Data Processing Agreement (DPA)
This DPA is an addendum to and forms an integral part of the GlobalLegalCheck Oy Terms and Conditions. By accepting the Terms or using the Service, the User ("Data Controller") and GlobalLegalCheck Oy ("Data Processor") agree to the following terms regarding the processing of Customer Content.
1. SCOPE AND PURPOSE OF PROCESSING
1.1 Role of the Parties: For personal data uploaded or generated within the Service (e.g., in contracts or legal documents), the User is the Data Controller, and GlobalLegalCheck Oy is the Data Processor.
1.2 Purpose: The Data Processor shall process Personal Data solely to provide the Service (the AI Suite and Marketplace) as documented in the Terms and Conditions.
1.3 AI Training Restriction: The Data Processor shall not use the Data Controller's Personal Data to train foundational AI models unless the Data Controller has provided explicit, opt-in consent.
1.4 Special Category Data (GDPR Art. 9): The Data Controller bears the primary legal responsibility for establishing a valid legal basis (e.g., explicit consent or employment law obligations) under GDPR Article 9 prior to uploading documents containing special categories of personal data. To mitigate secondary risks, the Service Provider (acting as Data Processor) applies automated, best-effort obfuscation protocols to Customer Content prior to AI processing. While the Service Provider cannot guarantee the flawless automated detection of all unstructured special category data, it warrants that all Customer Content, regardless of its sensitivity, is continuously protected by the rigorous Technical and Organizational Measures (TOMs) detailed in Appendix B.
2. OBLIGATIONS OF THE DATA PROCESSOR
2.1 Documented Instructions: The Data Processor shall process Personal Data only on documented instructions from the Data Controller.
2.2 Confidentiality: The Data Processor shall ensure all personnel authorized to process Personal Data are under a strict statutory or contractual obligation of confidentiality.
2.3 Security Measures: The Data Processor shall implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk.
2.4 "Zero-Touch" Confidentiality Guarantee: The Data Processor acts strictly on the documented instructions of the Data Controller. The Data Processor shall not access, view, modify, or delete the Customer Content (including any personal data contained therein) without the Data Controller's explicit consent, except where strictly required by law. In the event such access is legally mandated, it will be fully documented, and the Data Controller will be notified, unless such notification is legally prohibited.
3. SUB-PROCESSORS
The Data Controller grants the Data Processor general written authorization to engage Sub-Processors to provide the Service. The Data Processor will inform the Data Controller of intended changes to Sub-processors at least 30 days in advance and ensure all Sub-processors are bound by equivalent data protection obligations.
4. ASSISTANCE AND BREACH NOTIFICATION
4.1 Data Subject Requests: The Data Processor shall assist the Data Controller by appropriate technical and organizational measures to respond to requests exercising Data Subject rights.
4.2 Breach Notification: In the event of a Personal Data Breach affecting the Data Controller's data, the Data Processor shall notify the Data Controller without undue delay, and no later than forty-eight (48) hours after becoming aware of it.
5. DELETION OR RETURN OF DATA AND AUDIT RIGHTS
5.1 Post-Termination: Upon termination of the Agreement, the Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data, unless EU or Finnish law requires further storage.
5.2 Audit Rights: The Data Processor shall make available all information necessary to demonstrate compliance with this DPA and contribute to audits mandated by the Data Controller.
APPENDIX A: DETAILS OF PROCESSING
- Subject Matter: Processing Personal Data to provide the SaaS and Marketplace platform.
- Duration: For the duration of the User's active subscription.
- Nature and Purpose: Cloud storage, algorithmic matching, and AI-assisted document drafting and analysis.
- Categories of Data Subjects: The Data Controller's employees, clients, opposing counsel, contracting parties, or individuals whose data is included in the uploaded Customer Content.
- Types of Personal Data: Names, contact details, ID numbers, financial details, and any other Personal Data intentionally or inadvertently embedded within the uploaded legal documents.
- Approved Sub-Processors: The Data Controller grants general authorization for the use of selected sub-processors in the following core categories: Data Hosting and Infrastructure (e.g., Hetzner Finland Oy), Payment Processing (e.g., Stripe Inc.), AI/LLMs (e.g., Anthropic PBC), and E-Signatures (e.g., Signicat). The complete, up-to-date master list of all specific Sub-processors utilized by the Data Processor is available to the Data Controller upon written request.
APPENDIX B: TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
The Data Processor implements the following baseline security measures: industry-standard encryption for data at rest and data in transit, strict Role-Based Access Control (RBAC), multi-factor authentication for administrative access, and automated data obfuscation prior to AI processing.