Lex Protocol™

Data Processing Agreement

Our standing GDPR Article 28 commitments to firms and organisations that use Lex Protocol

Effective Date: 28 May 2026  |  Last Updated: 28 May 2026  |  Version: 1.0

This Data Processing Agreement (“DPA”) is automatically incorporated into our Terms of Service. It applies whenever a firm, organisation or other entity (the “Customer”) processes personal data through Lex Protocol on behalf of third parties (typically clients of the firm). If you are an individual practitioner using Lex Protocol for your own clients, this DPA still applies to you, because you are the data controller of that client information.

If your procurement process requires a signed counterpart of this DPA, email privacy@lexprotocol.co and we will provide one based on the standing text below.

1. Definitions

Terms not defined here have the meaning given in the Privacy Act 1988 (Cth), the Australian Privacy Principles (“APPs”), the European Union General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the United Kingdom GDPR (the GDPR as it forms part of UK law), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code § 1798.100 et seq., “CCPA”).

  • “Lex Protocol”, “we”, “us”: Avci Technologies Pty Ltd (ABN 69 688 146 581), the processor / service provider.
  • “Customer”, “you”: the firm, organisation or individual practitioner using Lex Protocol, acting as controller of the personal data processed through the service.
  • “Customer Personal Data”: personal data that the Customer (or its end users) submits to or generates within Lex Protocol — including file notes, recordings, transcripts, matter facts, client identifiers, and the Customer’s own account data.
  • “Sub-processor”: any third party engaged by Lex Protocol to process Customer Personal Data on our behalf.
  • “Data Protection Laws”: all laws applicable to the processing of Customer Personal Data, including the Privacy Act, APPs, GDPR, UK GDPR and CCPA.

2. Roles of the parties

For the purposes of Data Protection Laws:

  • The Customer is the data controller (or, in CCPA terms, the “business”) of the Customer Personal Data.
  • Lex Protocol is the data processor (and, in CCPA terms, the “service provider”) acting on the Customer’s documented instructions.

Each party will comply with the Data Protection Laws that apply to it in its respective role.

3. Subject-matter, duration, nature and purpose of processing

  • Subject matter: the processing of Customer Personal Data for the purpose of providing the Lex Protocol service to the Customer.
  • Duration: for the term of the Customer’s subscription to Lex Protocol, plus any post-termination period during which we retain Customer Personal Data in accordance with our Privacy Policy.
  • Nature and purpose: recording, transcription, AI-assisted drafting, structuring and storage of file notes and related artefacts; matter organisation; document export; chat assistance grounded in the Customer’s own matter data; account administration; billing.
  • Types of personal data: Customer account data (name, email, firm, professional credentials, IP address); client information that the Customer chooses to submit (names, contact details, matter facts, narrative content of recorded conversations, document attachments); and any “sensitive” or “special category” data introduced by the Customer in the course of providing legal services (for example, health information in personal-injury matters, criminal-history information in criminal-defence matters).
  • Categories of data subjects: the Customer’s clients, opposing parties named in Customer notes, witnesses, and Customer’s own staff (where the Customer uses Lex Protocol for internal meetings).

4. Customer instructions

We will process Customer Personal Data only on the Customer’s documented instructions. The Customer’s instructions are:

  • The use of the Lex Protocol service in accordance with our Terms of Service, Privacy Policy and Usage Policy;
  • Any additional instructions the Customer gives in writing that we accept in writing.

We will inform the Customer if, in our opinion, an instruction infringes Data Protection Laws. We will not be required to comply with an instruction that requires us to act unlawfully.

5. Confidentiality

We will ensure that personnel authorised to process Customer Personal Data are bound by written confidentiality obligations and have received appropriate training. Access to Customer Personal Data is restricted to those of our personnel who need access to provide the service or to meet our legal obligations.

6. Security measures

We have implemented technical and organisational measures designed to ensure a level of security appropriate to the risk of the processing, taking into account the nature, scope, context and purpose of the processing. The current measures include, without limitation:

  • Encryption of Customer Personal Data in transit (TLS 1.2 or later) and at rest (AES-256-GCM for sensitive fields and Customer-provided artefacts; Google-managed AES-256 encryption for the underlying Firestore datastore);
  • Two-factor authentication on destructive account actions (delete, restore);
  • Per-IP and per-account rate limits on authentication and password-reset surfaces;
  • Append-only audit logs of authentication and account-lifecycle events;
  • Daily Firestore backups with seven-day Point-in-Time Recovery;
  • Helmet-style HTTP security headers on backend endpoints and a Content Security Policy on the marketing site;
  • Annual review of access controls; multi-factor authentication enforced on all administrative accounts.

The current set of technical and organisational measures is described in full in our Security Policy, which forms part of this DPA. We may update the measures over time provided they continue to meet the standard required by Data Protection Laws and do not materially reduce overall protection.

7. Sub-processors

The Customer authorises us to engage the sub-processors listed in § 5 of our Security Policy (the “Sub-processor List”). We will:

  • Impose written data-protection obligations on each Sub-processor that are no less protective than this DPA;
  • Remain liable to the Customer for the acts and omissions of our Sub-processors;
  • Publish the Sub-processor List on our website and update it whenever the list changes materially.

The Customer may subscribe to notice of material changes by emailing privacy@lexprotocol.co with the subject line “Sub-processor notifications”. The Customer may object to the addition of a new Sub-processor on reasonable data-protection grounds within thirty (30) days of notice; if the parties cannot agree a resolution, the Customer may terminate the affected service on written notice and receive a pro-rated refund of any pre-paid fees for the unexpired term.

8. International data transfers

Customer Personal Data is hosted in Australia (Google Cloud australia-southeast1 region) by default. Certain Sub-processors are located in the United States and other jurisdictions, as identified in the Sub-processor List. Where Customer Personal Data is transferred from the European Economic Area, the United Kingdom or Switzerland to a country that does not have an adequacy decision under GDPR (or the equivalent UK / Swiss regime), the transfer is governed by the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module Two: Controller to Processor) and, for transfers from the UK, the UK International Data Transfer Addendum, together with supplementary measures: encryption in transit and at rest as technical measures, and contractual no-AI-training commitments from the relevant Sub-processors.

9. Assistance with data subject requests

Lex Protocol provides in-app tools that allow the Customer to fulfil most data-subject requests directly:

  • Access / portability: Settings → Account & Data → Download your data;
  • Rectification: Settings → Profile;
  • Erasure / deletion: Settings → Account & Data → Delete account.

Where these in-app tools are insufficient (for example, the Customer needs us to retrieve historical data following a request from a former end user), we will provide reasonable assistance to enable the Customer to respond to the request, taking into account the nature of the processing and the information available to us. We will not respond directly to a data-subject request that concerns Customer Personal Data — we will route the request to the Customer as controller.

10. Personal-data breach notification

Where we become aware of a personal-data breach affecting Customer Personal Data, we will notify the Customer without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the breach. The notification will include, to the extent then known to us, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to be taken in response. We will assist the Customer in meeting any notification or communication obligations the Customer has under Data Protection Laws. Our incident-response process and timing commitments are published at our Incident Response page.

11. Data protection impact assessments

We will provide the Customer with reasonable assistance for any data protection impact assessment or prior consultation with a supervisory authority that the Customer is required to carry out under Data Protection Laws, in each case to the extent the assistance is reasonably required and relates to processing by Lex Protocol.

12. Return or deletion of Customer Personal Data

Within thirty (30) days after termination of the Customer’s subscription, the Customer may export Customer Personal Data using the in-app data export tools (Settings → Account & Data → Download your data). After that thirty-day grace period, we will delete or anonymise Customer Personal Data from our active systems, subject to retention permitted or required by applicable law (for example, financial records held by Stripe for tax and accounting purposes). Backups containing Customer Personal Data expire in accordance with the seven-day Point-in-Time Recovery cycle described in section 6.

13. Audit rights

We will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including by making available a copy of our annual MVSP self-assessment, our Security Policy and, on reasonable request and at the Customer’s cost, summaries of any independent security assessments we have commissioned. We will allow for, and contribute to, audits conducted by the Customer or by a third-party auditor mandated by the Customer, provided that:

  • Audits are conducted no more than once in any twelve-month period (except where required by a supervisory authority or following a confirmed material breach affecting the Customer);
  • The Customer gives at least thirty (30) days’ written notice;
  • The auditor is bound by appropriate confidentiality obligations;
  • The audit is conducted during business hours, in a manner that does not unreasonably interfere with our operations.

14. CCPA-specific provisions

We act as a “service provider” (Cal. Civ. Code § 1798.140(ag)) to the Customer (as “business”) in respect of personal information processed through Lex Protocol on behalf of California residents. We:

  • Will not sell or share personal information (as those terms are defined in CCPA);
  • Will not retain, use or disclose personal information for any purpose other than the business purposes specified in this DPA and the Terms of Service;
  • Will not retain, use or disclose personal information outside of the direct business relationship between us and the Customer;
  • Will not combine personal information received from the Customer with personal information received from any other source, except as permitted by CCPA § 1798.140(ag)(2);
  • Will notify the Customer if we determine we can no longer meet our service-provider obligations.

Our public “Your Privacy Choices” page records our non-sale / non-sharing position for California residents.

15. Liability and order of precedence

Liability under this DPA is subject to the limitations and exclusions set out in our Terms of Service, except where the law prohibits such limitation. To the extent of any conflict between this DPA and the Terms of Service in respect of the processing of Customer Personal Data, this DPA prevails.

16. Governing law

This DPA is governed by the law of Victoria, Australia, except where Data Protection Laws require a different governing law for cross-border transfer arrangements (for example, the law of the data exporter’s EU Member State for transfers under Standard Contractual Clauses).

17. Contact

Avci Technologies Pty Ltd

DPA enquiries / signed counterparts: privacy@lexprotocol.co

Melbourne, Victoria, Australia

ABN: 69 688 146 581

© 2026 Avci Technologies. All rights reserved.