Terms
Data Processing Agreement
Last Updated: 16th December 2025
This Data Processing Agreement (the “DPA”) is entered into between:
LawForm AI Ltd of 61-63 St John Street, London, EC1M 4AN (“LawForm”); and
the customer identified in the applicable order form / subscription agreement (“Subscriber”),
together, the “Parties”.
1. Definitions
1.1 Applicable Data Protection Law means the UK GDPR, the Data Protection Act 2018, and any applicable UK privacy or data protection legislation and regulatory guidance, in each case as amended from time to time.
1.2 Controller, Processor, Personal Data, Personal Data Breach, Processing, Process, and Data Subject have the meanings given in Applicable Data Protection Law.
1.3 Subscriber Content means data and content submitted to the Services by or on behalf of the Subscriber, including documents, text, prompts, matter information, and outputs generated through the Services, to the extent any of the foregoing contains Personal Data.
1.4 Services means the LawForm platform and related services provided under the Agreement.
1.5 Sub-processor means any Processor engaged by LawForm to Process Personal Data on behalf of the Subscriber in connection with the Services.
1.6 Restricted Transfer means a transfer of Personal Data to a country or international organisation outside the United Kingdom that is restricted under Applicable Data Protection Law.
2. Roles of the Parties
2.1 Subscriber as Controller / Processor. The Parties acknowledge that, depending on the Subscriber’s use of the Services:
(a) the Subscriber is a Controller and LawForm is a Processor; or
(b) the Subscriber is a Processor acting on behalf of a third-party Controller, and LawForm is a Sub-processor.
2.2 Subscriber responsibility. The Subscriber is responsible for ensuring it has all necessary rights, lawful bases, notices, consents (where applicable), and authorisations to provide Personal Data to LawForm and to permit LawForm to Process Personal Data in accordance with the Agreement and this DPA (including where the Subscriber acts as a Processor, ensuring it is authorised by the relevant Controller to engage LawForm).
2.3 LawForm responsibility. LawForm shall Process Personal Data only as set out in this DPA and in accordance with Applicable Data Protection Law requirements applicable to it as a Processor (or Sub-processor).
3. Scope, instructions, and details of Processing
3.1 Documented instructions. LawForm shall Process Personal Data only on documented instructions from the Subscriber, including as set out in:
(a) the Agreement;
(b) this DPA; and
(c) Annex 1 (Details of Processing),
unless Processing is required by applicable law. Where Processing is required by law, LawForm shall (to the extent permitted) inform the Subscriber before Processing.
3.2 Unlawful instruction. If LawForm reasonably believes a Subscriber instruction infringes Applicable Data Protection Law, LawForm shall promptly inform the Subscriber and may suspend the relevant Processing until the Parties resolve the issue.
3.3 Processing details. The subject-matter, duration, nature and purpose of Processing, types of Personal Data, and categories of Data Subjects are set out in Annex 1.
4. Confidentiality and personnel
4.1 LawForm shall ensure that any person it authorises to Process Personal Data:
(a) is bound by an appropriate duty of confidentiality (contractual or statutory);
(b) receives appropriate training relevant to data protection and information security; and
(c) accesses Personal Data only to the extent necessary to perform the Services (least-privilege / need-to-know).
4.2 LawForm shall not disclose Personal Data to any third party except as permitted under this DPA, required by law, or instructed by the Subscriber.
5. Security measures
5.1 Appropriate measures. Taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of Processing as well as the risks to Data Subjects, LawForm shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data (a “Security Incident”). Measures are described in Annex 2 (Technical and Organisational Measures).
5.2 Maintenance. LawForm shall review its security measures periodically and as reasonably required by changes in risk, technology, or service architecture, without materially reducing the overall level of protection provided for Personal Data under the Services.
5.3 Support access controls. Where LawForm personnel access Subscriber accounts for support purposes, such access shall be controlled and limited to what is necessary, and subject to confidentiality obligations and appropriate logging/oversight, in line with Annex 2.
6. Sub-processors
6.1 General authorisation. The Subscriber authorises LawForm to engage Sub-processors to provide the Services.
6.2 Flow-down. LawForm shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA (including appropriate security measures). LawForm remains responsible for its Sub-processors’ acts and omissions in connection with Processing under this DPA.
6.3 Sub-processor list. LawForm shall maintain a list of Sub-processors in Annex 3 (or, where the Parties agree, at a URL or other written location referenced in Annex 3).
6.4 Notice and objection. LawForm will provide at least 30 days’ prior notice of any intended addition or replacement of a Sub-processor by updating Annex 3 (or by written notice). The Subscriber may object in writing within that period on reasonable grounds relating to the Sub-processor’s data protection or security posture.
6.5 Resolution. If the Subscriber objects, the Parties shall discuss in good faith a commercially reasonable solution, which may include (where feasible) (a) the use of an alternative Sub-processor, (b) a configuration change to avoid the Sub-processor for the affected Processing, or (c) equivalent safeguards.
6.6 If no solution. If no commercially reasonable solution can be agreed, then the Subscriber may terminate the affected part of the Services (or, if the affected part is integral, the Agreement) on written notice. Where the Subscriber terminates under this clause, LawForm shall refund any prepaid fees for the terminated portion covering the period after the effective termination date (if and to the extent prepaid under the Agreement).
7. International transfers
7.1 Primary location. LawForm will Process Personal Data in the United Kingdom, and will use UK-hosted infrastructure where feasible and consistent with the Services architecture.
7.2 Restricted transfers via Sub-processors. The Subscriber acknowledges that some Sub-processors may Process Personal Data outside the UK. LawForm shall not effect a Restricted Transfer unless:
(a) it has implemented an appropriate lawful transfer mechanism under Applicable Data Protection Law (such as the UK IDTA or the UK Addendum to the EU Standard Contractual Clauses); and
(b) the Sub-processor and transfer details are disclosed via Annex 3 (or notified under clause 6.4).
7.3 Transfer information. On request, LawForm shall provide the Subscriber with reasonably relevant information regarding transfer safeguards for Restricted Transfers.
7.4 No hidden transfers. LawForm shall not introduce new Restricted Transfers for Personal Data without providing notice under clause 6.4 (where the transfer is driven by a new or replacement Sub-processor).
8. Data Subject rights assistance
8.1 Assistance. Taking into account the nature of Processing, LawForm shall provide reasonable assistance (through appropriate technical and organisational measures) to enable the Subscriber to respond to Data Subject requests under Applicable Data Protection Law, to the extent such requests relate to Personal Data Processed by LawForm on behalf of the Subscriber.
8.2 Direct requests. If LawForm receives a Data Subject request relating to Subscriber Personal Data, LawForm shall (to the extent legally permitted) promptly notify the Subscriber and shall not respond substantively except on the Subscriber’s documented instructions or where required by law.
8.3 Costs. Assistance under this clause is included unless it requires material, repeated, or bespoke work outside the ordinary operation of the Services, in which case LawForm may charge reasonable fees on prior notice.
9. Personal Data Breach notification
9.1 Notification timeline. LawForm shall notify the Subscriber without undue delay and, where feasible, within 48 hours after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA.
9.2 Content of notice. The notification shall include, to the extent available:
(a) a description of the nature of the Personal Data Breach;
(b) the categories and approximate number of Data Subjects concerned (where known);
(c) the categories and approximate number of Personal Data records concerned (where known);
(d) likely consequences of the breach; and
(e) measures taken or proposed to address the breach and mitigate potential harm.
9.3 Co-operation. LawForm shall take reasonable steps to investigate, contain, and remediate the breach, and shall co-operate with the Subscriber as reasonably required to support the Subscriber’s notification obligations.
10. DPIAs, prior consultation, and regulatory engagement
10.1 LawForm shall provide reasonable assistance to the Subscriber with data protection impact assessments and prior consultations with the ICO (or other competent authority) where required, to the extent related to LawForm’s Processing under this DPA and based on information available to LawForm.
10.2 If LawForm receives a binding request or investigation notice from a supervisory authority relating to Processing under this DPA, LawForm shall (to the extent legally permitted) notify the Subscriber promptly and provide reasonable co-operation.
10.3 Costs. Assistance under this clause is included unless it requires material, repeated, or bespoke work outside ordinary service delivery, in which case clause 8.3 applies.
11. Audits and compliance information
11.1 Compliance evidence. On request, LawForm shall make available information reasonably necessary to demonstrate compliance with this DPA, which may include security summaries, relevant policies, and third-party assurance materials where available.
11.2 Audit right. The Subscriber may conduct an audit of LawForm’s compliance with this DPA no more than once in any 12-month period, unless:
(a) required by a competent regulator;
(b) following a Personal Data Breach affecting Subscriber Personal Data; or
(c) the Subscriber has reasonable grounds to suspect material non-compliance.
11.3 Audit conditions. Audits must:
(a) be conducted during normal business hours on reasonable notice;
(b) be limited to the Processing under this DPA;
(c) be carried out by the Subscriber or an independent, reputable auditor bound by confidentiality; and
(d) avoid compromising the security, confidentiality, or rights of other LawForm customers.
11.4 Costs. Each Party bears its own costs of an audit, unless the audit identifies a material breach of this DPA by LawForm, in which case LawForm shall reimburse the Subscriber’s reasonable, evidenced audit costs.
12. Return and deletion of Personal Data
12.1 During the Agreement. The Subscriber may access, export, or retrieve Subscriber Content using the Services features.
12.2 On termination / expiry. Upon termination or expiry of the Agreement, LawForm shall, at the Subscriber’s written instruction and choice:
(a) return Subscriber Content containing Personal Data in a commonly used, machine-readable format; and/or
(b) securely delete Subscriber Content containing Personal Data,
unless LawForm is required by law to retain certain information.
12.3 Backups. Personal Data may remain in encrypted backups for a limited period in accordance with LawForm’s standard backup retention schedule (see Annex 2), provided it is not actively Processed except for backup retention and disaster recovery, and is securely deleted/overwritten in due course.
12.4 Legal retention. Where LawForm is legally required to retain Personal Data, LawForm shall (to the extent legally permitted):
(a) inform the Subscriber of the obligation and the affected data;
(b) retain the data only for the required period;
(c) restrict further Processing; and
(d) continue to protect the retained data under this DPA.
12.5 Deletion confirmation. On request, LawForm shall provide a written confirmation describing the deletion measures taken (recognising clause 12.3).
13. Use of data; analytics; model training
13.1 Service provision only. LawForm shall not sell Personal Data and shall Process Personal Data only for the purpose of providing, securing, maintaining, and supporting the Services, or as otherwise instructed by the Subscriber or required by law.
13.2 No training on Subscriber Content. LawForm will not use Subscriber Content (including Personal Data) to train general-purpose AI models. Any optional customer-specific training, fine-tuning, or similar activity (if offered) shall be subject to a separate written agreement.
13.3 Aggregated/de-identified analytics. LawForm may collect and use aggregated and/or de-identified usage analytics to operate and improve the Services, provided such analytics do not identify the Subscriber or Data Subjects and cannot reasonably be re-identified.
14. Subscriber minimisation and support communications
14.1 The Subscriber shall take reasonable steps to minimise Personal Data uploaded to the Services to what is necessary for its intended use.
14.2 The Subscriber should not include Personal Data (other than necessary contact information) in support tickets or general communications to LawForm unless necessary; where feasible, the Subscriber should redact or anonymise such information.
15. Liability
15.1 Liability arising under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except to the extent liability cannot lawfully be limited under Applicable Data Protection Law.
16. Term and changes
16.1 This DPA remains in force for as long as LawForm Processes Personal Data on behalf of the Subscriber under the Agreement.
16.2 Except for updates to Annex 3 in accordance with clause 6.4, any amendment to this DPA must be in writing and signed by authorised representatives of both Parties.
16.3 This DPA is governed by the governing law and dispute resolution provisions of the Agreement (or, if silent, the laws of England and Wales and the courts of England and Wales).


Ready to experience LawForm?
Book a call with a specialist and see how LawForm gives your firm time back.


Ready to experience LawForm?
Book a call with a specialist and see how LawForm gives your firm time back.


Ready to experience LawForm?
Book a call with a specialist and see how LawForm gives your firm time back.
Terms
Data Processing Agreement
Last Updated: 16th December 2025
This Data Processing Agreement (the “DPA”) is entered into between:
LawForm AI Ltd of 61-63 St John Street, London, EC1M 4AN (“LawForm”); and
the customer identified in the applicable order form / subscription agreement (“Subscriber”),
together, the “Parties”.
1. Definitions
1.1 Applicable Data Protection Law means the UK GDPR, the Data Protection Act 2018, and any applicable UK privacy or data protection legislation and regulatory guidance, in each case as amended from time to time.
1.2 Controller, Processor, Personal Data, Personal Data Breach, Processing, Process, and Data Subject have the meanings given in Applicable Data Protection Law.
1.3 Subscriber Content means data and content submitted to the Services by or on behalf of the Subscriber, including documents, text, prompts, matter information, and outputs generated through the Services, to the extent any of the foregoing contains Personal Data.
1.4 Services means the LawForm platform and related services provided under the Agreement.
1.5 Sub-processor means any Processor engaged by LawForm to Process Personal Data on behalf of the Subscriber in connection with the Services.
1.6 Restricted Transfer means a transfer of Personal Data to a country or international organisation outside the United Kingdom that is restricted under Applicable Data Protection Law.
2. Roles of the Parties
2.1 Subscriber as Controller / Processor. The Parties acknowledge that, depending on the Subscriber’s use of the Services:
(a) the Subscriber is a Controller and LawForm is a Processor; or
(b) the Subscriber is a Processor acting on behalf of a third-party Controller, and LawForm is a Sub-processor.
2.2 Subscriber responsibility. The Subscriber is responsible for ensuring it has all necessary rights, lawful bases, notices, consents (where applicable), and authorisations to provide Personal Data to LawForm and to permit LawForm to Process Personal Data in accordance with the Agreement and this DPA (including where the Subscriber acts as a Processor, ensuring it is authorised by the relevant Controller to engage LawForm).
2.3 LawForm responsibility. LawForm shall Process Personal Data only as set out in this DPA and in accordance with Applicable Data Protection Law requirements applicable to it as a Processor (or Sub-processor).
3. Scope, instructions, and details of Processing
3.1 Documented instructions. LawForm shall Process Personal Data only on documented instructions from the Subscriber, including as set out in:
(a) the Agreement;
(b) this DPA; and
(c) Annex 1 (Details of Processing), unless Processing is required by applicable law. Where Processing is required by law, LawForm shall (to the extent permitted) inform the Subscriber before Processing.
3.2 Unlawful instruction. If LawForm reasonably believes a Subscriber instruction infringes Applicable Data Protection Law, LawForm shall promptly inform the Subscriber and may suspend the relevant Processing until the Parties resolve the issue.
3.3 Processing details. The subject-matter, duration, nature and purpose of Processing, types of Personal Data, and categories of Data Subjects are set out in Annex 1.
3.1 Documented instructions. LawForm shall Process Personal Data only on documented instructions from the Subscriber, including as set out in:
(a) the Agreement;
(b) this DPA; and
(c) Annex 1 (Details of Processing), unless Processing is required by applicable law. Where Processing is required by law, LawForm shall (to the extent permitted) inform the Subscriber before Processing.
3.2 Unlawful instruction. If LawForm reasonably believes a Subscriber instruction infringes Applicable Data Protection Law, LawForm shall promptly inform the Subscriber and may suspend the relevant Processing until the Parties resolve the issue.
3.3 Processing details. The subject-matter, duration, nature and purpose of Processing, types of Personal Data, and categories of Data Subjects are set out in Annex 1.
3.1 Documented instructions. LawForm shall Process Personal Data only on documented instructions from the Subscriber, including as set out in:
(a) the Agreement;
(b) this DPA; and
(c) Annex 1 (Details of Processing), unless Processing is required by applicable law. Where Processing is required by law, LawForm shall (to the extent permitted) inform the Subscriber before Processing.
3.2 Unlawful instruction. If LawForm reasonably believes a Subscriber instruction infringes Applicable Data Protection Law, LawForm shall promptly inform the Subscriber and may suspend the relevant Processing until the Parties resolve the issue.
3.3 Processing details. The subject-matter, duration, nature and purpose of Processing, types of Personal Data, and categories of Data Subjects are set out in Annex 1.
4. Confidentiality and personnel
4.1 LawForm shall ensure that any person it authorises to Process Personal Data:
(a) is bound by an appropriate duty of confidentiality (contractual or statutory);
(b) receives appropriate training relevant to data protection and information security; and
(c) accesses Personal Data only to the extent necessary to perform the Services (least-privilege / need-to-know).
4.2 LawForm shall not disclose Personal Data to any third party except as permitted under this DPA, required by law, or instructed by the Subscriber.
5. Security measures
5.1 Appropriate measures. Taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of Processing as well as the risks to Data Subjects, LawForm shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data (a “Security Incident”). Measures are described in Annex 2 (Technical and Organisational Measures).
5.2 Maintenance. LawForm shall review its security measures periodically and as reasonably required by changes in risk, technology, or service architecture, without materially reducing the overall level of protection provided for Personal Data under the Services.
5.3 Support access controls. Where LawForm personnel access Subscriber accounts for support purposes, such access shall be controlled and limited to what is necessary, and subject to confidentiality obligations and appropriate logging/oversight, in line with Annex 2.
6. Sub-processors
6.1 General authorisation. The Subscriber authorises LawForm to engage Sub-processors to provide the Services.
6.2 Flow-down. LawForm shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA (including appropriate security measures). LawForm remains responsible for its Sub-processors’ acts and omissions in connection with Processing under this DPA.
6.3 Sub-processor list. LawForm shall maintain a list of Sub-processors in Annex 3 (or, where the Parties agree, at a URL or other written location referenced in Annex 3).
6.4 Notice and objection. LawForm will provide at least 30 days’ prior notice of any intended addition or replacement of a Sub-processor by updating Annex 3 (or by written notice). The Subscriber may object in writing within that period on reasonable grounds relating to the Sub-processor’s data protection or security posture.
6.5 Resolution. If the Subscriber objects, the Parties shall discuss in good faith a commercially reasonable solution, which may include (where feasible) (a) the use of an alternative Sub-processor, (b) a configuration change to avoid the Sub-processor for the affected Processing, or (c) equivalent safeguards.
6.6 If no solution. If no commercially reasonable solution can be agreed, then the Subscriber may terminate the affected part of the Services (or, if the affected part is integral, the Agreement) on written notice. Where the Subscriber terminates under this clause, LawForm shall refund any prepaid fees for the terminated portion covering the period after the effective termination date (if and to the extent prepaid under the Agreement).
7. International transfers
7.1 Primary location. LawForm will Process Personal Data in the United Kingdom, and will use UK-hosted infrastructure where feasible and consistent with the Services architecture.
7.2 Restricted transfers via Sub-processors. The Subscriber acknowledges that some Sub-processors may Process Personal Data outside the UK. LawForm shall not effect a Restricted Transfer unless:
(a) it has implemented an appropriate lawful transfer mechanism under Applicable Data Protection Law (such as the UK IDTA or the UK Addendum to the EU Standard Contractual Clauses); and
(b) the Sub-processor and transfer details are disclosed via Annex 3 (or notified under clause 6.4).
7.3 Transfer information. On request, LawForm shall provide the Subscriber with reasonably relevant information regarding transfer safeguards for Restricted Transfers.
7.4 No hidden transfers. LawForm shall not introduce new Restricted Transfers for Personal Data without providing notice under clause 6.4 (where the transfer is driven by a new or replacement Sub-processor).
8. Data Subject rights assistance
8.1 Assistance. Taking into account the nature of Processing, LawForm shall provide reasonable assistance (through appropriate technical and organisational measures) to enable the Subscriber to respond to Data Subject requests under Applicable Data Protection Law, to the extent such requests relate to Personal Data Processed by LawForm on behalf of the Subscriber.
8.2 Direct requests. If LawForm receives a Data Subject request relating to Subscriber Personal Data, LawForm shall (to the extent legally permitted) promptly notify the Subscriber and shall not respond substantively except on the Subscriber’s documented instructions or where required by law.
8.3 Costs. Assistance under this clause is included unless it requires material, repeated, or bespoke work outside the ordinary operation of the Services, in which case LawForm may charge reasonable fees on prior notice.
9. Personal Data Breach notification
9.1 Notification timeline. LawForm shall notify the Subscriber without undue delay and, where feasible, within 48 hours after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA.
9.2 Content of notice. The notification shall include, to the extent available:
(a) a description of the nature of the Personal Data Breach;
(b) the categories and approximate number of Data Subjects concerned (where known);
(c) the categories and approximate number of Personal Data records concerned (where known);
(d) likely consequences of the breach; and
(e) measures taken or proposed to address the breach and mitigate potential harm.
9.3 Co-operation. LawForm shall take reasonable steps to investigate, contain, and remediate the breach, and shall co-operate with the Subscriber as reasonably required to support the Subscriber’s notification obligations.
10. DPIAs, prior consultation, and regulatory engagement
10.1 LawForm shall provide reasonable assistance to the Subscriber with data protection impact assessments and prior consultations with the ICO (or other competent authority) where required, to the extent related to LawForm’s Processing under this DPA and based on information available to LawForm.
10.2 If LawForm receives a binding request or investigation notice from a supervisory authority relating to Processing under this DPA, LawForm shall (to the extent legally permitted) notify the Subscriber promptly and provide reasonable co-operation.
10.3 Costs. Assistance under this clause is included unless it requires material, repeated, or bespoke work outside ordinary service delivery, in which case clause 8.3 applies.
11. Audits and compliance information
11.1 Compliance evidence. On request, LawForm shall make available information reasonably necessary to demonstrate compliance with this DPA, which may include security summaries, relevant policies, and third-party assurance materials where available.
11.2 Audit right. The Subscriber may conduct an audit of LawForm’s compliance with this DPA no more than once in any 12-month period, unless:
(a) required by a competent regulator;
(b) following a Personal Data Breach affecting Subscriber Personal Data; or
(c) the Subscriber has reasonable grounds to suspect material non-compliance.
11.3 Audit conditions. Audits must:
(a) be conducted during normal business hours on reasonable notice;
(b) be limited to the Processing under this DPA;
(c) be carried out by the Subscriber or an independent, reputable auditor bound by confidentiality; and
(d) avoid compromising the security, confidentiality, or rights of other LawForm customers.
11.4 Costs. Each Party bears its own costs of an audit, unless the audit identifies a material breach of this DPA by LawForm, in which case LawForm shall reimburse the Subscriber’s reasonable, evidenced audit costs.
12. Return and deletion of Personal Data
12.1 During the Agreement. The Subscriber may access, export, or retrieve Subscriber Content using the Services features.
12.2 On termination / expiry. Upon termination or expiry of the Agreement, LawForm shall, at the Subscriber’s written instruction and choice:
(a) return Subscriber Content containing Personal Data in a commonly used, machine-readable format; and/or
(b) securely delete Subscriber Content containing Personal Data,
unless LawForm is required by law to retain certain information.
12.3 Backups. Personal Data may remain in encrypted backups for a limited period in accordance with LawForm’s standard backup retention schedule (see Annex 2), provided it is not actively Processed except for backup retention and disaster recovery, and is securely deleted/overwritten in due course.
12.4 Legal retention. Where LawForm is legally required to retain Personal Data, LawForm shall (to the extent legally permitted):
(a) inform the Subscriber of the obligation and the affected data;
(b) retain the data only for the required period;
(c) restrict further Processing; and
(d) continue to protect the retained data under this DPA.
12.5 Deletion confirmation. On request, LawForm shall provide a written confirmation describing the deletion measures taken (recognising clause 12.3).
13. Use of data; analytics; model training
13.1 Service provision only. LawForm shall not sell Personal Data and shall Process Personal Data only for the purpose of providing, securing, maintaining, and supporting the Services, or as otherwise instructed by the Subscriber or required by law.
13.2 No training on Subscriber Content. LawForm will not use Subscriber Content (including Personal Data) to train general-purpose AI models. Any optional customer-specific training, fine-tuning, or similar activity (if offered) shall be subject to a separate written agreement.
13.3 Aggregated/de-identified analytics. LawForm may collect and use aggregated and/or de-identified usage analytics to operate and improve the Services, provided such analytics do not identify the Subscriber or Data Subjects and cannot reasonably be re-identified.
14. Subscriber minimisation and support communications
14.1 The Subscriber shall take reasonable steps to minimise Personal Data uploaded to the Services to what is necessary for its intended use.
14.2 The Subscriber should not include Personal Data (other than necessary contact information) in support tickets or general communications to LawForm unless necessary; where feasible, the Subscriber should redact or anonymise such information.
15. Liability
15.1 Liability arising under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except to the extent liability cannot lawfully be limited under Applicable Data Protection Law.
16. Term and changes
16.1 This DPA remains in force for as long as LawForm Processes Personal Data on behalf of the Subscriber under the Agreement.
16.2 Except for updates to Annex 3 in accordance with clause 6.4, any amendment to this DPA must be in writing and signed by authorised representatives of both Parties.
16.3 This DPA is governed by the governing law and dispute resolution provisions of the Agreement (or, if silent, the laws of England and Wales and the courts of England and Wales).



