Data Processing Agreement
Version 1.0 · Effective March 2026
This DPA forms part of the Terms of Service between LexVault and each Customer.
1. Definitions
2. Roles and responsibilities
The Customer is the Data Controller: it determines the purposes and means of processing the Personal Data it uploads or generates within the Service.
LexVault is the Data Processor: it processes Personal Data on behalf of and under the documented instructions of the Customer, solely for the purpose of providing the Service.
The Customer represents and warrants that it has a lawful basis to upload any Personal Data to the Service and has provided any required notices to, and obtained any required consents from, the relevant Data Subjects. LexVault assumes no responsibility for the Customer's compliance obligations as Controller.
3. Subject matter and nature of processing
3.1 Purpose
LexVault processes Personal Data solely to deliver the features of the Service: document storage and retrieval, AI-powered legal document analysis and Q&A, document drafting assistance, structured data extraction, conflict-of-interest screening, matter and case management, and team collaboration.
3.2 Types of Personal Data
The Personal Data processed may include: names, email addresses, firm names, and role information of the Customer's Users; and any Personal Data contained within Customer Content, which may include client names, contact details, financial information, legal matters, and other information typical of legal practice files. LexVault does not review or assess the content of Customer Content.
3.3 Categories of Data Subjects
Data Subjects may include: the Customer's own Users (employees and contractors of the law firm); and third parties whose information appears in Customer Content (including the law firm's clients, opposing parties, witnesses, and other individuals mentioned in legal documents).
3.4 Duration
Processing continues for the duration of the Customer's subscription to the Service. Upon termination, Personal Data is deleted as described in Section 10 below.
4. LexVault's processor obligations
4.1 Processing on instructions only
LexVault processes Personal Data only on documented instructions from the Customer (as set out in these Terms of Service and this DPA) and will not process Personal Data for any other purpose. If LexVault is required by Applicable Law to process Personal Data in a way that goes beyond those instructions, it will notify the Customer before doing so (unless prohibited by law).
4.2 Confidentiality
LexVault ensures that its personnel authorized to process Personal Data are subject to binding confidentiality obligations (whether by contract or operation of law) and process Personal Data only as necessary to provide the Service.
4.3 No use for model training
LexVault does not use Customer Content — including documents, queries, or AI conversation history — to train, fine-tune, or improve any AI models, whether operated by LexVault or its AI sub-processors. This restriction is enforced through contractual terms with our AI providers.
4.4 Assistance with Data Subject rights
LexVault will provide reasonable assistance to the Customer to fulfil Data Subject rights requests (access, rectification, erasure, portability, restriction, and objection) to the extent that LexVault has the technical ability to do so. Requests must be submitted to privacy@lexvault.legal.
4.5 Assistance with compliance obligations
Taking into account the nature of processing, LexVault will provide reasonable assistance to the Customer in meeting its obligations under Applicable Law, including obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
5. Security measures
LexVault implements the following technical and organizational measures to protect Personal Data. These measures represent the current state of the Service:
| Control | Implementation |
|---|---|
| Encryption in transit | TLS 1.2 or higher enforced on all connections to the Service and sub-processors. |
| Encryption at rest | All data stored in Supabase is encrypted at rest using AES-256 (managed by Supabase/AWS). |
| Data isolation | Each firm's data is strictly isolated by a firm_id tenant identifier enforced at the database row level (PostgreSQL Row-Level Security). No firm can access another firm's data. |
| Access control | Role-based access controls (owner, admin, member) restrict what actions each User may perform. Matter-level access restrictions can be applied by matter creators. |
| Audit logging | All material actions (document upload/delete, matter creation, team invitations, access grants) are recorded in a tamper-evident audit log accessible only to firm owners and admins. |
| Authentication | All User authentication is handled through Supabase Auth with secure session tokens. Passwords are not stored in plain text. |
| Personnel access | LexVault personnel do not access Customer Content in the normal course of operations. Support access requires explicit Customer authorization. |
| Sub-processor security | All sub-processors are required by contract to implement appropriate technical and organizational security measures (see Section 6). |
No security measure is infallible. LexVault takes commercially reasonable steps to protect Personal Data but cannot guarantee absolute security against all threats.
6. Sub-processors
The Customer grants LexVault general authorization to engage the sub-processors listed below. LexVault will notify the Customer of any intended changes to this list (additions or replacements) by updating this page with at least 14 days' notice. Customers who object to a new sub-processor may terminate their subscription without penalty within that 14-day period.
| Sub-processor | Purpose | Data transferred | Location |
|---|---|---|---|
| Supabase, Inc. | Database, file storage, and authentication | Account data, session tokens, uploaded documents and embeddings | United States (AWS) |
| OpenAI, LLC | AI chat completions, document embeddings, data extraction, and conflict analysis | Query text, relevant document excerpts, and contact names sent to OpenAI API. No data is used for model training under OpenAI's API terms. | United States |
| Vercel, Inc. | Web application hosting and content delivery | HTTP request data, server-side session tokens | United States / global CDN |
| Resend, Inc. | Transactional email delivery | Recipient email addresses and email content (e.g. account confirmations, team invitations) | United States |
LexVault has entered into data processing agreements with each sub-processor that impose data protection obligations at least as protective as those in this DPA.
7. Data breach notification
In the event LexVault becomes aware of a confirmed Personal Data Breach affecting Customer's data, LexVault will:
- Notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the breach, at the email address on file for the Customer's account.
- Provide a description of the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
- Take reasonable steps to mitigate and remediate the breach.
The Customer is solely responsible for determining whether the breach triggers any notification obligation to supervisory authorities or affected Data Subjects under Applicable Law, and for making any such notifications.
8. International data transfers
LexVault and its sub-processors are based in the United States. Where Applicable Law restricts transfers of Personal Data outside a given jurisdiction (e.g. EEA → US under GDPR), LexVault relies on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): Where required, LexVault's sub-processor agreements incorporate the European Commission's Standard Contractual Clauses as the lawful transfer mechanism.
- Customer instruction: By using the Service and uploading data, the Customer instructs LexVault to transfer Personal Data to the US-based sub-processors listed in Section 6 as necessary to provide the Service.
EEA and UK Customers should ensure they have a lawful basis for instructing such transfers from their jurisdiction.
9. Audit rights
LexVault will make available to the Customer, upon written request to privacy@lexvault.legal, all information reasonably necessary to demonstrate LexVault's compliance with this DPA. This may include documentation of security controls, sub-processor agreements (in redacted form), and responses to security questionnaires. LexVault is not required to provide access to systems, raw infrastructure, or other customers' data.
10. Deletion and return of data
Upon expiry or termination of the Customer's subscription:
- The Customer may export their data (documents, matter records, contacts) from the Service during the active subscription period. LexVault does not provide automated data export after termination.
- Within 30 days of termination, LexVault will delete all Customer Content and associated Personal Data from its systems and those of its sub-processors, except where retention is required by Applicable Law.
- Billing records are retained for up to 7 years for legal and tax compliance. These records contain only account-level data (name, email, payment history) and do not include Customer Content.
11. Liability
11.1 LexVault's liability for any claim arising under this DPA is subject to the limitations set out in the Terms of Service, including the cap on total liability (fees paid in the prior 12 months) and the exclusion of indirect and consequential damages.
11.2 Customer's liability. The Customer is solely responsible for: (a) ensuring it has a lawful basis to upload Personal Data to the Service; (b) the accuracy and completeness of any data it submits; (c) compliance with its own obligations as Data Controller under Applicable Law; (d) securing its account credentials; and (e) any obligations owed to Data Subjects (including clients) under professional responsibility rules, applicable bar rules, or attorney-client confidentiality obligations. LexVault accepts no responsibility for the Customer's failure to meet these obligations.
11.3 AI outputs. LexVault processes data using third-party AI models (OpenAI). AI-generated outputs are provided as informational tools only and do not constitute legal advice. LexVault is not liable for any legal, professional, or other consequences arising from the Customer's reliance on AI-generated content.
11.4 Sub-processor incidents. LexVault is not liable for security incidents, outages, or data breaches caused by sub-processors that are outside LexVault's direct control, provided LexVault has exercised commercially reasonable diligence in selecting and contracting with those sub-processors and notifies the Customer as described in Section 7.
12. Attorney-client privilege and professional responsibility
LexVault acknowledges that Customer Content may include information protected by attorney-client privilege or other professional duty of confidentiality. LexVault operates as a service provider — it does not access, review, or use Customer Content except as automated processing strictly necessary to provide the Service (document indexing, AI query processing, storage). LexVault's personnel do not read customer documents.
The Customer is solely responsible for: (a) reviewing applicable bar association guidance on the use of cloud and AI services with client data; (b) obtaining any required client consent; and (c) ensuring the Service is used in a manner consistent with all professional responsibility obligations. LexVault will provide reasonable documentation of its security and confidentiality practices to assist with any required client disclosure or ethics review.
13. Term and amendments
This DPA is effective from the date the Customer first accepts the Terms of Service and remains in effect until the Customer's subscription terminates. LexVault may update this DPA from time to time. Material changes will be communicated by email or by notice within the Service at least 14 days before taking effect. Continued use of the Service after the effective date constitutes acceptance of the updated DPA.
14. Governing law
This DPA is governed by the same governing law as the Terms of Service. Any dispute arising under this DPA will be resolved through the dispute resolution mechanism set out in the Terms of Service.
Questions about this DPA
For data protection inquiries, to exercise Data Subject rights, or to request security documentation, contact our privacy team:
Email: privacy@lexvault.legal
General: hello@lexvault.legal
We aim to respond to all privacy-related inquiries within 5 business days.