Legal & Compliance

Data Processing Agreement

Last updated: March 2025

This Data Processing Agreement ("DPA") forms part of the LexBridge Terms of Service and governs LexBridge's processing of personal data on behalf of subscribing law firms ("Controllers"). It satisfies Article 28 GDPR, Article 12 DIFC DP Law 2020, and equivalent UAE PDPL requirements. By using LexBridge, your Firm accepts this DPA.

1. Roles and Definitions

Term | Meaning in LexBridge Context
Controller | The subscribing law firm that determines the purpose and means of processing client personal data
Processor | LexBridge FZ-LLC — processes personal data on the Controller's documented instructions
Data Subjects | Clients, counterparties, witnesses, and other individuals whose data is stored in LexBridge
Sub-Processor | Third-party service providers engaged by LexBridge (e.g., AWS, email delivery providers)

2. Subject Matter and Nature of Processing

LexBridge processes personal data on behalf of the Controller to provide:

  • Case and matter management (case records, status, notes)
  • Client portal access and messaging
  • Document storage and retrieval
  • Hearing scheduling and notifications
  • Invoice generation and billing records
  • KYC/AML documentation storage
  • Time tracking and reporting

3. Types of Personal Data Processed

  • Identity data (full name, date of birth, nationality)
  • Contact data (email, phone, address)
  • Identity documents (passport, Emirates ID, Iqama) — stored for KYC
  • Financial data (billing amounts, payment status)
  • Legal matter data (case descriptions, correspondence, hearing outcomes)
  • Login and audit logs (IP addresses, timestamps)

4. Processor Obligations

LexBridge (as Processor) agrees to:

  • Process personal data only on documented instructions from the Controller
  • Ensure staff with access to personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Security page)
  • Assist the Controller in responding to data subject rights requests within 5 business days
  • Notify the Controller of any personal data breach without undue delay (within 72 hours of becoming aware)
  • Provide all information necessary to demonstrate compliance with this DPA
  • Delete or return all personal data upon termination of the subscription
  • Not engage any Sub-Processor without prior written authorisation from the Controller

5. Controller Obligations

The Controller (subscribing law firm) agrees to:

  • Ensure a lawful basis exists for processing each category of personal data
  • Obtain necessary consents from data subjects before entering their data into LexBridge
  • Ensure the accuracy of personal data entered into the Platform
  • Comply with applicable data protection laws in their jurisdiction(s) of operation
  • Inform LexBridge promptly of any data subject complaints or regulatory enquiries

6. Sub-Processors

By using LexBridge, the Controller provides general authorisation for us to engage the following approved Sub-Processors:

Sub-Processor | Purpose | Location
Amazon Web Services (AWS) | Cloud hosting, database, and storage | UAE (me-central-1) 🇦🇪
Transactional Email Provider | System notifications and invoices | EU / UAE

We will notify Controllers of any material changes to Sub-Processors with at least 14 days' notice, giving them the opportunity to object.

7. International Data Transfers

Data is stored primarily in the AWS UAE region. Where any transfer outside the UAE is required (e.g., to EU-based email providers), we ensure that appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions.

8. Data Breach Notification

In the event of a personal data breach, LexBridge will notify the Controller without undue delay and in any event within 72 hours of becoming aware. Notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address it.

9. Duration and Termination

This DPA remains in effect for the duration of the subscription. Upon termination, LexBridge will make data available for export for 30 days, after which it will be securely deleted. We will provide a certificate of deletion upon request.

10. Contact

LexBridge FZ-LLC — Data Protection Officer

Email: privacy@lexbridge.io

For DPA amendments or Sub-Processor objections, please contact us in writing at the above address.