Data Processing Addendum
Law Dog AI - Data Processing Addendum (DPA)
Effective Date: March 4, 2026
Last Updated: March 4, 2026
This Data Processing Addendum ("DPA") forms part of the Law Dog AI Terms of Service ("Terms") between DocuDash Inc. ("Processor" or "DocuDash") and the entity or individual using the Services ("Customer" or "Controller").
If there is a conflict between this DPA and the Terms regarding processing of Customer Data, this DPA controls.
1. Definitions
- Customer Data means Customer Content and any personal data DocuDash processes on Customer's behalf in connection with the Services.
- Personal Data has the meaning given under applicable data protection laws.
- Process and Processing have the meaning given under applicable data protection laws.
- Security Incident means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
2. Roles and Scope
Customer is the Controller (or business) and DocuDash is the Processor (service provider) of Customer Data processed to provide the Services.
DocuDash will Process Customer Data only:
- to provide, maintain, secure, and support the Services; and
- in accordance with Customer's documented instructions as reflected in the Terms, this DPA, and Customer's use/configuration of the Services.
3. Details of Processing (Annex A)
The subject matter, duration, nature and purpose of Processing, categories of data, and categories of data subjects are described in Annex A.
4. Confidentiality
DocuDash will ensure persons authorized to Process Customer Data are under an obligation of confidentiality.
5. Security Measures
DocuDash will implement and maintain reasonable technical and organizational measures designed to protect Customer Data against Security Incidents, as described in Annex B.
6. Subprocessors
6.1 Authorization
Customer authorizes DocuDash to use subprocessors to provide the Services. Current subprocessors are listed in Annex C.
6.2 Subprocessor Obligations
DocuDash will impose contractual obligations on subprocessors that are designed to protect Customer Data consistent with this DPA.
6.3 Changes
DocuDash may update subprocessors as needed. If Customer requires advance notice for enterprise arrangements, Customer may request a written subprocessor notice process by contacting support.
7. No Model Training
DocuDash will not use Customer Data to train or fine-tune machine learning models.
DocuDash does not use a separate OCR-only subprocessor. If OCR is enabled for a workflow, it is handled by DocuDash's primary AI infrastructure provider.
8. Assistance
Taking into account the nature of the Processing, DocuDash will provide reasonable assistance to Customer in responding to:
- requests from data subjects (where applicable), and
- regulatory inquiries,
in each case to the extent Customer cannot reasonably fulfill such requests without DocuDash's assistance.
9. Security Incidents
DocuDash will notify Customer without undue delay after confirming a Security Incident affecting Customer Data and will provide information reasonably necessary for Customer to meet any breach-notification obligations. DocuDash will cooperate reasonably with Customer's investigation and remediation.
10. Deletion and Return
10.1 During the Term
Customer may delete conversations and associated data through the Services. DocuDash will delete Customer Data from primary systems associated with deleted conversations and delete associated AI file/vector assets used for those conversations as part of the deletion process.
10.2 Upon Termination
Upon termination of the Services, DocuDash will delete or return Customer Data within a reasonable period, subject to:
- legal obligations,
- security requirements, and
- residual retention in backups/logs for limited periods.
11. Customer Responsibilities
Customer is responsible for:
- obtaining all necessary rights and permissions to provide Customer Data to the Services (including client confidential information),
- ensuring Customer's use complies with applicable law and professional obligations, and
- configuring optional features appropriately (e.g., CourtListener citation checks/searches).
12. Liability
Liability under this DPA is subject to the limitations and exclusions in the Terms.
Annex A - Processing Details
Subject matter: Provision of AI-assisted drafting, research support, file search, and related features.
Duration: For the term of the Services and up to applicable retention periods.
Nature of processing: Collection, storage, transmission, retrieval, deletion.
Purpose: Provide, maintain, secure, and support the Services; generate outputs requested by Customer; troubleshoot and prevent abuse.
Categories of data subjects: Customer users; Customer clients and other individuals referenced in Customer Data.
Categories of Personal Data: May include names, contact details, matter facts, communications, documents, and other data Customer uploads or references.
Special categories/sensitive data: Customer may upload sensitive data at its discretion; Customer is responsible for permissions and compliance.
Annex B - Security Measures (Summary)
DocuDash maintains safeguards designed to protect Customer Data, including:
- Encryption in transit: TLS for data transmissions.
- Encryption at rest: Encryption at rest for stored data (database and object storage used for processing).
- Access controls: Administrative access restricted to the service owner; least privilege where feasible.
- Network security: Firewalling and IP allowlisting for database access paths.
- Session security: Secure/HttpOnly cookies in production; session timeouts.
- Logging: Operational logging (including filenames/titles) with retention limits; access restricted.
- Deletion controls: Ability to delete conversations and associated AI assets; automated retention purge (where configured).
- Incident response: Procedures to investigate and notify upon confirmed incidents.
No system can be guaranteed 100% secure.
Annex C - Subprocessors (Current)
Depending on enabled features, DocuDash may use:
- OpenAI - primary AI infrastructure provider (AI processing and file search/vector stores, and OCR when enabled).
- Neon - managed PostgreSQL database hosting.
- Vercel - application hosting and upload blob/object storage used during file ingestion.
- Auth0 (Okta) - authentication and identity management.
- CourtListener / Free Law Project - citation checks and legal search (optional, when enabled).
- Payment processor - subscription billing and payment processing (if and when subscriptions are offered).
Customer may avoid optional CourtListener lookups to prevent data transfer for that feature.