
UK GDPR · Article 28

Data Processing Agreement (customer template)

This DPA template applies between LawFuze AI Systems Limited (the Processor) and your firm (the Controller) when LawFuze processes personal data on your behalf. A counter-signed copy is available on request for any firm, including beta participants.

Last updated: 17 May 2026 · Next review: 17 May 2027

How to use this template

Email legal@lawfuze.com with the subject "Customer DPA request" and the legal name of your firm. We send back a pre-filled DPA (DocuSign) within two working days. Customers do not need to add the SCCs to this template — UK IDTAs sit underneath via Schedule 3.

1. Subject matter, duration, nature & purpose

LawFuze processes personal data submitted by Controller to provide the LawFuze platform: legal-research AI assistance, document drafting, matter management, time recording, audit logging and related services. Processing lasts for the duration of the underlying service agreement plus a grace period for export and deletion under Section 8 of this DPA.

2. Types of personal data & categories of data subject

  • Solicitor users: name, email, SRA number, firm name, role, login metadata, audit-log entries.
  • Client matter parties (uploaded by Controller): name, contact details, any personal data necessary for the matter, including potentially special-category data such as health or biometric data where the matter requires.

3. Controller obligations

Controller warrants that it has a lawful basis for processing each item of personal data and has provided the necessary privacy information to data subjects. Controller is responsible for responding to data-subject requests in the first instance and may instruct Processor to assist via dpo@lawfuze.com.

4. Processor obligations

  • Process personal data only on documented instructions from Controller, including the Controller's prompts and uploads to the platform.
  • Ensure persons authorised to process personal data are bound by confidentiality.
  • Implement appropriate technical and organisational measures, as described in Schedule 2 (Security Measures).
  • Assist Controller in responding to data-subject requests under UK GDPR Articles 12 to 23.
  • Notify Controller without undue delay (within 24 hours of discovery) of any personal data breach.
  • Make available to Controller all information necessary to demonstrate compliance with Article 28 and allow for audits with reasonable notice.

5. Sub-processors

Controller grants general authorisation for the sub-processors listed at /privacy/sub-processors. Processor gives at least 30 days' notice on that page of any new sub-processor handling personal data. Controller may object by emailing dpo@lawfuze.com.

6. International transfers

Where personal data is transferred outside the UK or EEA, Processor relies on the ICO International Data Transfer Agreement (IDTA), supported by a published Transfer Risk Assessment. Specific transfers are listed in Schedule 3 (Cross-Border Transfers).

7. Security measures (Schedule 2 summary)

  • UK data residency on Microsoft Azure UK South.
  • TLS 1.3 in transit, AES-256 at rest, Azure Key Vault for secrets.
  • Tenant isolation at database and vector-store level.
  • Append-only audit log with DB-level triggers blocking UPDATE/DELETE.
  • Role-based access control with six tiers, least-privilege defaults.
  • Daily encrypted backups, quarterly restore tests.
  • SSO with optional SAML / OIDC; MFA mandatory for admin tiers.
  • Vulnerability scanning on every deployment; pen test annually.

8. Return or deletion of personal data

On termination, Processor returns or deletes all personal data within 30 days, except for records Processor is legally required to retain (such as immutable audit-log entries for 6 years under SRA guidance).

9. Liability & indemnity

Liability under this DPA is subject to the limitations in the underlying service agreement.

10. Governing law

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction.

This page is a summary. The countersigned DPA that Controller receives is the legally operative document.

AI Disclaimer

LawFuze provides AI-powered tools designed to assist qualified legal professionals. AI outputs are for informational purposes only and do not constitute legal advice. All AI-generated analysis includes confidence scores and source citations and should be independently verified by a qualified solicitor before reliance. LawFuze does not replace the professional judgement of a regulated legal practitioner.

Regulatory Notice

LawFuze is a technology platform and is not a law firm. We do not provide legal advice or legal services. Solicitors using LawFuze remain individually responsible for compliance with the SRA Standards and Regulations and the SRA Code of Conduct. Use of AI tools does not diminish a solicitor's duty to their clients or professional obligations.

Data Protection

LawFuze processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Customer data is stored in the UK on Microsoft Azure (UK South region). AI inference uses named sub-processors in the EU and US; where data flows outside the UK/EEA we rely on ICO International Data Transfer Agreements (IDTAs) supported by published Transfer Risk Assessments — treat IDTA execution as an in-progress control until each is signed and filed. The current sub-processor list and IDTA status of each is published on our sub-processor register. For data subject rights including access, rectification, erasure, and portability, contact legal@lawfuze.com.

Security & Compliance Roadmap

  • ICO controller registration · Live
  • UK GDPR aligned · Live
  • DPIA + ROPA published · Live
  • Cyber Essentials Plus · In progress
  • Computational Analysis Licence (case law) · In progress
  • PII / Cyber / D&O insurance · In progress
  • ISO 27001 · On roadmap
  • SOC 2 Type II · On roadmap

Certifications in progress or on the roadmap are not current attestations. We publish certificate references only once an accredited body has issued them.

© 2026 LawFuze Ltd. All rights reserved.

Registered in England & Wales • Company No. 16800372 • Registered Office: 4 Enriqueta Rylands Close, Stretford, Manchester, M32 0NW

ICO data-protection registration confirmed (May 2026) — registration number published on the Trust Center. VAT registration in progress; reference will be added on receipt.

Data Protection Officer: dpo@lawfuze.com · Security: security@lawfuze.com · Complaints: /complaints