Data Processing Agreement
This data processing agreement ("Agreement") explains how we handle your personal data when you use our services. By subscribing to our services and accepting our Terms of Service and Privacy Policy during the sign-up process, you ("controller") agree to the terms outlined in this Agreement. We, Lawyerly Ltd (company number 15697410) under our legal service subscription brand name, Lawyerlink ("processor"), are committed to protecting your personal data in compliance with UK data protection laws.
Background
> Our services
You engage us to provide the legal services outlined in our Terms of Service. These services are designed to support your business needs and may involve accessing and handling your personal data.
> Processing your personal data
To deliver these services effectively, we need to process certain personal data on your behalf. The types of data we process, the individuals it relates to, how we process it, why we process it, and how long we keep it are detailed in Schedule 1.
> Legal requirements
UK data protection laws, specifically Article 28(2) of the UK General Data Protection Regulation (UK GDPR), require us to have a written agreement with you. This agreement governs how we process your personal data and ensures that both parties comply with legal obligations.
> Purpose of this agreement
This Agreement sets out the terms under which we process your personal data, ensuring that we both meet our responsibilities under the UK GDPR. It outlines how we handle your data, keep it secure, and respect your rights.
> Scope of this agreement
The terms in this Agreement apply to all processing of personal data we carry out for you, now and in the future. It covers all personal data we hold related to our services, whether we have it now or receive it later.
Key points
> Data controller and processor roles
- You are the data controller: You determine the purposes and means of processing your personal data.
- We are the data processor: We process your personal data on your behalf to provide our services.
> Compliance with data protection laws
Both parties agree to comply with all applicable data protection laws, including the UK GDPR and the Data Protection Act 2018.
> Integration with our service agreement
This Agreement is part of our overall service agreement with you. If there's any conflict between this Agreement and other agreements regarding personal data, this Agreement takes precedence.
> Duration of the agreement
This Agreement remains effective as long as we process personal data on your behalf. Certain obligations, like confidentiality and data protection measures, continue even after we stop providing services to you.
By entering into this Agreement, both you and we acknowledge our responsibilities and agree to work together to protect personal data in accordance with legal requirements.
1. Definitions and interpretation
In this Agreement, the following terms have the meanings set out below:
"Commissioner": This refers to the UK's Information Commissioner's Office (ICO), which is the authority responsible for enforcing data protection laws.
"Controller": That's you—the person or organisation who decides why and how personal data is processed.
"Data protection legislation": All the current UK laws about data protection and privacy. This includes the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, among others.
"Data subject": Any living person whose personal data is being processed. In other words, individuals whom the data is about.
"Personal data": Any information that can identify a living person, either on its own or when combined with other information. This could be names, identification numbers, location data, online identifiers, or factors specific to that person's physical, physiological, genetic, mental, economic, cultural, or social identity.
"Personal data breach": A security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data.
"Processor": That's us—Lawyerly Limited and the Lawyerlink legal service subscription brand. We process personal data on your behalf.
"Processing" (and related terms like "process", "processed", "processes"): Any action taken with personal data. This includes collecting, recording, organising, storing, altering, retrieving, using, disclosing, erasing, or destroying data.
"Services": The services we provide to you, as described in our Terms of Service. This includes everything you use from us for the purposes outlined there.
"UK GDPR": The UK General Data Protection Regulation. This is the main data protection law in the UK, which came into effect after Brexit.
For clarity in this Agreement:
- When we say something is "in writing," this includes electronic communications like emails or faxes.
- References to laws or statutes mean those laws as they are currently in force, including any amendments or updates.
- "This Agreement" includes all its Schedules (the sections at the end that provide additional details), as they may be updated over time.
- A "Schedule" refers to a specific section attached at the end of this Agreement.
- A "Clause" or "paragraph" refers to a specific numbered section within this Agreement.
- "Party" or "Parties" means you and us—the people or organisations entering into this Agreement.
- The headings used in this Agreement are there to help you navigate the document and don't affect its interpretation.
- Words indicating the singular (e.g., "Party") also include the plural (e.g., "Parties"), and vice versa.
- References to one gender include all genders.
- References to "persons" include individuals, companies, and other legal entities.
2. Providing services and processing personal data
You confirm that you have the necessary rights and legal basis to share personal data with us for processing under this agreement. It’s your responsibility to comply with data protection laws, including giving any required notices to individuals and getting their consent if needed.
You must also give us clear, written instructions on how to handle the data. We’ll only process your data:
- To provide the services you’ve requested.
- As far as it’s necessary for those services.
- According to your written instructions, unless the law requires us to act differently.
3. Data protection compliance
3.1. Your instructions:
All additional instructions you give us must be in writing and must comply with data protection laws. We'll only act on these written instructions unless the law requires us to do otherwise.
3.2. Handling requests:
If you ask us to amend, transfer, delete, or otherwise handle your personal data differently, we'll comply promptly. We'll also act immediately if you need us to stop or fix any unauthorised processing.
3.3. Data access:
We'll provide you with all your personal data upon your request, in the formats and within the timeframes you specify, following your written instructions.
3.4. Mutual compliance:
Both you and we agree to always comply with data protection laws. We'll ensure that our actions don't cause either of us to breach these laws.
3.5. Your assurance:
You confirm that your personal data complies with data protection laws in every way, including how it's collected, held, and processed. You've obtained all necessary consents and provided any required notices to allow us to process the data lawfully.
3.6. Our cooperation:
We are committed to taking any reasonable measures you require to ensure compliance with this Agreement and data protection laws. This includes adhering to best practice guidance issued by the Information Commissioner’s Office (ICO). What qualifies as "reasonable" will depend on the nature of our processing activities and the information at our disposal.
If you need to conduct a Data Protection Impact Assessment (DPIA) or consult with the ICO, we’ll provide the support you need. Our assistance will be based on the specific processing we carry out and the information we can provide.
3.7. Changes in law:
We'll inform you promptly if any changes to data protection laws might affect our ability to perform our services or meet our obligations under this Agreement.
4. Our commitments when processing your personal data
When we're processing your personal data on your behalf:
4.1. Third-party sharing:
If we share your personal data with third parties, we will ensure they protect your data in line with this Agreement.
4.2. Lawful processing:
We'll process your personal data only as necessary to fulfil our obligations to you or as required by law. If required by law, we'll inform you of the legal requirement before processing, unless the law prohibits us from doing so.
4.3. Security measures:
We'll implement appropriate technical and organisational measures (as described in Schedule 2) to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. We'll inform you in advance of any changes to these measures.
4.4. Security standards:
We'll ensure a level of security appropriate to the risks involved, including:
- Data protection techniques: Using methods like pseudonymisation (replacing identifying information with pseudonyms) and encryption where practical.
- System integrity: Ensuring ongoing confidentiality, integrity, availability, and resilience of our processing systems and services.
- Disaster recovery: Having the ability to restore access to personal data promptly in the event of physical or technical issues.
- Regular testing: Frequently testing and evaluating the effectiveness of our security measures.
4.5. Additional information:
If you request it (and within reasonable timeframes you specify), we'll provide further details about our technical and organisational systems in place to safeguard your personal data and prevent unauthorised access.
4.6. Record keeping:
We'll keep complete and accurate records of all processing activities we carry out on your personal data. This is to demonstrate our compliance with this Agreement and data protection laws.
4.7. Legal compliance:
We'll inform you immediately if we're asked to do anything that would infringe data protection laws.
5. Transferring personal data outside the UK or EEA
We won’t transfer your personal data outside the UK or EEA unless it meets the rules set out in Chapter V of the UK GDPR. If a transfer is necessary, we’ll make sure the right safeguards are in place, like using Standard Contractual Clauses or relying on an adequacy decision. We will provide documentation to show how we’re meeting these requirements when you ask us to.
6. Working with other processors
We won’t bring in any additional processors (called sub-processors) to help with your data without getting your written approval first. You can find a list of approved sub-processors in Schedule 3 of this agreement.
If we intend to add or replace a sub-processor, we will notify you in advance, giving you a reasonable opportunity to raise any objections. Should you object on valid grounds, we will either refrain from appointing the sub-processor or allow you to terminate this agreement without penalty.
7. Handling data subject requests, notices, complaints, and data breaches
We are dedicated to helping you comply with data protection laws. Here's how we manage various situations:
7.1. Requests from individuals (data subjects):
If we receive a request from someone to exercise their rights under data protection laws (like accessing their personal data), we will inform you immediately in writing.
We won't respond directly to the individual unless you instruct us to do so or we're legally required.
7.2. Other communications:
If we receive any complaints, notices, or communications related to the processing of personal data or compliance with data protection laws, we will notify you right away.
7.3. Our cooperation:
We will fully cooperate and assist you in handling any requests or communications. This includes providing all details of the request or complaint, supplying any necessary information to help you respond, sharing any relevant personal data we hold within the timeframes you specify, and providing any additional information you request.
7.4. Data breaches:
If we become aware of any data breach, such as unauthorised access, loss, or destruction of personal data, we will notify you immediately. If possible, we will recover any affected data as soon as possible.
Without undue delay, we will provide a description of what happened, including the types of data affected and the number of records and individuals involved. We will outline the likely consequences of the breach and provide details of the measures taken or proposed to address the breach and mitigate any potential adverse effects.
We will cooperate fully with you in investigating and handling the breach. We will not inform any third parties about the breach without your express written consent, unless required by law.
You have the sole right to decide whether to notify data subjects, the Information Commissioner's Office (ICO), or other authorities, and whether to offer any remedies to affected individuals.
8. Our staff and Data Protection Officer
8.1. Staff training and obligations
All our staff who access or process personal data are informed about its confidential nature. They are bound by contractual obligations to keep the data confidential and use it appropriately. They receive proper training on data protection laws and understand how these laws affect their roles. Staff are also aware of their duties under data protection laws and this agreement.
8.2. Data Protection Officer
We have appointed a Data Protection Officer in line with legal requirements.
Contact details:
- Name: Willie van der Merwe
- Email: dpo@lawyerlink.co.uk
9. Liability and indemnity
9.1. Your liability
You are responsible for, and will compensate us for, any costs, claims, or losses we suffer due to your non-compliance with data protection laws, processing we do based on your instructions that infringe data protection laws, or any breach by you of your obligations under this agreement.
9.2. Our liability
We are responsible for, and will compensate you for, any costs, claims, or losses you suffer due to our processing activities under this agreement, but only if the loss results from our breach of this agreement, your instructions, or data protection laws, and was not contributed to by any breach on your part.
9.3. Limitations
You cannot claim back from us any amounts you have paid in compensation if you are responsible for indemnifying us as described above.
9.4. Direct obligations to data subjects
Nothing in this agreement removes or affects either party's liability to any individual (data subject) or for any breach of direct obligations under data protection laws. We acknowledge that we remain subject to the authority of the ICO and will fully cooperate as required. We understand that failing to comply with our obligations may result in fines, penalties, and compensation requirements under data protection laws.
10. Intellectual property rights
All rights to the personal data (like copyright or database rights) belong to you or any third party you've obtained the data from (like the individuals themselves).
We have permission to use this personal data only for providing our services to you and as outlined in this Agreement.
11. Subcontractors
11.1. If we use subcontractors:
- We'll enter into a written agreement with them that imposes the same obligations on them as we have under this Agreement.
- We'll ensure that both we and you can enforce these obligations against the subcontractor.
- We'll make sure the subcontractor fully complies with their obligations under that agreement and data protection laws.
- We'll maintain control over all personal data transferred to the subcontractor.
- Our agreement with the subcontractor to process your personal data will automatically end if this Agreement ends for any reason.
11.2. Our responsibility:
If the subcontractor fails to meet their obligations, we remain fully liable to you for fulfilling our obligations under this Agreement.
11.3. Control over data:
Legally, we're considered to have control over any personal data in the possession of or controlled by our subcontractors.
12. Deletion or return of personal data
12.1. Your rights:
At your written request, we'll delete, dispose of, or return all personal data to you in the format you reasonably request, within a reasonable time after:
- We've finished providing the services; or
- We no longer need to process that personal data to fulfil our obligations to you.
12.2. Deletion of copies:
After deleting, disposing of, or returning the personal data, we'll also delete or dispose of any further copies we hold, unless we're required by law to keep them. If we need to retain copies, we'll inform you in writing.
12.3. Methods of deletion:
We'll delete or dispose of all personal data using the following methods:
- Electronic data: Secure data erasure software.
- Physical documents: Cross-cut shredding.
13. Governing law and jurisdiction
This Agreement is governed by the laws of England and Wales. Any disputes or claims arising from this Agreement will be resolved in the courts of England and Wales.
Schedule 1: Personal data
| Type of Personal Data | Category of Data Subject | Nature of Processing | Purpose(s) of Processing | Duration of Processing |
|---|---|---|---|---|
| Name | Clients (business owners) | Collection, recording, storage, retrieval, use, erasure | To identify clients, manage accounts, provide services | Duration of agreement and as required by law |
| Contact details (address, email, phone) | Clients | Collection, recording, storage, retrieval, use, erasure | To communicate with clients, send notifications and updates | Same as above |
| Payment information (e.g., credit card) | Clients | Collection, recording, storage, use, erasure | To process payments for subscription services | As required by financial regulations |
| Business information (company name, etc.) | Clients | Collection, recording, storage, retrieval, use, erasure | To tailor services to client needs, compliance purposes | Same as above |
| Usage data (access logs, activity data) | Clients | Collection, recording, storage, analysis, use, erasure | To improve services, monitor compliance, security purposes | Same as above |
| Personal data in documents uploaded by clients | Clients, clients' customers or employees | Collection, storage, retrieval, use, erasure | To provide legal services, document review, advice | Same as above |
Schedule 2: Technical and organisational data protection measures
We are committed to protecting your personal data. Here’s how we ensure its security:
1. Appropriate security standards
We maintain security measures that are suitable for the potential harm that could result from unauthorised access, loss, or destruction of your personal data, as well as the nature of the personal data we handle.
2. Our security commitments:
2.1. Comprehensive data protection policy
We have a detailed data protection policy that:
- Identifies our security needs based on thorough risk assessments.
- Assigns responsibility for implementing the policy to specific individuals, such as our Data Protection Officer or designated team members.
- Is available to you upon request.
- Is shared with all relevant staff members.
- Includes a process for feedback and regular review to keep it up-to-date.
2.2. Safeguarding hardware and software
We use advanced security safeguards and up-to-date virus protection to protect the hardware and software used in processing your personal data, following best industry practices.
2.3. Preventing unauthorised access
We implement strict measures to prevent unauthorised access to your personal data.
2.4. Encryption and pseudonymisation
Where practical, we protect your personal data by:
- Encryption: Scrambling data so it cannot be read without a special key.
- Pseudonymisation: Replacing identifying details with pseudonyms to make data less identifiable.
2.5. Secure data storage
We ensure that all personal data is stored securely. Physical records and electronic data are kept in secure locations, and access by our staff is strictly monitored and controlled.
2.6. Secure data transfer
We use secure methods to transfer personal data. For physical data, we use trusted couriers instead of regular mail. For electronic data, we use secure encryption methods like SSL/TLS when sending data online.
2.7. Password protection
All devices storing personal data are password-protected. Passwords are strong (at least 8 characters, including upper- and lower-case letters, numbers, and special characters) and are never shared.
2.8. Mobile device security
Mobile devices, such as laptops or tablets, used to access or store personal data are encrypted and secured. They are never left unattended in unsecured locations.
2.9. Trusted personnel
We take reasonable steps to ensure our staff who handle your personal data are reliable and trustworthy.
2.10. Monitoring and breach response
We have methods to detect and handle any security breaches, including loss or unauthorised access. We can identify which staff members have worked with specific personal data, and we have procedures to investigate and fix any data protection issues. If a security breach occurs, we will notify you immediately.
2.11. Regular backups
We securely back up all electronic personal data and store backups separately from the originals.
2.12. Secure disposal
We use secure methods to dispose of unwanted personal data, including backups, disks, print-outs, and old equipment.
2.13. Compliance with standards
We adopt processes and procedures to comply with the requirements of ISO/IEC 27001:2013, an international standard for information security management.
2.14. Staff training
We regularly train our staff on data protection and privacy policies to keep them informed and vigilant.
2.15. Security assessments
We perform regular security assessments and penetration testing to identify and fix any vulnerabilities.
Note: Our commitment to data security is ongoing. We continuously review and improve our practices to ensure your information remains safe with us.
Schedule 3: Approved or authorised sub-processors
This schedule lists the sub-processors authorised by the Controller to process personal data on behalf of the Processor. These sub-processors are engaged to support specific services under this Agreement. These are the approved sub-processors:
HubSpot
- Purpose: Customer relationship management (CRM) tools, marketing automation, and sales management.
- Location: United States.
- Data Categories: Customer and marketing data.
Stripe
- Purpose: Payment processing and subscription management.
- Location: United States and global operations.
- Data Categories: Payment and financial data.
- Purpose: System development, maintenance, and security infrastructure.
- Location: South Africa.
- Data Categories: System and operational data, including technical information.
- Purpose: Marketing, branding, and digital advertising.
- Location: South Africa.
- Data Categories: Marketing and branding data.
- Purpose: Client support and operational assistance.
- Location: South Africa.
- Data Categories: Administrative and client support data.
- Purpose: Secure storage of data and web service.
- Location: Azure West EU.
- Data Categories: Customer personal and support data.
- Purpose: Realtime communication between Lawyerly and customer.
- Location: USA
- Data Categories: Limited to data shared by customer with Lawyerly while communicating.
- Purpose: Authentication and authorization of users and internet communication.
- Location: EU
- Data Categories: No personal information
- Purpose: Realtime communication between Lawyerly and customer.
- Location: USA
- Data Categories: Limited to data shared by customer with Lawyerly while communicating.
- Purpose: Telemetry and monitoring of web services.
- Location: USA
- Data Categories: No personal information
Conditions for authorisation of new sub-processors
The Processor may engage new sub-processors only after notifying the Controller in advance and providing a reasonable period for the Controller to raise objections based on valid concerns. The Processor shall ensure that all sub-processors comply with the same data protection obligations set out in this Agreement.
If you have any questions or need assistance, please feel free to reach out to us at any time by sending an email to support@lawyerlink.co.