This Data Processing Agreement (“DPA”) forms part of the Master Service Agreement (“MSA”) or other applicable services agreement between LitiSync, Inc. (“Processor”) and the subscribing law firm or legal organization (“Controller”) governing the processing of Personal Data in connection with the LitiSync platform (the “Service”).
1. Definitions
For purposes of this DPA:
- “Personal Data” means information relating to an identified or identifiable individual processed by Processor on behalf of Controller.
- “Applicable Data Protection Law” means any applicable privacy or data protection law governing the processing of Personal Data under the MSA.
- “Subprocessor” means a third party engaged by Processor to process Personal Data on behalf of Controller.
2. Roles of the Parties
For purposes of Applicable Data Protection Law:
- Controller: The subscribing law firm or legal organization determines the purposes and means of processing Personal Data submitted through the Service.
- Processor: LitiSync processes Personal Data solely on behalf of and under the documented instructions of the Controller in order to provide the Service.
Nothing in this DPA relieves Controller of its responsibilities as a data controller under Applicable Data Protection Law.
3. Scope and Nature of Processing
Processor may process Personal Data only as necessary to:
- Provide, operate, and maintain the Service
- Process intake information, communications, recordings, transcripts, uploaded materials, and structured matter data
- Generate summaries and organizational outputs at Controller’s direction
- Maintain system security, reliability, fraud prevention, and integrity
- Comply with applicable legal obligations
Processor shall not process Personal Data for its own independent commercial purposes except as permitted by Applicable Data Protection Law.
4. Confidentiality
Processor shall ensure that personnel authorized to process Personal Data:
- Are subject to written confidentiality obligations;
- Access Personal Data only as necessary to perform services; and
- Receive appropriate data protection and security awareness training where required.
5. Security Measures
Processor shall implement and maintain commercially reasonable administrative, technical, and organizational safeguards designed to protect Personal Data, including:
- Encryption in transit and at rest
- Role-based access controls
- Authentication safeguards
- Security monitoring and logging
- Incident detection and response procedures
Controller acknowledges that no security measure is infallible, and Processor does not warrant absolute security.
6. Subprocessors
Controller authorizes Processor to engage Subprocessors to support provision of the Service, including but not limited to hosting, infrastructure, communications, transcription, analytics, and security providers.
Processor shall:
- Maintain an up-to-date list of Subprocessors available upon reasonable request;
- Impose contractual data protection obligations on Subprocessors consistent with this DPA;
- Remain responsible for Subprocessor compliance with applicable obligations under this DPA.
Controller may object to a new Subprocessor on reasonable data protection grounds within a reasonable period following notice.
7. Assistance with Data Subject Requests
To the extent legally permitted and reasonably feasible, Processor shall provide reasonable assistance to Controller in responding to requests from individuals exercising rights under Applicable Data Protection Law.
Controller remains responsible for evaluating and responding to such requests.
8. Security Incidents
Processor shall notify Controller without undue delay after becoming aware of a confirmed security incident involving Personal Data processed under this DPA.
Such notice shall include reasonably available information necessary for Controller to assess the incident and comply with legal obligations. Processor shall cooperate in investigation and remediation consistent with industry practices.
9. Data Retention, Return, and Deletion
Processor shall retain Personal Data in accordance with:
- Controller’s documented instructions;
- Applicable contractual terms; and
- Legal or regulatory obligations.
Upon termination of the applicable services agreement, and at Controller’s direction, Processor shall delete or return Personal Data in accordance with established export and deletion procedures, unless retention is required by law.
Controller acknowledges that retention configurations may vary based on jurisdictional, professional responsibility, or insurance requirements.
10. International Data Transfers
Where Personal Data is transferred across jurisdictions, Processor shall implement safeguards required by Applicable Data Protection Law to support lawful transfer and processing.
11. Audits and Compliance Information
Upon reasonable written request, Processor shall provide information reasonably necessary to demonstrate compliance with this DPA, including summaries of relevant security controls or certifications where available.
Controller acknowledges that on-site audits may be limited to circumstances required by Applicable Data Protection Law and subject to reasonable confidentiality and security safeguards.
12. Privilege and Legal Matter Context
Processor processes Personal Data in the context of supporting attorney workflows. Controller remains solely responsible for determining whether Personal Data is subject to attorney-client privilege, confidentiality protections, or professional responsibility obligations.
Nothing in this DPA constitutes legal advice or alters Controller’s professional obligations.
13. Changes to This DPA
Processor may modify this DPA from time to time to reflect updates to the Service, Applicable Data Protection Law, or operational practices.
Unless otherwise required by law, modifications become effective upon posting or notice in accordance with the governing services agreement. Continued use of the Service after the effective date constitutes acceptance of the revised DPA.
To the extent permitted by law, modifications will not apply retroactively to disputes arising before the effective date.
14. Order of Precedence
In the event of conflict between this DPA and the MSA regarding the processing of Personal Data, the terms of this DPA shall control with respect to data protection obligations.
15. Term
This DPA remains in effect for as long as Processor processes Personal Data on behalf of Controller under the applicable services agreement.