
Data Processing Agreement

1. Introduction

  1. This data processing agreement (the “DPA”) governs the processing of Personal Data in the course of the provision of the Services provided by Alice or its Affiliates to the Subscriber and forms part of the Agreement between the Parties.
    ‍
  2. This DPA regulates the Subscriber’s rights and obligations in its capacity as data controller or processor as well as Alice’s rights and obligations in its capacity as data processor or sub-processor when Alice processes Personal Data on behalf of the Subscriber under the Agreement.
    ‍
  3. The purpose of this DPA is to regulate the processing of Personal Data in accordance with the requirements set forth by Applicable Data Protection Laws. Concepts, terms, and expressions in this DPA shall be interpreted in accordance with Applicable Data Protection Laws (as defined below).
    ‍
  4. In case of any conflict between the rest of the Agreement and this DPA (including its appendices), the wording of this DPA shall prevail.
    ‍
  5. The following appendices shall form part of the DPA:
    ‍
    1. Appendix A – Specification of data processing
    2. Appendix B – Pre-approved sub-processors
    3. Appendix C – Security measures
      ‍
  6. Capitalized terms that are used but not defined in this document shall have the meaning set out in the Order Form or the Terms and Conditions Alice.
    ‍

2. Processing of personal data

  1. Alice undertakes to process Personal Data for purposes set forth in this DPA (including Appendix A) and following the Subscriber’s documented instructions, unless otherwise required by Applicable Data Protection Laws. The Subscriber’s instructions to Alice regarding the subject matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects, and the rights and obligations of both Parties are outlined in this DPA and in Appendix A.
    ‍
  2. As data processor, Alice shall use its best efforts to:
    ‍
    1. comply with all Applicable Data Protection Laws that are applicable to it as a processor of the Personal Data;
    2. cooperate with audits conducted by the Subscriber; and
    3. inform the Subscriber promptly if Alice determines that an instruction from the Subscriber violates Applicable Data Protection Laws.
      ‍
  3. As data controller, Subscriber undertakes that any transfer of Personal Data to Alice using the Services shall be made using secure, reasonable, and appropriate mechanisms for data transfers.
    ‍
  4. Alice shall, without undue delay, inform the Subscriber of any communication with any Data Protection Authority that relates to Alice’s processing of Personal Data under this DPA, and Alice will provide reasonable assistance to the Subscriber if the Subscriber receives a request from such authority or is subject to a regulatory investigation. In addition, if data subjects, competent authorities, or any other third parties request information from Alice regarding the processing of Personal Data covered by this DPA, Alice shall refer such requests to the Subscriber to the extent permissible under applicable law.
    ‍
  5. Alice shall provide reasonable assistance to the Subscriber, through appropriate technical and organizational measures, with the Subscriber’s compliance obligations to implement reasonable security procedures and practices appropriate to the nature of the Personal Data.
    ‍
  6. Alice’s assistance to the Subscriber in accordance with Clauses 2.4 and 2.5 will be provided at the Subscriber’s reasonable expense, unless the reason for the assistance is a direct result of an act or omission by Alice or its Affiliates.
    ‍
  7. Alice certifies that it will not:
    ‍
    1. retain, use, or disclose Personal Data outside the context of the relationship between Alice and the Subscriber, other than to provide the Services in accordance with the Agreement and this DPA, or as otherwise permitted by Applicable Data Protection Laws;
    2. sell or share Personal Data; or
    3. combine Personal Data Alice obtains in the performance of the Services with any personal information that Alice collects from other sources, except as permitted by Applicable Data Protection Laws.
      ‍

3. Obligations of the subscriber

  1. The Subscriber shall ensure that it has a valid legal basis, and all necessary rights, consents, and authorizations, to provide the Personal Data to Alice and to authorize Alice to process that Personal Data in accordance with this DPA, the Agreement and/or other processing instructions provided by the Subscriber to Alice.
    ‍
  2. The Subscriber shall comply with all Applicable Data Protection Laws that apply to it as controller of the Personal Data.
    ‍
  3. The Subscriber guarantees that it has implemented technical and organisational security measures before processing Personal Data.
    ‍
  4. The Subscriber shall limit the provision of Personal Data to Alice to what is necessary for the purpose of the Agreement. For example, the Subscriber shall not include Personal Data, other than technical contact information, in technical support tickets.

‍

4. Sub-processors

  1. Alice is, subject to Clauses 4.2 and 4.3, and Clause 5, entitled to engage subcontractors acting as sub-processors, under the condition that they are bound by a written agreement which materially imposes the same data processing obligations as the obligations under this DPA in respect of data protection.
    ‍
  2. A list of sub-processors that Alice already works with at the time of signing this DPA is attached as Appendix B to this DPA. By signing this DPA, the Subscriber approves the list of sub-processors.
    ‍
  3. Alice shall inform the Subscriber of any new sub-processors by updating the sub-processor list on www.alice.law/legal and give the Subscriber the opportunity to object to such changes. Such objections by the Subscriber shall be based on reasonable grounds regarding the new sub-processor’s ability to comply with Applicable Data Protection Laws and be made in writing within 10 days from posting. Alice may not engage a new sub-processor before the 10-day period has ended. Alice shall upon request provide the Subscriber with such information available to Alice that the Subscriber may reasonably request to assess the new sub-processor’s ability to comply with Applicable Data Protection Laws. If Alice, despite the Subscriber’s objection, wishes to engage the sub-processor, the Parties shall in good faith discuss and try to find an alternative solution which is reasonably acceptable to both Parties. If the Parties cannot find an alternative solution and the Subscriber still objects to the appointment of the sub-processor, and if the Subscriber’s objection would result in additional costs or expenses for Alice, then Alice is entitled to adjust its fees under the Agreement to ensure that Alice is compensated for such additional and/or increased costs or expenses. Notwithstanding the previous sentence, if the Subscriber’s objection would result in costs or operational consequences which, in Alice’s opinion, would not be commercially reasonable, Alice may terminate the Agreement upon reasonable written notice.

‍

5. Third country transfers

  1. The Subscriber acknowledges that it may transfer Personal Data or make Personal Data available by remote access to Alice in the EU, in order for Alice to provide the Services.
    ‍
  2. Alice may transfer the Personal Data outside the European Economic Area (EEA) to the extent that this is done in accordance with Chapter V of the GDPR (i.e., a European Commission adequacy decision, European Commission standard provisions for the transfer of Personal Data to Processors in third countries (2021/914/EU), binding corporate rules, approved codes of conduct, approved certification mechanisms, or any other valid instrument for transfer as referred to in Art. 46 of the GDPR), and in strict compliance with the obligations that follow from the Schrems-II judgment of 16 July 2020 of the European Court of Justice and the (European and national) guidelines on data transfers outside the EEA that supervisory authorities have adopted in this regard.

‍

6. Information security and confidentiality

  1. To maintain an adequate level of security for the protection of Personal Data, and without prejudice to the information security and confidentiality obligations which otherwise follow from the Agreement, Alice commits to the appropriate technical and organizational measures described in Appendix C.
    ‍
  2. Alice shall protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. The Personal Data shall also be protected against other forms of unlawful processing.
    ‍
  3. Alice shall ensure that only staff and other representatives who require access to Personal Data to fulfil Alice’s obligations under the Agreement have access to such information. Alice shall guarantee that all persons authorized to process the Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

‍

7. Data breach notifications

  1. Alice shall inform the Subscriber without undue delay and at the latest within 72 hours from becoming aware of a Personal Data breach.
    ‍
  2. Alice shall assist the Subscriber with any information reasonably required to fulfil the Subscriber’s data breach notification requirements under Applicable Data Protection Laws. Any costs associated with such assistance will be subject to the limitations of liability in the General Terms and Conditions.

‍

8. Data protection impact assessments and prior consultations

Alice shall, at the Subscriber’s reasonable expense, considering the nature of the processing and the information available to Alice, assist the Subscriber in fulfilling the Subscriber’s obligation to, when applicable, carry out data protection impact assessments and prior consultations with the Data Protection Authority.

‍

9. Audit rights

  1. Subscriber shall have the right to perform at its own cost audits of Alice’s processing of Subscriber’s Personal Data to verify Alice’s compliance with this DPA. This audit right is limited to once every Term or Renewal Term.
    ‍
  2. The Subscriber engages a third-party auditor to conduct the audit. This third-party auditor must be mutually agreed to by the Subscriber and Alice (except if such third party is a Regulator).
    ‍
  3. To request an audit, the Subscriber must submit a detailed proposed audit plan to Alice at least one (1) month in advance of the proposed audit date. The proposed audit plan must describe the identity of the proposed third-party auditor, the proposed scope, duration, and start date of the audit. Alice will review the proposed audit plan and provide the Subscriber with any concerns or questions. Alice will work cooperatively with the Subscriber to agree on a final audit plan within a reasonable timeframe.
    ‍
  4. The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and Alice’s health and safety or other relevant policies and may not unreasonably interfere with Alice’s business activities.
    ‍
  5. Upon completion of the audit, Subscriber will provide Alice with a copy of the audit report, which is subject to the confidentiality terms of the Agreement. The Subscriber may use the audit reports only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this Data Processing Agreement. Alice undertakes to make available to the Subscriber all reasonable information and other assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, conducted by an authorized and reputable auditor mandated by the Subscriber, provided that the individuals performing the audits enter into confidentiality agreements or are bound by statutory obligations of confidentiality.
    ‍
  6. In this context, it is noted that among Alice’s customers there may be entities which are subject to statutory and/or bar association rules on confidentiality in relation to client/customer matters (e.g. banks, financial institutions, law firms, etc.). Hence, the Subscriber acknowledges that audits under this DPA shall not include access to information pertaining or belonging to Alice’s other customers.

‍

10. Term of agreement

The provisions of this DPA shall apply as long as Alice processes Personal Data for which the Subscriber is data controller or until such time as this DPA is replaced with another data processing agreement.

‍

11. Measures upon completion of processing of personal data

  1. Before the expiration of this DPA, Alice shall, at the choice and instruction of the Subscriber, securely delete or return all Personal Data to the Subscriber, unless Applicable Data Protection Laws require Alice to store the Personal Data, in which case the obligations set out in Clause 11.3 (i)–(iii) shall apply.
    ‍
  3. If Alice is legally required to retain archival copies of any specific data belonging to the Subscriber for tax or similar regulatory purposes, Alice shall:
    1. inform the Subscriber thereof in writing specifying the legal obligation and the affected Subscriber data,
    2. not use the archived information for any other purpose than to strictly comply with the applicable legal obligation; and
    3. remain bound by its obligations under the Agreement, including this DPA, including its confidentiality and security obligations under the Agreement and the obligations under this DPA to protect the information using appropriate safeguards and to notify the Subscriber of any security incident involving the information.

‍

12. Amendments

  1. Any amendments to this DPA shall, to be valid, be agreed in writing and duly signed by authorized representatives of both Parties.
    ‍
  2. Notwithstanding Clause 12.1, the Subscriber is entitled to make updates to its written instructions regarding the processing set out in Appendix A. Alice shall be entitled to remuneration for any reasonable and verified additional costs that Alice incurs due to the Subscriber having made amendments to its written instructions regarding the processing. Notwithstanding the aforesaid, no remuneration shall be payable due to amendments in the written instructions directly due to, or directly based on, regulatory requirements.

‍

13. Liability

The liability provisions and limitations thereof set out in the Terms and Conditions shall apply to this DPA.

‍

14. Governing law and settlement of disputes

  1. Except as otherwise required by Applicable Data Protection Laws, this DPA shall be governed by and construed in accordance with the governing law provision in the Terms and Conditions.
    ‍
  2. Any dispute, controversy, or claim arising out of or in connection with this DPA, or the breach, termination, or invalidity thereof, shall be finally settled in accordance with the dispute resolution provision set out in the Terms and Conditions.

‍

13. Liability

“Applicable Data Protection Laws” means any nationally binding data protection laws, case law, and regulations, including those (i) applicable within the European Union (the “EU”), including the EU General Data Protection Regulation (“EU GDPR”), and all other privacy and data protection laws of the European Economic Area (“EEA”) and applicable subordinate legislation and regulations implementing those laws in (i) and (ii), as amended and supplemented from time to time.

“Data Protection Authority” means a regulatory authority, supervisory authority, or other government agency authorized to enforce Applicable Data Protection Laws.

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The terms “data controller” and “data processor” have the meanings accorded to them under Applicable Data Protection Laws.

‍

‍

Appendix A - Specifications of data processing

1. Subject matter and purposes of the processing

  1. Alice provides teams with an AI workspace for legal work through a SaaS solution. The services means the usage and provision of the Alice AI platform (“Alice Platform”), a web-based legal AI assistant, which comprises a cloud service accessible via a web interface through a browser and/or desktop app (the “Alice Webapp”) and the plugin for Microsoft Word (the “Alice Add-on”), which connects the Subscriber’s Microsoft Word software to Alice’s webapp for case analysis and legal drafting based on input filed on the Alice Webapp.
    ‍
  2. Alice shall process Personal Data on behalf of the Subscriber for the purpose of providing the Services under the Agreement. Alice’s processing of Personal Data on behalf of the Subscriber will be as necessary to perform the Services, and as further legal applications based.

‍

2. Data subjects

Individuals included in Subscriber content, i.e. natural persons who are mentioned or otherwise included in the Subscriber’s input data submitted to the Alice Platform.

‍

3. Personal data

Name, title, email or other personal data submitted in search queries, prompt queries, or documents uploaded into the Services.

‍

4. Duration of processing

Alice’s processing of Personal Data on the Subscriber’s behalf will continue until the expiration or termination of the Agreement or as otherwise agreed between the Parties.

‍

‍

Appendix B - Pre-approved sub-processors

‍

For each sub-processor that we use, we apply the principle of least privilege. This means that each third-party system shall only have access to the minimum data required to fulfil its purpose.

| Sub-processor | Purpose | Data categories processed | Location | Entity and address |
|---|---|---|---|---|
| Microsoft Azure | Cloud infrastructure, data processing and storage | Personal data included in Subscriber Content | EU/EEA | Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Dublin 18, Ireland |
| OpenAI | LLM/AI services and vector search | Personal data included in Subscriber Content | EU/EEA (where applicable) | OpenAI Ireland Ltd, 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, Ireland |
| Auth0 (Okta) | Authentication services | Authentication-related personal data | EU/EEA | Okta Ireland Limited, 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland |
| Aikido Security* | Vulnerability management | No user data processed | EU | Aikido Security BV, Visverkopersstraat 13, 9000 Gent, Belgium |
| Sentry* | Error monitoring and debugging | No user data processed | EU or US | Functional Software, Inc. (d/b/a Sentry), 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA |

Appendix C - Security measures

1. Alice is an AI platform

This document describes the technical and organizational security measures and controls implemented by Alice to protect Personal Data and ensure the ongoing confidentiality, integrity and availability of Alice’s products and services. More details on the measures we implement are available upon request. Alice reserves the right to revise these technical and organizational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for Personal Data that Alice processes in providing its products and services.

‍

2. How Alice works

The Alice AI Platform is a legal AI workspace that comprises a cloud service accessible via a web interface through a browser and/or desktop app, plug-ins, add-ins to other software, and any ancillary documentation and modules provided by Alice. The Alice AI Platform is used for streamlining legal work and the Subscriber’s documents. The platform is an all-in-one solution for teams to work with legal inquiries and simplify legal workflows seamlessly.

‍

3. Sub-processors

Alice engages carefully vetted sub-processors for specific purposes. For a list of sub-processors, please see Appendix B Pre-approved Sub-processors.

‍

4. Supplier relationship management

Alice ensures that identified security requirements are met by external suppliers during the procurement process. A contract with a chosen supplier addresses the demands on the supplier's IT environment and information security measures. The supplier shall present and account for their technology, routines, and processes as well as IT and information security policies. Alice conducts regular control of suppliers' access rights and other aspects of the agreement with the supplier. Suppliers agree to carry out assignments in compliance with the provisions specified in applicable laws and regulations in the countries where the assignments are performed.

‍

5. System access control

Measures that prevent unauthorized persons from using IT systems and processes:

  1. When provisioning access, Alice adheres to the principle of least privilege and role-based permissions — meaning our employees are only authorized to access data that they reasonably must handle in order to fulfil their job responsibilities.
    ‍
  2. Alice utilizes multi-factor authentication for access to systems with highly confidential data, including our production environment which houses Personal Data.

‍

6. Physical access control

Measures to prevent physical access of unauthorized persons to IT systems that handle Personal Data:

  1. Alice partners with industry-leading data center and cloud infrastructure providers. Access to all data centers is strictly controlled. All data centers are equipped with 24x7x365 surveillance and biometric access control systems.
    ‍
  2. Data centers are equipped with at least N+1 redundancy for power, networking, and cooling infrastructure.
    ‍
  3. Alice replicates data across separate, physically independent, and highly secure Microsoft Azure locations, ensuring high availability, and protection from local failures such as power outages and fires.
    ‍
Measures to prevent physical access of unauthorized persons to physical office locations:

  1. Alice ensures that only authorized persons can access physical office locations through comprehensive access management consisting of redundant key-card access points. This is done by third-party office providers.
  2. Alice ensures effective and immediate onboarding and offboarding of employees, contractors, and third parties, including the security training of said personnel and immediate return and/or destruction of sensitive documents and access cards upon termination.

‍

7. Data access control

Measures to ensure that persons authorized to use Alice have access only to the Personal Data under their access rights:

  1. Alice enforces password complexity to match OWASP password recommendations to ensure strong passwords are used.
    ‍
  2. Recovery of lost passwords is done by requesting a signed link to the user’s email account — no passwords are sent in plain text over email, chat, phone, or any other communication method.
    ‍
  3. Alice ensures passwords are hashed (and salted) securely using bcrypt according to best practices, and upon the Subscriber’s request, requires single sign-on (SSO) powered by SAML 2.0, for secure user authentication.
  4. Alice uses best-practice tools for vulnerability scanning, malicious activity detection, and blocks suspicious behavior automatically.
    ‍
  5. Alice utilizes firewalls to segregate unwanted traffic from entering the network and keeps internal systems in separate subnetworks with no outside access.

‍

8. Transmission access control

Measures to ensure that Personal Data cannot be read, copied, altered, or deleted by unauthorized persons during electronic transmission or during transport or storage on data media and that those areas can be controlled and identified where transmission of Personal Data is to be done via data transmission systems:

  1. The Subscriber data at rest is encrypted with AES-256 or other algorithms with the same encryption strengths, and data in transit is encrypted with at least TLS 1.2.
    ‍
  2. Alice is alerted to encryption issues through periodic risk assessments and third-party penetration tests. Alice performs third-party penetration tests on an annual basis, or as needed due to changes in the business.
  3. We also sign the data to ensure its integrity.

Entry control

Measures to ensure that it can be subsequently reviewed and determined if and from whom Personal Data was entered, altered, or deleted in the IT system:

  1. Systems are monitored for security events to ensure quick resolution.
  2. Logs are centrally stored and indexed. Critical logs, such as security logs, are retained for at least 12 months. Logs can be traced back to individual unique usernames with timestamps to investigate nonconformities or security events.

‍

9. Availability control

Measures to ensure that Personal Data are protected against accidental destruction or loss:

  1. Alice saves a full backup copy of production data every 4 hours to ensure rapid recovery in the event of a large-scale disaster. Incremental/point-in-time recovery is available for all primary databases. Backups are encrypted in transit and at rest using strong encryption.

  2. Alice’s patch management process ensures that systems are patched in time according to threat level. Monitoring, alerting, and routine vulnerability scanning occur to ensure that all product infrastructure is patched consistently.
    ‍
  3. When necessary, Alice patches infrastructure in an expedited manner in response to the disclosure of critical vulnerabilities to ensure system uptime is preserved.
    ‍
  4. The Subscriber environments are logically separated at all times. The Subscriber is not able to access accounts other than those given authorization credentials.

‍

10. Separation control

Measures to ensure that Personal Data collected for different purposes can be processed separately:

  1. Alice employs different data processing systems for different purposes. These systems are architecturally (logically and physically) separated. All systems require valid authorization to be accessed.
    ‍
  2. To ensure against the unintentional amalgamation of data, Alice separates development, testing, staging, and production environments.

‍

11. Risk management

Measures to ensure appropriate risk management include but are not limited to:

  1. Alice conducts periodic reviews and assessments of risks, monitoring and maintaining compliance with Alice’s policies and procedures.
    ‍
  2. Alice ensures periodic, effective reporting of information security conditions and compliance to senior internal management.
    ‍
  3. Alice hosts periodic security risk management training, including but not limited to data protection for all employees, including an initial onboarding training for new employees to review and ensure compliance with up-to-date security risk management procedures and policies.
    ‍
  4. Alice maintains a central IT policy covering guidelines for Internet usage.

‍

12. Operations security

Measures to ensure that appropriate operations security safeguards against malicious code are in place include but are not limited to:

  1. Alice has different systems and methods to protect the IT infrastructure against malicious code, including various antivirus scanners, spam filters, security updates, and training.
    ‍
  2. Alice uses active monitoring to ensure that antivirus scanners and spam filters are active and updated.
    ‍
  3. Alice actively installs the latest security updates on systems and applications to minimize the risk for exploitation of vulnerabilities.

‍

13. Security regarding personnel

Measures to ensure that Alice’s personnel comply with applicable laws and regulations and abide by the relevant terms and conditions of supplier and customer agreements:

  1. Alice’s personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Alice conducts reasonably appropriate background checks in relation to the employee’s role to the extent legally permissible.
    ‍
  2. Personnel is required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Alice’s confidentiality and privacy policies. Personnel is provided with security training. Alice’s personnel will not process customer data without authorization.

‍

14. Retention of personal data

During the term of the DPA, the Personal Data processed by Alice will be subject to the retention requirements instructed from time to time by the Subscriber. After the termination or expiration of the DPA, Clause 11 of the DPA shall apply.

© 2025 Alice.law. All rights reserved.