Data Processing Agreement

For the purposes of this Data Processing Agreement ("DPA"), the following definitions apply:

• "Data Controller" means the User (attorney or law firm) who determines the purposes and means of the processing of Personal Data through the Service.
• "Data Processor" means ModernLawOffice ("MLO," "we," "us," or "our"), which processes Personal Data on behalf of the Data Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Data Processor on behalf of the Data Controller through the Service.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates, including website visitors and intake form respondents.
• "Sub-processor" means any third party engaged by the Data Processor to assist in the processing of Personal Data on behalf of the Data Controller.
• "Service" means the ModernLawOffice platform, including website hosting, client intake form management, analytics, and all associated applications and services.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

This DPA applies to all Personal Data processed by MLO on behalf of the Data Controller in connection with the Service. The scope of processing includes:

• Website Hosting — Storing and serving website content created by the Data Controller, including attorney profiles, practice area descriptions, and other published materials.
• Lead and Intake Data — Collecting, storing, and transmitting information submitted by website visitors through intake forms configured by the Data Controller.
• Analytics — Collecting anonymized and aggregated website visitor data (page views, referral sources, device information) to power the analytics dashboard.
• Transactional Communications — Sending notifications (new lead alerts, form submission confirmations) on behalf of the Data Controller.

MLO processes Personal Data solely for the purpose of providing the Service and in accordance with the Data Controller's documented instructions. MLO does not process Personal Data for its own purposes, including marketing, advertising, or data analytics beyond what is necessary to operate the Service.

The Data Controller agrees to:

• Ensure that all collection and processing of Personal Data through the Service complies with applicable data protection laws and regulations.
• Provide appropriate privacy notices to Data Subjects regarding the collection and use of their Personal Data.
• Obtain any necessary consents from Data Subjects before collecting their Personal Data through intake forms or other means on their website.
• Ensure that any instructions given to MLO regarding the processing of Personal Data comply with applicable laws.

MLO, as the Data Processor, agrees to:

• Process Personal Data only on documented instructions from the Data Controller, unless required by applicable law.
• Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 5).
• Not engage another processor (Sub-processor) without prior written authorization of the Data Controller (see Section 6).
• Assist the Data Controller in fulfilling its obligation to respond to Data Subject requests (see Section 7).
• Delete or return all Personal Data to the Data Controller upon termination of the Service, and delete existing copies unless applicable law requires storage (see Section 9).
• Make available to the Data Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, upon reasonable request.

MLO implements and maintains the following technical and organizational security measures to protect Personal Data:

• Encryption in Transit — All data transmitted between the Data Subject's browser and our servers is encrypted using TLS 1.2 or higher.
• Encryption at Rest — All Personal Data stored in our database is encrypted at rest using industry-standard AES-256 encryption.
• Access Controls — Role-based access controls restrict internal access to Personal Data on a need-to-know basis. Authentication is managed through Supabase Auth with support for multi-factor authentication.
• Infrastructure Security — Application infrastructure is hosted on Vercel's globally distributed edge network with built-in DDoS protection, WAF, and automated security updates.
• Automated Backups — Regular automated database backups ensure data durability and enable recovery in the event of data loss.
• Monitoring and Logging — Security events are logged and monitored. Suspicious activity triggers alerts for review by authorized personnel.

The Data Controller authorizes MLO to engage the following Sub-processors to assist in providing the Service. Each Sub-processor processes Personal Data only as necessary to perform its designated function:

MLO will notify the Data Controller of any intended changes regarding the addition or replacement of Sub-processors at least 30 days in advance, giving the Data Controller the opportunity to object to such changes. If the Data Controller objects and MLO cannot reasonably accommodate the objection, the Data Controller may terminate the Service.

MLO will assist the Data Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable data protection laws, including:

• Right of Access — Data Subjects may request access to their Personal Data. The Data Controller can export lead and intake data from the platform dashboard.
• Right to Rectification — Data Subjects may request correction of inaccurate Personal Data. The Data Controller can update records directly in the platform.
• Right to Erasure — Data Subjects may request deletion of their Personal Data. The Data Controller can delete individual records from the platform, and MLO will ensure deletion from backups within 90 days.
• Right to Data Portability — Data Subjects may request a copy of their Personal Data in a machine-readable format. The Data Controller can export data via the platform's export features.
• Right to Object — Data Subjects may object to certain types of processing. The Data Controller is responsible for honoring such objections in accordance with applicable law.

If MLO receives a request directly from a Data Subject, MLO will promptly forward the request to the relevant Data Controller and will not respond to the Data Subject directly without the Data Controller's authorization, unless required by law.

In the event of a Data Breach, MLO will:

• Notify the Data Controller within 72 hours of becoming aware of the Data Breach, providing sufficient information to allow the Data Controller to meet its own notification obligations under applicable law.
• Provide the following information in the notification (to the extent known): (a) the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the Data Breach; (c) the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.
• Cooperate with the Data Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Data Breach.
• Document the Data Breach, including the facts relating to the Data Breach, its effects, and the remedial action taken.

9.1 Term. This DPA is effective for the duration of the Data Controller's use of the Service and remains in effect until all Personal Data has been deleted or returned as described below.

9.2 Effect of Termination. Upon termination of the Service agreement or at the Data Controller's written request, MLO will:

• Make all Personal Data available for export by the Data Controller for a period of 30 days following termination.
• Permanently delete all Personal Data from its systems, including backups, within 90 days after the 30-day export period, unless retention is required by applicable law.
• Upon request, provide written confirmation that all Personal Data has been deleted.

9.3 Survival. Obligations relating to confidentiality, data security, and breach notification survive the termination of this DPA for as long as MLO retains any Personal Data.

For questions about this DPA or data processing practices, contact us at privacy@modernlawoffice.com.

ModernLawOffice — contact@modernlawoffice.com