GC AI Data Processing Agreement
3.0 (Current)
Jul 21, 2025
This Data Processing Addendum (“DPA”) is a part of the GC AI Services Agreement and any Order Form (if applicable) (collectively, the “Agreement”) between you/Customer ("Customer") and General Counsel AI, Inc. (“GC AI”). This DPA describes the commitments of GC AI and Customer concerning the Processing of Personal Data in connection with the Services purchased by Customer. Capitalized terms not defined herein shall have the meaning provided in the Agreement.
1. Definitions
1.1 “Applicable Data Protection Law” means to the extent applicable to a party’s Processing of Customer Personal Data under the Agreement, (i) European Data Protection Laws; (ii) Canadian Privacy Laws; and (iii) US Privacy Laws; in each case as may be amended, superseded, or replaced.
1.2 “Canadian Privacy Laws” means, as applicable, (i) the federal Personal Information Protection and Electronic Documents Act (PIPEDA); (ii) the provincial Personal Information Protection Act in place in each of Alberta and British Columbia; (iii) an Act Respecting The Protection of Personal Information In The Private Sector (Québec) as amended by Law 25; and (iv) the Canada Anti-Spam Act Legislation (CASL) and their implementing regulations.
1.3 “European Data Protection Laws” means, as applicable, (i) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC (e-Privacy Directive); (iii) any applicable national implementations of (i) and (ii); (iv) the Switzerland Federal Act on Data Protection, as amended by the Federal Act of 25 September 2020 on Data Protection (nFADP), and its ordinances (“Swiss DPA”); and (v) the United Kingdom (“UK”) Data Protection Act 2018 and the GDPR as saved into UK law by virtue of Section 3 of the UK’s European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect by virtue of Section 2 of the UK’s European Union (Withdrawal) Act 2018; in each case as may be amended, superseded, or replaced.
1.4 “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.5 “Customer Personal Data” means Personal Data contained in User Data that GC AI Processes under the Agreement solely on behalf of Customer. For clarity, Customer Personal Data includes any Personal Data included in the attachments provided by Customer, including any information contained in any technical support requests.
1.6 “Personal Data” means any information about an identified or identifiable natural person, or which otherwise constitutes “personal data,” “personal information,” “personally identifiable information” or similar terms as defined in Applicable Data Protection Law.
1.7 “Process,” “Processes,” “Processed,” and “Processing” have the meaning attributed to the term in the relevant Applicable Data Protection Law or, if not defined, then means any operation or set of operations performed on Personal Data, including access, storage, and use.
1.8 “Processor” means the entity which Processes Personal Data on behalf of the Controller. When used in the context of CCPA, a reference to Processor to refer to GC AI means “service provider,” as such term is defined in the CCPA.
1.9 “Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to User Data Processed by GC AI and/or its Sub-processors.
1.10 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses as adopted by the European Union Commission by means of the Implementing Decision EU 2021/914 of June 4, 2021 found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
1.11 “Sub-processor” means any Processor engaged by GC AI to fulfill GC AI’s obligations under the Agreement with respect to providing the Services.
1.12 “UK Addendum” means that certain international data transfer addendum to the SCCs issued by the UK Information Commissioner for Parties making transfers of Personal Data from the UK to any other country which is not deemed adequate under Article 46 of the UK GDPR.
1.13 “US Privacy Laws” means all United States state data privacy, information security, and data breach notification laws and implementing regulations to the extent applicable to the Processing of Customer Personal Data by GC AI in GC AI’s performance of the Services, excluding the Health Insurance Portability and Accountability Act of 1996.
1.14 The terms “data subject” and “supervisory authority” shall have the meanings given to them in the applicable European Data Protection Laws.
2. Roles of the Parties
2.1 GC AI as a Processor. As a Processor GC AI will Process Customer Personal Data only on behalf of Customer and in accordance with Customer’s lawful instructions as set forth in this DPA and the Agreement. The details of the Processing of Customer Personal Data are described in Schedule 1. GC AI will notify Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate Applicable Data Protection Law, in which case GC AI may suspend the instruction until Customer modifies it, confirms its legality or withdraws it.
2.2 GC AI as a Controller. For Personal Data related to each User’s Account and Personal Data within Usage Data, GC AI acts as a Controller and Processes such data to manage its relationship with Customer, provide and improve the Services, and for other business purposes such as billing, account management, and security, as further described in the Agreement.
2.3 Customer. Between the parties, Customer is solely responsible for the accuracy, content, legality and quality of Customer Personal Data. Customer represents and warrants that it has provided all necessary notices and obtained all consents, permissions, and rights required by Applicable Data Protection Laws for GC AI to lawfully Process Customer Personal Data for the purposes contemplated by the Agreement and this DPA.
3. Security
3.1 Security Measures. GC AI has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of User Data and protect against Security Incidents. GC AI’s current technical and organizational measures shall include, at a minimum, those described in Schedule 3 of this DPA. Customer acknowledges that the Security Measures are subject to technical progress and development and that GC AI may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security originally provided by GC AI. GC AI shall ensure that any person who is authorized by GC AI to Process User Data shall be under an appropriate level of confidentiality.
3.2 Customer Security Responsibilities. Customer shall implement and maintain reasonable and appropriate technical and organizational security measures designed to protect User Data and Customer’s Accounts from Security Incidents. This includes measures that can be selected or configured by Customer from within the Services. GC AI is not responsible for assessing the legality or accuracy of Customer Personal Data.
3.3 Security Incidents. GC AI must notify Customer without undue delay after becoming aware of a Security Incident. GC AI will investigate the Security Incident and must make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within GC AI’s reasonable control. GC AI will provide timely information relating to the Security Incident as it becomes available or upon Customer’s reasonable request. GC AI’s notification of or response to a Security Incident is not an acknowledgment by GC AI of fault or liability.
4. Sub-processing
4.1 General Authorization. Customer provides a general authorization for GC AI to engage Sub-processors to Process Customer Personal Data on GC AI’s behalf. The list of such Sub-processors is set forth at https://www.gc.ai/subprocessors. GC AI shall: (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set forth in this DPA; and (ii) remain responsible for GC AI’s compliance with the obligations under this DPA and for any acts and omissions of any Sub-processor to the extent an act or omission causes a breach of GC AI’s data protection obligations under this DPA.
4.2 Changes to Sub-processors. GC AI will notify Customer via email before adding or replacing any Sub-processor. Customer may object to the appointment of a new Sub-processor by notifying GC AI in writing within thirty (30) days of receiving such notice, stating the reasons for the objection. If the parties cannot agree on a solution within ninety (90) days of GC AI receiving Customer’s objection, Customer may terminate the affected Services (without liability to either party and without prejudice to any fees incurred by Customer).
5. Requests
5.1 Data Subject Rights. To the extent that Customer is unable to independently access Customer Personal Data from within the Services and to the extent such information is known to GC AI, GC AI shall, taking into account the nature of the applicable Processing, provide reasonable assistance in responding to requests from data subjects and applicable supervisory authorities relating to the Processing of Customer Personal Data. If GC AI receives a request directly, GC AI shall not respond to such communication without Customer’s prior authorization, except to acknowledge receipt of the request and to attempt to redirect the requester to contact Customer directly. If GC AI is otherwise required to respond, or GC AI does not receive a response from Customer within the legally required timeframe, GC AI shall respond to the request with the information known to GC AI.
5.2 Third Party Requests. Unless prohibited by law, GC AI will promptly notify Customer of any valid, enforceable subpoena, warrant, or court order from law enforcement or public authorities compelling GC AI to disclose Customer Personal Data to allow Customer to seek a protective order or other appropriate remedy. In the event that GC AI receives an inquiry or a request for information from any other third party (such as a supervisory authority or data subject) concerning the Processing of Customer Personal Data, GC AI shall attempt to redirect such inquiries to Customer. If GC AI is legally prohibited from providing Customer with such notice, then, if, after careful assessment, GC AI concludes that there are reasonable grounds to consider the demand or prohibition to be unlawful, GC AI shall take commercially reasonable steps to challenge such demand or prohibition. For the avoidance of doubt, nothing in this DPA shall be interpreted to require GC AI to pursue action or inaction that could result in a civil or criminal penalty for GC AI, including without limitation a contempt of court.
6. Deletion and Return of Customer Personal Data. Customer may access, retrieve or delete User Data, Inputs and Outputs at any time during the Subscription Term. Following expiration or termination of the Subscription Term, GC AI will, in accordance with its then in-effect policies, delete all User Data (including Customer Personal Data). Notwithstanding the foregoing, GC AI may retain User Data (i) as required by Applicable Data Protection Law or (ii) to the extent such copies are electronically stored in accordance with its standard backup or record retention policies, provided that, in either case, GC AI will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to retained Customer Personal Data and not further Process it except as required by Applicable Data Protection Law.
7. Audit
7.1 Audit Reports. The Platform will be regularly audited by independent third-party auditors and/or internal auditors. Upon request, and on the condition that Customer has entered into an applicable non-disclosure agreement with GC AI, GC AI will make available a summary copy of relevant audit report(s) (“Report”) to Customer via GC AI’s Trust Center located at https://gc.ai.trust, so Customer can verify GC AI’s compliance with the audit standards against which it has been assessed, and this DPA. Such Reports are GC AI’s Confidential Information. If Customer cannot reasonably verify GC AI’s compliance with the terms of this DPA, GC AI will no more than once every twelve (12) months provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to GC AI’s Processing of Customer Personal Data.
7.2 On-Site Audits. Only to the extent Customer cannot reasonably satisfy GC AI’s compliance with this DPA through the exercise of Customer’s rights under Section 7.1 above, or where required by Applicable Data Protection Law, Customer may request to conduct an audit of GC AI’s applicable controls related to the Processing of Customer Personal Data under this DPA. To the extent authorized by law, such audit must (i) be conducted during GC AI’s regular business hours, (ii) with advance written notice of at least sixty (60) calendar days (unless Applicable Data Protection Law or a supervisory authority requires otherwise); (iii) be conducted in a manner to minimize any impact to GC AI’s business, employees or other customers; (iv) be conducted on a confidential basis; (v) occur no more than once every twelve (12) months; and (vi) restrict its findings to only information relevant to the Processing of Customer Personal Data. Except where GC AI is found to be in violation of this DPA or Applicable Data Protection Law, Customer shall reimburse GC AI for all reasonable out-of-pocket expenses in conducting any such audit.
7.3 Data Protection Impact Assessments. Upon Customer’s written request, GC AI shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligations under Applicable Data Protection Laws to carry out data protection impact assessments related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available.
8. Regional Specific Provisions. Customer acknowledges and agrees that GC AI may transfer and Process Customer Personal Data to and in the United States and Canada. GC AI may also Process Customer Personal Data anywhere else in the world where GC AI or its Sub-processors maintain data Processing operations to the extent reasonably necessary to provide the Services. To the extent GC AI Processes Customer Personal Data protected by Applicable Data Protection Laws in one of the regions listed in Schedule 2 (Region-Specific Terms), the terms specified for the applicable regions will also apply.
9. General
9.1 Applicability of the Agreement. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by the relevant Applicable Data Protection Law, and in such event, then only for purposes of this DPA and only for purposes of that specific jurisdiction. Any ambiguity in this DPA shall be resolved to permit the parties to comply with the Applicable Data Protection Laws. If any express term of this DPA conflicts with the Agreement, then this DPA, if applicable, shall control as to that term. The Agreement shall control in all other instances, including, without limitation, notice, assignment, severability, and relationship of the parties.
9.2 Liability Caps and Damages Waiver. To the maximum extent permitted under Applicable Data Protection Laws, each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.
9.3 Related-Party Claims. Any claims made against GC AI arising out of or related to this DPA may only be brought by the entity that is a party to the Agreement pursuant to an Order Form.
Schedule 1 – Description of Processing
1. Categories of data subjects whose Personal Data is Processed: As between the parties, Customer has the sole discretion to determine and control the categories of data subjects transmitted in connection with the Services and, accordingly, Customer shall not transmit or otherwise make available to GC AI any categories of data subjects to the extent Customer does not have the consent to make such Customer Personal Data available to GC AI, unless such information is anonymized in accordance with the requirements of the relevant Applicable Data Protection Laws.
2. Subject matter of the Processing: Personal Data that Customer elects to transfer to GC AI in connection with performance of the Services as set forth in the Agreement.
3. Types of Personal Data: Limited to only those types of Personal Data necessary, but may include names, addresses, emails, phone numbers and other identifiable information. Customer has the sole discretion to determine and control the types of Personal Data transmitted to GC AI.
4. Duration and frequency of the transfer: Continuous during the performance of the Services.
5. Nature of the Processing: GC AI will Process Customer Personal Data in order to provide the Services.
6. Purposes of the Processing of Customer Personal Data: GC AI will Process Customer Personal Data as necessary to provide the Services.
Schedule 2 – Regional Specific Terms
1. Personal Data Transfers outside the European Economic Area (EEA). In connection with any transfer of Customer Personal Data from the EEA to a country outside of the EEA and/or Switzerland, where such transfer is not governed by an adequacy decision made by the European Commission or the Swiss Federal Data Protection and Information Commission, as applicable, that does not ensure an adequate level of protection under the applicable European Data Protection Law, GC AI agrees to abide by the SCCs, which are hereby incorporated into this DPA by reference as follows:
1.1 Module 2 (Controller to Processor Transfers) shall apply where Customer is the Controller of Customer Personal Data and Module 3 (Processor to Processor Transfers) shall apply where Customer is the Processor of Customer Personal Data;
1.2 For Clause 7, the optional docking clause shall not apply;
1.3 For Clause 9(a), Option 2 shall apply and the time period for prior notice of Sub-processor changes shall be as set out in Section 4.2 of this DPA;
1.4 For Clause 9(c), where confidentiality restrictions prohibit GC AI from providing a copy of a Sub-processor agreement to Customer, GC AI shall (on a confidential basis) provide all information that it reasonably can in connection with such Sub-processor agreement to Customer;
1.5 For Clause 11(a), the optional language shall not apply;
1.6 For Clause 13 and Annex I.C of the SCCs, Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority, which shall be made available to GC AI upon request;
1.7 For Clause 17, Option 1 shall apply, and the SCCs shall be governed by the law of Ireland;
1.8 For Clause 18(b), disputes shall be resolved before the courts of Ireland;
1.9 For Annex I.A., the “data importer” shall be GC AI and the “data exporter” shall be Customer;
1.10 For Annex I.B., the description of the transfer is as described in Schedule 1 of this DPA;
1.11 For Annex II, the technical and organizational measures are those measures described in Schedule 3 of this DPA;
1.12 For Annex III, the Sub-processors shall be as described in Section 4.1 of this DPA.
2. UK GDPR. In connection with any transfer of Customer Personal Data from the UK to a country outside of the UK, where such transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, GC AI agrees to abide by the SCCs in accordance with Section 1 of this Schedule 2 above, but as modified and interpreted by the Part 2: Mandatory Clauses of the UK Addendum, which are hereby incorporated into and form an integral part of this DPA but only for purposes of applicable UK transfers. Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Schedule 1 of this DPA, and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party.”
3. Standard Contractual Clauses Precedence. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the SCCs. Accordingly, if any express term of this DPA conflicts with the SCCs, then the SCCs, if applicable, shall control as to that term, but only to the extent of an express ambiguity.
4. Alternative Transfer Mechanism. If GC AI adopts an alternative transfer mechanism for any transfer described in Sections 1 and 2 of this Schedule 2 (including any newer version of the SCCs) pursuant to applicable European Data Protection Law, such alternative transfer mechanism shall automatically apply in lieu of the SCCs to the extent that such alternative transfer mechanism complies with the applicable European Data Protection Law and the territories into which Customer Personal Data is transferred.
5. US Privacy Laws. Compliance. To the extent Customer Personal Data includes personal information protected under US Privacy Laws, GC AI will not: (i) retain, use, disclose or otherwise Process such Customer Personal Data for a commercial purpose other than for the limited and specified purpose to provide the Services and to meet GC AI’s obligations identified in this DPA and the Agreement; (ii) "sell" or “share” Customer Personal Data within the meaning of the US Privacy Laws; and (iii) retain, use, disclose or otherwise Process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with Personal Data that it receives from other sources, except as permitted under US Privacy Laws. GC AI must inform Customer if it determines that it can no longer meet its obligations under US Privacy Laws, in which case Customer may take reasonable and appropriate steps to prevent, stop, or remediate any unauthorized Processing of Customer Personal Data.
Schedule 3 – Technical and Organizational Security Measures Implemented by GC AI
GC AI shall maintain administrative, physical and technical safeguards for the protection of security, confidentiality and integrity of Customer Personal Data in connection with the Services, including the following:
1. Data Security Measures
Implement encryption for data at rest and in transit using industry-standard cryptographic algorithms to protect sensitive legal information.
Enable security monitoring on all production systems, including activity and file integrity monitoring, vulnerability scanning, and malware detection.
Use secure cloud platforms with data replication across multiple regions for redundancy and disaster recovery.
Protect and ensure no unauthorized data access.
2. Access Control Measures
Limit system access to authorized users based on their role.
Implement multi-factor authentication for accessing sensitive systems and customer data.
No less than annually review access permissions and update to reflect changes in roles or employment status.
Use logging and monitoring to detect unauthorized access attempts and respond promptly.
Ensure all access control measures comply with Applicable Data Protection Law.
3. Data Deletion Measures
Allow customers to request data deletion prior to account closure.
Ensure secure deletion methods are used to prevent data recovery.
4. Employee Training and Awareness
Conduct regular security awareness training for all employees.
Provide ongoing updates on security policies and procedures.
Ensure new hires complete security training as part of their onboarding process.
Encourage a culture of security awareness and compliance within the organization.
5. Incident Response and Management
Maintain an incident response plan to quickly identify, contain, and resolve security incidents.
Require all users to report any perceived or actual security vulnerabilities or incidents immediately.
Establish clear communication channels for reporting and managing incidents.
Review the incident response plan no less than annually and update to incorporate lessons learned from past incidents, if any.

California Bar
AI Guidance Compliant

SOC 2
Type II certified

GDPR
Compliant
Resources
© 2025 General Counsel AI
All rights reserved