Last updated: April 1, 2025
Data Processing Agreement
LexAI's Data Processing Agreement (DPA) for GDPR, UK GDPR, and enterprise compliance.
Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between LexAI, Inc. ("LexAI") and the Customer ("Controller") for the use of the LexAI platform. This DPA reflects the parties' agreement with respect to the processing of Personal Data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
This DPA is incorporated by reference into LexAI's Terms of Service. Terms not defined herein have the meaning given in the Terms of Service or applicable data protection laws.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, whether automated or not.
"Controller" means the Customer — the entity that determines the purposes and means of processing Personal Data.
"Processor" means LexAI — which processes Personal Data on behalf of the Controller.
"Sub-processor" means any third party engaged by LexAI to process Personal Data.
"Data Subject" means the individual to whom Personal Data relates.
"Applicable Data Protection Law" means GDPR, CCPA, UK GDPR, and any other applicable national or regional data protection legislation.
2. Scope and nature of processing
LexAI processes Personal Data as a Processor on behalf of the Controller solely to provide the Service as described in the Terms of Service.
Categories of Personal Data processed:
Categories of Data Subjects:
Purpose of processing:
Duration: For the duration of the Customer's subscription, and as described in the retention provisions below.
3. Processor obligations
LexAI agrees to:
Process only on documented instructions. LexAI will process Personal Data only in accordance with the Customer's documented instructions, including those set out in this DPA and the Terms of Service.
Ensure confidentiality. All authorized persons processing Personal Data are subject to binding confidentiality obligations.
Implement appropriate security. LexAI implements and maintains appropriate technical and organizational measures to protect Personal Data, as described in Schedule 1.
Assist with Data Subject rights. LexAI will promptly assist the Customer in responding to Data Subject requests to exercise rights under Applicable Data Protection Law.
Notify of breaches. LexAI will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach.
Delete or return data. Upon termination of the agreement, LexAI will delete or return all Personal Data as instructed by the Customer.
Provide audit assistance. LexAI will provide the Customer with all information necessary to demonstrate compliance with this DPA and allow for audits, subject to reasonable notice and confidentiality protections.
4. Sub-processors
The Customer authorizes LexAI to engage the following sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | USA (AWS us-east-1) |
| Groq, Inc. | AI model inference | USA |
| Stripe, Inc. | Payment processing | USA |
| Vercel, Inc. | Hosting and edge network | USA / Global |

LexAI will enter into data processing agreements with each sub-processor that impose data protection obligations no less protective than this DPA.
LexAI will notify the Customer at least 30 days before adding or replacing a sub-processor. The Customer may object to changes within 14 days of notification on reasonable grounds relating to data protection.
5. International data transfers
Where the processing of Personal Data involves a transfer from the European Economic Area (EEA), UK, or Switzerland to a country without an adequacy decision, LexAI will ensure that such transfers are made pursuant to appropriate safeguards, including:
LexAI's sub-processors that are US-based operate under the EU-US Data Privacy Framework where applicable.
6. Security measures
LexAI implements the following technical and organizational security measures:
Encryption. All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256.
Access controls. Access to production systems is restricted to authorized personnel via multi-factor authentication. Access rights are reviewed quarterly.
Network security. Production infrastructure is isolated behind firewalls. Regular vulnerability scanning and penetration testing are conducted.
Incident response. LexAI maintains a documented incident response plan and conducts annual drills.
Data minimization. LexAI collects only the data necessary to provide the Service.
Backups. Automated daily backups with point-in-time recovery. Backups are encrypted and stored in geographically separate regions.
7. Data retention and deletion
Personal Data is retained for the duration of the Customer's subscription. Upon account termination or written request:
The Customer may export their data at any time via the LexAI export feature before account termination.
8. Data Subject rights assistance
LexAI will assist the Customer in fulfilling Data Subject requests for:
Upon receiving a Data Subject request that relates to the Customer's data, LexAI will forward it to the Customer within 5 business days. The Controller remains responsible for responding to Data Subjects.
9. Audits and compliance
LexAI will provide the Customer with information necessary to demonstrate compliance with this DPA, including:
On-site audits may be conducted with at least 60 days written notice, no more than once per year, during business hours, and subject to reasonable confidentiality obligations.
10. Governing law
This DPA is governed by the laws applicable to the agreement between LexAI and the Customer. For EU Customers, GDPR requirements take precedence. For UK Customers, UK GDPR requirements take precedence.
If any provision of this DPA conflicts with Applicable Data Protection Law, the requirements of Applicable Data Protection Law shall prevail.
11. How to sign this DPA
Enterprise customers on the Team plan who require a countersigned DPA for GDPR compliance may contact us at legal@lexai.app to request a fully executed copy.
For customers not requiring a countersigned copy, this DPA forms part of the Terms of Service and is binding upon your use of the Service.