Trust & Compliance / Data Processing Addendum
Data Processing Addendum
Version 1.0 · Effective 8 May 2026
Preamble
This Data Processing Addendum (the "DPA") forms part of the agreement between the customer ("Customer") and Legalink Tech Solutions LLP, a limited liability partnership registered in India with its registered office at House No. 43, Sector 7A, Ballabgarh, Faridabad – 121006, Haryana, India and operating as "LegalInk AI" ("LegalInk"), under which LegalInk provides the LegalInk AI services (the "Services") to the Customer (the "Agreement").
This DPA reflects the parties' agreement on the processing of Customer Personal Data in connection with the Services and is aligned with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and, where applicable, comparable international data-protection laws. In the event of any conflict between this DPA and the Agreement on the subject of data protection, this DPA prevails.
1. Definitions
1.1 "Customer Personal Data" means any Personal Data that LegalInk processes on behalf of the Customer in connection with the Services.
1.2 "Data Principal" has the meaning given in the DPDP Act — the natural person to whom Personal Data relates.
1.3 "Data Fiduciary" has the meaning given in the DPDP Act — the person who determines the purpose and means of processing.
1.4 "Data Processor" means a person who processes Personal Data on behalf of a Data Fiduciary.
1.5 "Personal Data" has the meaning given in the DPDP Act and, where applicable, in any other data-protection law to which the Customer is subject.
1.6 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
1.7 "Processing" means any operation performed on Personal Data, whether automated or not.
1.8 "Subprocessor" means any third party engaged by LegalInk to process Customer Personal Data in connection with the Services.
1.9 "TOMs" means the technical and organisational measures set out in Exhibit C.
2. Roles and scope
2.1 The parties acknowledge that, in respect of Customer Personal Data, the Customer acts as the Data Fiduciary and LegalInk acts as the Data Processor.
2.2 LegalInk shall process Customer Personal Data only on the documented instructions of the Customer, including those set out in the Agreement, the Services configuration, and this DPA, except where required to do otherwise by Indian law.
2.3 Where LegalInk processes data of its visitors and account holders for its own purposes (account administration, billing, security, product analytics), LegalInk acts as a Data Fiduciary in its own right. That processing is governed by LegalInk's Privacy Policy and is outside the scope of this DPA.
2.4 This DPA applies only for so long as LegalInk processes Customer Personal Data on the Customer's behalf.
3. Subject matter, nature, and duration of processing
3.1 Subject matter. LegalInk's processing of Customer Personal Data for the purpose of providing the Services to the Customer.
3.2 Nature and purpose. Generation, drafting, analysis, storage, and delivery of legal documents and conversational AI assistance, together with related account, billing, and security operations.
3.3 Categories of Data Principals. The Customer's authorised users, the Customer's clients and counterparties named in documents the Customer creates, and any other natural persons whose Personal Data the Customer chooses to include in inputs to the Services.
3.4 Categories of Personal Data. Identification data (names, contact details), professional data (firm, role), document content (which may contain any category of Personal Data the Customer chooses to include), authentication metadata, and usage logs.
3.5 Duration. For the term of the Agreement, plus the residual periods set out in the LegalInk Document Retention Policy and Exhibit B to this DPA.
4. LegalInk's obligations as Data Processor
4.1 Documented instructions. LegalInk shall process Customer Personal Data only on the Customer's documented instructions, and shall promptly inform the Customer if, in its opinion, an instruction infringes the DPDP Act or any other applicable data-protection law.
4.2 Confidentiality. LegalInk shall ensure that personnel authorised to process Customer Personal Data are bound by written confidentiality obligations.
4.3 Security. LegalInk shall implement and maintain the TOMs set out in Exhibit C, designed to provide a level of security appropriate to the risk.
4.4 No training on customer data. LegalInk shall not, and shall ensure its Subprocessors shall not, use Customer Personal Data to train, fine-tune, or improve any AI model. Enterprise API tiers with contractual no-training terms are used with all model providers.
4.5 Assistance to the Customer. Taking into account the nature of the processing, LegalInk shall provide reasonable assistance to the Customer in fulfilling the Customer's obligations to respond to Data Principal requests under DPDP §11, and in meeting the Customer's security, breach-notification, and data-protection-impact-assessment obligations.
4.6 Records. LegalInk shall maintain reasonable records of its processing activities under this DPA and make them available to the Customer on reasonable written request.
4.7 Notification of regulatory contact. LegalInk shall notify the Customer without undue delay if it receives a binding order from a regulator or law-enforcement authority requiring disclosure of Customer Personal Data, unless legally prohibited from doing so.
5. Subprocessors
5.1 General authorisation. The Customer provides general written authorisation for LegalInk to engage Subprocessors to process Customer Personal Data, subject to this Section 5.
5.2 Current list. The current list of Subprocessors is published at legalink.co.in/trust/subprocessors and reproduced in summary form in Exhibit A. The published list is the live source of truth.
5.3 Notice of change. LegalInk shall provide Enterprise customers with at least 30 days' prior notice of any intended addition or replacement of a Subprocessor.
5.4 Right to object. The Customer may object on reasonable data-protection grounds within the notice period. The parties shall work in good faith to resolve the objection. If unresolved, the Customer may terminate the affected portion of the Services on written notice without further liability.
5.5 Subprocessor terms. LegalInk shall impose on each Subprocessor data-protection obligations no less protective than those in this DPA, and shall remain liable to the Customer for any failure of a Subprocessor to perform those obligations.
6. Cross-border transfer
6.1 The Customer acknowledges that, as of the Effective Date, Customer Personal Data is processed and stored on Supabase infrastructure in the Tokyo region (ap-northeast-1).
6.2 AI reasoning and voice transcription Subprocessors process Customer Personal Data in the United States (see Exhibit A).
6.3 LegalInk shall conduct any cross-border transfer in accordance with the DPDP Act §16 and any rules notified by the Central Government, and shall apply contractual safeguards equivalent to those used by leading enterprise SaaS providers.
6.4 India (Mumbai) data residency is on LegalInk's Q4 2026 roadmap. LegalInk shall offer Enterprise customers an option to migrate to the India region within a reasonable period after general availability.
7. Personal Data Breach notification
7.1 LegalInk shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of a confirmed Personal Data Breach affecting Customer Personal Data.
7.2 The notification shall describe, to the extent then known: the nature and scope of the breach; the categories and approximate number of Data Principals and records affected; the likely consequences; and the measures taken or proposed to address the breach.
7.3 LegalInk shall provide a written post-mortem to the Customer within 7 days of containment.
7.4 LegalInk shall provide reasonable assistance to the Customer in fulfilling the Customer's own breach-notification obligations to the Data Protection Board of India and to affected Data Principals.
7.5 LegalInk does not currently maintain a formal CERT-In incident-notification framework; this is on the Q3 2026 roadmap and is disclosed openly.
8. Audits and inspections
8.1 LegalInk shall make available to the Customer on reasonable written request all information necessary to demonstrate compliance with this DPA.
8.2 Where the Customer reasonably requires further assurance, LegalInk shall respond in writing to the Customer's security and compliance questionnaires within a reasonable period (target: 48 hours for first response on substantive questionnaires).
8.3 Once LegalInk obtains a SOC 2 Type 1 report (Q3 2026 target) or equivalent independent attestation, the report shall be made available to Enterprise customers under NDA in lieu of on-site audit.
8.4 Any on-site audit prior to such attestation shall be conducted at the Customer's expense, on at least 30 days' written notice, no more than once in any 12-month period, and subject to reasonable scope, confidentiality, and security restrictions.
9. Return or deletion of Customer Personal Data
9.1 On termination of the Agreement, the Customer may, within 30 days, request export of Customer Personal Data in a machine-readable format. After that period, LegalInk shall delete Customer Personal Data in accordance with the Document Retention Policy.
9.2 Detailed retention periods, including statutory minimums, are set out in Exhibit B and in the live Document Retention Policy at legalink.co.in/trust/retention.
9.3 Where Indian statute (notably the Income Tax Act §44AA, the CGST Act §35, and the Companies Act §128) requires longer retention of billing and corporate records, the statutory minimum prevails.
9.4 Encrypted database backups operate on a 30-day rolling window. Residual copies in backups expire on that cycle and are not restored except in a verified disaster-recovery event. This limitation is disclosed openly.
9.5 On written request, LegalInk shall confirm in writing that deletion has been completed.
10. Liability
10.1 Each party's liability arising under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
10.2 Nothing in this DPA limits or excludes either party's liability where such limitation or exclusion is prohibited by applicable law.
10.3 The parties agree that any regulatory penalty levied on one party as a result of the other party's breach of this DPA shall be apportioned in proportion to fault.
11. Term and termination
11.1 This DPA takes effect on the Effective Date and continues for the term of the Agreement.
11.2 Provisions which by their nature should survive termination — including obligations on confidentiality, deletion, statutory record retention, and liability — shall survive termination.
12. Governing law and jurisdiction
12.1 This DPA is governed by the laws of India.
12.2 The courts at Mumbai, Maharashtra shall have exclusive jurisdiction over any dispute arising under this DPA, subject to either party's right to seek interim or injunctive relief in any court of competent jurisdiction.
12.3 Where applicable foreign data-protection law imposes a more protective standard on a category of Customer Personal Data, that standard shall apply to that category to the extent required by law.
13. Notices
All data-protection notices to LegalInk shall be sent in writing to support@legalink.ai, marked for the attention of the Data Protection contact. Notices to the Customer shall be sent to the email address on the Customer's account or to such other address as the Customer notifies in writing.
14. Update history
| Date | Version | Change | Reason |
|---|---|---|---|
| 8 May 2026 | 1.0 | Initial publication of Data Processing Addendum. | Trust & Compliance program launch. |
Exhibit A
Subprocessor List — summary
The live source of truth is published at legalink.co.in/trust/subprocessors.
| Category | Subprocessor | Region |
|---|---|---|
| AI Reasoning | Anthropic (Claude) | United States |
| AI Reasoning | Google (Gemini via Lovable AI Gateway) | United States |
| AI Reasoning / Voice | Groq (Whisper transcription) | United States |
| Infrastructure | Supabase | Tokyo, Japan (ap-northeast-1) |
| Infrastructure | Lovable | European Union |
| Payments | Razorpay | India |
| Resend | United States | |
| Analytics | Google Analytics 4 | United States |
| Error Monitoring | Internal (Supabase-hosted) | Tokyo, Japan |
Exhibit B
Document Retention Schedule — summary
Full schedule, statutory bases, and disclosures are published at legalink.co.in/trust/retention.
| Data Category | Retention Period |
|---|---|
| Drafts (saved documents) | Until customer deletes; 90 days post-closure |
| Chat history (Inka) | Until customer deletes thread; 90 days post-closure |
| Uploaded files (transient) | Purged within 24 hours unless attached to a draft |
| Voice audio | Not retained — discarded after transcription |
| Account profile | Lifetime + 90 days post-closure |
| Authentication metadata | 12 months rolling |
| Audit logs | 24 months |
| Application error logs (PII redacted) | 90 days |
| Edge function logs | 30 days |
| Invoices, GST records | 7 years (statutory minimum) |
| Support correspondence | 24 months |
| Encrypted database backups | 30-day rolling window |
Exhibit C
Technical and Organisational Measures
C.1 Access controls
Role-based access control across the application; row-level security policies in the database; least-privilege production access limited to authorised LegalInk personnel; access reviews on personnel change.
C.2 Encryption
TLS 1.2 or higher in transit; AES-256 at rest for primary database and backups; encryption keys managed by the infrastructure provider with provider-side rotation.
C.3 Network security
Edge termination at hardened endpoints; WAF and DDoS protection at the edge; restricted egress for production workloads.
C.4 Application security
Email verification and Google OAuth; password complexity rules; protection against common web vulnerabilities (OWASP Top 10) at framework and review level.
C.5 Operational security
Encrypted backups on a 30-day rolling window; monitored edge function execution; environment separation between development, preview, and production.
C.6 Incident management
72-hour customer notification target on confirmed breaches; written post-mortem within 7 days; centralised error logging with PII redacted server-side.
C.7 Personnel
Written confidentiality obligations for all personnel with production access; security awareness expectations communicated on engagement; access revoked promptly on departure.
C.8 Subprocessor management
Subprocessor due diligence on engagement; contractual data-protection obligations no less protective than this DPA; published Subprocessor list with 30 days' notice of change for Enterprise customers.
C.9 Roadmap measures
The following measures are on the published compliance roadmap. They are disclosed openly so the Customer can plan procurement against realistic dates.
| Measure | Target |
|---|---|
| India data residency (Mumbai region) | Q4 2026 |
| SOC 2 Type 1 audit | Q3 2026 (initiation) |
| ISO 27001 readiness | Q4 2026 |
| CERT-In incident-notification framework | Q3 2026 |
| SSO / SAML for Enterprise | Q4 2026 |
| SOC 2 Type 2 attestation | 2027 |
Acceptance
By accepting LegalInk's Terms of Service or executing a separate Master Services Agreement, the Customer accepts this DPA as part of the Agreement. For Enterprise customers requiring counter-signature, a counter-signed copy is available on written request to support@legalink.ai.