Data Processing Agreement

Parties

(1) The law firm, chambers, limited company, LLP, sole practice or legal department identified in the Order Form or trial-signup confirmation (the "Controller", "Customer", "you").

(2) Bennovate spółka z ograniczoną odpowiedzialnością, a company incorporated in the Republic of Poland, KRS 0000597272, NIP 7272799328, REGON 363700466, with its registered office at ul. Christiana Andersena 25, 94-118 Łódź, Poland, operating the Avantwerk Legal AI service (the "Processor", "Bennovate", "we").

Background

A. The Controller is an SRA-regulated law firm or other legal-services entity using the Avantwerk Legal AI service (the "Service") under a Trial or paid subscription governed by the Terms of Service.

B. In the course of providing the Service, Bennovate processes certain personal data on behalf of the Controller. The parties set out their respective data-protection obligations in accordance with UK GDPR Art. 28.

C. The Controller remains the controller (UK GDPR Art. 4(7)). Bennovate processes that data only as processor (UK GDPR Art. 4(8)).

D. Scope limitation. As described in Clause 2.3, this DPA covers only the narrow set of account-level personal data Bennovate processes on the Controller's behalf. It does not cover Matter Content, client data or privileged material, which remains on the Controller's own device and disk at all times (Local-First Architecture).

This DPA forms part of the Agreement. Capitalised terms not defined here have the meanings given in the Terms.

1. Definitions

| Term | Meaning |
| --- | --- |
| Agreement | The Terms of Service together with this DPA and any Order Form. |
| Controller | The Customer, being the party that determines the purposes and means of the processing described in this DPA. |
| Data Subject | An identified or identifiable natural person whose personal data is processed under this DPA. |
| IDTA | The International Data Transfer Agreement issued by the Information Commissioner under s.119A of the Data Protection Act 2018. |
| Personal Data | Information relating to an identified or identifiable natural person, as defined in UK GDPR Art. 4(1). |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (UK GDPR Art. 4(12)). |
| Processing | Any operation or set of operations on personal data, as defined in UK GDPR Art. 4(2). |
| Processor | Bennovate. |
| Restricted Transfer | A transfer of personal data to a third country not covered by a UK adequacy instrument. |
| Sub-Processor | Any third party engaged by Bennovate to process personal data on behalf of the Controller. |
| UK GDPR | Regulation (EU) 2016/679 as retained in UK law by s.3 of the European Union (Withdrawal) Act 2018, as amended. |

2. Subject matter, nature, purpose and duration

2.1 Subject matter

Bennovate processes personal data relating to the Controller's fee-earners, billing contacts and technical contacts in the course of providing the Service.

2.2 Nature and purpose of processing

| Processing activity | Purpose |
| --- | --- |
| Creating and maintaining user accounts | Enabling authorised fee-earners to access the Service |
| Authentication and access logging | Security; audit trail; detection of unauthorised access |
| Recording subscription and billing data | Invoicing; payment processing; contract management |
| Sending transactional and service emails | Onboarding; account management; security notices; invoices |
| Processing e-signature workflows at onboarding | Executing engagement letters and DPAs |
| Providing customer support | Responding to queries and incidents |

2.3 Scope limitation — what is NOT processed

This DPA does not cover, and Bennovate does not process as a processor or otherwise:

  1. Matter Content — any case file, client document, privileged material, court paper, correspondence, witness statement or other legal work product belonging to the Controller or its clients. Matter Content is held exclusively on the Controller's own device and disk and never traverses Bennovate's infrastructure;
  2. End-client personal data — the personal data of the Controller's clients contained within Matter Content; or
  3. AI-processed matter extracts — content submitted by the Controller to the Controller's chosen AI Provider via the BYOK mechanism. The AI Provider is the Controller's own processor for such content; it is not a Bennovate sub-processor.

2.4 Categories of data subjects

Fee-earners and solicitors at the Controller firm; billing contacts; technical contacts.

2.5 Categories of personal data

Name; job title; professional email address; SRA number; IP address (service logs); service-usage events; billing confirmation data.

Special-category data: none in scope. Bennovate instructs the Controller not to transmit special-category data (UK GDPR Art. 9) through the Service except where strictly necessary and disclosed in advance.

2.6 Duration

Processing continues for the duration of the subscription (including any Trial period) and for such further period as is required by applicable law or as set out in the retention table in the Privacy Notice. On termination, Clause 9 governs deletion and return.

3. Controller's instructions and compliance

3.1 Documented instructions. Bennovate shall process personal data only on documented instructions from the Controller. The Controller's instructions are set out in this DPA and in the Terms. Any additional instructions must be given in writing and signed by an authorised representative of the Controller.

3.2 Notification of unlawful instructions. If Bennovate considers that any instruction infringes the UK GDPR or other applicable data-protection law, Bennovate shall immediately notify the Controller in writing. Bennovate shall not be obliged to follow any instruction that it reasonably considers to be unlawful.

3.3 Controller's obligations. The Controller warrants that it: (a) is the controller of the personal data and has all necessary rights, consents and lawful bases; (b) has complied with its own transparency obligations; (c) has assessed and is satisfied that the processing is compatible with its own GDPR compliance; (d) will promptly notify Bennovate of any changes in applicable law materially affecting this DPA.

4. Confidentiality — UK GDPR Art. 28(3)(b)

Bennovate shall ensure that persons authorised to process personal data under this DPA are bound by appropriate obligations of confidentiality — whether statutory, contractual or otherwise — and that they process personal data only as necessary for the performance of the Service.

5. Security — UK GDPR Art. 28(3)(c) and Art. 32

5.1 General obligation

Bennovate shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, having regard to: (a) the state of the art; (b) the cost of implementation; (c) the nature, scope, context and purposes of processing; (d) the risk of varying likelihood and severity to the rights and freedoms of natural persons.

5.2 Minimum security measures

  1. TLS 1.2 or higher encryption for all data in transit between the Controller's browser and Bennovate's servers;
  2. encryption of the Controller's BYOK key at rest in browser-side IndexedDB — the key is never transmitted to Bennovate's servers;
  3. server-side access controls and role-based restrictions on account data;
  4. logging of access events with tamper-evident audit chain;
  5. fail2ban or equivalent brute-force protection on authenticated endpoints;
  6. regular vulnerability scanning and dependency auditing;
  7. a documented incident-response procedure consistent with the timelines in Clause 7.

5.3 Security review

Bennovate maintains a Security Review Package available to the Controller for audit purposes. The Controller acknowledges that Bennovate's security posture is that of a sole-operator software company at the current stage of operation, and that ISO 27001 certification and SOC 2 Type II reports are planned but not yet obtained.

6. Sub-processors — UK GDPR Art. 28(3)(d) and Art. 28(2)

6.1 General authorisation. The Controller provides general written authorisation for Bennovate to engage the sub-processors listed in Annex A. Bennovate shall impose data-protection obligations on each sub-processor no less protective than those in this DPA, by written contract.

6.2 Changes to sub-processors. Bennovate shall give the Controller not less than 30 days' written notice before engaging a new sub-processor or materially changing the scope of an existing engagement. Notice shall be given by email to the billing contact address and by a prominent notice within the Service.

6.3 Controller's right to object. Within 14 days of receiving notice under Clause 6.2, the Controller may object in writing, stating the data-protection grounds. If the parties cannot resolve the objection within the notice period, the Controller may terminate the Agreement with immediate effect, with a pro-rated refund of prepaid fees for the unexpired subscription period. If the Controller does not object within 14 days, the Controller is deemed to have accepted the change.

6.4 Liability for sub-processors. Bennovate remains liable to the Controller for the performance of sub-processors' obligations under this DPA to the same extent as if Bennovate were performing those obligations directly.

6.5 AI Provider — not a Bennovate sub-processor. The Controller's chosen AI Provider (accessed via the BYOK mechanism) is not a Bennovate sub-processor for the purposes of this DPA or UK GDPR Art. 28. Matter content submitted by the Controller to the AI Provider via BYOK is processed under the Controller's own relationship with the AI Provider, and token usage is billed to the Controller directly by that AI Provider. The Controller is responsible for its own UK GDPR compliance in that processing chain.

7. Data subject rights assistance — UK GDPR Art. 28(3)(e)

Bennovate shall, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures, in responding to requests from data subjects exercising their rights under UK GDPR Chapter III (Arts. 15–22: access, rectification, erasure, restriction, portability, objection, automated decision-making).

Specifically:

  1. Bennovate shall notify the Controller within 5 working days of receiving a data-subject rights request directed to Bennovate that relates to data processed under this DPA;
  2. Bennovate shall provide the Controller with information it reasonably requires to respond, within 15 working days of the Controller's written request;
  3. Bennovate shall not respond substantively to a data-subject rights request on the Controller's behalf without the Controller's prior written instruction, except where required to do so by law.

8. Assistance with Art. 32–36 obligations — UK GDPR Art. 28(3)(f)

Bennovate shall assist the Controller in ensuring compliance with:

  1. Art. 32 — security obligations, by maintaining the measures in Clause 5 and providing the Controller with relevant technical information on request;
  2. Art. 33 — Personal Data Breach notification to the ICO: Bennovate shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach affecting data processed under this DPA. Notification shall include: (i) the nature of the breach including categories and approximate numbers of data subjects and records affected; (ii) the name and contact details of the DPO; (iii) the likely consequences; (iv) measures taken or proposed to mitigate effects. The Controller is responsible for notifying the ICO within the 72-hour window under UK GDPR Art. 33(1);
  3. Art. 34 — communication of a breach to affected data subjects, by providing the Controller with information needed to assess whether notification is required and to draft it;
  4. Art. 35 — DPIA: Bennovate shall, on request, provide relevant technical information to assist the Controller in completing a DPIA in respect of the processing described in this DPA;
  5. Art. 36 — prior consultation: where a DPIA indicates a high residual risk that requires prior consultation with the ICO, Bennovate shall cooperate with the Controller to the extent the consultation relates to Bennovate's processing.

9. Deletion and return of data — UK GDPR Art. 28(3)(g)

9.1 On termination. On expiry or termination of the Agreement for any reason, Bennovate shall, at the Controller's election:

  1. delete all personal data processed under this DPA within 30 days of the termination date; or
  2. return all personal data to the Controller in a structured, commonly used and machine-readable format within 30 days, after which Bennovate shall delete all copies.

9.2 Legal retention exceptions. Bennovate may retain personal data beyond the period in Clause 9.1 to the extent retention is required by applicable law (including accounting and tax obligations). In such cases Bennovate shall: (a) notify the Controller of the data retained and the legal basis; (b) cease all processing for any purpose other than compliance; (c) delete the data as soon as the legal obligation ceases.

9.3 Matter content not affected. Matter Content on the Controller's own device and disk is unaffected by termination — it was never held by Bennovate.

10. Audit rights — UK GDPR Art. 28(3)(h)

10.1 Bennovate's obligation. Bennovate shall make available to the Controller all information necessary to demonstrate compliance with UK GDPR Art. 28 and shall allow for and contribute to audits and inspections conducted by the Controller or a third-party auditor mandated by the Controller.

10.2 Practical audit procedure.

  1. The Controller shall give Bennovate at least 30 days' written notice of an audit request, specifying scope and proposed dates.
  2. Audits shall be conducted during normal business hours and shall not unreasonably disrupt Bennovate's operations.
  3. The Controller may inspect: documentation of Bennovate's security policies and procedures; sub-processor list; DPA and security review documents; and relevant logs — subject to Bennovate redacting third-party confidential information.
  4. The Controller shall not audit more than once per 12-month period unless: (i) a Personal Data Breach has occurred; (ii) the ICO requires it; or (iii) the Controller has reasonable grounds to suspect a material breach of this DPA.
  5. The Controller shall bear its own costs of any audit. Bennovate may charge a reasonable fee for management time beyond one day.
  6. Where a recent third-party audit report is available (e.g. ISO 27001 certification), Bennovate may satisfy the audit obligation by making that report available, subject to confidentiality.

11. International transfers

11.1 Transfer mechanism. Where Bennovate (or a sub-processor) transfers personal data outside the UK that is not covered by UK adequacy regulations, Bennovate shall ensure the transfer is subject to one of:

  1. the International Data Transfer Agreement (IDTA) under s.119A DPA 2018; or
  2. the UK Addendum to EU Standard Contractual Clauses; or
  3. another mechanism approved by the ICO.

11.2 Transfer impact assessment. Where a restricted transfer takes place, Bennovate shall have conducted or make available the results of a transfer impact assessment (TIA). Where the TIA identifies a risk that cannot be mitigated, Bennovate shall notify the Controller and not proceed without written consent.

11.3 Current transfer positions:

| Sub-processor | Destination | Mechanism |
| --- | --- | --- |
| Hetzner Online GmbH | Germany (EEA) | UK adequacy regulations |
| CRM provider | USA | UK Addendum / IDTA |
| Payment processor | USA | UK Addendum / IDTA |
| Transactional email provider | USA | UK Addendum / IDTA |

12. Term

This DPA is co-terminous with the Agreement. It comes into force on the Effective Date and terminates automatically when the Agreement terminates, subject to the survival provisions at Clause 9.

13. Governing law and jurisdiction

This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.

14. Order of precedence

In the event of any conflict between this DPA and the Terms of Service on data-protection matters, this DPA prevails. In the event of any conflict between this DPA and any applicable standard contractual clauses (IDTA or UK Addendum) incorporated by reference, the standard contractual clauses prevail.

Annex A — Authorised Sub-Processors

| # | Sub-processor | Role | Data processed | Jurisdiction | Mechanism |
| --- | --- | --- | --- | --- | --- |
| SP-01 | Hetzner Online GmbH | VPS hosting | Server logs, access logs, static SPA bundle, signed-document store | Germany (EU/EEA) | UK adequacy (EEA) |
| SP-02 | CRM provider (category: customer relationship management) | Firm-level metadata, subscription stage, billing routing | Firm name, contact email, subscription tier, billing confirmation | USA | UK Addendum / IDTA |
| SP-03 | Payment processor (category: payment services) | Subscription payment processing | Payment confirmation data — no card numbers | USA | UK Addendum / IDTA |
| SP-04 | Transactional email provider (category: email service) | Sending onboarding, account and invoice emails | Name, email address | USA | UK Addendum / IDTA |
| SP-05 | Self-hosted e-signing platform (community edition, self-hosted on our VPS) | Engagement letter and DPA e-signing | Name, email, signed document | Germany (our VPS) | Not a third-party transfer |

AI Provider is not listed. The Controller's chosen AI Provider (accessed via BYOK) is the Controller's own processor for matter content. It is not a Bennovate sub-processor. See Clause 6.5.

Sub-processor additions and changes are subject to the 30-day notice procedure in Clause 6.2.

Annex B — Processing Details Summary (UK GDPR Art. 30 record)

| Element | Detail |
| --- | --- |
| Subject matter | Account management; authentication; billing; e-signing at onboarding; customer support |
| Duration | Subscription term + legal retention periods |
| Nature | Collection, storage, access, use, disclosure to sub-processors, deletion |
| Purpose | Providing the Service under the Agreement |
| Type of personal data | Name, professional email, job title, SRA number, IP address, service usage events, billing confirmation |
| Categories of data subjects | Fee-earners and solicitors; billing contacts; technical contacts of the Controller firm |
| Controller | The law firm identified in the Order Form |
| Processor | Bennovate spółka z ograniczoną odpowiedzialnością |
| Sub-processors | As listed in Annex A |