1. Scope and Application
This Data Processing Agreement ('DPA') forms part of the Terms of Service between Mowly, Lda. ('Processor') and the customer ('Controller') and governs the processing of personal data by the Processor on behalf of the Controller. This DPA applies to all processing of personal data carried out by the Processor in connection with the provision of the Services, as defined in the Terms of Service. This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (General Data Protection Regulation, 'GDPR') and the Portuguese Lei n.º 58/2019 implementing the GDPR.
2. Definitions
In addition to the definitions in the Terms of Service, the following definitions apply to this DPA:
- 'Personal Data' means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Services
- 'Processing' means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction
- 'Data Subject' means the identified or identifiable natural person to whom the Personal Data relates
- 'Sub-processor' means any third party engaged by the Processor to process Personal Data on behalf of the Controller
- 'Data Breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data
- 'Supervisory Authority' means the Comissão Nacional de Proteção de Dados (CNPD) or any other competent data protection authority
- 'Standard Contractual Clauses' means the standard contractual clauses for the transfer of personal data adopted by the European Commission
- 'Technical and Organizational Measures' means the security measures described in Annex II of this DPA and the Security Policy
3. Details of Processing
The Processor processes Personal Data on behalf of the Controller as follows:
- Subject matter and purpose: Processing is carried out for the purpose of providing the Services as described in the Terms of Service, including AI-powered legal research, document analysis, document production, and document processing
- Duration: Processing continues for the duration of the service agreement plus any applicable retention period specified in the Privacy Policy
- Nature of processing: Automated processing including storage, retrieval, analysis by AI systems, translation, pseudonymization, and transcription of documents and data submitted by the Controller
- Categories of data subjects: Legal professionals (lawyers, paralegals, legal assistants), clients of the Controller whose data appears in submitted documents, and other individuals referenced in legal documents
- Types of personal data: Names, contact information, identification numbers, legal case details, financial information, health data (when contained in legal documents), criminal records data (when contained in legal documents), and any other personal data contained in documents submitted for processing
4. Controller Obligations
The Controller shall:
- Ensure that it has a lawful basis for the processing of Personal Data and that all necessary consents have been obtained or other legal bases established
- Provide the Processor with documented instructions for the processing of Personal Data. The Terms of Service and this DPA constitute the Controller's initial processing instructions
- Ensure that Personal Data submitted for processing is accurate, relevant, and limited to what is necessary for the purposes of processing (data minimization)
- Inform the Processor without undue delay of any changes to applicable data protection laws that may affect the Processor's obligations
- Conduct Data Protection Impact Assessments where required by GDPR Article 35, and consult with the Processor where necessary for such assessments
5. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by EU or Member State law
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in the Security Policy
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller, as detailed in the Sub-processors section
- Assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR Chapter III, taking into account the nature of the processing
- Assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of processing and information available to the Processor
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless EU or Member State law requires storage
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits
6. Sub-processors
The following terms apply to the engagement of sub-processors:
- General authorization: The Controller provides general written authorization for the Processor to engage sub-processors. A current list of sub-processors is maintained and available upon request
- Notification of changes: The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 30 days
- Objection right: If the Controller objects to a new sub-processor on reasonable grounds related to data protection, the parties shall discuss the Controller's concerns in good faith. If no resolution is reached, the Controller may terminate the affected Services
- Sub-processor agreements: The Processor ensures that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA
- Liability: The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations
7. International Data Transfers
Regarding the transfer of Personal Data outside the EEA:
- EU processing: Mowly primarily processes all Personal Data within the European Economic Area (EEA). Our primary infrastructure is hosted in EU data centers
- Transfer mechanisms: Where transfers outside the EEA are necessary (e.g., for AI processing by providers with global infrastructure), such transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) adopted by the European Commission
- Adequacy decisions: Where the European Commission has issued an adequacy decision for a third country, transfers to that country may be made in reliance on such decision
- Transfer impact assessment: The Processor conducts transfer impact assessments for transfers to countries without adequacy decisions to evaluate whether the legal framework of the receiving country provides adequate protection
8. Security Measures
The Processor implements the following categories of technical and organizational measures:
- Encryption: AES-256 encryption at rest and TLS 1.3 in transit for all Personal Data, as detailed in the Security Policy
- Access controls: Role-based access control, principle of least privilege, multi-factor authentication for administrative access, and regular access reviews
- Data segregation: Logical separation of customer data using row-level security policies to prevent unauthorized cross-tenant access
- Monitoring: Continuous security monitoring, intrusion detection systems, automated anomaly detection, and comprehensive security logging
- Temporary processing: Document content submitted for AI processing is processed in memory and not persisted to permanent storage
- Business continuity: Automated encrypted backups, disaster recovery procedures, and defined recovery time and recovery point objectives
9. Data Breach Notification
In the event of a Data Breach:
- Notification to Controller: The Processor shall notify the Controller without undue delay and in any event within 48 hours after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller
- Notification content: The notification shall include: (a) the nature of the breach; (b) categories and approximate number of Data Subjects affected; (c) likely consequences; (d) measures taken or proposed to address the breach; and (e) contact details for further information
- Assistance: The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach
- Regulatory notification: The Processor shall assist the Controller in complying with its notification obligations to the supervisory authority under GDPR Article 33 and to Data Subjects under Article 34
- Documentation: The Processor shall document all Data Breaches, including the facts, effects, and remedial action taken, and make this documentation available to the Controller
10. Data Subject Rights
Regarding requests from Data Subjects:
- Assistance: The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under GDPR Articles 15 to 22 (access, rectification, erasure, restriction, portability, objection, and automated decision-making)
- Notification: If the Processor receives a request directly from a Data Subject, it shall promptly redirect the request to the Controller and shall not respond to the request independently unless instructed to do so
- Technical measures: The Processor shall implement appropriate technical measures to enable the Controller to fulfill Data Subject requests, including the ability to export, rectify, and delete Personal Data
- Response timeframe: The Processor shall respond to the Controller's instructions regarding Data Subject requests within 10 business days
11. Audits and Inspections
The Controller has the right to verify compliance with this DPA:
- Audit right: The Controller may audit the Processor's compliance with this DPA up to once per year, with at least 30 days' prior written notice, during normal business hours, and subject to reasonable confidentiality obligations
- Third-party audits: The Controller may appoint an independent third-party auditor to conduct the audit, provided the auditor enters into appropriate confidentiality agreements
- Audit reports: The Processor shall make available relevant audit reports, certifications, and compliance documentation upon request to demonstrate compliance with its obligations
- Cost allocation: Each party shall bear its own costs in connection with audits, except where an audit reveals material non-compliance by the Processor
12. Term and Termination
This DPA shall remain in effect for the duration of the service agreement:
- Duration: This DPA shall continue in force as long as the Processor processes Personal Data on behalf of the Controller
- Data return: Upon termination of the service agreement, the Processor shall, at the Controller's election, return or delete all Personal Data within 30 days, unless EU or Member State law requires continued storage
- Data export: The Controller may request an export of all Personal Data in a structured, commonly used, and machine-readable format prior to or within 30 days of termination
- Certification: Upon completion of data deletion, the Processor shall provide written certification confirming that all Personal Data has been securely deleted
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that such limitations shall not apply to: (a) either party's liability for breaches of data protection law caused by its own non-compliance; (b) either party's liability to Data Subjects; or (c) either party's indemnification obligations for fines imposed by supervisory authorities to the extent caused by the indemnifying party's breach of this DPA.
14. Governing Law
This DPA shall be governed by the laws of your country of residence and the directly applicable provisions of EU law, including the GDPR. Any disputes arising from this DPA shall be subject to the jurisdiction of the courts of your country of residence, without prejudice to the rights of Data Subjects to lodge complaints with supervisory authorities or bring proceedings before the courts of the Member State where they reside.