LawPal Data Processing Agreement (DPA)

Effective Date: 1 September 2025

Last Updated: 6 January 2026

This DPA explains how LawPal processes personal data when customers upload documents for contract review and analysis. It supports procurement, vendor assurance, and UK GDPR obligations by setting clear processor commitments and safeguards.

LawPal recognises its role as a data processor under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Data Processing Agreement ("DPA") forms part of the contractual relationship between LawPal and its customers and sets out the terms on which LawPal processes personal data on behalf of its customers. This page provides an overview of the DPA. A full executed copy is available upon request.

Related documents: Terms, Privacy policy, Security overview. For procurement or compliance queries, use Support.

1. Purpose

Sets out how LawPal processes personal data on customer instructions in line with UK GDPR Article 28. It provides baseline commitments used in procurement reviews and vendor governance.

This DPA ensures that LawPal processes personal data lawfully, fairly, and transparently, and that it implements appropriate technical and organisational measures to safeguard such data.

2. Roles of the Parties

Clarifies controller and processor responsibilities so decision making and accountability are unambiguous. This helps customers document lawful basis, DPIAs, and internal approvals.

• Customer acts as the Data Controller, determining the purposes and means of processing personal data.
• LawPal acts as the Data Processor, processing personal data solely on the instructions of the Customer.

3. Processing of Personal Data

Confirms LawPal processes personal data only to deliver the contracted services and on documented instructions. Confidentiality commitments apply to anyone authorised to process personal data.

LawPal shall:

• Process personal data only as necessary to provide the contracted services.
• Not process personal data for its own purposes.
• Ensure that any persons authorised to process personal data are bound by confidentiality.

4. Data Subject Rights

Explains how LawPal supports customers with rights requests, subject to verification and legal limits. Requests can be routed via privacy@lawpal.co.uk.

LawPal assists Customers in fulfilling their obligations with respect to data subject rights, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to data portability
• Right to object to processing

Requests may be submitted to privacy@lawpal.co.uk.

5. Technical and Organisational Measures

Summarises security measures used to protect personal data, including encryption and access controls. For more detail, refer to the Security overview.

LawPal implements measures appropriate to the risk, including:

• Encryption of personal data at rest and in transit
• Multi-factor authentication and access controls
• Logging, monitoring, and intrusion detection
• Regular backups and disaster recovery testing
• Vendor due diligence and sub-processor controls

6. Sub-Processors

Allows use of vetted sub-processors under written agreements with equivalent protections. Sub-processor details can be provided for vendor due diligence.

LawPal may engage sub-processors to support the provision of services.

• Sub-processors are bound by written agreements requiring equivalent data protection obligations.
• A current list of sub-processors is available on request.

7. International Data Transfers

Explains that processing locations and residency controls depend on plan and configuration. Where transfers occur, appropriate safeguards apply and can be disclosed on request.

LawPal is designed for UK-first workflows. Processing locations and data residency depend on your plan and configuration. Where personal data is transferred outside the UK, appropriate safeguards apply. Details can be requested via Support.

8. Data Retention and Deletion

Commits to retaining personal data only as long as needed for service delivery and secure deletion after termination, subject to legal requirements. This supports minimisation and auditability.

LawPal retains personal data only for as long as necessary to provide services. Upon termination of services, data is securely deleted, subject to any legal retention obligations.

9. Breach Notification

Sets the notification standard for personal data breaches so customers can meet regulatory obligations. Information is provided to support assessment and reporting where required.

In the event of a personal data breach, LawPal will notify the Customer without undue delay and provide information necessary for the Customer to meet its legal obligations.

10. Audit and Compliance

Describes how LawPal demonstrates compliance and supports reasonable audit requests. Audits are managed to protect confidentiality and system security.

LawPal will make available information necessary to demonstrate compliance with its obligations under Article 28 UK GDPR. Customers may request reasonable audits or inspections, subject to confidentiality and security limitations.

11. Contact

Use this route to request sub-processor information, transfer details, or a signed copy of the standard DPA. Provide your organisation name and procurement timeline for faster handling.

For further details or to request a signed copy of LawPal's standard DPA, please contact:
LawPal Privacy & Security Office

Email: support@lawpal.co.uk

How to Request a DPA

Customers who require a signed DPA may submit a request via email. LawPal will provide a standard GDPR compliant DPA template for execution.