Data Processing Addendum

This DPA applies to all personal data processing LexHub performs on the Customer's behalf while providing Services.

This DPA remains effective throughout the Agreement and until all Customer Personal Data is deleted or returned.

LexHub processes personal data for service provision and improvement, including: storage, retrieval, AI-assisted analysis, workflow automation, document review, monitoring, reporting, support, security monitoring, billing, backup, and disaster recovery.

Includes documents, emails, contracts, user account information, logs, metadata, usage statistics, credit data, and AI-generated content.

May include customer employees, customer clients, counterparties, and third parties mentioned in uploaded materials.

Customer acts as Data Controller; LexHub acts as Data Processor.

Must ensure lawful basis for uploaded data, avoid unnecessary special category data, inform data subjects, ensure accuracy, and review AI-generated output.

LexHub processes data only on documented instructions from the Customer unless law requires otherwise. Unlawful instructions trigger notification.

All personnel with data access must maintain confidentiality obligations.

Implements ISO 27001-level practices including encryption, access controls, logging, vulnerability scanning, secure development, data segmentation, and regular security reviews.

Supports data subject rights requests, DPIAs, authority consultations, and breach handling.

Prohibits data selling, advertising use, or model training without explicit separate written agreement.

Uses AI models for analysis, summaries, drafts, classifications, translations, and insights strictly for service provision per customer instructions.

Output containing personal data is treated as Customer Personal Data under this DPA.

LexHub does not train foundation models on Customer Personal Data unless the Customer explicitly opts in via a separate written agreement.

LexHub may use sub-processors; the current list is available at lexhub.app/sub-processors.

LexHub provides at least ten (10) days notice before adding or replacing sub-processors.

Customers may object on reasonable grounds; unresolved disputes allow terminating affected Services only.

LexHub remains fully liable for sub-processor performance.

Customer Personal Data is stored within the European Economic Area (EEA).

If necessary, LexHub implements GDPR Chapter V safeguards including Standard Contractual Clauses, adequacy decisions, and additional protective measures.

LexHub supports responses to access, rectification, erasure, portability, objection, restriction, and automated processing rights requests.

LexHub forwards directly-submitted requests to the Customer without responding unless authorized.

LexHub notifies Customer without undue delay, and in any event within 72 hours of personal data breaches.

Includes breach nature, scope, affected data categories, likely consequences, proposed measures, and follow-up contact.

LexHub assists with regulatory notifications and communications.

LexHub makes documentation available demonstrating DPA compliance.

One annual audit is permitted with 30 days notice; satisfaction may be achieved through ISO 27001 certifications, SOC 2 reports, third-party audits, whitepapers, or policies.

Permitted when legally or regulatory required.

Customers may export data within a 30-day window post-termination.

LexHub deletes data after the export window unless legally required.

Backup and log deletion follow LexHub's standard secure retention schedule.

LexHub confirms deletion in writing upon request.

LexHub processes usage data and metadata for billing, security, abuse detection, optimization, troubleshooting, analytics, and improvements.

Such data processing occurs as an independent controller and excludes document content.

When customers enable integrations (Microsoft Word, Google Drive, OneDrive, iManage, external legal sources), LexHub processes only necessary data.

Third-party systems operate under their own terms and privacy policies.

Customers ensure compliance when enabling third-party integrations.

Agreement liability limitations apply to this DPA.

LexHub is not liable for customer failure to obtain lawful bases, unlawful special category data uploads, or customer misuse of AI-generated content.