Data Processing Agreement

Effective Date: 1st September 2025
Parties:

• We Are Spydr Ltd (registered in England and Wales, Company No. 11260347) of 40 Berkeley Square, Clifton, BS8 1HP (“Processor”); and
• The customer identified in the subscription agreement (“Controller”).

‍

Together, the “Parties”.

1. Definitions
   In this DPA:
   
   1. “Applicable Data Protection Law” means all applicable laws relating to the processing of personal data, including the UK GDPR and Data Protection Act 2018.
   2. “Controller”, “Processor”, “Data Subject”, “Personal Data”, and “Processing” shall have the meanings given in the UK GDPR.
   3. “Services” means the LegalWonder software-as-a-service platform provided by Spydr.
   4. “Sub-processor” means any third party appointed by the Processor to process Personal Data on behalf of the Controller.

‍

2. Subject Matter and Duration
   
   1. The Processor shall process Personal Data on behalf of the Controller in connection with the provision of the Services.
   2. This DPA shall apply for the duration of the Controller’s subscription and thereafter for so long as the Processor retains Personal Data.

‍

3. Nature and Purpose of Processing
   
   1. The Processor shall process Personal Data solely for the following purposes:
      
      1. to provide, support, and maintain the Services;
      2. to comply with the Controller’s instructions; and
      3. to comply with Applicable Data Protection Law.
   2. The processing shall include ephemeral storage of bundles files; organisation, analysis, and generation of outputs from case bundles provided by the Controller.

‍

4. Categories of Data and Data Subjects
   
   1. Categories of Personal Data processed may include:
      
      1. Names, contact details, and account information of Customers;
      2. Personal data contained within legal case bundles
      3. Metadata and usage logs.
   2. Categories of Data Subjects may include:
      
      1. Individuals named in legal documents.

‍

5. Processor Obligations
   The Processor shall:
   
   
   1. process Personal Data only on documented instructions from the Controller, unless required to do so by law;
   2. ensure persons authorised to process Personal Data are bound by confidentiality obligations;
   3. implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage;
   4. notify the Controller without undue delay after becoming aware of a Personal Data Breach;
   5. assist the Controller in fulfilling its obligations under Applicable Data Protection Law, including data subject rights, data protection impact assessments, and breach notifications;
   6. delete or return all Personal Data upon termination of the Services, subject to legal retention requirements;
   7. make available all information necessary to demonstrate compliance and allow for audits by the Controller.

‍

6. Sub-processors
   
   1. The Controller authorises the Processor to engage Sub-processors for the provision of the Services. Current Sub-processors include:
      
      1. Vercel
      2. Supabase
      3. Anthropic, OpenAI, AWS, Google Gemini
      4. Stripe
      5. Resend
   2. The Processor shall ensure Sub-processors are bound by written agreements imposing equivalent data protection obligations.
   3. The Processor shall notify the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object on reasonable grounds.

‍

7. International Transfers
   
   1. Where Personal Data is transferred outside the UK, the Processor shall ensure that such transfer is subject to appropriate safeguards, including:
      
      
      1. the UK Addendum to the EU Standard Contractual Clauses; or
      2. any other lawful transfer mechanism under Applicable Data Protection Law.

‍

8. Audit rights
   
   1. The Controller may, upon reasonable notice and at its own cost, audit the Processor’s compliance with this DPA.
   2. Audits may be conducted by the Controller or an independent auditor appointed by the Controller.
   3. The Processor may charge reasonable costs for facilitating on-site audits.

‍

9. Liability and Indemnity
   
   1. Each party’s liability arising out of or in connection with this DPA shall be subject to the limitations and exclusions set forth in the main agreement between the Parties, except where prohibited by Applicable Law.
   2. The Controller shall indemnify the Processor against any claims, damages, or expenses arising from the Controller’s unlawful instructions or misuse of the Services.

‍

10. Termination
    
    1. Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return all Personal Data, unless retention is required by law.
    2. Certificates of deletion shall be provided upon request.

‍

11. Governing Law and Jurisdiction
    
    1. This DPA shall be governed by and construed in accordance with the laws of England and Wales.
    2. The courts of England and Wales shall have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.

‍

12. Order of Precedence
    
    1. In the event of any inconsistency between this DPA and the Terms of Service or any other agreement, this DPA shall prevail with respect to data protection matters.