GC AI Data Processing Agreement

2.0 (Current)

Feb 24, 2025

This Data Processing Addendum (“DPA”) forms a part of the GC AI Services Agreement and any Order Form (if applicable) (collectively, the “Agreement”) between you and General Counsel AI, Inc. (“GC AI”). This DPA describes the commitments of GC AI and you concerning the Processing of Your Personal Data in connection with the Service and any Additional Services (individually and collectively, the “Services”) purchased by you. Capitalized terms shall have the meaning provided in the Agreement, except as otherwise set forth in Section 10 of this DPA.

1. Roles of the Parties

1.1 Your Personal Data. GC AI will Process your Personal Data as a Processor in connection with the Services and in accordance with Applicable Data Protection Laws.

1.2 GC AI Account Data. GC AI will Process GC AI Account Data as a Controller for the following purposes: (i) to provide and improve the Services; (ii) to manage its relationship with you (communicating with you, responding to your inquiries and providing technical support, etc.), (iii) to facilitate security, fraud prevention, performance monitoring, business continuity and disaster recovery; and (iv) to carry out core business functions such as accounting, billing, and filing taxes.

1.3 GC AI Usage Data. GC AI will Process any Personal Data that is part of Usage Data as a Controller as described in the Agreement.

1.4 Description of the Processing. Details of the Processing of Your Personal Data by GC AI are stated in Schedule 1.

1.5 GC AI Processing of Your Personal Data. GC AI agrees to Process Your Personal Data only for the purposes described in the Agreement and in accordance with any documented lawful instructions from you stated in the Agreement (including this DPA). GC AI will notify you if it becomes aware, or reasonably believes, that your instructions violate Applicable Data Protection Law, in which case GC AI may suspend the instruction until you modify it, confirm its legality or withdraw it.

1.6 Your Responsibilities. Between the parties, you are solely responsible for the accuracy, content, legality and quality of Your Personal Data Processed under or in connection with the Services. You must (i) provide all necessary notices and obtain all consents, permissions, and rights required by Applicable Data Protection Laws for GC AI to lawfully process Your Personal Data as outlined in the Agreement and this DPA; (ii) comply with all Applicable Data Protection Laws related to the collection, provision, and processing of Your Personal Data in connection with the Agreement and this DPA; and (iii) provide GC AI Your Personal Data only to the extent absolutely necessary to perform the Services.

2. Security

2.1 Security Measures. GC AI has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of User Data and protect against Security Incidents. GC AI’s current technical and organizational measures shall include, at a minimum, those described in Schedule 3 of this DPA. You acknowledge that the Security Measures are subject to technical progress and development and that GC AI may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security originally provided. GC AI shall ensure that any person who is authorized by GC AI to process User Data shall be under an appropriate level of confidentiality.

2.2 Your Security Responsibilities. You shall implement and maintain reasonable and appropriate technical and organizational security measures designed to protect User Data and your Accounts from Security Incidents. This includes measures that can be selected or configured by you in the Services. GC AI is not responsible for assessing the content or accuracy of Your Personal Data.

2.3 Security Incidents. GC AI must notify you without undue delay after becoming aware of a Security Incident. GC AI must make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within GC AI’s reasonable control. GC AI will provide timely information relating to the Security Incident as it becomes available or upon your reasonable request. GC AI’s notification of a Security Incident is not an acknowledgment by GC AI of fault or liability.

3. Sub-processing

3.1 General Authorization. You provide general authorization for GC AI to engage Sub-processors to Process Your Personal Data on GC AI’s behalf. The list of such Sub-processors is set forth at https://www.getgc.ai/subprocessors. GC AI shall: (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set forth in this DPA; and (ii) remain responsible for GC AI’s compliance with the obligations under this DPA and for any acts and omissions of any Sub-processor to the extent an act or omission causes a breach of GC AI’s data protection obligations under this DPA.

3.2 Changes to Sub-processors. GC AI will notify you via email before adding or replacing any Sub-processor. You may object to the appointment of a new Sub-processor by notifying GC AI in writing within thirty (30) days of receiving such notice, stating the reasons for the objection. If the parties cannot agree on a solution within ninety (90) days of GC AI receiving your objection, you may terminate the affected Services (without liability to either party and without prejudice to any fees incurred by you).

4. Requests

4.1 Data Subject Rights. To the extent that you are unable to independently access Your Personal Data and to the extent such information is known to GC AI, GC AI shall, taking into account the nature of the applicable Processing, provide reasonable assistance to you in responding to requests from data subjects and applicable supervisory authorities relating to the processing of Your Personal Data. If GC AI receives a request directly, GC AI shall not respond to such communication without your prior authorization, except to acknowledge receipt of the request and to attempt to redirect the requester to contact you directly. If GC AI is otherwise required to respond or GC AI does not receive a response from you within the legally required timeframe, GC AI shall respond to the request with the information known to GC AI.

4.2 Third Party Requests. Unless prohibited by law, GC AI will promptly notify you of any valid, enforceable subpoena, warrant, or court order from law enforcement or public authorities compelling GC AI to disclose Your Personal Data to allow you to seek a protective order or other appropriate remedy. In the event that GC AI receives an inquiry or a request for information from any other third party (such as a supervisory authority or data subject) concerning the Processing of Your Personal Data, GC AI shall attempt to redirect such inquiries to you. If GC AI is legally prohibited from providing you with such notice, then, if, after careful assessment, GC AI concludes that there are reasonable grounds to consider the demand or prohibition to be unlawful, GC AI shall take commercially reasonable steps to challenge such demand or prohibition. For the avoidance of doubt, nothing in this DPA shall be interpreted to require GC AI to pursue action or inaction that could result in a civil or criminal penalty for GC AI, including without limitation a contempt of court.

5. Deletion and Return of Your Personal Data.

You may access, retrieve or delete User Data, Inputs and Outputs at any time during the Subscription Term. Following expiration or termination of the Subscription Term, GC AI will, in accordance with its then in-effect policies, delete all User Data (including Your Personal Data). Notwithstanding the foregoing, GC AI may retain User Data (i) as required by Applicable Data Protection Law or (ii) to the extent such copies are electronically stored in accordance with its standard backup or record retention policies, provided that, in either case, GC AI will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to retained Your Personal Data and not further Process it except as required by Applicable Data Protection Law.

6. Audit

6.1 Audit Reports. The GC AI Service will be regularly audited by independent third-party auditors and/or internal auditors. Upon request, and on the condition that you have entered into an applicable non-disclosure agreement with GC AI, GC AI will supply a summary copy of relevant audit report(s) (“Report”) to you, so you can verify GC AI’s compliance with the audit standards against which it has been assessed, and this DPA. Such Reports are GC AI’s Confidential Information. If you cannot reasonably verify GC AI’s compliance with the terms of this DPA, GC AI will no more than once every twelve (12) months provide written responses (on a confidential basis) to all reasonable requests for information made by you related to GC AI’s Processing of Your Personal Data.

6.2 On-site Audits. Only to the extent you cannot reasonably satisfy GC AI’s compliance with this DPA through the exercise of your rights under Section 7.1 above, or where required by Applicable Data Protection Law, you may request to conduct an audit of GC AI’s applicable controls related to the Processing of Your Personal Data under this DPA. To the extent authorized by law, such audit must (i) be conducted during GC AI’s regular business hours, (ii) with advance written notice of at least sixty (60) calendar days (unless Applicable Data Protection Law or a supervisory authority requires otherwise); (iii) be conducted in a manner to minimize any impact to GC AI’s business, employees or other customers; (iv) be conducted on a confidential basis; (v) occur no more than once every twelve (12) months; and (vi) restrict its findings to only information relevant to the Processing of Your Personal Data. Except where GC AI is found to be in violation of this DPA or Applicable Data Protection Law, you shall reimburse GC AI for all reasonable out of pocket expenses in conducting any such audit.

6.3 Data Protection Impact Assessments. Upon your written request, GC AI shall provide you with reasonable cooperation and assistance needed to fulfill your obligations under Applicable Data Protection Laws to carry out data protection impact assessments related to your use of the Services, to the extent you do not otherwise have access to the relevant information, and to the extent such information is available.

7. Regional Specific Provisions

You acknowledge and agree that GC AI may transfer and Process Your Personal Data to and in the United States and Canada. GC AI may also Process Your Personal Data anywhere else in the world where GC AI or its Sub-processors maintain data Processing operations to the extent reasonably necessary to provide the Services. To the extent GC AI Processes Personal Data protected by Applicable Data Protection Laws in one of the regions listed in Schedule 2 (Region-Specific Terms), the terms specified for the applicable regions will also apply.

8. General

8.1 Applicability of the Agreement. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by the relevant Applicable Data Protection Law, and in such event, then only for purposes of this DPA and only for purposes of that specific jurisdiction. Any ambiguity in this DPA shall be resolved to permit the parties to comply with the Applicable Data Protection Laws. If any express term of this DPA conflicts with the Agreement, then this DPA, if applicable, shall control as to that term. The Agreement shall control in all other instances, including, without limitation, notice, assignment, severability, and relationship of the parties.

8.2 Liability Caps and Damages Waiver. To the maximum extent permitted under Applicable Data Protection Laws, each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.

8.3 Related-Party Claims. Any claims made against GC AI arising out of or related to this DPA may only be brought by the entity that is a party to the Terms pursuant to an Order Form.

9. Definitions

9.1 “Applicable Data Protection Law” means to the extent applicable to a party’s Processing of Customer Personal Data under the Agreement, (i) European Data Protection Laws; (ii) Canadian Privacy Laws; and (iii) US Privacy Laws; in each case as may be amended, superseded, or replaced.

9.2 “Canadian Privacy Laws” means, as applicable, (i) the federal Personal Information Protection and Electronic Documents Act (PIPEDA), the provincial Personal Information Protection Act in place in each of Alberta and British Columbia, and an Act Respecting The Protection of Personal Information In The Private Sector (Québec) as amended by An Act to modernize legislative provisions as regards the protection of personal information (Law 25), and each of their implementing regulations; and (ii) the Canada Anti-Spam Act Legislation (CASL) and its implementing regulations.

9.3 “European Data Protection Laws” means, as applicable, (i) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC (e-Privacy Directive); (iii) any applicable national implementations of (i) and (ii); (iv) the Switzerland Federal Act on Data Protection, as amended by the Federal Act of 25 September 2020 on Data Protection (nFADP), and its ordinances (“Swiss DPA”); and (v) the United Kingdom (“UK”) Data Protection Act 2018 and the GDPR as saved into UK law by virtue of Section 3 of the UK’s European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect by virtue of Section 2 of the UK’s European Union (Withdrawal) Act 2018; in each case as may be amended, superseded, or replaced.

9.4 “GC AI Account Data” means Personal Data relating to your relationship with GC AI, which may include: (i) Users’ account information (e.g. name, email address, or UserID); (ii) billing and contact information of individual(s) associated with your GC AI account (e.g. billing address, email address, or name); and (iii) Users’ device and connection information (e.g. IP address).

9.5 “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

9.6 “Personal Data” means any information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Applicable Data Protection Law.

9.7 “Process,” “Processes,” “Processed,” and “Processing” has the meaning attributed to the term in the relevant Applicable Data Protection Law or, if not defined, then means any operation or set of operations performed on Personal Data, including access, storage, and use.

9.8 “Processor” means the entity which Processes Personal Data on behalf of the Controller. When used in the context of CCPA, a reference to Processor to refer to GC AI means “service provider,” as such term is defined in the CCPA.

9.9 “Security Incident” means any successful breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to User Data Processed by GC AI and/or its Sub-processors.

9.10 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses as adopted by the European Union Commission by means of the Implementing Decision EU 2021/914 of June 4, 2021 found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.

9.11 “Sub-processor” means any Processor engaged by GC AI to fulfill GC AI’s obligations under the Agreement with respect to providing the Services.

9.12 “UK Addendum” means that certain international data transfer addendum to the SCCs issued by the UK Information Commissioner for Parties making transfers of Personal Data from the UK to any other country which is not deemed adequate under Article 46 of the UK GDPR.

9.13 “US Privacy Laws” means all United States state data privacy, information security, and data breach notification laws and implementing regulations to the extent applicable to the Processing of Your Personal Data by GC AI in GC AI’s performance of the Services, excluding the Health Insurance Portability and Accountability Act of 1996.

9.14 “Your Personal Data” means Personal Data contained in User Data that GC AI Processes under the Agreement solely on behalf of you. For clarity, Your Personal Data includes any Personal Data included in the attachments provided by you, including any information contained in any technical support requests.

9.15 The terms “data subject” and “supervisory authority” shall have the meanings given to them in the applicable European Data Protection Laws.

Schedule 1 – Description of Processing

(a) Categories of data subjects whose Personal Data is Processed: You and Users as it relates to GC AI Account Data. As between the parties, you have the sole discretion to determine and control the categories of data subjects transmitted in connection with the Services and, accordingly, you shall not transmit or otherwise make available to GC AI any categories of data subjects to the extent you do not have the consent to make available to GC AI, unless such information is anonymized in accordance with the requirements of the relevant Applicable Data Protection Laws.

(b) Subject matter of the Processing: Your Personal Data that you elect to transfer to GC AI in connection with performance of the Services as set forth in the Agreement.

(c) Types of Personal Data: Limited to only those types of Personal Data necessary, but may include names, addresses, emails, phone numbers and other identifiable information. You have the sole discretion to determine and control the types of Personal Data transmitted to GC AI.

(d) Duration and frequency of the transfer: Continuous during the performance of the Services.

(e) Nature of the Processing: GC AI will Process Your Personal Data in order to provide the Services.

(f) Purposes of the Processing of Your Personal Data: GC AI will Process Your Personal Data as necessary to provide the Services.

(g) Purposes of the Processing of GC AI Account Data and GC AI Usage Data: GC AI will Process GC AI Account Data and GC AI Usage Data for the limited and specified purposes outlined in Section 1.

Schedule 2 – Regional Specific Terms

1. Personal Data Transfers outside the European Economic Area (EEA). In connection with any transfer of Your Personal Data from the EEA to a country outside of the EEA and/or Switzerland, where such transfer is not governed by an adequacy decision made by the European Commission or the Swiss Federal Data Protection and Information Commission, as applicable, that does not ensure an adequate level of protection under the applicable European Data Protection Law, GC AI agrees to abide by the SCCs, which are hereby incorporated into this DPA by reference as follows:

1.1 Module 2 (Controller to Processor Transfers) shall apply where you are the Controller of Your Personal Data and Module 3 (Processor to Processor Transfers) shall apply where you are the Processor of Your Personal Data;

1.2 For Clause 7, the optional docking clause shall not apply;

1.3 For Clause 9(a), Option 2 shall apply and the time period for prior notice of Sub-processor changes shall be as set out in Section 3.2 of this DPA;

1.4 For Clause 9(c), where confidentiality restrictions prohibit GC AI from providing a copy of a Sub-processor agreement to you, GC AI shall (on a confidential basis) provide all information that it reasonably can in connection with such Sub-processor agreement to you;

1.5 For Clause 11(a), the optional language shall not apply;

1.6 For Clause 13 and Annex I.C of the SCCs, you shall maintain accurate records of the applicable Member State(s) and competent supervisory authority, which shall be made available to GC AI upon request;

1.7 For Clause 17, Option 1 shall apply, and the SCCs shall be governed by the law of Ireland;

1.8 For Clause 18(b), disputes shall be resolved before the courts of Ireland;

1.9 For Annex I.A., the “data importer” shall be GC AI and the “data exporter” shall be you;

1.10 For Annex I.B., the description of the transfer is as described in Schedule 1 of this DPA;

1.11 For Annex II, the technical and organizational measures are those measures described in Schedule 3 of this DPA;

1.12 For Annex III, the Sub-processors shall be as described in Section 3.1 of this DPA.

2. UK GDPR. In connection with any transfer of Your Personal Data from the UK to a country outside of the UK, where such transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, GC AI agrees to abide by the SCCs in accordance with Section 1 of this Schedule 1 above, but as modified and interpreted by the Part 2: Mandatory Clauses of the UK Addendum, which are hereby incorporated into and form an integral part of this DPA but only for purposes of applicable UK transfers. Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Schedule 1 of this DPA, and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party.”

3. Standard Contractual Clauses Precedence. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the SCCs. Accordingly, if any express term of this DPA conflicts with the SCCs, then the SCCs, if applicable, shall control as to that term, but only to the extent of an express ambiguity.

4. Alternative Transfer Mechanism. If GC AI adopts an alternative transfer mechanism for any transfer described in Sections 1 and 2 of this Schedule 2 (including any newer version of the SCCs) pursuant to applicable European Data Protection Law, such alternative transfer mechanism shall automatically apply in lieu of the SCCs to the extent that such alternative transfer mechanism complies with the applicable European Data Protection Law and the territories into which Your Personal Data is transferred.

5. US Privacy Laws. Compliance. To the extent Your Personal Data includes personal information protected under US Privacy Laws, GC AI will not: (i) retain, use, disclose or otherwise Process such Your Personal Data for a commercial purpose other than for the limited and specified purpose to provide the Services and to meet GC AI’s obligations identified in this DPA and the Agreement; (ii) “sell” or “share” Your Personal Data within the meaning of the US Privacy Laws; and (iii) retain, use, disclose or otherwise Process such Your Personal Data outside the direct business relationship with you and not combine such Your Personal Data with Personal Data that it receives from other sources, except as permitted under US Privacy Laws. GC AI must inform you if it determines that it can no longer meet its obligations under US State Laws, in which case you may take reasonable and appropriate steps to prevent, stop, or remediate any unauthorized Processing of Your Personal Data.

Schedule 3 – Technical and Organization Security Measures Implemented by GC AI

GC AI shall maintain administrative, physical and technical safeguards for the protection of security, confidentiality and integrity of Your Personal Data in connection with the Services, including the following:

1. Data Security Measures

● Implement encryption for data at rest and in transit using industry-standard cryptographic algorithms to protect sensitive legal information.

● Enable security monitoring on all production systems, including activity and file integrity monitoring, vulnerability scanning, and malware detection.

● Use secure cloud platforms with data replication across multiple regions for redundancy and disaster recovery.

● Protect and ensure no unauthorized data access.

2. Access Control Measures

● Limit system access to authorized users based on their role.

● Implement multi-factor authentication for accessing sensitive systems and customer data.

● No less than annually review access permissions and update to reflect changes in roles or employment status.

● Use logging and monitoring to detect unauthorized access attempts and respond promptly.

● Ensure all access control measures comply with Applicable Data Protection Law.

3. Data Deletion Measures

● Allow customers to request data deletion prior to account closure.

● Ensure secure deletion methods are used to prevent data recovery.

4. Employee Training and Awareness

● Conduct regular security awareness training for all employees.

● Provide ongoing updates on security policies and procedures.

● Ensure new hires complete security training as part of their onboarding process.

● Encourage a culture of security awareness and compliance within the organization.

5. Incident Response and Management

● Maintain an incident response plan to quickly identify, contain, and resolve security incidents.

● Require all users to report any perceived or actual security vulnerabilities or incidents immediately.

● Establish clear communication channels for reporting and managing incidents.

● Review the incident response plan no less than annually and update to incorporate lessons learned from past incidents, if any.


© 2025 General Counsel AI

All rights reserved