Counsel Crest®

Data Processing Addendum

Legal framework for data processing, subprocessors, and security measures

DATA PROCESSING ADDENDUM

Important Legal Document

This Data Processing Addendum (DPA) forms part of our Terms of Service and governs how Counsel Crest processes your personal data. It includes details about our subprocessors and security measures.

Part 1: Processing Details

Complete the following information to establish the data processing terms between your organization and LawyerDesk Advocacy Pvt Ltd.

Customer name
Customer address
Customer contact
Customer role ☐ Controller / business
☐ Processor / service provider
Categories of personal data stored or processed through the Services • Contact information: first name, last name, email address, phone number
• Professional information: bar number, position, years of experience, education
• Account information: username, password (hashed), preferences, settings
• Usage information: feature usage, session data, interaction logs
• Legal case data: case details, client information, documents, research queries
• Organization data: firm name, address, practice areas, team members
• Billing information: payment details, subscription data, invoices
• Device information: IP address, browser data, device identifiers
Categories of data subjects to whom the personal data mentioned above relates • Authorized Users (lawyers, law firm staff, legal professionals)
• Clients of legal services
• Legal case parties and witnesses
• Organization administrators and team members
• Support ticket requestors
Special categories of personal data Legal case data may contain sensitive information including but not limited to:
• Health information (in personal injury cases)
• Criminal conviction data
• Financial information
• Family and relationship data
• Professional conduct records
Frequency of the transfer Continuous
Nature of the processing Collection, storage, organization, structuring, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, destruction, AI analysis, legal research, document generation, case management
Purpose of the processing The performance of the Services, namely the provision of legal practice management, AI-powered legal research, case management, document analysis, client management, and related legal technology services for law firms and legal professionals.
Retention period The duration of the Agreement, unless earlier deletion is requested by the Customer in accordance with the functionality of the Services. Legal case data may be retained for longer periods as required by legal and professional obligations.
Subprocessors As set out in Schedule 3
Supervisory authority (EU only)

By signing below and returning to {COMPANY_CONFIG.contact.privacy.email}, the Customer agrees to the data processing terms set out in Part 2 of this Data Processing Addendum and warrants that the information in Part 1 of this Data Processing Addendum is complete and accurate.

Signed for and on behalf of the Customer:
Name:
Position:
Date:

Part 2: Data Processing Terms

(Version dated August 18, 2025)

This Data Processing Addendum, comprising Part 1 (Processing Details) and Part 2 (Data Processing Terms) (together, the "DPA") supplements and, from the date on which Customer signs or otherwise agrees to this DPA, forms part of the agreement entered into between the Customer and LawyerDesk Advocacy Pvt Ltd ("Counsel Crest") on the terms set out at https://counselcrest.com/terms (the "Agreement") in relation to the transfer and processing of Covered Data in connection with the performance of the Services.

1. DEFINITIONS

1.1 Capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:

"Applicable Data Protection Laws" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including (without limitation): the GDPR, Swiss Data Protection Laws, the US Data Protection Laws, and Indian Data Protection Laws.

"CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended, including its implementing regulations and the California Privacy Rights Act of 2020.

"Controller Purposes" means: (a) aggregating and anonymizing information for the purpose of undertaking internal research and development to monitor, test, improve and alter the functionality of the Services; (b) monitoring the Customer's and Authorized Users' use of the Services for billing purposes, ensuring the security of the Services and identify fraudulent or malicious use of the Services; (c) administering the Customer's relationship with CounselCrest under the Agreement; and (d) providing AI-powered legal research and analysis services.

"Covered Data" means: (a) Personal Data that is provided by or on behalf of Customer to CounselCrest in connection with Customer's use of the Services, as further described in Part 1 (Processing Details) of this DPA; (b) contact information and access credentials relating to, and support requests submitted by, Authorized Users; (c) legal case data, client information, and related professional data processed through the Services; and (d) any other Personal Data that is otherwise collected, generated or Processed by CounselCrest in connection with the provision of the Services.

"Data Subject" means a natural person whose Personal Data is Processed.

"GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR", as defined in section 3 of the Data Protection Act 2018.

"Indian Data Protection Laws" means the Digital Personal Data Protection Act, 2023 and any related regulations, rules, or guidelines issued thereunder, as amended from time to time.

"Personal Data" means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise "personal data," "personal information," "personally identifiable information," or similarly defined data or information under Applicable Data Protection Laws.

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including AI analysis, legal research, document processing, and case management operations. "Process", "Processes" and "Processed" will be interpreted accordingly.

"Security Incident" means an actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.

"Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

"Sub-processor" means, with respect to any Processing performed by CounselCrest as a processor service provider, an entity appointed by CounselCrest to Process Covered Data on its behalf.

"US Data Protection Laws" means all applicable federal and state laws rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including (without limitation): the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, Connecticut Senate Bill 6, and other state privacy laws.

1.2 The terms "controller", "processor", "business" and "service provider" have the meanings given to them in the Applicable Data Protection Laws.

2. INTERACTION WITH THE AGREEMENT

2.1 This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.

3. ROLE OF THE PARTIES

The Parties acknowledge and agree that:

(a) save as set out in clause 3(b) or clause 3(c), CounselCrest acts as a processor or service provider in the performance of its obligations under the Agreement and this DPA and Customer acts as a controller or business;

(b) to the extent that Customer acts as a processor in respect of Covered Data on behalf of Customer's Controller, CounselCrest acts as a subprocessor in the performance of its obligations under the Agreement and this DPA;

(c) for the purposes of the GDPR, CounselCrest acts as a controller with respect to the Processing of Usage Data for the Controller Purposes, including AI model training and legal research enhancement;

(d) CounselCrest acts as a controller for anonymous usage analytics and service improvement purposes.

4. DETAILS OF DATA PROCESSING

4.1 The details of the Processing of Personal Data under the Agreement and this DPA (including subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Part 1 (Processing Details) to this DPA.

4.2 CounselCrest shall comply with its obligations under Applicable Data Protection Laws. Save with respect to any Processing of Usage Data for the Controller Purposes, CounselCrest shall only Process Covered Data on behalf of and under the instructions of Customer and in accordance with Applicable Data Protection Laws. The Agreement and this DPA shall constitute Customer's instructions for the Processing of Covered Data.

4.3 CounselCrest will provide Customer with information to enable Customer to conduct and document any data protection assessments required under Applicable Data Protection Laws.

5. COMPLIANCE

5.1 Customer shall comply with its obligations under Applicable Data Protection Laws, including providing appropriate notices to Data Subjects and obtaining necessary consents for Processing, particularly for legal case data and client information.

6. CONFIDENTIALITY AND DISCLOSURE

6.1 CounselCrest shall limit access to Covered Data to personnel who have a business need to have access to such Covered Data and ensure that such personnel are subject to appropriate confidentiality obligations, including attorney-client privilege where applicable.

7. SUB-PROCESSORS

7.1 CounselCrest may Process Covered Data anywhere that CounselCrest or its Sub-processors maintain facilities, subject to the remainder of this clause 7.

7.2 Customer grants CounselCrest general authorization to engage any of the Sub-processors listed in Schedule 3, as amended in accordance with clause 7.3 (the "Authorized Sub-processors"), to Process Covered Data.

7.3 CounselCrest shall provide Customer with at least thirty (30) days' notice of any proposed changes to the Authorized Sub-processors.

8. DATA SUBJECT RIGHTS REQUESTS

8.1 CounselCrest will promptly notify Customer of any request received from a Data Subject to assert their rights in relation to Covered Data under Applicable Data Protection Laws.

8.2 CounselCrest will provide Customer with reasonable assistance as necessary for Customer to fulfill its obligations under Applicable Data Protection Laws to respond to Data Subject Requests.

9. SECURITY

9.1 CounselCrest will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage.

9.2 CounselCrest will implement and maintain as a minimum standard the measures set out in Schedule 1.

10. SECURITY INCIDENTS

10.1 CounselCrest shall notify Customer in writing without undue delay, and in any event within seventy-two (72) hours, after becoming aware of any Security Incident.

10.2 CounselCrest shall take reasonable steps to contain, investigate, and mitigate any Security Incident.

11. TERM, DELETION AND RETURN

11.1 This DPA shall commence on the Effective Date and will remain in effect until CounselCrest's deletion of all Covered Data as described in this DPA.

11.2 Upon termination of the Agreement, CounselCrest shall, at Customer's option, delete or return all Covered Data, except where retention is required by applicable law or professional obligations.

12. STANDARD CONTRACTUAL CLAUSES

12.1 The Standard Contractual Clauses shall apply to the transfer of any Covered Data from Customer to CounselCrest where required by Applicable Data Protection Laws.

13. GENERAL

13.1 The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Applicable Data Protection Laws.

13.2 All notices to be provided by Counsel Crest to Customer under this DPA shall be sent to {COMPANY_CONFIG.contact.privacy.email} unless the Parties agree otherwise in writing.

Last Updated: August 18, 2025
Version: 1.0
Effective Date: August 18, 2025
Legal Entity: LawyerDesk Advocacy Pvt Ltd
Contact: {COMPANY_CONFIG.contact.privacy.email}

SCHEDULE 1: TECHNICAL AND ORGANIZATIONAL MEASURES

Introduction

CounselCrest employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorized access, disclosure or destruction.

Governance and Policies

CounselCrest:

  • Assigns personnel with responsibility for the determination, review and implementation of security policies and measures
  • Reviews its security measures and policies on a regular basis to ensure they continue to be appropriate for the data being protected
  • Establishes and follows secure configurations for systems and software
  • Implements attorney-client privilege protections where applicable

Breach Response

CounselCrest maintains internal monitoring systems and has a breach response plan that is regularly tested and updated. Special procedures are in place for handling incidents involving attorney-client privileged information.

Access Controls

CounselCrest limits access to personal data by implementing appropriate access controls, including:

  • Access management based on the Principle of Least Privilege
  • Centralized identity management with multi-factor authentication
  • Role-based access controls for different user types (lawyers, staff, administrators)
  • Regular access reviews and automated off-boarding procedures
  • Segregation of client data by organization and case
  • Audit trails for all access to sensitive legal data

Infrastructure Security

CounselCrest's infrastructure security includes:

  • SOC 2 compliant Google Cloud Platform services
  • Network segmentation and firewall protection
  • Regular security assessments and penetration testing
  • Intrusion detection and prevention systems
  • Secure development practices and code reviews

Encryption

Data protection through encryption includes:

  • All data encrypted at rest using AES-256 encryption
  • All data encrypted in transit using TLS 1.3
  • Database-level encryption for sensitive legal data
  • Secure key management using hardware security modules
  • End-to-end encryption for client communications where applicable

Data Segregation

CounselCrest implements data segregation measures including:

  • Logical separation of customer data by organization
  • Case-level data isolation within organizations
  • Separate processing environments for different service levels
  • Network isolation between customer environments

Availability and Backup

Data availability and backup measures include:

  • Daily automated backups with encryption
  • Geographic redundancy for backup storage
  • Regular backup testing and restoration procedures
  • High availability infrastructure with 99.9% uptime target
  • Disaster recovery procedures with defined recovery objectives

Legal and Professional Compliance

Special measures for legal data include:

  • Attorney-client privilege protection protocols
  • Ethical wall implementations for conflicts of interest
  • Legal hold and litigation support capabilities
  • Bar association compliance monitoring
  • Professional liability insurance coverage

Monitoring and Auditing

Continuous monitoring includes:

  • Real-time security monitoring and alerting
  • Comprehensive audit logging for all data access
  • Regular security assessments and compliance audits
  • Employee security training and awareness programs
  • Third-party security certifications and validations

SCHEDULE 3: SUB-PROCESSORS

The following sub-processors are authorized to process Covered Data on behalf of CounselCrest:

Name of Sub-processor Description of Processing Data Location
Supabase, Inc. Database services, user authentication, and data storage United States
Google LLC Cloud infrastructure, AI services (Gemini, Vertex AI), translation services, search API, Cloud Storage United States, Global
OpenRouter Inc. Multi-LLM orchestration and AI processing services United States
Langfuse GmbH AI model observability and performance monitoring Self-hosted (trace.lawyerdesk.ai)
Sentry.io Error tracking and application monitoring United States
Stripe, Inc. Payment processing and billing management United States
Redis Ltd. Caching and session management United States
Qdrant Inc. Vector database for AI search capabilities United States (us-east4-0.gcp.cloud.qdrant.io)
Free Law Project Legal precedent and case law data (CourtListener API) United States
MinIO, Inc. Object storage for documents and files Self-hosted, Various
Ollama Inc. Local LLM hosting and processing On-premises/Local
Mem0 Inc. AI memory management and context preservation United States
BerriAI Inc. (LiteLLM) LLM orchestration and API management United States
Perplexity AI, Inc. AI-powered research and information retrieval United States
Unstructured Technologies Inc. Document parsing and text extraction United States
LangChain Inc. Document processing and AI workflow orchestration United States
Artifex Software Inc. (PyMuPDF) PDF document processing and text extraction Local processing
Twilio Inc. SMS notifications and communication services United States
SendGrid (Twilio Inc.) Email delivery and notification services United States
GitHub, Inc. Code repository and version control (development data only) United States
Vercel Inc. Web application hosting and deployment United States
Cloudflare, Inc. Content delivery network and security services Global
Amazon Web Services (AWS) Cloud storage and computing services United States, EU (region-specific)
Microsoft Corporation Authentication services and cloud services United States, EU (region-specific)
Zapier, Inc. Workflow automation and third-party integrations United States
Docker Inc. Application containerization and deployment United States
Cloud Native Computing Foundation (Kubernetes) Container orchestration and management Google Cloud Platform (us-central1)
Various Domain Registrars Domain validation and WHOIS information retrieval Global

Sub-processor Categories

Essential Services

  • Database & Storage: Supabase, MinIO, Google Cloud Storage, AWS, Redis
  • Infrastructure: Google Cloud Platform, Cloudflare, Vercel, AWS, Kubernetes
  • Authentication: Supabase Auth, Google OAuth, Microsoft OAuth

AI & Machine Learning Services

  • LLM Providers: Google Gemini/Vertex AI, OpenRouter, Ollama, Perplexity AI
  • AI Orchestration: LiteLLM, LangChain, Mem0
  • Vector Search: Qdrant, FastEmbed
  • AI Monitoring: Langfuse

Legal & Research Services

  • Legal Data: CourtListener API, legal research databases
  • Document Processing: PyMuPDF, Unstructured, LangChain
  • Search Services: Google Search API, domain validation services

Business Operations

  • Payments: Stripe
  • Communications: Twilio, SendGrid
  • Workflow Automation: Zapier
  • Development: GitHub, Docker

Security & Monitoring

  • Error Tracking: Sentry
  • Performance Monitoring: Langfuse, system monitoring tools
  • Security Services: Cloudflare, Google Cloud Security, container security
  • Cryptography: Passlib, Python-JOSE

Translation & Localization

  • Translation Services: Google Cloud Translate
  • Language Processing: Various NLP libraries

Data Processing Purposes

Sub-processors process data for the following purposes:

  • Providing the core legal practice management services
  • AI-powered legal research and document analysis
  • Multi-LLM orchestration and intelligent routing
  • Vector database search and semantic matching
  • Document processing, parsing, and text extraction
  • User authentication and access control
  • Payment processing and billing
  • System monitoring and error tracking
  • Email communications and SMS notifications
  • AI model performance monitoring and observability
  • Security monitoring and threat detection
  • Container orchestration and deployment
  • Workflow automation and third-party integrations
  • Translation and localization services
  • Domain validation and network services
  • Memory management and context preservation
  • Legal precedent research and case law analysis
  • Cloud infrastructure and content delivery
  • Development tooling and version control
  • Caching and session management

Data Transfer Mechanisms

Data transfers to sub-processors are protected by:

  • Standard Contractual Clauses (SCCs) where applicable
  • Adequacy decisions for transfers to adequate countries
  • Binding Corporate Rules (BCRs) where available
  • Certification schemes and codes of conduct
  • Contractual safeguards and security requirements
  • Data anonymization and redaction before external processing
  • TLS/SSL encryption for all data in transit
  • Server-side encryption for data at rest
  • Local processing where feasible (e.g., Ollama, PyMuPDF)
  • Self-hosted solutions to minimize external data sharing
  • Access controls and authentication mechanisms
  • API rate limiting and usage monitoring
  • SOC 2 Type II compliance requirements for cloud providers
  • Container isolation and security scanning
  • Regular security audits and penetration testing

Updates to Sub-processors

CounselCrest may add, remove, or change sub-processors from time to time. Customers will be notified of any changes at least 30 days in advance through email notifications and updates to this document.

Current as of: August 18, 2025

Related Legal Documents

Terms of ServicePrivacy PolicyUS-Specific Terms
Questions about this DPA?Request Signed Copy
View Terms of Service

Legal Notice

This Data Processing Addendum is a legal contract between your organization and LawyerDesk Advocacy Pvt Ltd. It governs how we process your personal data and outlines our security measures and subprocessor relationships. By using our services, you agree to these terms. For questions about data processing, contact us at privacy@counselcrest.com.