Legal Hub Page - Accelerate Package
To discuss any of these terms, please reach out to your point of contact at SpotDraft. Please do not download or redline this document. 

DATA PROCESSING AGREEMENT 

This Data Processing Agreement ("DPA") forms part of the Order Form and the Software Services Agreement ("Agreement") executed between the Company and the Customer, collectively the "Parties", and shall be effective as of the Effective Date of the first Order Form.

IMPORTANT NOTE: This DPA recognizes that Company acts in different capacities depending on the purposes of the Processing of the Personal Data concerned. Part A contains general provisions, Part B applies where Company acts as a Data Controller, and Part C applies where Company acts as a Data Processor.


IT IS AGREED AS FOLLOWS: 

PART A: GENERAL PROVISIONS

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

1.1.1 "DPA" means this Data Processing Agreement and all Schedules.

1.1.2 "Customer Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Agreement.

1.1.3 "Contracted Processor" means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data on behalf of Customer subject to this DPA.

1.1.4 "Applicable Data Protection Laws" means the relevant data protection and data privacy laws, rules and regulations to which the Personal Data are subject. "Applicable Data Protection Law(s)" shall include, but not be limited to, EU General Data Protection Regulation 2016/679 ("GDPR"), the United Kingdom Data Protection Act 2018, the UK General Data Protection Regulation as defined by the Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), the Privacy and Electronic Communications Regulations 2003, French Data Protection Law (Law n° 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, as amended) ("French Data Protection Law"), the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) ("CCPA"), and its implementing regulations, and any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the use of personal data, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.

1.1.5 "EEA" means the European Economic Area.

1.1.6 "User Personal Data" means Personal Data relating to Customer's authorized users who register for and access the Services, processed by Company as a Data Controller.

1.1.7 "Data Transfer" means: (i) a transfer of Customer Personal Data from the Customer to a Contracted Processor; or (ii) an onward transfer of Customer Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).

1.1.8 "Personal Data Breach" means a breach of security, directly attributable to the Company, leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

1.1.9 "Services" means the Services provided by the Company in accordance with the Agreement.

1.1.10 "Subprocessor" means any person appointed by or on behalf of Processor to process Customer Personal Data in connection with the DPA.

1.1.11 "Standard Contractual Clauses" or "SCCs" means: (a) for transfers from the EEA: the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021; (b) for transfers from the UK: the International Data Transfer Agreement ("IDTA") or UK Addendum to the EU SCCs issued by the UK Information Commissioner's Office; (c) for transfers from Switzerland: the Swiss Federal Data Protection and Information Commissioner approved version of the SCCs.

1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.


2. Structure and Application of this DPA

2.1 This DPA consists of:

  • Part A: General Provisions (applicable to all Processing)
  • Part B: Provisions applicable where Company acts as a Data Controller
  • Part C: Provisions applicable where Company acts as a Data Processor
  • Schedules 1-5: Detailed specifications and lists

2.2 The Parties acknowledge that:

  • For User Personal Data (as described in Schedule 1), Company acts as a Data Controller
  • For Customer Personal Data (as described in Schedule 2), Company acts as a Data Processor


PART B: SPOTDRAFT ACTING AS A DATA CONTROLLER


3. Processing of User Personal Data

3.1 This Part B applies to Company's Processing of User Personal Data as a Data Controller.

3.2 Company shall:

  • Process User Personal Data in accordance with Applicable Data Protection Laws
  • Maintain a record of processing activities as required under Article 30 GDPR
  • Implement appropriate technical and organizational measures
  • Respond directly to Data Subject requests regarding User Personal Data

3.3 The lawful bases for Processing User Personal Data are:

  • Performance of the Agreement (Article 6(1)(b) GDPR)
  • Legitimate interests for service improvement and security (Article 6(1)(f) GDPR)
  • Consent for marketing communications where required (Article 6(1)(a) GDPR)

3.4 International transfers of User Personal Data shall be subject to:

  • Module 1 SCCs (Controller to Controller) where Customer requires access
  • Module 4 SCCs (Controller to Processor) for Company's service providers


PART C: SPOTDRAFT ACTING AS DATA PROCESSOR


4. Processing of Customer Personal Data

4.1 Processor shall:

4.1.1 comply with all Applicable Data Protection Laws in the Processing of Customer Personal Data;

4.1.2 not Process Customer Personal Data other than for the specific purposes set forth in Schedule 2 or outside the direct business relationship between Customer and the Company, unless obligated to do otherwise by applicable law. In such case, the Company will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so;

4.1.3 not Process special categories of Personal Data (as defined in Article 9 GDPR) or Personal Data relating to criminal convictions and offences (Article 10 GDPR) unless: (a) explicitly agreed in writing with Customer; (b) necessary for the provision of the Services; and (c) appropriate additional safeguards are implemented.

4.2 Customer Warranties and Obligations: Customer warrants that: (a) it has all necessary rights and lawful bases to upload Personal Data to the Services; (b) it will not upload special categories of Personal Data without prior written agreement; (c) it will implement appropriate measures to minimize Personal Data in uploaded documents where feasible; (d) it will inform Company if documents contain Personal Data of EU/UK/US or Singapore residents requiring specific protections.

4.3 The Company and its Sub-Processors shall process Customer Personal Data only in accordance with the documented instructions of Customer. The Agreement, including this DPA, along with any applicable statement of work, constitute Customer's complete and final instructions to the Company regarding the Processing of Customer Personal Data, unless more permissions are provided by Customer in writing.


5. Data Subject Rights and Requests

5.1 Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligations to respond to requests to exercise Data Subject rights under the Applicable Data Protection Laws. Customer acknowledges that Customer has sole authority to edit, delete, collect, and otherwise modify Personal Data that is uploaded or input by Customer (including its personnel) into the Services. Processor only provides relevant features and functionalities which may assist Customer in taking the relevant actions with respect to Data Subject requests.

5.2 Processor shall: (a) promptly notify Customer if it receives a request from a Data Subject in respect of Customer Personal Data; (b) not respond to that request except on the documented instructions of Customer; (c) provide reasonable assistance to Customer in responding to such requests to the extent such assistance is technically feasible using available tools in the Services, and is permitted under the Agreement.


6. Processor Personnel

6.1 Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Customer Personal Data, ensuring in each case that: (a) access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, (b) all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; (c) all personnel receive annual data protection training; (d) access rights are reviewed quarterly and revoked promptly upon termination.


7. Security

7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall implement appropriate technical and organizational measures as detailed in Schedule 3.


8. Sub-Processing

8.1 Customer provides general authorization for Company to engage Sub-Processors listed in Schedule 4.

8.2 Company shall: (a) notify Customer by email at least 30 days before any intended addition or replacement of Sub-Processors; (b) provide information about the new Sub-Processor including name, location, and processing activities; (c) ensure all Sub-Processors are bound by data protection obligations no less protective than this DPA; (d) remain fully liable for any failure by a Sub-Processor.

8.3 Customer may object to a new Sub-Processor within 14 days of notification by providing written notice with reasonable data protection grounds for objection.

8.4 If Customer objects and the parties cannot resolve the objection within 30 days, Customer may terminate the affected Services without penalty upon 30 days' written notice.


9. Personal Data Breach

9.1 Processor shall notify Customer without undue delay and in any event within 48 hours upon becoming aware of a Personal Data Breach affecting Customer Personal Data.

9.2 The notification shall include: (a) nature of the Personal Data Breach including categories and approximate numbers of Data Subjects and Personal Data records concerned; (b) likely consequences of the Personal Data Breach; (c) measures taken or proposed to address the breach and mitigate its effects; (d) contact details for more information.

9.3 Processor shall: (a) investigate the cause and contain the breach immediately; (b) provide regular updates on remediation progress; (c) assist Customer with regulatory notifications, including to:

  • Supervisory Authorities (within 72 hours)
  • Data Subjects (without undue delay for high-risk breaches)
  • ICO for UK data

(d) maintain a breach register documenting all breaches and remediation measures.


10. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities, taking into account the nature of the Processing and the information available to the Processor.


11. Data Storage and Location

11.1 Customer Personal Data shall be stored:

  • Primary location: Netherlands (for EU customers).
  • Primary location: US (for US customers).
  • Primary location: India (for Indian customers).

11.2 Access from India shall be limited to:

  • Customer support and implementation functions (restricted access)
  • Technical support (under strict access controls)
  • No bulk data transfers to India


12. Deletion or Return of Customer Personal Data

12.1 Upon termination of the Agreement or upon Customer's request, Company shall: (a) return all Customer Personal Data in a commonly used format within 30 days; (b) delete all copies of Customer Personal Data within 60 days of return or as directed; (c) provide a certificate of deletion signed by an authorized officer.

12.2 Company may retain Customer Personal Data only: (a) as required by applicable law (with notice to Customer); (b) in anonymized form for analytics (with no re-identification possibility).


13. Audit Rights

13.1 Company shall make available to Customer all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections in accordance with the provisions below, by the Customer or an auditor mandated by the Customer exclusively in relation to the Processing of the Customer Personal Data by the Contracted Processors and provided that the auditor is not a direct competitor of the Processor.

13.2 Customer and/or the auditor may conduct on-site audits: (a) a maximum of once per 12-month period; (b) upon 30 days' written notice; (c) during business hours with minimal disruption; (d) at Customer's expense; and (e) subject to confidentiality agreements.

13.3 If an audit reveals non-compliance, Company shall remediate at its own cost within agreed timeframes.


14. International Data Transfers

14.1 Transfers from the EEA: (a) for Customer Personal Data: Module 3 SCCs (Processor to Processor); (b) transfers to the USA: SCCs plus supplementary measures; (c) transfers to India: SCCs plus transfer impact assessment.

14.2 Transfers from the UK: (a) UK IDTA or UK Addendum to EU SCCs; (b) transfer risk assessment documenting safeguards; (c) optional UK-only processing upon request.

14.3 Transfers from France: (a) CNIL requirements for international transfers; (b) French language version of transfer documents available; (c) specific safeguards for transfers to non-adequate countries.

14.4 Transfer Safeguards: (a) SCCs shall be executed before first transfer (no retroactive application); (b) transfer impact assessments available upon request; (c) supplementary measures including encryption and access controls; (d) annual review of transfer mechanisms.


15. Service-Specific Provisions

15.1 CLM Platform: (a) Customer acknowledges the repository nature of the service; (b) Company implements access controls but does not monitor content; (c) Customer is responsible for minimizing Personal Data in contracts and inputs where feasible.

15.2 AI Services: (a) Processing limited to contract review purposes and providing responses to Customer queries; (b) no use of Customer Personal Data for AI training; (c) outputs containing Personal Data are subject to the same protection.

15.3 Sidebar AI Assistant: (a) Isolation between Customer environments


16. Liability and Indemnification

16.1 Each party's liability under this DPA shall be subject to the limitations in the Agreement.

16.2 Company shall be liable for: (a) its own violations of this DPA or Applicable Data Protection Laws; (b) acts and omissions of its Sub-Processors to the same extent as its own.

16.3 Customer acknowledges that Company's liability is limited given: (a) Customer controls what data is uploaded; (b) Company cannot review all uploaded content; (c) the self-service nature of certain Services.


17. General Terms

17.1 Confidentiality: Each Party must keep this DPA and information it receives about the other Party confidential, subject to legal requirements and public domain exceptions.

17.2 Term: This DPA shall be co-terminous with the Agreement.

17.3 Governance: (a) DPA contacts to be designated by each party; (b) annual review meetings; (c) amendments only in writing signed by both parties.

17.4 Order of Precedence: In case of conflict the following order of precedence shall apply: (a) mandatory requirements of Applicable Data Protection Laws; (b) this DPA; (c) the Agreement.


18. Notices, Governing Law and Jurisdiction

18.1 Notices under this DPA shall be in writing to the contacts specified in the Agreement with copy to:

  • Company: legal@spotdraft.com
  • Customer: to the billing contact specified in the Agreement

18.2 Governing Law and Jurisdiction shall be in accordance with the Agreement, provided that matters specifically relating to EU/UK data protection compliance shall be subject to the relevant local law.


SCHEDULES


SCHEDULE 1: USER PERSONAL DATA PROCESSING (Company acting as Controller)


Categories of Data Subjects:

  • Customer's employees, contractors, and authorized users
  • Prospective customers (demo users)

Categories of Personal Data:

  • Identification: First name, last name, email address
  • Professional: Title, position, employer, department
  • Contact: Business phone, business address
  • System: IP address, device information, usage logs
  • Authentication: Login credentials, MFA tokens

Purpose of Processing:

  • Provision of Services under the Agreement
  • User authentication and access control
  • Service improvement and analytics
  • Security and fraud prevention
  • Legal compliance
  • Marketing (with consent where required)

Duration: Duration of Agreement plus statutory retention periods


SCHEDULE 2: CUSTOMER PERSONAL DATA PROCESSING (Company acting as Processor)


1. CLM Platform Processing

Categories of Data Subjects (as determined by Customer):

  • Parties to contract
  • Signatories and contacts
  • Any individuals referenced in uploaded documents or activity logs

Categories of Personal Data (as uploaded by Customer):

  • Names, addresses, contact details in contracts
  • Employment information
  • Any other data Customer chooses to upload

Purpose: Contract lifecycle management as directed by Customer


2. AI Services Processing

Purpose: Automated contract review against Customer guidelines, and other features of AI Services such as research, database search, and drafting (as applicable)

Nature of Processing: Analysis of contracts for various purposes including comparisons, redlining, compliance with Customer-defined rules, and database search on Customer input

Duration for all: As directed by Customer, subject to Agreement terms


SCHEDULE 3: TECHNICAL AND ORGANIZATIONAL MEASURES


a. The Company agrees and acknowledges that it has developed, implemented, and will continuously maintain appropriate information security policies and procedures, which shall include administrative, technical, and physical safeguards designed to:


(i) ensure the security and confidentiality of the Customer’s information and materials;

(ii) protect against foreseeable threats or hazards to the security of such information; and

(iii) prevent unauthorized access or use of the same.


To this end, the Company shall regularly update all its systems, software, and equipment to the latest versions or security patches, ensuring implementation of all relevant patches released by the respective software or device manufacturers.


b. The Company certifies that it has implemented robust information classification mechanisms as part of its information security policy and agrees to treat all information related to the Customer with the appropriate level of confidentiality. All such information shall be transmitted, accessed, and used only through encrypted and secure internet connections.


c. The Company affirms that all its employees handling Confidential Information have received comprehensive training on its information security policies and procedures and shall undergo refresher training at least once annually.


d. The Company guarantees that it holds a valid SOC 2 Type II certification and such other certifications as may be required under applicable law and shall maintain them throughout the term of this Agreement. Failure to maintain such certifications shall be deemed a material breach and may lead to suspension of Services at the Customer’s discretion.


e. The Company, its personnel, and any permitted subcontractors or affiliates shall adhere to industry standard technology practices, policies, and procedures in rendering the Services.


f. The Company shall establish and maintain adequate contingency plans, including disaster recovery and backup measures, to ensure continuity of Services and integrity of the Customer’s data in the event of disruptions. All data shall be securely stored and disposed of as per the Customer’s data retention policies and applicable laws.


g. The Company shall maintain and test a disaster recovery and business continuity plan for the Services. Upon written request, the Company shall provide a copy of the plan and test results to the Customer, with tests conducted at least annually or more frequently as required under law.


h. The Company shall conduct annual vulnerability assessments and penetration testing of the Software, infrastructure, and APIs through a qualified external agency. Results shall be shared with the Customer on request.


SCHEDULE 4: APPROVED SUB-PROCESSORS


The list of sub-processors is available here.


SCHEDULE 5: STANDARD CONTRACTUAL CLAUSES


For EEA Transfers:

  • Module 1: Controller to Controller (User Personal Data to sub-processors)
  • Module 2: Controller to Processor (where applicable)
  • Module 3: Processor to Processor (Customer Personal Data)

For UK Transfers:

  • UK IDTA or UK Addendum as appropriate

For Swiss Transfers:

  • Swiss-approved SCCs