1. Definitions
The following terms have the meanings given under GDPR Article 4 and applicable UK data protection law. In the event of conflict, the definitions in the applicable regulation prevail:
- "Controller" — the Customer, as the natural or legal person which determines the purposes and means of processing personal data contained in Firm Data.
- "Processor" — Xycora, Inc., processing personal data on behalf of the Controller only on documented instructions.
- "Sub-processor" — any sub-contractor engaged by Xycora to process personal data on the Controller's behalf in connection with delivering the platform.
- "Personal Data" — any information relating to an identified or identifiable natural person within Firm Data.
- "Processing" — any operation or set of operations performed on Personal Data, whether or not by automated means.
- "Firm Data" — all content, documents, and data submitted by the Customer to the platform, as further defined in the Privacy Policy.
2. Subject Matter and Duration
This DPA governs Xycora's processing of Personal Data contained in Firm Data for the purpose of delivering the Xycora platform services under the main subscription agreement. The DPA takes effect on the date the subscription agreement is entered into and remains in force for the duration of that agreement, including any renewal terms.
3. Nature and Purpose of Processing
Xycora processes Personal Data for the following purposes, in each case only to the extent necessary to provide the contracted service:
- AI-assisted analysis, classification, and summarisation of legal documents submitted by the Customer.
- Document processing including OCR, indexing, discrepancy detection, and clause analysis.
- AI-assisted drafting of work product based on matter documents and firm precedents.
- Maintenance of immutable audit logs recording AI calls, document accesses, and platform activity.
- Platform security monitoring and incident response.
4. Type of Personal Data
The Personal Data processed under this DPA may include: names; email addresses; professional roles and firm identifiers; and personal data of any category contained within matter documents uploaded by the Customer, which may include financial information, medical information, communications, and other personal data depending on the nature of the Customer's legal practice.
5. Categories of Data Subjects
Personal Data processed under this DPA may relate to the following categories of data subjects: the Customer's firm personnel; the Customer's clients; and third parties (including opposing parties, witnesses, and other individuals) referenced in documents uploaded to the platform.
6. Processor Obligations (Article 28(3))
Xycora commits to the following obligations as Processor:
- Instructions — Xycora will process Personal Data only on the documented instructions of the Controller. Where Xycora is required by applicable law to process Personal Data for other purposes, it will notify the Controller before such processing unless legally prohibited from doing so.
- Confidentiality — Xycora will ensure that all persons authorised to process the Personal Data are subject to binding confidentiality obligations.
- Security — Xycora will implement and maintain the technical and organisational security measures set out in Annex A of this DPA.
- Sub-processors — Xycora will not engage Sub-processors without the prior authorisation of the Controller, either specific or general. General authorisation is provided by the Customer's acceptance of this DPA, subject to the sub-processor change process in section 7 of this DPA.
- Data subject rights — Xycora will provide reasonable assistance to the Controller in responding to data subject access and other rights requests, taking into account the nature of processing and information available to Xycora.
- Breach notification — Xycora will notify the Controller within 24 hours of becoming aware of an actual or reasonably suspected personal data breach affecting Firm Data, and will provide a detailed written report within 72 hours.
- DPIA assistance — Xycora will provide reasonable assistance to the Controller in connection with any data protection impact assessment required by Article 35 GDPR.
- Deletion and return — Upon termination of the subscription agreement, Xycora will make Firm Data available for export for 30 days and will permanently delete all copies of Firm Data from its systems within 60 days of the termination date, unless a longer retention period is required by applicable law.
- Audit assistance — Xycora will make available to the Controller all information necessary to demonstrate compliance with this DPA and will allow for, and contribute to, audits and inspections as provided in section 10 of this DPA.
7. Sub-processors (Annex B)
The Customer provides general authorisation for Xycora to engage the following Sub-processors to process Firm Data in connection with providing the platform:
| Sub-processor | Location | Processing activity |
|---|---|---|
| Anthropic | United States | LLM inference (zero-retention API) |
| OpenAI | United States | LLM inference (zero-retention Enterprise API) |
| Google (Gemini) | United States | LLM inference (no training on customer data under API terms) |
Xycora will notify the Customer at least 30 days before engaging any new Sub-processor that will process Firm Data, providing details of the processing to be carried out. The Customer may object to a new Sub-processor within 14 days of such notice on reasonable data-protection grounds. If the parties cannot resolve the objection, either party may terminate the subscription agreement on 30 days' written notice.
8. Security Measures (Annex A)
Xycora implements and maintains the following technical and organisational measures to protect Personal Data:
- Encryption at rest — AES-256 encryption of all Firm Data stored on Xycora infrastructure. A bring-your-own-key (BYOK) option is available to Firm tier customers via AWS KMS or Azure Key Vault.
- Encryption in transit — TLS 1.3 (minimum) for all data in transit between clients and the platform and between the platform and Sub-processors.
- Access controls — Role-based access control (RBAC) with the principle of least privilege applied at platform and infrastructure levels. All access is authenticated using JSON Web Tokens (JWTs) with a 60-minute expiry and a 7-day refresh cycle.
- Penetration testing — Annual third-party penetration testing of all production infrastructure, with critical findings remediated within 72 hours of identification.
- SOC 2 Type II — Annual SOC 2 Type II assessment by an independent third-party auditor covering the Security trust services criteria, with reports available to customers under NDA.
- Incident response — Documented incident response procedures with 24-hour initial notification and 72-hour detailed report commitments for personal data breaches.
- Vulnerability management — Automated dependency scanning on every build; quarterly infrastructure vulnerability assessments; OWASP Top 10 review on every release.
9. International Transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to Xycora or its Sub-processors located in countries without an adequacy decision, such transfers are governed by:
- The EU Standard Contractual Clauses (Commission Decision 2021/914), Module Two (Controller to Processor), for transfers from the EEA.
- The UK International Data Transfer Addendum (IDTA) to the EU SCCs, for transfers from the UK.
- The Swiss-US Data Privacy Framework and/or Swiss SCCs, as applicable, for transfers from Switzerland.
Executed copies of the applicable SCCs and the IDTA are incorporated into this DPA by reference and are available to the Customer on request by contacting [email protected].
10. Audit Rights
Upon at least 30 days' written notice, the Customer may conduct (or instruct a suitably qualified third party to conduct) an audit of Xycora's data processing activities and technical and organisational measures to verify compliance with this DPA, no more than once per 12-month period and subject to reasonable confidentiality obligations. At the Customer's request, and in lieu of a Customer-conducted audit, Xycora may provide its current SOC 2 Type II report under a mutual NDA as evidence of compliance with the relevant security measures.
11. DPA Term
This DPA is coterminous with the main subscription agreement between the parties. Obligations relating to the deletion and return of Personal Data, and obligations of confidentiality, survive termination of the main agreement.
This document was last reviewed in April 2026. For redlines against your template, contact [email protected].