Data protection

Client Data Processing Addendum

This Client Data Processing Addendum explains how we process personal data on your behalf when we provide services to you.

It forms part of the agreement between you and Lawyerly Ltd trading as Lawyerlink, and applies where we process personal data for you as a processor under UK data protection law.

This section explains what this Addendum is, when it applies, and how it fits with the rest of our agreement with you.

This Client Data Processing Addendum (Addendum) forms part of the agreement between Lawyerly Ltd (company number 15697410) trading as Lawyerlink and the client receiving services from us.

This Addendum applies where, in the course of providing the services, we process personal data on your behalf as a processor.

For the purposes of this Addendum:

  • you means the client, acting as controller unless stated otherwise;
  • we, us and our mean Lawyerly Ltd trading as Lawyerlink, acting as processor where this Addendum applies;
  • Agreement means our Terms of Service & Engagement together with any applicable Subscription Plan terms, Fixed Fee Proposal, scope confirmation, statement of work, order, or other written service-specific document under which we provide services to you;
  • Client Personal Data means personal data processed by us on your behalf in connection with the services;
  • Data Protection Legislation means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other applicable UK legislation relating to privacy or data protection, each as amended or replaced from time to time; and
  • Sub-processor means another processor engaged by us to process Client Personal Data on your behalf in connection with the services.

This Addendum prevails over any inconsistent provision of the Agreement, but only to the extent of that inconsistency and only in relation to the processing of Client Personal Data.

This Addendum applies for as long as we process Client Personal Data on your behalf. Any provisions which are intended to continue after the end of the services, including confidentiality, deletion, return, liability, and governing law, will continue accordingly.

This section explains the parties’ roles and the scope of processing covered by this Addendum.

You act as controller in relation to the Client Personal Data, unless applicable law provides otherwise.

We act as processor only to the extent that we process Client Personal Data on your behalf in connection with the services.

You are responsible for determining the purposes and lawful basis for the processing of Client Personal Data, including ensuring that:

  • you are entitled to provide the relevant personal data to us;
  • you have given any required privacy information to data subjects;
  • you have obtained any consents required by law, where consent is the lawful basis relied on; and
  • your instructions to us comply with Data Protection Legislation.

The subject matter, nature, purpose, duration, categories of personal data, and categories of data subjects relevant to this Addendum are described in Annexure 1.

This section explains the basis on which we process personal data for you.

We will process Client Personal Data only:

  • on your documented instructions;
  • as necessary to provide the services under the Agreement; and
  • as otherwise required by applicable law.

If we are required by law to process Client Personal Data other than on your instructions, we will inform you of that requirement before processing, unless the law prohibits us from doing so.

You may provide documented instructions to us through the Agreement, through written service requests, through use of the Client Hub or related systems, or through other written communications that are reasonably clear and consistent with the Agreement.

If we reasonably believe that an instruction infringes Data Protection Legislation, we will inform you without undue delay.

We are not required to follow an instruction that is unlawful, technically impossible, outside the scope of the services, or would materially compromise the security or integrity of our systems or the confidentiality of other clients’ data.

This section explains the commitments we make when processing Client Personal Data on your behalf.

We will:

  • process Client Personal Data only in accordance with this Addendum and your lawful documented instructions;
  • ensure that persons authorised to process Client Personal Data are subject to appropriate confidentiality obligations;
  • take appropriate technical and organisational measures designed to protect Client Personal Data;
  • assist you, taking into account the nature of the processing and the information available to us, with responding to requests from data subjects;
  • assist you, taking into account the nature of the processing and the information available to us, with your compliance obligations relating to security, breach notification, data protection impact assessments, and prior consultation with the ICO where applicable;
  • make available to you information reasonably necessary to demonstrate our compliance with this Addendum; and
  • maintain records where required by Data Protection Legislation.

We may update our internal processes, systems, and security measures from time to time, provided that the overall level of protection for Client Personal Data is not materially reduced.

This section explains how we approach security and restricted transfers.

We will implement and maintain appropriate technical and organisational measures to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

These measures will be appropriate to the risks presented by the processing, having regard to the nature of the Client Personal Data and the harm that might result from a personal data breach.

A summary of the technical and organisational measures we apply is set out in Annexure 2.

We will not transfer Client Personal Data outside the United Kingdom, or otherwise make it available in a territory requiring transfer safeguards under Data Protection Legislation, unless:

  • the transfer is made in compliance with Data Protection Legislation; and
  • an appropriate safeguard, exemption, or other lawful transfer mechanism applies.

Where relevant, this may include reliance on adequacy regulations, the UK International Data Transfer Agreement, approved addenda, or another lawful transfer mechanism.

This section explains when we may use sub-processors and how that is managed.

You provide general written authorisation for us to engage Sub-processors in connection with the services, subject to this section.

We will:

  • use only Sub-processors that are capable of providing appropriate safeguards for the protection of Client Personal Data;
  • enter into a written agreement with each Sub-processor imposing data protection obligations that are materially equivalent to the relevant obligations in this Addendum; and
  • remain responsible for the performance of our Sub-processors to the extent required by Data Protection Legislation and the Agreement.

A list of our current authorised Sub-processors is set out in Annexure 3.

If we add or replace a Sub-processor, we may update Annexure 3 from time to time. Where the change is material, we will give you reasonable prior notice by email, through the Client Hub, or by another reasonable written method.

If you have a reasonable data protection objection to a proposed new Sub-processor, you must notify us promptly in writing, setting out the grounds of objection. We will consider the objection in good faith.

If we cannot reasonably resolve the objection, either party may suspend or end the affected part of the services on written notice, without affecting any other part of the Agreement.

This section explains how we deal with rights requests, regulatory communications, audits, and data incidents.

If we receive a request from a data subject relating to Client Personal Data, we will notify you without undue delay unless we are legally prohibited from doing so.

We will not respond to such a request ourselves unless:

  • you instruct us to do so; or
  • we are required to do so by law.

If we receive any complaint, notice, enquiry, or other communication from the ICO or another regulator relating specifically to Client Personal Data processed under this Addendum, we will notify you without undue delay unless legally prohibited.

We will provide reasonable cooperation and assistance, taking into account the nature of the processing and the information available to us, in relation to:

  • data subject rights requests;
  • complaints and regulatory enquiries;
  • data protection impact assessments;
  • prior consultation with the ICO where applicable; and
  • your compliance with Data Protection Legislation in relation to the processing we carry out for you.

If we become aware of a personal data breach affecting Client Personal Data, we will notify you without undue delay.

That notification will, to the extent reasonably available at the time, include:

  • the nature of the breach;
  • the categories of data affected;
  • the likely consequences; and
  • the measures taken or proposed to address the breach and mitigate its possible adverse effects.

We will take reasonable steps to contain, investigate, and remediate the breach, and will provide further information as it becomes available.

Unless required by law, we will not notify data subjects, the ICO, or any third party about a breach affecting Client Personal Data without first consulting you.

We will make available to you information reasonably necessary to demonstrate compliance with this Addendum.

Any audit or inspection requested by you must be reasonable, proportionate, and limited to information relevant to the processing covered by this Addendum. Audits must be conducted on reasonable notice, during normal business hours, and in a way that does not unreasonably disrupt our business, compromise security, or expose confidential information relating to other clients.

We may satisfy audit requests through provision of relevant documentation, policies, summaries, reports, or responses to reasonable questionnaires where appropriate.

This section explains what happens to Client Personal Data when the relevant services end.

On expiry or termination of the relevant services, and subject to any contrary requirement under applicable law, we will, on your written request and within a reasonable period:

  • return the relevant Client Personal Data to you; or
  • securely delete the relevant Client Personal Data.

If you do not make a request within a reasonable period after the end of the services, we may delete the relevant Client Personal Data in accordance with our retention practices, unless we are required by law to retain it.

We may retain Client Personal Data to the extent required by law, regulation, professional obligation, insurance requirement, dispute management, backup retention cycle, or legitimate internal record-keeping relating to the Agreement, provided that any retained data remains protected in accordance with this Addendum and is not used for any incompatible purpose.

We may also retain residual copies in routine backup systems for a limited period where immediate deletion is not reasonably practicable, provided those copies remain subject to appropriate safeguards and are deleted in accordance with our standard backup retention cycle.

This section explains how this Addendum interacts with the wider Agreement on liability and legal interpretation.

Each party remains responsible for its own compliance with Data Protection Legislation.

Nothing in this Addendum relieves either party of its own direct responsibilities or liabilities under Data Protection Legislation.

Any contractual liability arising under or in connection with this Addendum will be subject to the liability, exclusion, and limitation provisions set out in the Agreement, unless Data Protection Legislation requires otherwise.

Nothing in this Addendum excludes or limits liability to a data subject, the ICO, or any other regulator where such liability cannot lawfully be excluded or limited.

This Addendum is governed by the laws of England and Wales, and the courts of England and Wales will have exclusive jurisdiction in relation to any dispute arising out of or in connection with it, unless the Agreement expressly states otherwise.

This section sets out the processing details, security measures, and authorised Sub-processors that apply to this Addendum.

Annexure 1

Processing details

Subject matter of the processing

The provision of legal and related services by Lawyerlink to the client under the Agreement, where such services involve the processing of Client Personal Data on the client’s behalf.

Duration of the processing

For the duration of the relevant services and, where applicable, any post-termination period during which Client Personal Data is retained in accordance with the Agreement, this Addendum, or applicable law.

Nature of the processing

Collection, recording, organisation, structuring, storage, retrieval, consultation, use, analysis, disclosure by transmission where necessary, restriction, deletion, and other processing activities reasonably required to provide the services.

Purpose of the processing

To provide the services, administer the client relationship, operate the Client Hub and related systems, support communication and workflow, maintain service security and continuity, and otherwise perform our obligations under the Agreement.

Categories of data subjects

Depending on the services, these may include:

  • the client’s personnel, officers, contractors, representatives, and users;
  • the client’s customers, clients, suppliers, counterparties, or advisors;
  • individuals referred to in documents or information uploaded or shared by the client; and
  • other individuals whose personal data is included in materials processed on the client’s behalf.

Categories of personal data

Depending on the services, these may include:

  • names, job titles, contact details, and identifiers;
  • company and business details;
  • billing and payment-related information;
  • account, authentication, and usage information;
  • correspondence and communication records;
  • personal data contained in documents, contracts, advice requests, uploads, and working materials;
  • compliance and verification information where relevant; and
  • any other personal data the client chooses to provide or instruct us to process through the services.

Special category data

Not intentionally required as a standard feature of the services, but may be processed where included by the client in documents, instructions, or matters for which processing is required.

Criminal offence data

Not intentionally required as a standard feature of the services, but may be processed where included by the client in documents, instructions, or matters for which processing is required.

Annexure 2

Technical and organisational measures

We apply technical and organisational measures designed to provide a level of security appropriate to the risk, taking into account the nature of the processing and the sensitivity of the Client Personal Data involved.

These measures may include, where appropriate:

  • information security and data protection policies, standards, and internal controls;
  • access controls designed to ensure that Client Personal Data is available only to authorised personnel on a need-to-know basis;
  • confidentiality obligations for staff and contractors with access to Client Personal Data;
  • user authentication controls and account security measures;
  • encryption or other protective measures for data in transit and, where appropriate, at rest;
  • secure hosting environments and infrastructure safeguards;
  • logging, monitoring, and alerting tools designed to support security oversight and incident detection;
  • backup, resilience, and recovery measures designed to support service continuity and restoration;
  • vulnerability management, patching, and system maintenance processes;
  • incident response and breach management procedures;
  • supplier and Sub-processor review processes;
  • secure deletion and disposal practices where data is no longer required; and
  • staff training and awareness measures relevant to privacy, confidentiality, and information security.

We may update and refine these measures over time as our systems, risks, and service model evolve, provided the overall level of protection is not materially reduced.

Annexure 3

Authorised Sub-processors

The following Sub-processors are currently authorised under this Addendum, to the extent they process Client Personal Data on our behalf in connection with the services:

Lawyerly Group (Pty) Ltd processes Client Personal Data for group operational, administrative, technology, product, development, support, and related service assistance in connection with the services. It is located in South Africa. Relevant data categories may include client contact details, account and user data, communication data, matter-related administrative data, uploaded content, and other service data to the extent accessed or processed in connection with the services.

Shft (Pty) Ltd processes Client Personal Data for system development, maintenance, and security infrastructure support. It is located in South Africa. Relevant data categories may include technical, operational, service, support, and limited client content data where reasonably necessary for debugging, maintenance, or security support.

LIPCO Group (Pty) Ltd processes Client Personal Data for client support and operational assistance. It is located in South Africa. Relevant data categories may include administrative data, client contact details, communication data, onboarding information, and related support data to the extent required to assist with the services.

Microsoft Corporation (including Microsoft Azure and Microsoft Teams) processes Client Personal Data for hosting, infrastructure, secure storage, meetings, chat, calls, collaboration, file sharing, and related workflow support. The relevant processing location depends on the selected Microsoft geography or tenant region. Microsoft states that customer data is stored and hosted in Azure services within the geographies the customer selects, while some service functionality may require additional replication or processing depending on the service. Relevant data categories may include service data, account data, uploaded content, support data, client contact details, communication content, meeting metadata, chat messages, shared files, recordings, transcripts, and related usage data.

Okta, Inc./Auth0 processes Client Personal Data for authentication and user access management. Okta states that customer data is hosted in data centres selected by the customer and that it has cells across the US, EMEA, Japan, Australia, Canada and India, with processing locations varying depending on the applicable service and selected cell. Relevant data categories may include login identifiers, authentication metadata, IP addresses, device information, access logs, and related account security data.

Sendbird, Inc. processes Client Personal Data for real-time communications functionality. Sendbird states that it offers regional hosting to support data residency needs. Relevant data categories may include communication content, messages, attachments, participant details, metadata, and related account or usage data.

monday.com Ltd processes Client Personal Data for project, task, onboarding, and workflow management. monday.com states that customer data is hosted in a single primary data region based on account setup and that accounts from the EU, Africa, or the Middle East are stored in the EU Data Region, while some processing may also occur in Israel and, for certain accounts, in the United States. Relevant data categories may include client contact details, task and project information, workflow data, uploaded files, updates, and related account data.

HubSpot, Inc. processes Client Personal Data for CRM, communications, and related client relationship workflows. HubSpot states that it offers data hosting locations in Europe, Canada, Australia, and the United States, and that the applicable hosting location depends on the customer’s account setup. Relevant data categories may include contact data, communication data, account and relationship data, and related workflow or support data.

ComplyCube processes Client Personal Data for identity verification, KYC, AML, and compliance screening. ComplyCube states that its data is stored in multiple data centres across the globe to meet GDPR, CCPA, and local data residency requirements. Relevant data categories may include identity data, contact data, verification documents, biometric data where applicable, and compliance screening data.

Better Stack, Inc. processes Client Personal Data for telemetry, monitoring, logging, alerting, and service performance oversight. Better Stack states that, by default, data is stored in EU regions, with custom data locations available for enterprise accounts. Relevant data categories may include technical telemetry, logs, timestamps, IP addresses, user or device identifiers, and service metrics.

Fireflies.ai Corp. processes Client Personal Data for AI-assisted meeting recording, transcription, note-taking, summarisation, and related meeting intelligence. Fireflies states that, by default, data is stored and processed in the United States, and that private storage can store meeting data in the EU while processing still occurs in the US. Relevant data categories may include client contact details, meeting content, audio recordings, transcripts, summaries, action items, participant metadata, calendar information, and related communication data.

We may update this Annexure from time to time in accordance with section 6 of this Addendum.