Data Processing Agreement

Last updated: November 2025

This Data Processing Agreement ("DPA") forms part of the agreement between DiffAnalytics and customers using Legal Agreement Analyzer ("LAA") to process personal data.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Controller" means the entity that determines the purposes and means of Processing (Customer).
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller (DiffAnalytics).

2. Scope and Roles

Customer is the Controller of Personal Data contained in documents uploaded to LAA. DiffAnalytics acts as Processor, Processing Personal Data solely to provide the LAA service.

3. Processing Instructions

DiffAnalytics will Process Personal Data only in accordance with Customer's documented instructions, which are deemed to include:

  • Processing to provide the LAA service
  • Processing to comply with applicable law
  • Processing as otherwise agreed in writing

4. Sub-processors

Customer authorizes DiffAnalytics to use the following sub-processors:

  • Google Cloud Platform - Infrastructure and storage (US/EU regions available)
  • Groq - LLM API for document extraction
  • Google (Gemini) - Alternative LLM API

DiffAnalytics will notify Customer of new sub-processors and provide an opportunity to object.

5. Security Measures

DiffAnalytics implements appropriate technical and organizational measures including:

  • Encryption at rest and in transit
  • Access controls and authentication
  • Regular security assessments
  • Incident response procedures
  • Employee security training

6. Data Subject Rights

DiffAnalytics will assist Customer in responding to data subject requests (access, deletion, portability, etc.) to the extent technically feasible.

7. Data Breach Notification

DiffAnalytics will notify Customer without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data breach affecting Customer data.

8. Data Deletion

Upon termination of the service agreement, DiffAnalytics will delete or return Customer's Personal Data within 30 days, unless retention is required by law.

9. International Transfers

Where Personal Data is transferred outside the EEA, DiffAnalytics ensures appropriate safeguards through Standard Contractual Clauses or other approved mechanisms.

10. Audit

DiffAnalytics will make available information necessary to demonstrate compliance with this DPA and allow for audits by Customer or an appointed auditor, subject to reasonable notice and confidentiality obligations.

11. Term

This DPA remains in effect for the duration of the service agreement and until all Personal Data has been deleted or returned.

Need a signed DPA?

Contact us to receive an executable version of this DPA for your records.
