ico-au AU
ico-nz NZ
SG
UK

A Legal Ready Product

Become ebrief ready:

Book a demo
Sign in

Data Processing Addendum (Customers)

This Data Processing Addendum (including its annexes, the “DPA“) is incorporated into the Agreement(s) as defined below) between Ebrief Ready Limited (“Legal Ready“) and Customer. This DPA describes the parties’ obligations, including under applicable privacy, data security, and data protection laws, with respect to the processing and security of Customer Personal Data (as defined below). This Addendum will be effective on the Addendum Effective Date (as defined below), and will replace any terms previously applicable to the processing and security of Customer Data.

  1. DEFINITIONS
    1. Addendum Effective Date” means the date on which Customer accepted or agreed to the Agreement;
    2. Agreement” means the contract or Terms and Conditions under which Legal Ready has agreed to provide the applicable services to the Customer;
    3. Customer Personal Data” means the Personal Data processed by Customer pursuant to, and in connection with this Agreement, as further described in Annex 1 to this DPA;
    4. Data Protection Legislation” means any applicable legislation in force from time to time relating to privacy or the protection of personal data including, without limitation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), together with the laws of any EU Member States or the United Kingdom which implement, incorporate or supplement the GDPR;
    5. EU Standard Contractual Clauses” means the Standard Contractual Clauses forming part of Decision 2021/914/EC, including their appendices and with the relevant Modules, Options and content as set out under this DPA as set out in Annex 4 to this DPA as amended or replaced from time to time by a competent authority).
    6. UK Addendum” means the Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner in accordance with S119A Data Protection Act 2018.
    7. The terms “Controller“, “Data Subject“, “Personal Data“, “Personal Data Breach“, “process“, “Processor“, “Supervisory Authority” and “Special Categories of Personal Data” have the meanings given to those terms in the GDPR.
  2. GENERAL
    1. The parties agree and acknowledge that for the purposes of Data Protection Legislation, Customer is the Controller and Legal Ready (or a relevant affiliate) is the Processor of the Customer Personal Data.
    2. Each of Legal Ready and Customer shall comply with their respective obligations under Data Protection Legislation with respect to their processing of the Customer Personal Data.
  3. DATA PROCESSING OBLIGATIONS
    1. Legal Ready shall:
      1. process the Customer Personal Data in accordance with the documented instructions of Customer, to perform the Services and as otherwise necessary to fulfil its obligations under this Agreement, unless required by applicable law to which Legal Ready is subject in which case Legal Ready shall, to the extent permitted by that applicable law, inform Customer before commencing such processing;
      2. as soon as reasonably practicable, notify Customer in writing, if in Legal Ready’s opinion, the processing instructions given by Customer infringe Data Protection Laws;
      3. ensure that any Legal Ready employees, agents or contractors who have access to the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      4. have in place appropriate technical and organisational measures as required by Data Protection Legislation to protect the Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the Customer Personal Data to be protected;
      5. notify Customer, as soon as reasonably practicable, and in any event within 72 hours, upon becoming aware of any Personal Data Breach and cooperate with Customer and provide such assistance as Customer may reasonably request to enable Customer to comply with its obligations under the Data Protection Legislation to:
        1. notify a Personal Data Breach to the Supervisory Authority; and
        2. communicate a Personal Data Breach to the Data Subject.
      6. promptly notify Customer of any communication received by Legal Ready relating to Customer’s obligations under Data Protection Legislation with respect to the Customer Personal Data, including any data subject right request from a Data Subject or a communication from a Supervisory Authority;
      7. cooperate with Customer and provide such assistance (including, taking into account the nature of the processing, assisting Customer by appropriate technical and organisational measures insofar as this is possible) as Customer may reasonably request to enable Customer (or a relevant affiliate) to satisfy its obligations with respect to responding to any exercise by a Data Subject of his or her rights in respect of Customer Personal Data under the Data Protection Legislation;
      8. provide such assistance as Customer may reasonably request to enable Customer to comply with its obligations under the Data Protection Legislation to:
        1. carry out data protection impact assessments; and
        2. in connection with prior consultations with a Supervisory Authority, in each case solely in relation to processing of the Customer Personal Data by Legal Ready and taking into account the nature of the processing and information available to Legal Ready;
      9. when engaging any subprocessor, Legal Ready will ensure via a written contract that:
        1. the Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the applicable Agreement (including this Addendum); and
        2. if required under Data Protection Legislation, the data protection obligations described in this Addendum are imposed on the subprocessor,

        and Legal Ready shall remain liable to Customer for the processing of that Customer Personal Data by the subprocessor.

      10. when engaging any subprocessor to process Customer Personal Data, Legal Ready will notify Customer of its intention to appoint that subprocessor and provide Customer with a reasonable opportunity to object on reasonable data protection grounds prior to such appointment (in which case such subprocessor shall not be used to process Customer Personal Data). Customer provides approval for all subprocessors listed at Annex 3 of this DPA.
      11. not transfer any Customer Personal Data outside of the European Union to a jurisdiction that has not been determined by the European Commission as providing adequate protection for personal data, without the prior written consent of Customer, and where such consent is given, only provided that the Legal Ready has in place appropriate measures (including entering into any processor-to-processor standard contractual clauses) to enable such transfer to be made in compliance with Data Protection Legislation;
      12. as soon as reasonably practicable upon termination or expiry of the Agreement or otherwise on request by Customer, and at the option of Customer, return all Customer Personal Data to Customer or delete all Customer Personal Data, except to the extent that Legal Ready is required by applicable law to retain such Customer Personal Data; and
      13. make available to Customer on request all reasonable information necessary to demonstrate compliance with this Data Processing Agreement and allow for and contribute to audits, including inspections, conducted by Customer or an auditor appointed by Customer.
    2. Annex 1 to this DPA sets out a description of the Customer Personal Data. For the avoidance of doubt, Annex 1 does not create any obligation or rights for any party to this DPA.
  4. INTERNATIONAL TRANSFERS
    1. (Legal Ready EU Transfer) In the event of any transfer of Customer Personal Data from Customer in the EU to Legal Ready in a jurisdiction that has not been determined as providing adequate protection for personal data, Customer on behalf of itself and as agent for each relevant affiliate (each as “data exporter”) and Legal Ready (as “data importer”) hereby enter into the EU Standard Contractual Clauses.
    2. (Legal Ready UK Transfer) In the event of any transfer of Customer Personal Data from Customer in the UK to Legal Ready in a jurisdiction that has not been determined as providing adequate protection for personal data, Customer on behalf of itself and as agent for each relevant affiliate (each as “data exporter”) and Legal Ready (as “data importer”) hereby enter into the EU Standard Contractual Clauses and the UK Addendum, incorporating:
      1. the party details as set out in this DPA, inserted in Table 1 (Parties) of such UK Addendum;
      2. the first option in Table 2 to clarify that the UK Addendum incorporates the 2021 EU Standard Contractual Clauses;
      3. the list of parties and the description of the transfer of personal data, each as set out in Annex I of the EU Standard Contractual Clauses, inserted in Table 3 (Appendix Information) of such UK Addendum;
      4. the description of the technical and organisational security measures as set out in Annex 2 to this DPA inserted in Table 3 (Appendix Information) of such UK Addendum;
      5. the option the Exporter as set out in Table 4 of such UK Addendum.
  5. MISCELLANEOUS
    1. Any obligation imposed on Legal Ready under this DPA in relation to the processing of Customer Personal Data shall survive any termination or expiration of the Agreement.
    2. The provisions of this DPA are supplemental to the Agreement. In the event of inconsistencies between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail. In the event of any conflict or inconsistency between this DPA and the EU Standard Contractual Clauses or the UK Addendum, the EU Standard Contractual Clauses or UK Addendum (as applicable) shall prevail.
    3. Without prejudice to EU Standard Contractual Clauses and the UK Addendum, Legal Ready and Customer hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA and this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.

ANNEX 1

DATA PROCESSING DETAILS

This Annex 1 includes certain details of the Processing of Customer Personal Data.

Subject matter and duration of the Processing of the Personal Data: The subject matter and duration of the Processing of the Customer Personal Data are as set out in the Agreement.

The nature and purpose of the Processing of the Personal Data: The nature and purpose of the Processing of the Customer Personal Data are as set out in the Agreement.

The categories of Data Subject to whom the Customer Personal Data relates: Data subjects include the individuals about whom data is provided to Legal Ready via the Services by (or at the direction of) Customer or by its affiliates. 

The types of Customer Personal Data to be Processed: Data relating to individuals provided by Customer via the Services, by (or at the direction of) Customer or its affiliates.

The obligations and rights of the Legal Ready: The obligations and rights of Legal Ready are as set out in the Agreement.

ANNEX 2

SECURITY MEASURES

The technical and organisational measures are set out in the information security policies, standards and procedures that apply to Legal Ready and to the Customer, in accordance with the Agreement.

ANNEX 3

APPROVED SUBPROCESSORS

In accordance with Clause 3.1.10 of this DPA, Customer provides approval for Legal Ready to engage the following Subprocessors to process Customer Personal Data. Legal Ready shall maintain an up-to-date list of its Subprocessors and will inform Customer of any intended changes to this list by providing prior written notice of the engagement of any new Subprocessor, in accordance with Clause 3.1.10.

These cookies allow us to remember choices you make (such as your user name, language, or the region you are in) and provide enhanced, more personal features. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.

Purpose of Processing

Location of Processing

Subprocessor Name

Amazon Web Services (AWS) EMEA SARL
Hosting infrastructure, storage (S3), database services (RDS), compute (ECS), key management (KMS), load balancing (ELB), web application firewall (WAF) supporting the Ebrief Ready and Disclosure Ready platforms.

Europe (London) EU-West-2

Google Ireland Limited / Google LLC (Google Workspace)
Internal company email communications (Gmail), internal document storage and collaboration (Google Drive), internal meetings (Google Meet); processing customer contact information (emails, names, titles, company information) and any other information provided by customers to Legal Ready via email.

United States

Linear Orbit, Inc. (Linear.app)
Internal project and task management for software development; processing customer identity data (names, usernames, company information), technical & usage data (IP addresses, login data, browser data, how users interact with the Legal Ready platforms), and profile data.

United States

Slack Technologies, LLC
Internal company communications; processing customer identity data, technical & usage data, and profile data shared for support or operational purposes.

United States

HubSpot, Inc.
Customer Relationship Management (CRM) and marketing activities, processing customer identity data (names, emails, address, phone numbers, company information).

United States East

Zendesk, Inc.
Customer support ticketing and communication; processing customer identity data (names, email addresses), technical & usage data, and profile data (where needed to provide assistance).

Asia Pacific (Sydney) region

Xero Limited
Invoicing, financial management, and accounting; processing customer billing information (names, addresses, contact details, transaction history).

Australia

Stripe, Inc.
Payment processing for platform services; processing customer payment details (cardholder names, card numbers (tokenised), billing addresses, transaction history).

United States

Twilio Inc.
SMS delivery for two-factor authentication (2FA); processing customer identity data (name, phone number) and profile data.

United States

OpenAI
Provision of artificial intelligence and machine learning models and services for AI-powered features within the Services (subject to customer use of such features and submission of data by the Controller via Legal Ready).

London

Anthropic
Provision of artificial intelligence and machine learning models and services for AI-powered features within the Services (subject to customer use of such features and submission of data by the Controller via Legal Ready).

United States

ANNEX 4

EU STANDARD CONTRACTUAL CLAUSES

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data Exporter:
Name: as set out in the DPA for Legal Ready.
Address: as set out in the DPA for Legal Ready.
Contact person’s name, position and contact details: as set out in the Agreement or as notified to the Data Importer by the Data Exporter from time to time.
Activities relevant to the data transferred under these Clauses: as set out in the Agreement.
Signature and Date: the Addendum Effective Date
Role: processor

Data importer:
Name: as set out in the DPA for the Customer.
Address: as set out in the DPA for the Customer.
Contact person’s name, position and contact details: as set out in the Agreement, or as notified to the Data Exporter by the Data Importer from time to time.
Activities relevant to the data transferred under these Clauses: as set out in the Agreement.
Signature and Date: the Addendum Effective Date
Role: controller

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

as per the categories of Data Subject to whom the Personal Data relates as set out in Annex 1 to the DPA.

Categories of personal data transferred:

as per the types of Personal Data to be processed set out in Annex 1 to the DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

as per the special categories of personal data set out in Annex 1 to the DPA., and as per the Agreement including without limitation and where relevant Annex 2 to the DPA.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

continuous unless otherwise specified in the Agreement.

Nature of the processing:

as per the nature of the Processing set out in Annex 1 to the DPA.

Purpose(s) of the data transfer and further processing:

as per the purpose as set out in Annex 1 to the DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

as set out in the Agreement, including Clause 3.1.11 of the Agreement where applicable.

For transfers to (sub-) processors, also specify the subject matter, nature and duration of the processing:

as per the subject matter, nature and duration set out in Annex 1 to the DPA.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13: The competent supervisory authority in the UK or EU Member State (or, where applicable, the relevant region of that EU Member State) in which the Data Exporter is established.

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

As per Annex 2 of the DPA.

ANNEX III – LIST OF SUB-PROCESSORS

As set out in Annex 3 to the DPA, as may be updated from time to time.
Start your free trial
Sign in
  • 71-75 Shelton Street
    Covent Garden
    London
    WC2H 9JQ
Copyright © Litigation Ready 2025
eBrief Ready is now Litigation Ready in the UK. Learn more.

Cookies & Privacy

This website uses cookies to ensure you get the best experience on our website.

Accept
More Information