GC AI Data Processing Addendum

Version 1.0 (Current)

Apr 22, 2024

This Data Processing Addendum (“DPA”) forms a part of the GC AI Service Agreement/Terms (Terms) and any Order Form entered into between you (as defined in the Terms) and General Counsel AI, Inc. (GC AI). Capitalized terms shall have the meaning provided in the Terms, except as set forth in Section 11 (Definitions) of this DPA. 

1. Roles of the Parties & Term 

(a) Your Personal Data. GC AI will Process your Personal Data as a Processor in accordance with your instructions as outlined in Section 2(a) (Your Instructions). 

(b) GC AI Account Data. GC AI will Process GC AI Account Data as a Controller for the following purposes: (i) to provide and improve the Services; (ii) to manage its relationship with you (communicating with you, responding to your inquiries and providing technical support, etc.), (iii) to facilitate security, fraud prevention, performance monitoring, business continuity and disaster recovery; and (iv) to carry out core business functions such as accounting, billing, and filing taxes. 

(c) GC AI Usage Data. GC AI will Process GC AI Usage Data as a Controller for the following purposes: (i) to provide, optimize, secure, and maintain GC AI’s Products; (ii) to optimize user experience; and (iii) to inform GC AI’s business strategy. 

(d) Description of the Processing. Details regarding the Processing of Personal Data by GC AI are stated in Schedule 1 (Description of Processing). 

(e) Term of the DPA. The term of this DPA coincides with the term of the Terms and terminates upon expiration or earlier termination of the Terms and any Order Form (or, if later, the date on which GC AI ceases all Processing of Your Personal Data). 

(f) Your Responsibilities. You agree that except as provided in this DPA, you are responsible for securing use of the Services, including securing its account authentication credentials, using the Services strictly as permitted under the Terms, and using features and functionalities made available by GC AI to maintain appropriate security in light of the nature of the data processed. 

(g) Order of Precedence. If there is any conflict or inconsistency among the following documents, the order of precedence is: (1) the applicable terms stated in Schedule 2 (Region-Specific Terms including any transfer provisions); (2) the main body of this DPA; and (3) the Terms (including GC AI’s Privacy Policy). 

2. Processing of Personal Data 

(a) Your Instructions. GC AI must Process Your Personal Data in accordance with the documented lawful instructions from you as stated in the Terms (including this DPA) and respective Order Forms, as necessary to (i) provide the Services or (ii) comply with its legal obligations. GC AI will notify you if it becomes aware, or reasonably believes, that your instructions violate Applicable Data Protection Law. 

(b) Confidentiality. GC AI must ensure personnel authorized to Process Personal Data are bound by written or statutory obligations of confidentiality. 

3. Security 

(a) Security Measures. GC AI has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of User Data and protect against Security Incidents. GC AI’s current technical and organizational measures are described here. You acknowledge that the Security Measures are subject to technical progress and development and that GC AI may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security originally provided. 

(b) Security Incidents. GC AI must notify you promptly after becoming aware of a Security Incident. It is your responsibility to ensure you provide GC AI accurate contact information under the Terms at all times. GC AI must make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within GC AI’s reasonable control. Upon your request and taking into account the nature of the Processing and the information available to GC AI, GC AI must assist you by providing information reasonably necessary for you to meet its Security Incident notification obligations under Applicable Data Protection Law. GC AI’s notification of a Security Incident is not an acknowledgment by GC AI of its fault or liability. 

4. Sub-processing 

(a) General Authorization. By entering into this DPA, you provide general authorization for GC AI to engage Sub-processors to Process Your Personal Data. GC AI must: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Your Personal Data to the standard required by Applicable Data Protection Law and to the same standard provided by this DPA; and (ii) remain liable to you if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant Processing activities under the Terms. 

(b) Notice of New Sub-processors. GC AI maintains an up-to-date list of its Sub-processors here. GC AI will provide notice, to those who request it, before allowing any new Sub-processor to Process Your Personal Data (the “Sub-processor Notice Period”). If you object to any Sub-processor you shall provide GC AI notice within thirty (30) days stating the reasons for the objection. 

5. Data Subject Requests 

(a) Data Subject Rights. Taking into account the nature of the Processing, GC AI must provide reasonable and timely assistance to you to enable you to respond to requests for exercising a data subject’s rights (including rights of access, rectification, erasure, restriction, objection, and data portability) in respect to Your Personal Data. 

(b) Cooperation Obligations. Upon your reasonable request, and taking into account the nature of the applicable Processing, GC AI will provide reasonable assistance to you in fulfilling your obligations under Applicable Data Protection Law (including data protection impact assessments and consultations with regulatory authorities), provided that you cannot reasonably fulfill such obligations independently with help of available information only GC AI possesses.

(c) Third Party Requests. Unless prohibited by law, GC AI will promptly notify you of any valid, enforceable subpoena, warrant, or court order from law enforcement or public authorities compelling GC AI to disclose Your Personal Data. GC AI will follow its Terms in responding to such requests. In the event that GC AI receives an inquiry or a request for information from any other third party (such as a regulator or data subject) concerning the Processing of Your Personal Data, GC AI will redirect such inquiries to you, and will not provide any information unless required to do so under applicable law. 

6. Deletion and Return of Your Personal Data 

(a) During the Term. While the Terms are in effect, you may access, retrieve or delete Your Personal Data. 

(b) Post Termination. Following expiration or termination of the Terms, GC AI must, in accordance with its then in-effect policies, delete all Your Personal Data. Notwithstanding the foregoing, GC AI may retain Your Personal Data (i) as required by Applicable Data Protection Law or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, GC AI will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to retained Your Personal Data and not further Process it except as required by Applicable Data Protection Law. 

7. Audit 

(a) Audit Reports. Starting in July 2024, GC AI will be regularly audited by independent third-party auditors and/or internal auditors. Upon request, and on the condition that you have entered into an applicable non-disclosure agreement with GC AI, GC AI will supply a summary copy of relevant audit report(s) (“Report”) to you, so you can verify GC AI’s compliance with the audit standards against which it has been assessed, and this DPA. If you cannot reasonably verify GC AI’s compliance with the terms of this DPA, GC AI will provide written responses (on a confidential basis) to all reasonable requests for information made by you related to its Processing of Your Personal Data, provided that such right may only be exercised no more than once every twelve (12) months. 

(b) On-site Audits. Only to the extent you cannot reasonably satisfy GC AI’s compliance with this DPA through the exercise of its rights under Section 7(a) above, or where required by Applicable Data Protection Law or a regulatory authority, you, or your authorized representatives, may, at your expense, conduct audits (including inspections) during the term of the Terms to assess GC AI’s compliance with the terms of this DPA. To the extent authorized by law, you shall reimburse GC AI for its reasonable out of pocket expenses in conducting any such audit. Any audit must (i) be conducted during GC AI’s regular business hours, with reasonable advance written notice of at least sixty (60) calendar days (unless Applicable Data Protection Law or a regulatory authority requires a shorter notice period); (ii) be subject to reasonable confidentiality controls obligating You (and its authorized representatives) to keep confidential any information disclosed that, by its nature, should be confidential; (iii) occur no more than once every twelve (12) months; and (iv) restrict its findings to only information relevant to you. 

8. Regional Specific Provisions 

To the extent GC AI Processes Personal Data protected by Applicable Data Protection Laws in one of the regions listed in Schedule 2 (Region-Specific Terms), the terms specified for the applicable regions will also apply.

9. Limitation of Liability 

(a) Liability Caps and Damages Waiver. To the maximum extent permitted under Applicable Data Protection Laws, each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Terms. 

(b) Related-Party Claims. Any claims made against GC AI arising out of or related to this DPA may only be brought by the entity that is a party to the Terms pursuant to an Order Form.

(c) Exceptions. This DPA does not limit any liability to an individual about the individual’s data protection rights under Applicable Data Protection Laws. 

10. Modification 

GC AI may update this DPA pursuant to Section 16(b) of the Terms. 

11. Definitions 

(d) “Applicable Data Protection Law” means all laws, regulations, orders, and otherwise applicable to the Processing of Personal Data under the Terms and this DPA. It includes US State Privacy Laws, as defined in Schedule 2, as well as the Canadian Personal Information Protection and Electronic Documents Act. 

(e) “GC AI Account Data” means Personal Data relating to your relationship with GC AI, which may include: (i) Users’ account information (e.g. name, email address, or UserID); (ii) billing and contact information of individual(s) associated with your GC AI account (e.g. billing address, email address, or name); and (iii) Users’ device and connection information (e.g. IP address). 

(f) “GC AI Usage Data” means Personal Data relating to or obtained in connection with the use, performance, operation, support or use of the Products. GC AI Usage Data may include event name (i.e. what action Users performed), event timestamps, browser information, and diagnostic data. For clarity, GC AI Usage Data does not include Your Personal Data. 

(g) “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. 

(h) “Your Personal Data” means Personal Data contained in User Data and/or other materials that GC AI Processes under the Terms solely on behalf of you. For clarity, Your Personal Data includes any Personal Data included in the attachments provided by you or your Users in any technical support requests. 

(i) “Personal Data” means information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Applicable Data Protection Law. 

(j) “Processing” (and “Process”) means any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. 

(k) “Processor” means the entity which Processes Personal Data on behalf of the Controller.

(l) “Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to User Data Processed by GC AI and/or its Sub-processors. This does not include unsuccessful attempts at unauthorized access where there is no unauthorized access to User Data or to any of GC AI’s equipment or facilities storing User Data and could include, without limitation, pings and other broadcast attacks on firewalls, port scans, unsuccessful log-in attempts or invalid URLs, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents. 

(m) “Sub-processor” means any third party engaged by GC AI to Process Your Personal Data.

12. Schedule 1 – Description of Processing 

(a) Categories of data subjects whose Personal Data is Processed: You and Users. 

(b) Categories of Personal Data Processed: GC AI Account Data, GC AI Usage Data, and Your Personal Data. 

(c) Sensitive data transferred: GC AI Account Data and GC AI Usage Data do not contain data (i) revealing confidential or privileged information about you (altogether “Sensitive Data”). 

(d) The frequency of the transfer: Continuous. 

(e) Nature of the Processing: GC AI will Process Personal Data in order to provide the Services in accordance with the Terms, including this DPA. Additional information regarding the nature of the Processing (including transfer) is described in respective Order Forms. 

(f) Purposes of the Processing of Your Personal Data: GC AI will Process Your Personal Data as Processor in accordance with Your instructions as set out in Section 2(a) (Your Instructions). 

(g) Purposes of the Processing of GC AI Account Data and GC AI Usage Data: GC AI will Process GC AI Account Data and GC AI Usage Data for the limited and specified purposes outlined in Section 1(a) (Roles of the Parties & Term). 

(h) Duration of Processing Your Personal Data: GC AI will Process Your Personal Data for the term of the Terms as outlined in Section 6 (Deletion and Return of Your Personal Data). 

(i) Duration of Processing GC AI Account Data and GC AI Usage Data: GC AI will Process GC AI Account Data and GC AI Usage Data only as long as required (a) to provide the Services; (b) for GC AI’s legitimate business purposes outlined in Section 1 (Roles of the Parties & Term); or (c) by applicable law(s). 

(j) Transfers to (Sub-)processors: GC AI will transfer Your Personal Data to Sub-processors as permitted in Section 4 (Sub-processing). 

13. Schedule 2 – Regional Specific Terms (individual states in the United States) 

(a) To the extent Your Personal Data includes personal information protected under all state laws existing now or in the future relating to the protection and Processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Texas Data Privacy and Security Act, and the Utah Consumer Privacy Act (“US State Privacy Laws”) that GC AI Processes as a Service Provider (as such term is defined in the CCPA) or Processor, on behalf of you, GC AI will Process such Personal Data in accordance with the US State Privacy Laws, including by complying with applicable sections of the US State Privacy Laws and providing the same level of privacy protection as required by US State Privacy Laws, and in accordance with your written instructions, as necessary for the limited and specified purposes identified in Section 1.1(a) (Your Personal Data) and Schedule 1 (Description of Processing) of this DPA. GC AI will not: 

(i) retain, use, disclose or otherwise Process such Your Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Terms, and/or any related Order, or as otherwise permitted under US State Privacy Laws; 

(ii) “sell” or “share” your Personal Data within the meaning of the US State Privacy Laws; and 

(iii) retain, use, disclose or otherwise Process such Your Personal Data outside the direct business relationship with you and not combine such Your Personal Data with personal information that it receives from other sources, except as permitted under US State Privacy Laws. 

(b) GC AI must inform you if it determines that it can no longer meet its obligations under US State Privacy Laws within the timeframe specified by such laws, in which case you may take reasonable and appropriate steps to prevent, stop, or remediate any unauthorized Processing of Your Personal Data. 

(c) To the extent you disclose or otherwise make available Deidentified Data to GC AI or to the extent GC AI creates Deidentified Data from Your Personal Data, in each case in its capacity as a Service Provider, GC AI will: 

(i) adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household; 

(ii) publicly commit to maintain and use such Deidentified Data in a de-identified form and to not attempt to re-identify the Deidentified Data, except that GC AI may attempt to re-identify such data solely for the purpose of determining whether its de-identification processes are compliant with the US State Privacy Laws; and 

(iii) before sharing Deidentified Data with any other party, including Sub-processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this DPA. 

© 2024 General Counsel AI. All rights reserved.
