Data Processing Addendum
Last updated: February 24, 2026
This Data Processing Addendum ("DPA") is incorporated into and forms part of the KrisLegal Terms of Service between KrisLegal and the subscribing law firm ("Customer"). It governs the processing of personal data by KrisLegal on Customer's behalf and satisfies the confidentiality agreement requirement under Tennessee Ethics Opinion 2015-F-159 for attorney use of cloud-based software.
1. Definitions
As used in this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person that KrisLegal processes on behalf of Customer, including client names, contact information, and information contained in case-related documents.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, or deletion.
- "Controller" means the Customer (the law firm), which determines the purposes and means of processing Personal Data.
- "Processor" means KrisLegal, which processes Personal Data on behalf of Customer under this DPA.
- "Subprocessor" means a third-party service provider engaged by KrisLegal to process Personal Data in the course of delivering the Services.
- "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Role of the Parties
Customer is the Controller of Personal Data entered into or generated through the KrisLegal platform on behalf of the firm and its clients. KrisLegal is the Processor, acting only on Customer's documented instructions as described in the Terms of Service and this DPA.
This DPA applies to all Personal Data processed by KrisLegal in connection with the Services, including matter data, client portal data, and any documents uploaded for processing.
3. Processing Instructions
KrisLegal will process Personal Data only as necessary to provide the Services and only in accordance with Customer's documented instructions, which are set out in the Terms of Service and this DPA. KrisLegal will not process Personal Data for any other purpose, including:
- Advertising or marketing to Customer's clients
- Training or improving artificial intelligence models
- Cross-customer analysis or benchmarking that could identify Customer or its clients
- Sale or transfer to any third party for independent use
If KrisLegal is required by applicable law to process Personal Data in a manner inconsistent with these instructions, KrisLegal will notify Customer before processing unless prohibited by law from doing so.
4. Confidentiality
KrisLegal will treat all Personal Data processed under this DPA as confidential. KrisLegal will ensure that personnel authorized to process Personal Data are subject to binding confidentiality obligations and have received appropriate data protection training.
KrisLegal will not disclose Personal Data to any third party except as necessary to provide the Services (through authorized Subprocessors listed in Section 7), as required by applicable law, or with Customer's prior written consent.
This confidentiality obligation satisfies the requirement for a written confidentiality agreement between attorneys and cloud-based software vendors under Tennessee Ethics Opinion 2015-F-159.
5. Security Measures
KrisLegal will implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized access, loss, destruction, or alteration. These measures include:
- All data transmitted over encrypted HTTPS/TLS connections (TLS 1.2 or higher)
- Encryption of sensitive credentials and tokens at rest using AES-256-GCM
- Multi-tenant data isolation ensuring each firm's data is strictly separated from others
- Session authentication cookies that are HttpOnly, Secure, and SameSite-protected
- Access to customer data restricted to employees who require it to provide the Services
- All employees with access to customer data bound by confidentiality obligations
- Regular internal review of access controls and security practices
- Cloud infrastructure hosted on DigitalOcean with SOC 2 Type II certification
KrisLegal will review these measures regularly and update them as the state of the art and applicable best practices evolve.
6. Security Incident Notification
Upon becoming aware of a confirmed Security Incident affecting Personal Data, KrisLegal will:
- Notify Customer without undue delay, with a target of providing initial notice within 72 hours of confirming the incident;
- Provide written notification to Customer within 45 days as required by the Tennessee Information Protection Act and T.C.A. § 47-18-2107;
- Include in the notification (to the extent then known): a description of the nature of the incident, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the incident;
- Cooperate with Customer's reasonable requests for information to assist Customer in meeting any notification obligations to its clients or regulators.
Notification of a Security Incident does not constitute an acknowledgment of fault or liability.
7. Subprocessors
Customer authorizes KrisLegal to engage the following Subprocessors to assist in delivering the Services. Each Subprocessor is bound by data protection obligations no less protective than those in this DPA.
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic, Inc. (document field extraction, KrisLegal platform key) | AI-assisted extraction of form fields from uploaded documents. KrisLegal's own Anthropic commercial API account is used for this purpose. Anthropic does not use API data to train its models. | United States |
| OpenAI, LLC | Dictation transcription (Whisper API) only. Not used for document generation or the AI assistant. Audio is deleted after transcription. OpenAI does not use API data to train its models. | United States |
| DigitalOcean, LLC | Cloud hosting and encrypted file storage | United States |
| Stripe, Inc. | Payment and subscription processing | United States |
| Resend, Inc. | Transactional email delivery | United States |
| Clio (Themis Solutions Inc.) | Practice management integration (optional, when enabled by Customer). KrisLegal accesses Customer's own Clio account via OAuth. May also write notes, tasks, and time entries back to Clio at authorized user direction. | United States / Canada |
| Free Law Project (CourtListener) | Public case law and federal court docket research. Built into the platform. Receives search queries only. No Personal Data is sent. | United States |
8. AI Services: Additional Terms
8.1 Anthropic: Bring Your Own Key Model (AI Assistant)
KrisLegal uses a bring-your-own-key (BYOK) model for the AI assistant. Customer configures its own Anthropic commercial API key (obtained via console.anthropic.com) in platform Settings. When Customer uses the AI assistant, KrisLegal acts as a technical intermediary, transmitting Customer's requests to Anthropic using Customer's own API credentials.
Anthropic is Customer's own service provider, not KrisLegal's subprocessor, for the AI assistant. The data protection obligations governing Anthropic's handling of data transmitted via Customer's own API key are those in Customer's own Anthropic commercial API agreement. KrisLegal makes no representations and assumes no responsibility for Anthropic's data handling practices with respect to data transmitted using Customer's API key.
Customer is responsible for:
- Obtaining an Anthropic commercial API key via console.anthropic.com and maintaining it in an active, valid state
- Compliance with Anthropic's commercial API usage policies and terms of service
Under Anthropic's commercial API terms, Anthropic does not use data submitted via its API to train its models. KrisLegal stores Customer's Anthropic API key encrypted at rest (AES-256-GCM) and transmits it only to Anthropic's API endpoint over encrypted connections. KrisLegal does not log, access, or use the API key for any purpose other than forwarding Customer's requests.
8.2 Anthropic: Platform Key (Document Field Extraction)
When Customer uploads a document to a document generator for AI-assisted field extraction, KrisLegal's own Anthropic commercial API account processes the OCR-extracted text to populate form fields. In this context, Anthropic is KrisLegal's subprocessor (listed in Section 7). Under Anthropic's commercial API terms, Anthropic does not use this data to train its models.
8.3 OpenAI Whisper: Dictation Only
KrisLegal uses its own OpenAI API account for the dictation transcription (Whisper) feature only. OpenAI is not used for document generation, document field extraction, or the AI assistant. OpenAI does not use API data to train its models. Audio recordings are not retained by OpenAI after transcription is complete. KrisLegal has entered into data processing terms with OpenAI consistent with this DPA.
8.4 Clio Integration: Data Access and Write-Back
The Clio integration is optional and must be enabled by Customer. When enabled, KrisLegal accesses Customer's Clio account via OAuth on Customer's behalf. The data flows are:
- Read from Clio: Matters, contacts, attorneys, documents, communications, notes, tasks, time entries, and calendar events associated with Customer's Clio account.
- Write to Clio: Notes, tasks, and time entries may be created in Customer's Clio account when an authorized user explicitly instructs the AI assistant to take that action. KrisLegal will not write to Clio autonomously.
- Local storage: Matter, contact, and attorney data synced from Clio is stored in KrisLegal's database for the duration of the subscription and is subject to all protections in this DPA.
Customer may disconnect the Clio integration and revoke access at any time from Settings. Upon disconnection, locally stored Clio-sourced data is deleted within 30 days.
8.5 CourtListener Integration: Search Queries Only
The AI assistant submits search queries to CourtListener (operated by the Free Law Project) on Customer's behalf to retrieve publicly available court opinions and dockets. Search queries may include case names, party names, or citation strings. KrisLegal does not transmit attorney-client privileged content or Personal Data to CourtListener. Results consist of publicly available court records only.
8.6 Attorney Professional Responsibility
Customer acknowledges that attorneys using AI features remain responsible under applicable rules of professional conduct for: supervising AI-generated work product, verifying accuracy of generated documents before filing or reliance, maintaining competence with AI tools (ABA Model Rule 1.1 Comment 8), and complying with jurisdiction-specific ethics guidance regarding AI and cloud computing. KrisLegal provides tools; Customer's attorneys are responsible for the legal work.
9. Data Subject Rights
As Controller, Customer is responsible for responding to data rights requests from its clients and employees (data subjects). KrisLegal will, to the extent technically feasible:
- Notify Customer within 5 business days if KrisLegal receives a data rights request directly from a data subject whose data is processed under this DPA;
- Provide Customer with reasonable cooperation and assistance in responding to verified data rights requests, including access, correction, deletion, and portability requests;
- Not respond to data subjects directly on Customer's behalf without Customer's prior written authorization.
10. Data Return and Deletion
Upon termination or expiration of the Agreement:
- Customer's data will remain accessible for export for 30 days following the end of the subscription;
- KrisLegal will permanently delete all Personal Data within 30 days after the export period, except as required to be retained by applicable law (e.g., billing records retained 7 years);
- Upon written request, KrisLegal will provide Customer with written certification of deletion within 30 days of completing the deletion.
Customer may export case data, documents, and contact information at any time through the platform's export functionality.
11. Audit Rights
KrisLegal will make available to Customer, upon written request no more than once per calendar year, information reasonably necessary to demonstrate compliance with this DPA, including:
- A summary of KrisLegal's current security practices;
- Copies of relevant certifications or third-party audit reports (such as SOC 2 reports for DigitalOcean), to the extent available to KrisLegal;
- Written responses to Customer's reasonable security questionnaires.
If Customer requires an on-site audit or inspection of KrisLegal's processing facilities, the parties will negotiate the scope, timing, and cost in good faith. Customer must give at least 30 days' written notice, and any audit must be conducted during business hours with reasonable advance notice and in a manner that does not disrupt KrisLegal's operations or compromise the security or confidentiality of other customers' data.
12. International Transfers
All Personal Data is processed and stored in the United States. KrisLegal does not transfer Personal Data to countries outside the United States. If this changes, KrisLegal will update this DPA and notify Customer at least 30 days in advance.
13. Data Retention During Term
During the term of the Agreement, KrisLegal retains Personal Data as set forth in the Privacy Policy's retention schedule:
- Active subscription data (cases, documents, contacts): duration of subscription
- AI conversation history (chat sessions and messages): duration of subscription
- AI tool usage logs (token counts, tool call records): 90 days
- Security and audit logs: 90 days (automatically purged)
- Audio recordings (dictation): deleted after transcription is delivered
- Billing records: 7 years (accounting and legal obligation)
14. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. This DPA does not expand either party's liability beyond what is set out in the Terms of Service.
15. Term and Termination
This DPA is effective for the duration of the Agreement and terminates automatically upon termination or expiration of the Agreement, subject to the data return and deletion obligations in Section 10, which survive termination.
16. Order of Precedence
In the event of any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA will govern. In all other respects, the Terms of Service govern.
17. Updates to This DPA
KrisLegal may update this DPA from time to time to reflect changes in applicable law, regulatory guidance, or its processing practices. Material changes will be communicated to Customer with at least 30 days' prior written notice. Continued use of the Services after the effective date of an updated DPA constitutes acceptance.
18. Contact
For questions about this DPA, data rights requests, or to request documentation for your due diligence file:
KrisLegal
Email: hello@krislegal.com
Website: krislegal.com