Data Processing Agreement

Effective Date: September 21, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "you," or "your") and VUGA Enterprises LLC d/b/a LegalPrizm ("LegalPrizm," "we," "us," or "our"), a Florida limited liability company, for the use of the LegalPrizm service, website, mobile applications, and related services (collectively, the "Service"). This DPA applies when LegalPrizm processes Personal Data on your behalf as a data processor under the General Data Protection Regulation (GDPR) or equivalent laws (e.g., UK GDPR).

1. DEFINITIONS

  • Personal Data: Any information relating to an identified or identifiable natural person processed by LegalPrizm on your behalf as part of the Service.
  • Data Subject: An individual to whom Personal Data relates (e.g., your clients, employees).
  • Controller: You, the Customer, who determines the purposes and means of processing Personal Data.
  • Processor: LegalPrizm, who processes Personal Data on your behalf.
  • Sub-Processor: A third party engaged by LegalPrizm to process Personal Data.
  • Applicable Data Protection Laws: GDPR, UK GDPR, and other applicable privacy laws.

2. SCOPE AND ROLES

  • Controller: You are the data controller responsible for ensuring compliance with Applicable Data Protection Laws for Personal Data you upload or process via the Service.
  • Processor: LegalPrizm acts as a data processor, processing Personal Data solely on your instructions and in accordance with this DPA and the Terms of Service.

3. PROCESSING OF PERSONAL DATA

3.1 Purpose and Nature

LegalPrizm will process Personal Data to provide the Service, including:

  • Storing and managing documents, case information, and client data
  • Processing calendar events, deadlines, and communications
  • Providing customer support and analytics
  • Ensuring security and compliance

3.2 Types of Personal Data

  • Identifiers (e.g., name, email, phone number, bar number)
  • Client and case data (e.g., documents, notes, annotations)
  • Usage data (e.g., search queries, page views)
  • Device information (e.g., IP address, browser type)

3.3 Categories of Data Subjects

  • Customers (e.g., attorneys, paralegals)
  • Clients of Customers
  • Other individuals included in documents or communications

3.4 Duration

Personal Data is processed for the duration of your account or as instructed by you, subject to the retention periods in the Privacy Policy (https://legalprizm.com/privacy).

4. OBLIGATIONS OF LEGALPRIZM

4.1 Compliance with Instructions

LegalPrizm will process Personal Data only on your documented instructions, unless otherwise required by Applicable Data Protection Laws. You may provide instructions via the Service or by emailing [email protected].

4.2 Confidentiality

LegalPrizm ensures that all employees and contractors processing Personal Data are bound by confidentiality obligations.

4.3 Security Measures

LegalPrizm implements technical and organizational measures to protect Personal Data, including:

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Multi-factor authentication
  • Regular security audits and penetration testing
  • Role-based access controls
  • Incident response plan

4.4 Data Breach Notification

In the event of a Personal Data breach, LegalPrizm will:

  • Notify you within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to data subjects
  • Provide details of the breach, affected data, and mitigation steps
  • Cooperate with you to address the breach

4.5 Sub-Processors

LegalPrizm may engage Sub-Processors listed at https://legalprizm.com/subprocessors. We will:

  • Inform you of any new Sub-Processors with at least 14 days' notice
  • Allow you to object within 7 days
  • Ensure Sub-Processors are bound by equivalent data protection obligations

4.6 Data Subject Requests

LegalPrizm will assist you in responding to data subject requests (e.g., access, erasure, portability) by providing relevant tools or information within 30 days, subject to reasonable fees for significant efforts.

4.7 Audits and Inspections

LegalPrizm will make available information necessary to demonstrate compliance with this DPA. Upon reasonable notice, you may conduct an audit (once per year) through a third-party auditor, subject to confidentiality agreements.

4.8 Data Deletion or Return

Upon termination of your account or your request, LegalPrizm will delete or return Personal Data within 90 days, unless required to retain it by law.

5. OBLIGATIONS OF THE CUSTOMER

You agree to:

  • Provide lawful instructions for processing Personal Data
  • Ensure compliance with Applicable Data Protection Laws
  • Obtain necessary consents or legal bases for processing
  • Notify LegalPrizm of any restrictions or requirements for Personal Data

6. INTERNATIONAL DATA TRANSFERS

For transfers of Personal Data outside the EEA or UK, LegalPrizm uses Standard Contractual Clauses (SCCs) approved by the European Commission and supplementary measures to ensure compliance. You authorize such transfers as necessary for the Service.

7. LIABILITY

LegalPrizm's liability for breaches of this DPA is subject to the limitations in Section 2.3 of the Terms of Service. You agree to indemnify LegalPrizm for any claims arising from your instructions or non-compliance with Applicable Data Protection Laws.

8. TERMINATION

This DPA remains in effect until termination of your use of the Service. Provisions that should survive termination (e.g., confidentiality, liability) will remain in effect.

9. INSURANCE AND COMPLIANCE

9.1 Cyber Liability Insurance

LegalPrizm maintains cyber liability insurance coverage of at least $5,000,000 USD to cover data breaches, security incidents, and related claims.

9.2 Compliance Certifications

We maintain or are working toward:

  • SOC 2 Type II certification (in progress)
  • ISO 27001 certification (planned)
  • HIPAA compliance (where applicable)

10. DATA DELETION CERTIFICATE

10.1 Certificate Provision

Upon deletion of Personal Data pursuant to Section 4.8, we will provide a Data Deletion Certificate confirming:

  • Date of deletion
  • Scope of data deleted
  • Method of deletion (secure erasure)
  • Confirmation that backups will be purged per retention schedule
  • Authorized signature from our Data Protection Officer

10.2 Exceptions

Deletion certificates exclude data we must retain for legal compliance, active litigation, or legitimate business purposes as documented.

11. TECHNICAL AND ORGANIZATIONAL MEASURES

11.1 Technical Measures (See Appendix A)

We implement technical security measures including but not limited to those detailed in Appendix A.

11.2 Organizational Measures

  • Background checks for employees with data access
  • Confidentiality agreements for all personnel
  • Annual security training
  • Access controls based on least privilege principle
  • Regular security audits and penetration testing

12. GOVERNING LAW

This DPA is governed by the laws of the State of Florida, excluding conflict of law principles, consistent with the Terms of Service.

13. CONTACT INFORMATION

VUGA Enterprises LLC d/b/a LegalPrizm

Address: 18117 Biscayne Blvd Unit 1039, Aventura, FL 33160, United States
Email: [email protected]
Phone: 786-967-6544

APPENDIX A: TECHNICAL SECURITY MEASURES

Encryption

  • At Rest: AES-256 encryption for all databases and file storage
  • In Transit: TLS 1.3 minimum for all data transmission
  • Field-Level: Client-side encryption for PII using AWS KMS
  • Key Management: AWS Key Management Service with automatic rotation

Access Controls

  • Authentication: Multi-factor authentication (MFA) required for administrative access
  • Authorization: Role-based access control (RBAC) with least privilege
  • Session Management: Automatic timeout after 15 minutes of inactivity
  • Password Policy: Minimum 12 characters, complexity requirements, 90-day rotation

Network Security

  • Firewalls: AWS Web Application Firewall (WAF)
  • DDoS Protection: Cloudflare DDoS mitigation
  • Network Segmentation: VPC with private subnets
  • Intrusion Detection: AWS GuardDuty and CloudWatch

Data Protection

  • Backup: Daily automated backups with 30-day retention
  • Disaster Recovery: Cross-region replication with RTO of 4 hours, RPO of 1 hour
  • Data Isolation: Logical separation of customer data
  • Secure Deletion: DoD 5220.22-M standard (3-pass overwrite)

Monitoring and Logging

  • Audit Logs: Immutable logs of all data access and modifications
  • Security Monitoring: 24/7 automated monitoring with Datadog
  • Incident Response: Documented incident response plan with 1-hour response time
  • Vulnerability Scanning: Weekly automated scans, quarterly penetration testing

Physical Security

  • Data Centers: AWS SOC 2 certified facilities
  • Access Control: Biometric authentication and 24/7 surveillance
  • Environmental Controls: Redundant power, cooling, and fire suppression
  • Media Destruction: Secure disposal of hardware per NIST 800-88

Development Security

  • Code Review: All code peer-reviewed before deployment
  • Security Testing: SAST/DAST in CI/CD pipeline
  • Dependency Scanning: Automated vulnerability scanning of dependencies
  • Secure Development: OWASP Top 10 compliance