# Data Processing Agreement (template)

**Version:** March 28, 2026  
**Status:** Template for legal review before signature  
**Important:** This template is a starting point only and is not legal advice.

This Data Processing Agreement ("DPA") is entered into between:

- **Controller / Customer:** `[Insert customer legal name]`
- **Processor / Provider:** `[Insert StrataIndex legal entity name]`

This DPA forms part of and is incorporated into the applicable order form, master services agreement, or other written agreement between the parties covering the StrataIndex service (the **"Main Agreement"**).

## 1. Purpose and scope

This DPA applies where the Processor processes Personal Data on behalf of the Controller in connection with the StrataIndex service, including document intake, extraction workflows, requirements indexing, review tooling, exports, support, security monitoring, and related processing described in the Main Agreement.

## 2. Roles

- The **Controller** determines the purposes and means of processing the Controller Data submitted to the service.
- The **Processor** processes Controller Data on behalf of the Controller and in accordance with the Main Agreement, this DPA, and documented instructions from the Controller.

## 3. Details of processing

The parties agree that the following processing details apply unless otherwise set out in the Main Agreement or an annex:

- **Subject matter:** Provision of the StrataIndex service.
- **Duration:** For the term of the Main Agreement, plus any limited retention period required for security, backup, legal compliance, or orderly deletion.
- **Nature and purpose:** Hosting, storage, organization, extraction, indexing, review support, export, support, monitoring, security, and related service operations.
- **Categories of data subjects:** Controller personnel, end users, customer representatives, and any individuals whose Personal Data appears in uploaded documents or related records.
- **Categories of Personal Data:** Contact details, account identifiers, uploaded document content, extracted text, source traces, review actions, and other Personal Data included in service inputs or outputs by the Controller.

## 4. Controller instructions

The Processor will:

- process Personal Data only on documented instructions from the Controller, including with respect to transfers, unless otherwise required by applicable law;
- promptly inform the Controller if, in the Processor's opinion, an instruction infringes applicable data protection law, unless prohibited by law from doing so; and
- ensure personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.

## 5. Security

The Processor will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature of the processing and the risks involved.

These measures should address, where appropriate:

- access controls and role-based restriction;
- authentication and credential management;
- encryption in transit and, where appropriate, at rest;
- logging and monitoring;
- backup and recovery controls;
- incident response processes; and
- vendor and environment security practices reasonably appropriate to the service.

## 6. Subprocessors

The Controller authorizes the Processor to use subprocessors in connection with the service, provided that:

- the Processor remains responsible for the performance of its subprocessors to the extent required by law;
- the Processor imposes data protection obligations on subprocessors that are no less protective than the obligations in this DPA, as applicable to the services provided; and
- where required by applicable law or contract, the Processor gives notice of material subprocessor changes and a reasonable opportunity to object.

The Processor should maintain an up-to-date subprocessor list or equivalent notice mechanism.

## 7. Assistance to the Controller

Taking into account the nature of the processing and information available to the Processor, the Processor will provide reasonable assistance to the Controller with respect to:

- responding to data subject requests;
- security incident response;
- data protection impact assessments;
- prior consultation with supervisory authorities, where required; and
- demonstrating compliance with applicable processor obligations.

## 8. Personal data breaches

The Processor will notify the Controller without undue delay after becoming aware of a confirmed Personal Data Breach affecting Controller Data. The notification should include, to the extent then available:

- the nature of the incident;
- the categories of affected data and, where feasible, affected data subjects;
- likely consequences;
- measures taken or proposed; and
- contact details for follow-up.

## 9. Data subject requests

If the Processor receives a request directly from a data subject relating to Controller Data, the Processor will:

- not respond substantively except as legally required or authorized by the Controller;
- promptly direct the request to the Controller where appropriate; and
- provide reasonable assistance so the Controller can respond lawfully.

## 10. Audit and information rights

Upon reasonable written request, the Processor will make available information reasonably necessary to demonstrate compliance with this DPA. If the Controller requires an audit, the parties will cooperate in good faith on a reasonable scope, timing, confidentiality protections, and cost allocation, taking into account existing audit reports, certifications, questionnaires, or equivalent materials that may satisfy the request.

## 11. International transfers

Where Controller Data is transferred across borders in a manner regulated by applicable data protection law, the parties will implement an appropriate lawful transfer mechanism, which may include standard contractual clauses or other approved safeguards, supplemented where required.

## 12. Return and deletion

Upon termination or expiry of the Main Agreement, the Processor will, at the Controller's choice and subject to applicable law and legitimate operational constraints, delete or return Controller Data. The Processor may retain limited copies only where required for security, backup rotation, legal compliance, dispute resolution, or enforcement of rights, provided that retained data remains protected under this DPA.

## 13. Conflict with the Main Agreement

If there is a conflict between this DPA and the Main Agreement on data protection matters, this DPA will control to the extent of the conflict.

## 14. Annex guidance for signature version

Before signature, complete or attach the following:

- legal names and notice addresses of the parties;
- detailed technical and organizational measures;
- subprocessor list or reference URL;
- transfer mechanism details, if relevant;
- any regional law addenda (for example UK or Swiss addenda); and
- commercial or audit-process specifics required by the parties.
