DATA PROCESSING AGREEMENT

GDPR-Compliant Data Processing

Our Data Processing Agreement ensures your data is handled in full compliance with GDPR. Enterprise-ready documentation for your peace of mind.

GDPR Article 28
Zero-Knowledge
EU Data Residency
48h Breach Notice
30 Day Data Deletion
SCC Compliant Transfers

Version 1.0 - Template

Processor
LexAI Technologies, s.r.o., Company ID (ICO): 23589825, registered office: Školská 660/3, Praha 1 - Nové Město, 110 00 Praha 1
Processor contact
support@lexaitechnologies.com

Preamble

This Data Processing Agreement (hereinafter "DPA" or "Agreement") is entered into between the Processor and the Controller identified above (together, the "Parties") in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter "GDPR").

The Controller uses the LexAI platform (hereinafter "Platform" or "Service") provided by the Processor under the Terms of Use (hereinafter "Main Agreement"). In the course of providing the Service, the Processor may process personal data of natural persons in respect of whom the Controller acts as controller within the meaning of Article 4(7) GDPR. This DPA governs the terms on which the Processor processes such data on behalf of the Controller.

In the event of any conflict between this DPA and the Main Agreement, this DPA shall prevail with respect to matters of personal data protection.

Article 1 - Definitions

For the purposes of this Agreement, the following definitions apply:

  • "GDPR" - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
  • "Controller Personal Data" - personal data that the Controller transfers to the Processor for processing in the course of using the Service, or that the Processor processes on behalf of the Controller as a result of providing the Service.
  • "Data Subject" - a natural person whose personal data is being processed; in particular clients, employees, or other natural persons whose data the Controller processes through the Platform.
  • "Processing" - any operation or set of operations performed on personal data within the meaning of Article 4(2) GDPR.
  • "Security Breach" - a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data.
  • "Sub-processor" - a third party engaged by the Processor to process personal data on behalf of the Controller.
  • "Standard Contractual Clauses" / "SCC" - standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
  • "EEA" - the European Economic Area.

All other terms shall have the same meaning as in the GDPR or the Main Agreement.

Article 2 - Subject Matter and Nature of Processing

2.1 Subject Matter

The Processor processes Controller Personal Data solely for the purpose of providing the Service under the Main Agreement, including:

  • processing legal documents, contracts, and other texts through AI models;
  • conducting legal research based on queries containing personal data;
  • storing and managing conversations and projects within the Platform;
  • technical support and operation of the Platform.

2.2 Nature of Processing

Processing is carried out in an automated manner through AI models (Claude, Anthropic) and includes in particular: reading, analysing, summarising, classifying, and storing personal data contained in documents and queries submitted by the Controller.

2.3 Categories of Data Subjects

Processing may concern the following categories of data subjects:

  • the Controller's clients (natural persons);
  • the Controller's employees or associates;
  • counterparties in legal matters;
  • other natural persons identified in documents submitted by the Controller for processing.

2.4 Categories of Personal Data

Personal data processed may include in particular:

  • identification data (name, surname, date of birth, national identification number);
  • contact data (address, email, telephone);
  • data relating to legal matters and disputes;
  • financial and asset data;
  • special categories of personal data under Article 9 GDPR (health data, data relating to criminal proceedings, etc.), where contained in submitted documents.

2.5 Duration of Processing

Processing shall continue for the duration of the Main Agreement, unless otherwise specified in this DPA.

Article 3 - Obligations of the Processor

The Processor commits to the following obligations:

3.1 Processing Only on Controller's Instructions

The Processor shall process Controller Personal Data solely on the basis of documented instructions from the Controller, which shall consist of: the Main Agreement, this DPA, and instructions given by the Controller through the Platform.

3.2 Confidentiality

The Processor shall ensure that persons authorised to process Controller Personal Data are subject to a duty of confidentiality, whether contractual or statutory.

3.3 Technical and Organisational Security Measures

The Processor shall implement and maintain technical and organisational measures appropriate to the risk of processing, in accordance with Article 32 GDPR. These measures include:

Technical measures:

  • Zero-knowledge architecture for stored conversation content: conversation content is encrypted with three independent layers of AES-256-GCM directly on the Controller's device, and the Processor has no technical access to the unencrypted stored content. Content submitted for AI processing is transferred as described in Article 5.3.
  • Encryption of data at rest and in transit (AES-256-GCM at rest, TLS in transit).
  • Cryptographic key derivation using PBKDF2-SHA256 (600,000 iterations).
  • Multi-factor authentication (WebAuthn/FIDO2 and TOTP).
  • Database-level isolation of individual customers' data (Row Level Security).
  • Rate limiting and anomaly detection.
  • Automatic deletion of session keys after 2 hours of inactivity.

Organisational measures:

  • Access to systems on a least-privilege basis.
  • Regular internal security reviews.
  • Security logs retained for 90 days.

3.4 Engagement of Sub-processors

The Controller grants the Processor general prior authorisation to engage Sub-processors. The current list of Sub-processors is set out in Schedule 1 to this DPA.

The Processor shall notify the Controller at least 30 days in advance of engaging any new Sub-processor or making material changes to an existing Sub-processor.

3.5 Assistance to the Controller

The Processor shall assist the Controller in fulfilling its obligations under the GDPR, including responding to data subject requests and compliance with Articles 32-36 GDPR.

3.6 Security Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware, of any Security Breach affecting Controller Personal Data.

3.7 Data Protection Impact Assessments (DPIA)

Where the Controller intends to carry out processing that requires a DPIA under Article 35 GDPR, the Processor shall provide available information necessary for the performance of such assessment.

3.8 Deletion or Return of Data Upon Termination

Upon termination of the Main Agreement, the Processor shall delete or return all Controller Personal Data within 30 days, at the Controller's choice.

Article 4 - Obligations of the Controller

The Controller represents and warrants that:

  • it has a lawful legal basis for the processing of Personal Data it transfers to the Processor;
  • it has provided data subjects with all information required by the GDPR;
  • the instructions given to the Processor are compliant with the GDPR;
  • before transferring special categories of personal data, it has assessed the lawfulness of such processing;
  • it will promptly notify the Processor of any change that may affect the Processor's obligations.

Article 5 - International Transfers of Personal Data

5.1 Processing Within the EEA

The Processor primarily processes Controller Personal Data within the EEA (Supabase EU Frankfurt, Hetzner EU Frankfurt, Qdrant EU Frankfurt).

5.2 Transfers Outside the EEA

Certain Sub-processors are located outside the EEA, in particular in the USA (Anthropic, Vercel, Stripe, SendGrid, SerpAPI, Brave Search, IPInfo). Transfers to these countries are carried out on the basis of Standard Contractual Clauses (SCC) and/or adequacy decisions (EU-U.S. Data Privacy Framework).

5.3 Special Conditions for Transfers to Anthropic

The Controller acknowledges that conversation content is transferred to Anthropic (USA) for AI processing. Anthropic does not use data submitted via API to train its models. This transfer is safeguarded by SCCs.

Article 6 - Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and shall allow audits or inspections conducted by the Controller.

Any audit must be notified at least 30 days in advance, conducted during normal business hours, and limited to information necessary for compliance verification.

The costs of any audit shall be borne by the Controller, unless the audit reveals a material breach.

Article 7 - Liability

Each Party shall be liable to the other for damages caused by a breach of its obligations under this DPA or the GDPR.

The Processor's total liability shall not exceed the total amount of payments made by the Controller in the 12 months preceding the event, except for gross negligence or wilful misconduct.

If a supervisory authority imposes a fine on the Controller due to the Processor's breach, the Processor shall reimburse a proportionate share corresponding to its degree of fault.

Article 8 - Term and Termination

This DPA is effective for the entire duration of the Main Agreement between the Parties.

This DPA terminates automatically upon termination of the Main Agreement. Provisions that by their nature survive termination (in particular Articles 3.8 and 7) shall remain in force.

Article 9 - General Provisions

This DPA is governed by the laws of the Czech Republic, in particular Act No. 89/2012 Coll. (the Civil Code) and the GDPR.

All disputes arising out of this DPA shall be resolved by the courts of the Czech Republic.

The Processor may amend this DPA to ensure GDPR compliance. Material changes will be notified at least 30 days in advance.

If any provision is found invalid, the remaining provisions shall remain in full force.

This DPA, together with the Main Agreement and Privacy Policy, constitutes the entire agreement regarding personal data processing.

Schedule 1 - List of Sub-processors

| Sub-processor       | Location            | Purpose                                         | Data transferred                                  |
|---------------------|---------------------|-------------------------------------------------|---------------------------------------------------|
| Anthropic, PBC      | USA                 | AI query processing (Claude API)                | Conversation content, documents for analysis      |
| Supabase, Inc.      | EU (Frankfurt)      | Database and authentication                     | All user data (in encrypted form)                 |
| Vercel, Inc.        | USA / EU            | Serverless hosting                              | Request logs, API calls                           |
| Hetzner Online GmbH | EU (Frankfurt)      | Proprietary servers (vector DB, security logs)  | Security logs, document processing                |
| Qdrant              | EU (Frankfurt)      | Vector database for public legislation          | Embeddings of public legal sources, no user data  |
| Stripe, Inc.        | USA (EU compliance) | Payment gateway                                 | Payment data, billing records                     |
| Twilio SendGrid     | USA                 | Email communications                            | Email addresses, notification emails              |
| SerpAPI             | USA                 | Web search                                      | Search queries                                    |
| Brave Search        | USA                 | Alternative web search                          | Search queries                                    |
| IPInfo              | USA                 | IP address geolocation                          | User IP addresses                                 |

The Processor reserves the right to update this list in accordance with Article 3.4 of this DPA.

Schedule 2 - Technical and Organisational Security Measures

This Schedule describes the security measures implemented pursuant to Article 32 GDPR.

Encryption and Cryptography

  • Conversation encryption: AES-256-GCM (3 layers), 12-byte IV, 128-bit auth tag, unique keys per conversation
  • Key derivation: PBKDF2-SHA256, 600,000 iterations
  • Password hashing: PBKDF2, 600,000 iterations, constant-time comparison
  • Data in transit: TLS 1.2+, HTTPS enforced

Access Control

  • Multi-factor authentication: WebAuthn (FIDO2) and TOTP
  • Row Level Security (RLS) at Supabase database level
  • Employee access on a least-privilege basis
  • Session timeout: 2 hours of inactivity, 24-hour maximum lifetime

Resilience and Availability

  • Serverless architecture (Vercel edge functions) for horizontal scaling
  • Primary data stored in the EU (Frankfurt)
  • Rate limiting at IP address and user level

Monitoring and Auditing

  • Security logs retained for 90 days
  • Anomaly detection: five security incidents trigger a 5-minute lockout
  • Cryptographic operations logged (success/failure)

Zero-Knowledge Architecture

  • User password never leaves the user's device
  • Key derivation performed exclusively client-side
  • Processor has no technical access to stored conversation content (content submitted for AI processing is transferred as described in Article 5.3)

Contact

LexAI Technologies, s.r.o.

Školská 660/3, Praha 1 - Nové Město, 110 00 Praha 1

Email: support@lexaitechnologies.com

Web: www.lexaitechnologies.com

Version 1.0 - template, to be reviewed and customised before execution