- Effective Date: February 17, 2026
- Primary Processing Region: United States
1. Purpose & Scope
This DPA governs Ourfirm.ai's processing of personal data provided by Customer in connection with the services. It applies only to US processing and US customers; cross-border transfers are outside scope.
2. Roles of the Parties
- Ourfirm.ai acts as "service provider"/"processor" under applicable US laws (e.g., CCPA/CPRA, state analogs).
- Customer determines the purposes and means of processing and is the "business"/"controller."
3. Processing Instructions
We will process personal data only:
- Per documented, lawful instructions from Customer
- Per the Agreement and this DPA
- To provide, maintain, and secure the services
We do not "sell" or "share" personal information (as those terms are defined by US privacy laws) and will not use personal data for any purpose other than providing the services.
Usage Data: We collect and analyze Usage Data (metadata about platform usage such as frequency, duration, features accessed, and session data) to improve the Services. Usage Data does not include Customer Data or Content. Our collection and use of Usage Data is limited to the definition in Section 2 of the Terms of Service and does not include any substantive content, prompts, documents, or generated output.
4. Categories & Nature of Processing
All personal data described in this Section 4 is processed solely in accordance with the processing instructions and restrictions set forth in Section 3 above.
4.1 Data Subjects
Customer's personnel, clients, counterparties, experts, opposing counsel, and other case-related individuals.
4.2 Categories
Identifiers, contact details, case materials, communications, and usage metadata.
4.3 Nature
Hosting, storage, indexing, retrieval, AI-assisted generation, and support.
4.4 Duration
Subscription term plus retention required by law or as permitted by the Agreement.
5. Confidentiality & Personnel
We ensure personnel with access to personal data are bound by confidentiality and receive appropriate privacy/security training.
6. Security
We implement the technical and organizational measures in the Security Addendum, incorporated here by reference.
7. Subprocessors
Customer authorizes Ourfirm.ai to engage subprocessors necessary to provide the services, subject to written agreements imposing data-protection obligations no less protective than this DPA.
We will:
- Provide advance notice of material changes
- Maintain a public Subprocessor List
Customer may object on reasonable privacy/security grounds; if unresolved, Customer may suspend the affected feature or terminate for convenience as to the impacted service in accordance with the Agreement.
8. Assistance & Cooperation
We will:
- Provide information necessary to demonstrate compliance with this DPA
- Assist with security assessments reasonably related to the services
- Assist with responding to verifiable requests from individuals under applicable US privacy laws
9. Security Incidents
Upon confirmation of unauthorized access to unencrypted personal data maintained by us, we will notify Customer without undue delay and in any event within 72 hours of confirmation, and will provide updates as reasonably available, consistent with the Security Addendum.
10. Return or Deletion
At termination or upon Customer request, we will delete or return personal data, subject to backup and legal-hold constraints. Deletion from backups occurs on the next scheduled cycle.
11. No Cross-Border Transfers
Our processing covered by this DPA occurs within the United States. If Customer later enables features or subprocessors that involve processing outside the US, the parties will execute an appropriate Data Transfer Addendum before such processing begins.
12. Audits
Upon reasonable written request and no more than annually (unless required by a supervisory authority or a verified incident), we will make available information necessary to demonstrate compliance, which may include responses to security questionnaires and available third-party reports.
13. Precedence
If there is a conflict between this DPA and the Agreement, this DPA controls with respect to personal-data processing. Otherwise, the Agreement governs.
For questions about data processing, contact:
Data Processing Contacts
- Company: Ourfirm.ai, Inc.
- Privacy: privacy@ourfirm.ai
- Legal: legal@ourfirm.ai
| Version | Effective Date | Summary | Author | Approver |
|---|---|---|---|---|
| 2.0 | 2.17.26 | Version 2.0 | Ashton Chiruka | Andrew Mancilla |
| 1.0 | 10.23.25 | Version 1.0 | Damien Maillard | Andrew Mancilla |