Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the subscriber (the law firm or individual lawyer holding the account, the "Controller") and the operator of Rescriptum (the "Processor"). It governs the Processor's processing of personal data on the Controller's behalf under Article 28 of the General Data Protection Regulation (Regulation EU 2016/679, "GDPR"). Where it conflicts with the Terms of Service on data protection, this DPA prevails.
1. Roles of the parties
In respect of the documents and client data the Controller uploads to or creates in Rescriptum, the subscriber is the data controller and Rescriptum is the data processor. In respect of the Controller's own account and billing data, Rescriptum acts as a controller — that processing is described in the Privacy Policy, not this DPA. Where the Controller is itself a processor for its own clients, Rescriptum acts as a sub-processor and the same obligations apply.
2. Subject matter, nature and purpose
The Processor processes personal data solely to provide the Rescriptum service: version-controlled storage, amendment tracking, collaboration, template management, and export of legal documents. Processing lasts for the duration of the subscription and the return/deletion period in section 9.
3. Categories of data subjects and personal data
- Data subjects: the Controller's clients, counterparties, and any natural persons named in the documents; the Controller's own staff invited to a workspace.
- Personal data: any personal data the Controller chooses to place in a document — typically names, contact details, and the substance of legal matters. The Controller determines what it uploads and must not include special-category data (Art. 9) unless it has a lawful basis to do so.
4. The Controller's instructions
The Processor processes personal data only on the Controller's documented instructions, which comprise this DPA, the Terms of Service, and the settings the Controller configures in the application (sharing, roles, retention, deletion). The Processor will inform the Controller if, in its opinion, an instruction infringes the GDPR. The Processor will not process the data for its own purposes and will not use any document to train an AI model.
5. Confidentiality
The Processor ensures that persons authorised to process the personal data are bound by confidentiality and are trained on their obligations. Staff will not access document content except on the Controller's explicit request or under a binding legal obligation, in which case the Controller will be notified unless prohibited by law.
6. Security of processing (Art. 32)
The Processor implements appropriate technical and organisational measures, detailed in Annex II, including encryption in transit and at rest, mandatory two-factor authentication, strong password hashing, access controls, and audit logging.
7. Sub-processors (Art. 28(2), (4))
The Controller gives general authorisation for the Processor to engage the sub-processors listed in Annex III. Each is bound by data protection obligations no less protective than this DPA. The Processor will give the Controller at least 30 days' notice of any intended change (by email and in-app), during which the Controller may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Controller may terminate and export its data.
8. Assistance to the Controller
- Data-subject rights (Art. 12–23): the service lets the Controller access, rectify, export, and erase data directly; the Processor provides reasonable additional assistance for requests it cannot fulfil.
- Security, breach, and impact assessments (Art. 32–36): the Processor assists the Controller taking into account the nature of processing and the information available to it.
- Personal data breach (Art. 33): the Processor notifies the Controller without undue delay and in any event within 72 hours of becoming aware, with the information the Controller needs to meet its own notification duties.
9. Return and deletion (Art. 28(3)(g))
On termination the Controller may export all data via Settings → Export. Unless Union or Member State law requires retention, the Processor deletes or returns the personal data within 30 days of termination, including from backups on their normal rotation cycle.
10. Audits (Art. 28(3)(h))
The Processor makes available the information necessary to demonstrate compliance and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates, on reasonable notice, no more than once per year (or after a breach), subject to confidentiality and without compromising other customers' data.
11. International transfers
Personal data is hosted in Switzerland, which benefits from a European Commission adequacy decision. Where any sub-processor would transfer data outside the EEA/adequacy area, the transfer is covered by Standard Contractual Clauses or another Art. 46 safeguard.
12. Liability and governing law
Liability under this DPA is subject to the limitations in the Terms of Service. This DPA is governed by French law, with jurisdiction as set out in the Terms.
Annex I — Details of processing
| Subject matter | Hosted version-controlled drafting and collaboration on legal documents. |
|---|---|
| Duration | The subscription term, plus the deletion period in section 9. |
| Nature and purpose | Storage, patch/amendment tracking, collaboration, templating, export. |
| Types of personal data | Identification and contact data and any personal data contained in the Controller's documents. |
| Data subjects | The Controller's clients, counterparties, persons named in documents, and invited staff. |
Annex II — Technical and organisational measures (Art. 32)
- TLS 1.3 for all data in transit; encrypted storage at rest.
- Mandatory two-factor authentication (TOTP or WebAuthn) on every account.
- Passwords hashed with PBKDF2-SHA256 (≥ 200 000 iterations); TOTP secrets encrypted at rest.
- Role-based access control; documents shared only with explicitly invited members.
- Append-only activity/audit logging of access and accept/reject actions.
- Segregation of customer data; least-privilege administrative access.
- Regular backups; annual security reviews.
Annex III — Authorised sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Infomaniak Network AG | Infrastructure hosting | Switzerland (adequacy decision) |
| Infomaniak Mail | Transactional email | Switzerland (adequacy decision) |
| Stripe Inc. | Payment processing | EU data stored in the EU |
Contact
To execute a countersigned copy of this DPA or exercise any right under it, email privacy@rescriptum.io.