Data Processing Addendum (DPA)

This Data Processing Addendum (Addendum) explains how we handle your personal data when you use our services. By subscribing to our services and accepting our Terms of Service during the sign-up process, you (the controller) agree to the terms outlined in this DPA.

We, Lawyerly Ltd (company number 15697410), trading under our legal service subscription brand name Lawyerlink (the processor), are committed to protecting your personal data in compliance with UK data protection laws.

A. Background

We provide the services described in the Terms of Service, which may involve processing personal data on your behalf. Article 28(3) UK GDPR requires a written addendum governing that processing. This Addendum sets out how we process personal data for you, the security we apply, and how we support your rights and compliance. It applies to all personal data we process for you under the Subscription Agreement, now or in the future.

B. Key points

  • Roles: You are the Controller; we are the Processor.

  • Law: Both parties will comply with UK GDPR and the Data Protection Act 2018.

  • Precedence: This Addendum forms part of the Subscription Agreement and prevails in any conflict regarding personal data.

  • Duration: It applies for as long as we process personal data for you; confidentiality and data-protection obligations continue after termination.

1. Definitions and interpretation

In this Addendum, the following terms have the meanings set out below:

  • Controller: That's you, the person or organisation who decides why and how personal data is processed.

  • Data protection legislation: All the current UK laws about data protection and privacy. This includes the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, among others.

  • Data subject: Any living person whose personal data is being processed. In other words, individuals whom the data is about.

  • Personal data: Any information that can identify a living person, either on its own or when combined with other information. This could be names, identification numbers, location data, online identifiers, or factors specific to that person's physical, physiological, genetic, mental, economic, cultural, or social identity.

  • Personal data breach: A security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data.

  • Processor: That's us, Lawyerly Limited and the Lawyerlink legal service subscription brand. We process personal data on your behalf.

  • Processing (and related terms like process, processed, processes): Any action taken with personal data. This includes collecting, recording, organising, storing, altering, retrieving, using, disclosing, erasing, or destroying data.

  • Services: The services we provide to you, as described in our Terms of Service. This includes everything you use from us for the purposes outlined there.

2. Providing services and processing personal data

You confirm you have a lawful basis to share personal data with us and have provided all required notices (and consents where lawfully required). We will process personal data only: (a) to provide the services under the Subscription Agreement; (b) to the extent necessary for those services; and (c) in accordance with your documented instructions, unless the law requires otherwise (in which case we will inform you before processing, unless prohibited by law).


3. Data protection compliance

3.1. Your instructions

All additional instructions you give us must be in writing and must comply with data protection laws. We'll only act on these written instructions unless the law requires us to do otherwise.

3.2. Handling requests

If you instruct us to amend, transfer, delete or otherwise handle personal data differently, we will act promptly in accordance with your written instructions.

3.3. Access to information

We will provide information about our processing, including the personal data we hold for you, within reasonable timeframes to support your compliance.

3.4. Our cooperation

We are committed to taking any reasonable measures you require to ensure compliance with this Addendum and data protection laws. This includes adhering to best practice guidance issued by the Information Commissioner’s Office (ICO). What qualifies as reasonable will depend on the nature of our processing activities and the information at our disposal.

If you need to conduct a Data Protection Impact Assessment (DPIA) or consult with the ICO, we’ll provide the support you need. Our assistance will be based on the specific processing we carry out and the information we can provide.

3.5. Changes in law

We'll inform you promptly if any changes to data protection laws might affect our ability to perform our services or meet our obligations under this Addendum.

4. Our commitments when processing your personal data

When we're processing your personal data on your behalf:

4.1. Third-party sharing

If we share your personal data with third parties, we will ensure they protect your data in line with this Addendum.

4.2. Lawful processing

We'll process your personal data only as necessary to fulfil our obligations to you or as required by law. If required by law, we'll inform you of the legal requirement before processing, unless the law prohibits us from doing so.

4.3. Security measures

We'll implement appropriate technical and organisational measures (as described in Schedule 2) to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

We may update these measures from time to time to maintain or enhance security, and we will ensure the overall level of protection is not reduced.

4.4. Security standards

We'll ensure a level of security appropriate to the risks involved, including:

  • Data protection techniques: Using methods like pseudonymisation (replacing identifying information with pseudonyms) and encryption where practical.

  • System integrity: Ensuring ongoing confidentiality, integrity, availability, and resilience of our processing systems and services.

  • Disaster recovery: Having the ability to restore access to personal data promptly in the event of physical or technical issues.

  • Regular testing: Frequently testing and evaluating the effectiveness of our security measures.

4.5. Additional information

If you request it (and within reasonable timeframes you specify), we'll provide further details about our technical and organisational systems in place to safeguard your personal data and prevent unauthorised access.

4.6. Record keeping

We'll keep complete and accurate records of all processing activities we carry out on your personal data. This is to demonstrate our compliance with this Addendum and data protection laws.

4.7. Audit

We will make available all information necessary to demonstrate compliance with this Addendum and will allow for and contribute to reasonable audits or inspections by you or your mandated auditor, on reasonable notice and during business hours, provided this does not compromise the security or confidentiality of other clients’ data.

5. Transferring personal data outside the UK or EEA

We won’t transfer your personal data outside the UK or EEA unless it meets the rules set out in Chapter V of the UK GDPR. If a transfer is necessary, we’ll make sure the right safeguards are in place, like using Standard Contractual Clauses or relying on an adequacy decision. We will provide documentation to show how we’re meeting these requirements when you ask us to.

6. Working with other processors

We may use other trusted service providers (sub-processors) to help us deliver our services. A current list of approved sub-processors is set out in Schedule 3 and may be updated from time to time.

If we add or replace a sub-processor, we will give you notice in advance. You may raise an objection if you have valid reasons related to data protection. If we cannot reasonably resolve your objection, you may choose to stop using the affected services.

7. Handling data subject requests, notices, complaints, and data breaches

We are dedicated to helping you comply with data protection laws. Here's how we manage various situations:

7.1. Requests from individuals (data subjects)

If we receive a request from an individual to exercise their rights under data protection laws (such as a request for access, correction, or deletion), we will notify you promptly in writing. We will not respond to the request ourselves unless you instruct us to do so, or we are legally required to respond.

7.2. Other communications

If we receive any complaints, notices, or communications related to the processing of personal data or compliance with data protection laws, we will notify you without delay.

7.3. Our cooperation

We will fully cooperate and assist you in handling any requests or communications. This includes providing all details of the request or complaint, supplying any necessary information to help you respond, sharing any relevant personal data we hold within the timeframes you specify, and providing any additional information you request.

7.4. Data breaches

If we become aware of a personal data breach, we will notify you without undue delay and, where feasible, promptly take steps to contain and remedy the incident.

Without undue delay, we will provide a description of what happened, including the types of data affected and the number of records and individuals involved. We will outline the likely consequences of the breach and provide details of the measures taken or proposed to address the breach and mitigate any potential adverse effects.

We will cooperate fully with you in investigating and handling the breach. We will not inform any third parties about the breach without your express written consent, unless required by law.

You have the sole right to decide whether to notify data subjects, the ICO, or other authorities, and whether to offer any remedies to affected individuals.

8. Our staff and Data Protection Officer

8.1. Staff training and obligations

All our staff who access or process personal data are informed about its confidential nature. They are bound by contractual obligations to keep the data confidential and to use it appropriately. They receive proper training on data protection laws and understand how those laws affect their roles. Staff are also aware of their duties under data protection laws and this Addendum.

8.2. Data Protection Officer

We have appointed a Data Protection Officer in line with legal requirements.

Contact details:

Name: Willie van der Merwe

Email: dpo@lawyerlink.co

9. Liability and indemnity

9.1. Your liability

You are responsible for ensuring that the personal data you provide to us complies with data protection law. You will compensate us for any costs, claims, or losses we suffer as a result of:

  • your failure to comply with data protection law;

  • processing we carry out in accordance with your instructions that infringes data protection law; or

  • any breach by you of your obligations under this Addendum.

9.2. Our liability

We are responsible for the processing we carry out under this Addendum. We will compensate you for any direct costs, claims, or losses you suffer, but only where they arise from:

  • our breach of this Addendum;

  • our failure to follow your lawful instructions; or

  • our failure to comply with data protection law,

and only to the extent that the loss is not contributed to by your own breach.

9.3. Limitations

  • Neither party is liable for any indirect or consequential losses, including loss of profit, revenue, business, goodwill, or data.

  • Our total liability to you under this Addendum is limited to the total Subscription Fees you have paid to us in the 12 months immediately before the event giving rise to the claim.

  • You cannot claim back from us any amounts you are required to indemnify us for under clause 9.1.

9.4. Direct obligations to data subjects

Nothing in this Addendum limits or removes either party’s liability to any individual (data subject) for any breach of direct obligations under data protection law.

We acknowledge that we remain subject to the authority of the ICO and will cooperate fully as required.

10. Intellectual property in personal data

Rights in personal data belong to you or the relevant third party. We may use personal data only to deliver the services and as permitted by this Addendum and your instructions.

11. Deletion or return of personal data

11.1. Your rights

At your written request, we'll delete, dispose of, or return all personal data to you in the format you reasonably request, within a reasonable time after:

  • we've finished providing the services; or

  • we no longer need to process that personal data to fulfil our obligations to you.

11.2. Deletion of copies

After deleting, disposing of, or returning the personal data, we'll also delete or dispose of any further copies we hold, unless we're required by law to keep them. If we need to retain copies, we'll inform you in writing.

11.3. Methods of deletion

We'll delete or dispose of all personal data using the following methods:

  • Electronic data: Secure data erasure software.

  • Physical documents: Cross-cut shredding.

12. Governing law and jurisdiction

This Addendum is governed by the laws of England and Wales. Any disputes or claims arising from this Addendum will be resolved in the courts of England and Wales.



Schedule 1: Personal data

Each entry below gives the type of personal data processed, followed by the data subjects, the nature of processing, the purpose(s) of processing and the duration.

Name, contact details
  • Data subjects: Clients (business owners).

  • Nature of processing: Collect, record, store, retrieve, use, erase.

  • Purpose(s) of processing: Identify clients, manage accounts, communicate service updates.

  • Duration: Term of contract + legal retention (usually 7 years).

Payment information (e.g., card details)
  • Data subjects: Clients.

  • Nature of processing: Collect, store, use, erase.

  • Purpose(s) of processing: Process subscription payments and manage billing.

  • Duration: As required by financial/tax law.

Business information (company name, reg. details)
  • Data subjects: Clients.

  • Nature of processing: Collect, record, store, retrieve, use, erase.

  • Purpose(s) of processing: Tailor services; compliance and account configuration.

  • Duration: Term of contract + legal retention.

Usage data (access logs, activity)
  • Data subjects: Clients.

  • Nature of processing: Collect, store, analyse, use, erase.

  • Purpose(s) of processing: Improve services; monitor security and compliance.

  • Duration: Term of contract.

Personal data in uploaded documents
  • Data subjects: Clients; clients’ staff/customers.

  • Nature of processing: Collect, store, retrieve, review, use, erase.

  • Purpose(s) of processing: Provide legal services, document review and advice.

  • Duration: Term of contract + legal retention where required.



Schedule 2: Technical and organisational data protection measures

We are committed to protecting your personal data. Here’s how we ensure its security:

1. Appropriate security standards

We maintain security measures that are suitable for the potential harm that could result from unauthorised access, loss, or destruction of your personal data, as well as the nature of the personal data we handle.

2. Our security commitments

2.1. Comprehensive data protection policy

We have a detailed data protection policy that:

  • Identifies our security needs based on thorough risk assessments.

  • Assigns responsibility for implementing the policy to specific individuals, such as our Data Protection Officer or designated team members.

  • Is available to you upon request.

  • Is shared with all relevant staff members.

  • Includes a process for feedback and regular review to keep it up-to-date.

2.2. Safeguarding hardware and software

We use advanced security safeguards and up-to-date virus protection to protect the hardware and software used in processing your personal data, following best industry practices.

2.3. Preventing unauthorised access

We implement strict measures to prevent unauthorised access to your personal data.

2.4. Encryption and pseudonymisation

Where practical, we protect your personal data by:

  • Encryption: Encoding data so that it cannot be read without the decryption key.

  • Pseudonymisation: Replacing identifying details with pseudonyms to make data less identifiable.

2.5. Secure data storage

We ensure that all personal data is stored securely. Physical records and electronic data are kept in secure locations, and access by our staff is strictly monitored and controlled.

2.6. Secure data transfer

We use secure methods to transfer personal data. For physical data, we use trusted couriers instead of regular mail. For electronic data, we use secure encryption methods like SSL/TLS when sending data online.

2.7. Password protection

All devices storing personal data are password-protected. Passwords are strong (at least 8 characters, including upper- and lower-case letters, numbers, and special characters) and are never shared.

2.8. Mobile device security

Mobile devices, such as laptops or tablets, used to access or store personal data are encrypted and secured. They are never left unattended in unsecured locations.

2.9. Trusted personnel

We take reasonable steps to ensure our staff who handle your personal data are reliable and trustworthy.

2.10. Monitoring and breach response

We have methods to detect and handle any security breaches, including loss or unauthorised access. We can identify which staff members have worked with specific personal data, and we have procedures to investigate and fix any data protection issues. If a security breach occurs, we will notify you without undue delay.

2.11. Regular backups

We securely back up all electronic personal data and store backups separately from the originals.

2.12. Secure disposal

We use secure methods to dispose of unwanted personal data, including backups, disks, print-outs, and old equipment.

2.13. Compliance with standards

We adopt processes and procedures to comply with the requirements of ISO/IEC 27001:2013, an international standard for information security management.

2.14. Staff training

We regularly train our staff on data protection and privacy policies to keep them informed and vigilant.

2.15. Security assessments

We perform regular security assessments and penetration testing to identify and fix any vulnerabilities.

Note: Our commitment to data security is ongoing. We continuously review and improve our practices to ensure your information remains safe with us.



Schedule 3: Approved or authorised sub-processors

This schedule lists the sub-processors authorised by the Controller to process personal data on behalf of the Processor. They are engaged to support specific services under this Agreement. The approved sub-processors are:

HubSpot
  • Purpose: Customer relationship management (CRM) tools, marketing automation, and sales management.

  • Location: United States.

  • Data Categories: Customer and marketing data.

Stripe
  • Purpose: Payment processing and subscription management.

  • Location: United States and global operations.

  • Data Categories: Payment and financial data.

Shft
  • Purpose: System development, maintenance, and security infrastructure.

  • Location: South Africa.

  • Data Categories: System and operational data, including technical information.

Seek the Just
  • Purpose: Marketing, branding, and digital advertising.

  • Location: South Africa.

  • Data Categories: Marketing and branding data.

LIPCO Group
  • Purpose: Client support and operational assistance.

  • Location: South Africa.

  • Data Categories: Administrative and client support data.

Microsoft Azure
  • Purpose: Secure storage of data and web service.

  • Location: Azure West EU.

  • Data Categories: Customer personal and support data.

SendBird
  • Purpose: Real-time communication between Lawyerly and customer.

  • Location: USA.

  • Data Categories: Limited to data shared by customer with Lawyerly while communicating.

Okta Auth0
  • Purpose: Authentication and authorisation of users and internet communication.

  • Location: EU.

  • Data Categories: Authentication metadata (e.g., email/username, IP address, device and login timestamps).

Zoom Video Communications, Inc
  • Purpose: Real-time communication between Lawyerly and customer.

  • Location: USA.

  • Data Categories: Limited to data shared by customer with Lawyerly while communicating.

Better Stack, Inc
  • Purpose: Telemetry and monitoring of web services.

  • Location: USA.

  • Data Categories: Technical telemetry and log data (e.g., IP address, timestamps, service metrics).

Monday.com Ltd
  • Purpose: Project and task management, client onboarding and workflow coordination.

  • Location: Israel and EU data centres.

  • Data Categories: Client contact details, task information, project management data.

LexisNexis
  • Purpose: Legal research, regulatory compliance checks, and know-how support.

  • Location: United Kingdom and EU data centres.

  • Data Categories: May include limited client identifiers used for compliance searches, case research data, and professional contact information.

Conditions for authorisation of new sub-processors

The Processor may engage new sub-processors only after notifying the Controller in advance and providing a reasonable period for the Controller to raise objections based on valid concerns. The Processor shall ensure that all sub-processors comply with the same data protection obligations set out in this Addendum.

If you have any questions or need assistance, please feel free to reach out to us at any time by sending an email to support@lawyerlink.co.

Your data, protected

We are committed to processing your personal data responsibly, securely, and in line with UK data protection laws. For any questions about this DPA or the way we process data on your behalf, please contact our Data Protection Officer at dpo@lawyerlink.co.