Data Processing Agreement
This Data Processing Agreement ("DPA") governs the processing of personal data by LegalsOne LLC as a data processor on behalf of subscribing law firms as data controllers. It supplements the Terms of Service and is incorporated by reference for all active subscriptions.
Effective Date: February 23, 2026 | Jurisdiction: Nebraska, USA (with GDPR-aligned provisions)
1. Definitions
- "Controller" means the subscribing law firm, which determines the purposes and means of processing personal data within the LegalsOne platform.
- "Processor" means LegalsOne LLC, which processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by LegalsOne in connection with the provision of the Platform to Controller.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, disclosure, and deletion.
- "Data Subject" means the individual to whom Personal Data relates (e.g., firm employees, clients of the law firm).
- "GDPR" means Regulation (EU) 2016/679 and/or the UK GDPR, as applicable.
- "Security Incident" means any confirmed unauthorized access to, disclosure of, or destruction of Personal Data.
2. Roles of the Parties
The subscribing law firm (Controller) determines which personal data is entered into the LegalsOne platform and for what purposes. LegalsOne (Processor) processes that data only to deliver the contracted services, on documented instructions from the Controller, and does not use the data for any independent purpose.
Each party is independently responsible for complying with applicable data protection laws with respect to its own controller-level activities. LegalsOne's obligations as a processor are set out in this DPA.
3. Subject Matter and Details of Processing
- Subject Matter: The operation of a hosted legal operations platform for law firms, including CRM, case management, document management, client portal, HR tools, and reporting modules.
- Duration: The term of the subscription agreement, plus any post-termination data retention period specified in this DPA.
- Nature and Purpose: Storage, organization, retrieval, transmission, and deletion of personal data as necessary to deliver the subscribed services.
- Categories of Personal Data: May include names, contact information, case-related information, professional information, financial information (for trust accounting features), and employment information (for HR features).
- Categories of Data Subjects: The Controller's employees, contractors, and the law firm's underlying clients and third parties whose data the Controller enters into the Platform.
4. Processing Instructions
LegalsOne shall process Personal Data only on documented instructions from the Controller, which include the instructions reflected in the Terms of Service and this DPA, and any additional instructions provided in writing during the subscription term.
If LegalsOne is required by applicable law to process Personal Data in a manner that conflicts with the Controller's instructions, LegalsOne will inform the Controller before such processing (unless prohibited by law). LegalsOne must notify the Controller if, in its opinion, an instruction infringes applicable data protection law.
5. Security Measures
LegalsOne implements and maintains technical and organizational security measures appropriate to the risks presented by the processing. These include, at a minimum:
- Encryption in Transit: All data transmitted between users and the platform is encrypted using TLS 1.2 or higher.
- Encryption at Rest: All customer data is stored on encrypted volumes using AES-256 via AWS SSE-KMS, with customer-specific encryption keys.
- Access Controls: Role-based access control (RBAC) limits data access to authorized individuals within the firm. LegalsOne staff access to customer environments is limited to personnel with a documented support need.
- Audit Logging: Login events, document access events, and permission changes are logged and available for review by firm administrators.
- Infrastructure Isolation: Each subscribing firm receives a dedicated AWS server stack, database instance, and S3 storage bucket. Customers are logically and physically isolated from one another.
- Backups: Nightly encrypted backups of database and object storage are performed. Backups are stored separately from primary data. See our Backups & Recovery Policy.
- Personnel: LegalsOne staff with access to customer environments are subject to confidentiality obligations and security training.
- Vulnerability Management: LegalsOne performs regular security reviews and patch management on its infrastructure.
6. Subprocessors
Controller authorizes LegalsOne to engage the subprocessors listed at legalsone.com/legal/subprocessors to assist in delivering the Platform. LegalsOne shall:
- Impose data protection obligations on each subprocessor equivalent to those in this DPA;
- Remain liable to Controller for the performance of each subprocessor's obligations; and
- Notify Controller of any intended changes to the subprocessor list (additions or replacements) at least 14 days in advance by updating the Subprocessors page or by direct email notice. If Controller objects to a new subprocessor on reasonable data protection grounds, the parties will attempt in good faith to resolve the objection.
7. Data Subject Rights
LegalsOne will promptly notify Controller of any data subject request it receives directly relating to Personal Data processed under this DPA and will not respond to such requests without Controller's direction, except as required by law.
Taking into account the nature of processing, LegalsOne will assist Controller, through appropriate technical and organizational measures, to fulfill Controller's obligation to respond to data subject rights requests (access, correction, deletion, portability, objection) under applicable law.
8. Security Incident Notification
LegalsOne will notify Controller without undue delay, and in any event no later than 72 hours after becoming aware of a confirmed Security Incident affecting Personal Data. Notification will be made to the primary administrator email address on file for the subscribing firm.
Notification will include, to the extent then known:
- A description of the nature of the Security Incident, including categories and approximate number of affected Data Subjects and records;
- Contact details for further information;
- The likely consequences of the Security Incident; and
- Measures LegalsOne has taken or proposes to take to address the incident.
Where all information is not available within 72 hours, LegalsOne may provide information in phases as it becomes available. The 72-hour clock runs from LegalsOne's confirmation of the incident, not from initial detection of a potential anomaly.
Controller is solely responsible for determining its own notification obligations to data subjects, regulators, and other third parties under applicable law.
9. Deletion and Return of Data
Upon termination or expiry of the subscription, LegalsOne will make Customer Content available for export for a period of 30 days via standard export tools. Following this period, LegalsOne will securely delete all Customer Content, including backups, from its systems within a commercially reasonable time (typically no longer than 90 days post-termination) unless retention is required by applicable law.
Controller may request written confirmation of deletion completion after the final deletion has occurred. Deletion of encrypted backups may occur on the backup rotation schedule, which may extend the 90-day window in limited circumstances.
10. Audit Rights
LegalsOne will provide Controller with all information reasonably necessary to demonstrate compliance with this DPA upon written request. LegalsOne may satisfy audit requests by providing relevant third-party certifications, audit reports, or written attestations prepared by qualified security personnel.
If Controller requires an on-site audit, it must provide at least 30 days' written notice, conduct the audit during normal business hours, ensure auditors are subject to appropriate confidentiality obligations, and reimburse LegalsOne for reasonable costs associated with the audit. Audits must not unreasonably disrupt LegalsOne's operations or compromise the security or confidentiality of other customers' data.
11. International Data Transfers
Personal Data processed under this DPA is stored and processed in the United States on AWS infrastructure. For transfers of Personal Data from the EEA, UK, or Switzerland to the United States, LegalsOne relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission, or equivalent mechanisms as required by applicable law. Controllers may request a copy of the applicable SCCs by contacting privacy@legalsone.com.
12. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits either party's liability to data subjects or supervisory authorities under applicable data protection law.
13. Term
This DPA is in effect for the duration of the subscription agreement and terminates upon expiry or termination of that agreement, subject to any survival provisions related to data deletion and confidentiality.
14. Contact
DPA inquiries: privacy@legalsone.com
Note: This DPA is provided as a standardized agreement incorporated automatically into all LegalsOne subscriptions. Customers requiring a countersigned DPA for regulatory purposes may contact us to execute a signed version.