Data Processing Agreement
Version 0.3 · draft · pending final legal review · 2026-05-10. The contract between AnoLawg (as processor) and your firm (as controller) governing processing of personal data under GDPR, UK GDPR, and applicable US state privacy laws.
Draft — pending attorney review.
This is a good-faith draft intended to be counter-signed by counsel before any firm executes it. It is published here so customers can review the substantive terms during sales conversations, but it is not yet the final operative agreement. Once counsel approves, the page will switch to effective YYYY-MM-DD and the draft notice will be removed.
1. Parties & roles
This Data Processing Agreement ("DPA") is entered into between the firm identified in the AnoLawg order form or subscription record (the "Customer" or "Controller") and AnoLawg, LLC, an Ohio limited liability company ("AnoLawg" or "Processor").
In respect of personal data processed under the AnoLawg Terms of Service, the Customer is the controller and AnoLawg is the processor as those terms are defined in Article 4 of the EU General Data Protection Regulation 2016/679 ("GDPR") and equivalent terms under the UK GDPR and applicable US state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and successors).
This DPA is effective when the Customer first accepts the Terms of Service and remains in force for the duration of the subscription, including any wind-down period.
2. Subject matter, nature & purpose of processing
Subject matter: AnoLawg processes the Customer's legal practice management data — matters, contacts, calendar events, tasks, billable time, expenses, invoices, trust-ledger entries, provider-import files, matter-document pointers, generated files, and communications — and operates the Client Portal through which the Customer's clients exchange messages and files with the firm. Matter-document file bytes are generally stored in the Customer's connected Microsoft or Google drive rather than in AnoLawg.
Nature and purpose: Storage, retrieval, display, indexing, transmission, backup, and deletion of personal data, in each case strictly as instructed by the Customer through the AnoLawg product and API.
Duration: For the term of the subscription plus the deletion window in §11.
3. Personal data & data subjects
Categories of data subjects: firm users (attorneys, paralegals, staff), the firm's clients, opposing parties, witnesses, and other third parties referenced in matter records, and any other natural persons whose personal data the Customer uploads.
Categories of personal data: names, contact details, professional credentials, matter facts (which may include sensitive categories such as health, financial, or criminal-justice information), billing records, provider-import raw CSV contents, generated invoice PDFs and export archives, matter document metadata and provider pointers, communications, authentication identifiers, session metadata, and service telemetry.
Special categories: AnoLawg does not require the upload of special-category data but acknowledges that legal matters frequently include it. The Customer warrants that it has a lawful basis under Art. 9(2) GDPR (or equivalent) for any such processing and remains solely responsible for matter content.
4. Processor obligations (Art. 28(3))
- Process personal data only on documented instructions from the Customer, including with regard to international transfers, unless required by EU or Member State law.
- Ensure persons authorised to process personal data are bound by confidentiality obligations.
- Implement the technical and organisational measures described in §7 (Art. 32 GDPR).
- Respect the conditions in §5 for engaging sub-processors.
- Assist the Customer with data-subject requests and with DPIAs (see §9).
- Notify the Customer of a personal-data breach without undue delay (see §8).
- Return or delete personal data at the Customer's choice on termination (see §11).
- Make available all information necessary to demonstrate compliance with Art. 28 and allow for audits (see §10).
5. Subprocessors
The Customer grants AnoLawg a general authorisation to engage the subprocessors listed below. AnoLawg will update this page and notify Customers by email (or an in-app announcement) at least 30 days before adding a new subprocessor, during which the Customer may object on reasonable grounds. Each subprocessor is under a written DPA containing data-protection obligations no less protective than this DPA.
Microsoft and Google are not listed as AnoLawg subprocessors when a Customer or user connects their own Microsoft 365, Outlook, OneDrive, Google Workspace, Gmail, Google Drive, or Google Calendar account. In those cases, AnoLawg acts on the Customer's or user's documented OAuth instruction and sends data to the provider account the Customer or user controls.
| Subprocessor | Purpose | Data categories | Location | Transfer mechanism |
|---|---|---|---|---|
| Vercel Inc. | Application hosting, edge compute, CDN, analytics infrastructure, Vercel Blob object storage, and logs. | All request-path data transits Vercel edge; generated invoice PDFs, firm export ZIPs, public profile pictures, service telemetry, and object-storage metadata may be stored in Vercel services. | United States (multi-region). | EU SCCs (2021/914) + UK IDTA Addendum, DPA in place. |
| Neon Inc. | Managed Postgres primary database (customer records, sessions, matters, activities, billing state). | Firm-operating data, account identifiers, hashed credentials, session records, billing identifiers, provider-import raw CSV text during the temporary import review period, and other persisted application records. | United States (AWS us-east-2 primary; daily encrypted backups). | EU SCCs (2021/914) + UK IDTA Addendum, DPA in place. |
| Stripe Inc. / Stripe Payments Europe Ltd. | Subscription billing, Stripe Checkout, Customer Portal, invoice rendering, card processing. | Billing identifiers (Stripe customer ID, subscription state, invoice history). Card numbers are held only by Stripe — AnoLawg never sees the PAN. | United States (Stripe Inc.) with EU processing via Stripe Payments Europe Ltd. (Ireland) for EU customers. | Stripe's standard DPA, EU SCCs (2021/914), UK IDTA, plus PCI-DSS Level 1 attestation. |
| Resend, Inc. | Transactional email delivery (login magic links, bill notifications, client-portal invitations, password resets). | Recipient email address, message subject, send timestamps, delivery / bounce events. | United States. | EU SCCs (2021/914) + UK IDTA Addendum, DPA in place. |
| Stream.io Inc. | Realtime chat infrastructure for the Client Portal (firm ↔ client messaging). | Client-portal chat messages and metadata. Where end-to-end encryption is active, message text is replaced with an encrypted placeholder and ciphertext payloads are stored for authorized recipients. | United States / European Union (region-configurable). | EU SCCs (2021/914) + UK IDTA Addendum, DPA in place. |
| Functional Software, Inc. d/b/a Sentry | Application-error reporting and performance tracing. | Stack traces, URL paths, request metadata, performance events, and user identifier (internal ID — no email). Sentry default PII capture is disabled in configuration. | United States / European Union (project configurable). | EU SCCs (2021/914) + UK IDTA Addendum, DPA in place. |
| PostHog, Inc. | Product analytics, consent-gated server-side event capture, and feature-flag / A-B testing support when configured. | Usage events, profile and firm identifiers, referral and billing-flow events, feature-test identifiers, and event metadata. No ad targeting. | United States / European Union, depending on configured PostHog host. | EU SCCs (2021/914) + UK IDTA Addendum where data leaves the EEA/UK; otherwise regional processing per configured host. |
6. International transfers
Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a third country that has not received an adequacy decision, the parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor), as if set out in full. For transfers from the UK, the parties additionally incorporate the UK International Data Transfer Addendum (Version B1.0). For transfers from Switzerland, the SCCs apply with Swiss-specific adjustments per FADP.
Docking clause: third parties may accede to the SCCs incorporated here in accordance with Clause 7 of the SCCs.
AnoLawg maintains a transfer impact assessment (TIA) for each subprocessor in a third country and will provide it to the Customer on reasonable request.
7. Technical & organisational measures (Art. 32)
A summary is below; the full control set is described on the Security page and remains an integral part of this DPA.
Encryption
TLS 1.2+ in transit. Managed database and object-storage providers encrypt data at rest. Passwords are hashed with scrypt + per-user salt. OAuth tokens are encrypted with authenticated symmetric encryption. Client-portal chat payloads are additionally end-to-end encrypted where the encrypted channel state is active.
Tenant isolation
Firm-owned application records are scoped by firmId with defense-in-depth at the query layer. Admin users can only access data within their own firm; the Webmaster role is further gated by an email allowlist and MFA.
Backups & retention
Encrypted database backup windows follow the retention schedule described in the Privacy Policy and retention documentation. Deletion is subject to legal holds, tax and audit retention, active disputes, provider backup cycles, and dependency-safe deletion processing.
Access control & audit
Production access is limited to named personnel, protected by provider access controls and MFA where available, and logged. Privileged product actions such as billing changes, impersonation, exports, and permission changes write audit records.
8. Breach notification
AnoLawg will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a confirmed personal-data breach affecting the Customer's personal data. The notification will describe, to the extent then known: the nature of the breach and categories / approximate numbers of data subjects and records concerned, likely consequences, measures taken or proposed, and a named point of contact.
AnoLawg will cooperate with the Customer in investigation, remediation, and any required regulator or data-subject notices. AnoLawg's notification is not an acknowledgement of fault and does not supersede the Customer's independent breach-notification obligations.
9. Data-subject rights & DPIA assistance
Taking into account the nature of the processing, AnoLawg will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to data-subject requests under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). Self-service export, edit, and delete tools are provided where available in-product; where an export or deletion workflow is not self-service, AnoLawg will route the written request through support and respond within 30 days.
AnoLawg will provide reasonable assistance with data-protection impact assessments and prior consultations with supervisory authorities under Arts. 35–36 GDPR, including by supplying the documentation referenced in §§5–7.
10. Audit rights
AnoLawg will make available to the Customer all information necessary to demonstrate compliance with Art. 28 GDPR. On reasonable written notice (at least 30 days), the Customer — or a mutually-agreed independent auditor bound by confidentiality — may conduct an audit no more than once per year, during business hours, without disrupting service to other customers. AnoLawg may satisfy this obligation by providing copies of its most recent independent third-party audit reports and penetration-test summary letter.
The Customer bears its own costs for audits; AnoLawg bears its own costs for producing standard reports.
11. Return or deletion on termination
On termination or expiry of the subscription, the Customer may export all firm-operating data via in-product export tools. At the Customer's written election within 30 days of termination, AnoLawg will either (a) return the remaining personal data in a structured, commonly-used format, or (b) begin dependency-safe deletion or anonymization.
Deletion and anonymization are subject to legal holds, firm instructions, tax and audit retention, active disputes, dependency mapping, provider-controlled storage, and backup cycles. Underlying matter documents in the Customer's connected Microsoft or Google drive remain under the Customer's control and are not deleted by AnoLawg.
12. Liability & governing law
Liability under this DPA is subject to the limitations in the Terms of Service (as modified for data-protection matters by the non-excludable provisions of applicable law).
This DPA is governed by the law specified in the Terms of Service, except where Art. 28 GDPR or the SCCs require otherwise; in those cases, EU Member State law or UK law applies to the affected provisions.
13. How to execute this DPA
Once this draft is counsel-approved and the page switches to effective YYYY-MM-DD, the DPA is automatically in force for every Customer that has accepted the Terms of Service — no separate signature is required for US customers processing only US personal data.
EU/UK/Swiss customers, or customers whose own compliance programme requires a counter-signed copy, may email privacy@anolawg.com with their legal-entity details and we will return a counter-signed PDF referencing the version stamp on this page.
Questions about this DPA, or a request to counter-sign? Email privacy@anolawg.com. For the platform's full security posture see our Security page.