohibited by any other agreement. Regarding the subject matter of this Data Processing Addendum, in the event of a conflict between the provisions of this DPA and any other agreements between the Parties, the provisions of this DPA shall prevail.

‍

18. CHANGES AND SEVERABILITY

18.1 Amendment for Regulatory Changes

This Data Processing Addendum may be amended from time to time, in particular in the event that the European Commission, UK authorities, Swiss authorities, or any other competent authority shall settle any matter relating to this DPA in a different manner, or in the event of changes to Data Protection Law that require amendments to maintain compliance.

‍

18.2 Severability

If any provision of this Data Processing Addendum is found by a court to be invalid, unenforceable or illegal, the remaining provisions shall remain in force and the validity and enforceability of this DPA shall not be affected. In the event that a term is deemed non-existent, the Parties will negotiate in good faith to agree to its replacement so that the original desired result is achieved to the greatest extent possible.

‍