This Data Processing Agreement ("DPA") supplements the +law Terms of Service or other written agreement (the "Agreement") between PlusLaw LLC, operating as +law ("Processor"), and the customer using the Service ("Controller"). It governs the processing of personal data on Controller's behalf in connection with the Service.

This DPA is designed to satisfy the requirements of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, and the California Consumer Privacy Act (CCPA / CPRA). In the event of a conflict between this DPA and the Agreement with respect to data protection, this DPA controls.

To execute this DPA on behalf of your firm, email hello@pluslaw.com with your firm's legal name and the name and title of the signatory. We will return a counter-signed copy.
/ 01

Definitions

Personal data
Information relating to an identified or identifiable natural person submitted to the Service by Controller or its end users.
Data subject
The identified or identifiable natural person to whom personal data relates. Typically, this is the prospective or existing client of Controller's law firm.
Process / processing
Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
Sub-processor
A third party engaged by Processor to process personal data on its behalf.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
Standard Contractual Clauses
The standard contractual clauses adopted by the European Commission for the transfer of personal data to processors established in third countries.
/ 02

Scope and roles

Controller acts as the data controller for personal data submitted to the Service. Processor acts as the data processor of that personal data, processing it solely on Controller's documented instructions and as necessary to provide the Service.

Where Controller is itself a processor for a third-party controller (for example, where the firm is processing data on behalf of a corporate client), Processor will act as a sub-processor and will follow Controller's instructions accordingly.

/ 03

Processing details

Subject matter

Provision of the +law platform, including hosted intake forms, magic-link client portals, AI voice intake (where enabled), admin console, and related services.

Duration

For the term of the Agreement and any post-termination wind-down period during which Controller may export data.

Nature and purpose

Hosting, transmission, storage, and presentation of personal data necessary to operate the Service for Controller's benefit, including authentication, audit logging, transactional email, conflict checking, and (where enabled) AI-driven voice conversations and transcription.

Categories of data subjects

  • Controller's prospective clients (leads, intake submissions, AI voice call recipients).
  • Controller's existing clients with active matters.
  • Controller's staff (administrative users of the Service).

Types of personal data

  • Identification: name, email address, phone number, date of birth, postal address.
  • Demographic: marital status, dependents, occupation.
  • Case-relevant facts: matter description, parties involved, narrative responses to intake questions, uploaded documents.
  • Sensitive categories where collected by Controller's intake configuration: government identifiers, health information, financial information.
  • Audio and transcript data from AI voice intake calls (where enabled by Controller).
  • Technical data: IP address, browser metadata, device identifiers, audit log entries.
/ 04

Controller obligations

Controller represents and warrants that it has a lawful basis under applicable data protection law to collect, process, and transfer the personal data submitted to the Service. Controller is responsible for:

  • Providing privacy notices to data subjects as required by law.
  • Obtaining any necessary consents (including for AI voice intake calls and call recording).
  • Configuring intake forms, retention rules, and access controls appropriate to the sensitivity of the data collected.
  • Responding to data subject requests directed to Controller.
  • Notifying Processor promptly if Controller becomes aware of any unlawful processing.
/ 05

Processor obligations

Processor will:

  • Process personal data only on Controller's documented instructions, including those set out in the Agreement and this DPA, and as necessary to provide the Service.
  • Not process personal data for any other purpose, including the training of Processor's own machine learning models, without Controller's prior written consent.
  • Ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations.
  • Implement and maintain appropriate technical and organizational security measures (see Section 10).
  • Assist Controller in fulfilling its obligations regarding data subject rights, security, and breach notification.
  • Notify Controller without undue delay of a personal data breach affecting Controller's data.
  • Make available information necessary to demonstrate compliance with this DPA.
/ 06

Sub-processors

Controller authorizes Processor to engage sub-processors to provide the Service. A current list of sub-processors is maintained at our subprocessors page.

Processor will:

  • Impose data protection obligations on each sub-processor that are no less protective than those in this DPA.
  • Remain liable to Controller for the acts and omissions of its sub-processors.
  • Provide at least thirty days' advance notice of new sub-processors. Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection. If unresolved, Controller may terminate the affected portions of the Service.

To subscribe to sub-processor change notifications, email hello@pluslaw.com with the subject line "Subscribe: subprocessor changes".

/ 07

Data subject rights

Where required by applicable law, Processor will assist Controller (taking into account the nature of the processing) in responding to data subject requests for access, correction, erasure, restriction, portability, and objection. The Service includes self-service tools enabling Controller to fulfill many such requests directly, including data export and right-to-be-forgotten redaction primitives.

If Processor receives a data subject request directed to Controller's data, Processor will redirect the request to Controller without responding to it directly, unless legally required to do so.

/ 08

Personal data breach

Processor will notify Controller without undue delay, and in any event within seventy-two hours, of becoming aware of a personal data breach affecting Controller's personal data. The notification will include, to the extent known:

  • The nature of the breach and the categories and approximate number of data subjects and records affected.
  • The likely consequences of the breach.
  • Measures taken or proposed to address the breach and mitigate its effects.

Processor will cooperate with Controller and take steps to assist in any required notifications to data subjects and regulators. Processor's notification of, or response to, a personal data breach is not an acknowledgment of fault or liability.

/ 09

International transfers

Processor's primary processing location is the United States. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy determination, the parties agree that the Standard Contractual Clauses (Module 2: Controller-to-Processor) are incorporated into this DPA by reference and apply to such transfers, with the following selections:

  • Clause 7 (docking clause) applies.
  • Clause 9(a): Option 2 (general written authorization for sub-processors) applies, with thirty days' notice as set out in Section 6.
  • Clause 11 (independent dispute resolution) does not apply.
  • Clause 17: Governing law of the EU Member State in which Controller is established. If Controller is not established in the EU, Irish law applies.
  • Clause 18: Disputes are resolved in the courts of the same Member State.

For transfers from the United Kingdom, the parties incorporate the UK International Data Transfer Addendum.

/ 10

Security measures

Processor maintains a written information security program with administrative, technical, and physical safeguards appropriate to the nature of the personal data processed. Current measures include:

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of data at rest using industry-standard algorithms.
  • Field-level encryption for designated sensitive fields.
  • Logical isolation of customer workspaces, with automated tests verifying isolation on every release.
  • Role-based access control with least-privilege principles.
  • Multi-factor authentication for administrative and engineering access.
  • Audit logging of all access to and modification of customer data.
  • Network segmentation, secrets management, and dependency monitoring.
  • Background checks and confidentiality obligations for personnel with access to customer data.
  • Incident response procedures with defined roles and notification timelines.
  • Regular third-party security assessments and penetration testing.

Processor will not materially decrease the protections afforded by these measures during the term of the Agreement.

/ 11

Audit rights

Controller may verify Processor's compliance with this DPA through:

  • Reviewing third-party audit reports and certifications made available by Processor (such as SOC 2 reports, where available).
  • Reviewing Processor's responses to written security questionnaires reasonably submitted by Controller.
  • Conducting on-site audits with at least thirty days' advance notice, no more than once per year (except following a personal data breach), at Controller's expense, conducted by Controller or a mutually agreed independent auditor bound by confidentiality.
/ 12

Return and deletion of personal data

Upon termination of the Agreement, Controller may export its personal data using built-in tools for a period of thirty days. After that period, Processor will delete personal data from active systems and from backups within ninety days, unless retention is required by applicable law.

At any time during the term, Controller may request the deletion of specific personal data using built-in tools or by written request to Processor.

/ 13

Contact

For questions about this DPA or to execute it on behalf of your firm, contact us:

PlusLaw LLC
323 Washington Ave N, #200
Minneapolis, MN 55401

Email: hello@pluslaw.com