
UK GDPR · Article 28

Data Processing Agreement (customer template)

This DPA applies between LawFuze AI Systems Limited (Processor) and your firm (Controller) whenever LawFuze processes personal data on your behalf under UK GDPR Article 28. A pre-filled, counter-signed copy is available for every firm — including beta participants — within two working days of request to legal@lawfuze.com.

Last updated: 17 May 2026 · Next review: 17 May 2027

How to use this template

Email legal@lawfuze.com with the subject "Customer DPA request" and the legal name of your firm. We send back a pre-filled DPA (DocuSign) within two working days. Customers do not need to append the SCCs to this template; the UK IDTAs are incorporated beneath it via Schedule 3.

1. Subject matter, duration, nature & purpose

LawFuze processes personal data submitted by Controller to provide the LawFuze platform: legal-research AI assistance, document drafting, matter management, time recording, audit logging and related services. Processing lasts for the duration of the underlying service agreement plus a grace period for export and deletion under Section 8 of this DPA.

2. Types of personal data & categories of data subject

  • Solicitor users: name, email, SRA number, firm name, role, login metadata, audit-log entries.
  • Client matter parties (uploaded by Controller): name, contact details, any personal data necessary for the matter, including potentially special-category data such as health or biometric data where the matter requires.

3. Controller obligations

Controller warrants that it has a lawful basis for processing each item of personal data and has provided the necessary privacy information to data subjects. Controller is responsible for responding to data-subject requests in the first instance and may instruct Processor to assist via dpo@lawfuze.com.

4. Processor obligations

  • Process personal data only on documented instructions from Controller, including the Controller's prompts and uploads to the platform.
  • Ensure persons authorised to process personal data are bound by confidentiality.
  • Implement appropriate technical and organisational measures, as described in Schedule 2 (Security Measures).
  • Assist Controller in responding to data-subject requests under UK GDPR Articles 12 to 23.
  • Notify Controller without undue delay (within 24 hours of discovery) of any personal data breach.
  • Make available to Controller all information necessary to demonstrate compliance with Article 28 and allow for audits with reasonable notice.

5. Sub-processors

Controller grants general authorisation for the sub-processors listed at /privacy/sub-processors. Processor gives at least 30 days' notice on that page of any new sub-processor handling personal data. Controller may object by emailing dpo@lawfuze.com.

6. International transfers

Where personal data is transferred outside the UK or EEA, Processor relies on the ICO International Data Transfer Agreement (IDTA), supported by a published Transfer Risk Assessment. Specific transfers are listed in Schedule 3 (Cross-Border Transfers).

7. Security measures (Schedule 2 summary)

  • UK data residency on Microsoft Azure UK South.
  • TLS 1.3 in transit, AES-256 at rest, Azure Key Vault for secrets.
  • Tenant isolation at database and search-index level.
  • Append-only audit log with DB-level triggers blocking UPDATE/DELETE.
  • Role-based access control: three fully shipped firm-facing access tiers (Admin / Solicitor / Staff) plus minimum-scaffold Client and Guest tiers; four SRA compliance designations (COLP / COFA / Barrister / CILEX Legal Executive) carried in the permissions JWT and gated behind mandatory MFA; least-privilege defaults throughout.
  • Daily encrypted backups, quarterly restore tests.
  • SSO with optional SAML / OIDC; MFA mandatory for admin tiers.
  • Vulnerability scanning on every deployment; pen test annually.

8. Return or deletion of personal data

On termination, Processor returns or deletes all personal data within 30 days, except for records Processor is legally required to retain (such as immutable audit-log entries for 6 years under SRA guidance).

9. Liability & indemnity

Liability under this DPA is subject to the limitations in the underlying service agreement.

10. Governing law

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction.

This page is a summary. The countersigned DPA that Controller receives is the legally operative document.

AI Disclaimer

LawFuze provides AI tools that support qualified legal professionals with research and drafting. AI outputs are not legal advice. Every AI output carries a confidence indicator and source citations, and must be reviewed by a qualified solicitor before reliance. The supervising solicitor — not the AI — remains responsible to the client under the SRA Code of Conduct.

Regulatory Notice

LawFuze is a technology platform and is not a law firm. We do not provide legal advice or legal services. Solicitors using LawFuze remain individually responsible for compliance with the SRA Standards and Regulations and the SRA Code of Conduct. Use of AI tools does not diminish a solicitor's duty to their clients or professional obligations.

Data Protection

LawFuze processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Customer data is stored in the UK on Microsoft Azure (UK South region). AI inference uses named sub-processors in the EU and US; where data flows outside the UK/EEA we rely on ICO International Data Transfer Agreements (IDTAs) supported by published Transfer Risk Assessments — treat IDTA execution as an in-progress control until each is signed and filed. The current sub-processor list and IDTA status of each is published on our sub-processor register. For data subject rights including access, rectification, erasure, and portability, contact legal@lawfuze.com.

Security & Compliance Roadmap
  • ICO controller registration · Live
  • UK GDPR aligned · Live
  • DPIA + ROPA published · Live
  • legislation.gov.uk + TNA Find Case Law (OGL v3.0, read use) · Live
  • Cyber Essentials Plus · In progress
  • Computational Analysis Licence (case law AI/search index use) · In progress
  • PII / Cyber / D&O insurance · In progress
  • ISO 27001 · On roadmap
  • SOC 2 Type II · On roadmap

Certifications in progress or on the roadmap are not current attestations. We publish certificate references only once an accredited body has issued them.

© 2026 LawFuze Ltd. All rights reserved.

Registered in England & Wales • Company No. 16800372 • Registered Office: 4 Enriqueta Rylands Close, Stretford, Manchester, M32 0NW

Founded by Sake Nagarjuna Naidu — built in Manchester for UK solicitors.

ICO controller registration ZC147676 (14 May 2026 — 13 May 2027) — listed on the Trust Center. VAT registration in progress; reference will be added on receipt.

Data Protection Officer: dpo@lawfuze.com · Security: security@lawfuze.com · Complaints: /complaints