Data Processing Agreement

Effective date: July 30, 2025

1. INTRODUCTION AND DEFINITIONS

1.1. This data processing agreement (the “DPA”) governs the processing of Personal Data in the course of the provision of the Services provided by Unplex or its Affiliates to the Subscriber and forms part of the Agreement between the Parties.

1.2. This DPA regulates the Subscriber’s rights and obligations in its capacity as data controller as well as Unplex’s rights and obligations in its capacity as data processor when Unplex processes Personal Data on behalf of the Subscriber under the Agreement.

1.3. The purpose of this DPA is to regulate the processing of Personal Data in accordance with the requirements set forth by Applicable Data Protection Laws. Concepts, terms, and expressions in this DPA shall be interpreted in accordance with Applicable Data Protection Laws (as defined below).

1.4. In case of any conflict between the rest of the Agreement and this DPA (including its appendices), the wording of this DPA shall prevail.

1.5. The following appendices shall form part of the DPA:

(a) Appendix A – Specification of data processing

(b) Appendix B – Pre-approved sub-processors

(c) Appendix C – Security measures

1.6. Capitalised terms that are used but not defined in this document shall have the meaning set out in the Agreement Order Form or the General Terms and Conditions Unplex AI.

Defined terms:

“Applicable Data Protection Laws” means any nationally or internationally binding data protection laws, case law, and regulations, applicable within Switzerland, and the European Union (the “EU”), including the EU General Data Protection Regulation (“GDPR”), and applicable subordinate legislation and regulations implementing those laws, as amended and supplemented from time to time.

“Personal Data” means any information defined as personal data under the GDPR that Unplex processes on behalf of the Subscriber and/or its Affiliates in order to provide the Services under the Agreement.

“Restricted Transfer” means as defined in Clause 5.2.

“Standard Contractual Clauses” means as defined in Clause 5.3.

2. PROCESSING OF PERSONAL DATA

2.1. Unplex undertakes to process Personal Data for the purposes set forth in this DPA (including Appendix A) and in accordance with the Subscriber’s written instructions, unless otherwise required by Applicable Data Protection Laws. The Subscriber’s instructions to Unplex regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects, and the rights and obligations of both Parties are set forth in this DPA and in Appendix A.

2.2. As data processor and a service provider, Unplex undertakes to:

(a) Comply with all Applicable Data Protection Laws that are applicable to it as a processor of the Personal Data;

(b) Cooperate with audits conducted by the Subscriber; and

(c) Inform the Subscriber promptly if, in Unplex’s opinion, an instruction from the Subscriber violates Applicable Data Protection Laws.

2.3. Any transfer of Personal Data to Unplex using the Services shall be made using secure, reasonable, and appropriate mechanisms for data transfers.

2.4. Unplex shall, without undue delay, inform the Subscriber of any communication with any Data Protection Authority that relates to Unplex’s processing of Personal Data under this DPA, and Unplex will provide reasonable assistance to the Subscriber if the Subscriber receives a request from such authority or is subject to a regulatory investigation. In addition, if data subjects, competent authorities or any other third parties request information from Unplex regarding the processing of Personal Data covered by this DPA, Unplex shall refer such requests to the Subscriber to the extent permissible under Swiss, EU or EU Member State law.

2.5. Unplex shall provide reasonable assistance to the Subscriber, through appropriate technical and organisational measures, with the Subscriber’s compliance obligations to implement reasonable security procedures and practices appropriate to the nature of the Personal Data.

2.6. Unplex’s assistance to the Subscriber in accordance with Clause 2.4 and 2.5 shall be provided at the Subscriber’s reasonable expense, unless the reason for the assistance is a direct result of an act or omission by Unplex or its Affiliates.

3. OBLIGATIONS OF THE SUBSCRIBER

3.1. The Subscriber shall ensure that it has a valid legal basis, and all necessary rights, consents, and authorisations, to provide the Personal Data to Unplex and to authorise Unplex to process that Personal Data in accordance with this DPA, the Agreement and/or other processing instructions provided by the Subscriber to Unplex.

3.2. The Subscriber shall comply with all Applicable Data Protection Laws that are applicable to it as controller of the Personal Data.

3.3. The Subscriber shall not provide Personal Data to Unplex except through agreed mechanisms. For example, the Subscriber shall not include Personal Data, other than technical contact information, in technical support tickets.

4. SUB-PROCESSORS

4.1. Unplex is, subject to this Clause 4.2 and Clause 5, entitled to engage subcontractors acting as sub-processors, and under the condition that they are bound by a written agreement which imposes on them materially the same data processing obligations as the obligations under this DPA in respect of data protection.

4.2. Unplex shall inform the Subscriber of any new sub-processors and give the Subscriber the opportunity to object to such changes. Such objections by the Subscriber shall be based on grounds regarding the new sub-processor’s ability to comply with Applicable Data Protection Laws and be made in writing within thirty (30) days from receipt of the information. Unplex may not engage a new sub-processor before the 30-day period has ended. Unplex shall upon request provide the Subscriber with such information that the Subscriber may reasonably request to assess the proposed sub-processor’s ability to comply with Applicable Data Protection Laws. If Unplex, despite the Subscriber’s objection, wishes to engage the proposed sub-processor, the Parties shall in good faith discuss and try to find an alternative solution which is reasonably acceptable to both Parties. If the Parties cannot find an alternative solution and the Subscriber still objects to the appointment of the sub-processor, and if the Subscriber’s objection would result in additional costs or expenses for Unplex, then Unplex is entitled to adjust its fees under the Agreement so as to ensure that Unplex is compensated for such additional and/or increased costs or expenses. Notwithstanding the previous sentence, if the Subscriber’s objection would result in costs or operational consequences which, in Unplex’s opinion, would not be commercially reasonable, Unplex may terminate the Agreement upon reasonable written notice.

5. THIRD COUNTRY TRANSFERS

5.1. Unplex may not, without the prior written consent of the Subscriber, process Personal Data outside or engage sub-processors processing the personal data outside of Switzerland or the EU/EEA. Appendix B contains a complete list of its sub-processors that from the date of entry into force of this DPA have been pre-approved by the Subscriber.

5.2. Any transfer of Personal Data to a country outside of Switzerland and which is not a member state of either the EU or the EEA (including making the Personal Data available in such country by e.g., remote access) (a “Restricted Transfer”) requires the prior written approval of the Subscriber. Unplex shall provide all reasonably relevant information regarding the Restricted Transfer to enable the Subscriber to make an informed decision, including details of the country or territory to which the Personal Data will be transferred.

5.3. In the absence of an adequacy decision from the EU Commission the Parties agree and acknowledge that the European Commission’s standard contractual clauses adopted 4th of June 2021 or any clauses thereafter replacing such standard contractual clauses (for the purposes of this DPA, the “Standard Contractual Clauses”) will be the relevant appropriate safeguard and shall be implemented as follows:

5.4. Unplex shall ensure that the Restricted Transfer is subject to adequate safeguards as stated in Chapter V of the GDPR and may for this purpose rely on the Standard Contractual Clauses provided that the clauses, including supplementary security measures, ensure an essentially equivalent level of protection. The Parties acknowledge and agree that Unplex or its Sub-processor, as applicable, shall apply module 3 of the Standard Contractual Clauses.

5.5. Unplex represents and warrants that Unplex has no reason to believe that legislation or practices applicable to it or its sub-processors, including in any country to which Personal Data is transferred either by itself or through a sub-processor, prevents it from fulfilling its obligations under Applicable Data Protection Laws, this DPA or its obligations in the Standard Contractual Clauses. In the event Unplex is unable to fulfil its obligations in this Clause 5.5, Unplex agrees to immediately notify the Subscriber.

6. INFORMATION SECURITY AND CONFIDENTIALITY

6.1. To maintain an adequate level of security for the protection of Personal Data, and without prejudice to the information security and confidentiality obligations which otherwise follow from the Agreement, Unplex commits to the following appropriate technical and organisational measures:

(a) Data Encryption: Implement strong encryption for data at rest and in transit.

(b) Access Control: Enforce strict access controls, including multi-factor authentication and role-based access, to ensure only authorised personnel access personal data.

(c) Data Minimisation: Process and store only necessary personal data.

(d) Regular Security Assessments: Conduct regular security audits and vulnerability assessments.

(e) Incident Response Plan: Establish and maintain a robust incident response plan for data breaches or security incidents.

(f) Employee Training: Provide regular training to all employees on data protection and GDPR compliance.

(g) Data Backup and Recovery: Maintain effective data backup and recovery procedures.

(h) Regular Updates and Patch Management: Ensure timely updates and patching of all systems and software.

(i) Data Integrity and Confidentiality: Implement measures to maintain data integrity and confidentiality.

(j) Privacy by Design and Default: Adhere to GDPR principles of privacy by design and default in all processes.

6.2. Unplex shall protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. The Personal Data shall also be protected against other forms of unlawful processing.

6.3. Unplex shall ensure that only staff and other representatives who require access to Personal Data to fulfil Unplex’s obligations under the Agreement have access to such information. Unplex shall guarantee that all persons authorised to process the Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Furthermore, all persons authorised to process Personal Data shall receive sufficient and necessary training covering awareness of GDPR and data processing agreements.

7. DATA BREACH NOTIFICATIONS

7.1. Unplex shall inform the Subscriber without undue delay and at the latest within thirty-six (36) hours from becoming aware of a Personal Data breach.

7.2. Unplex shall assist the Subscriber with any information reasonably required to fulfil the Subscriber’s data breach notification requirements under Applicable Data Protection Laws.

8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATIONS

Unplex shall, at the Subscriber’s reasonable expense, taking into account the nature of the processing and the information available to Unplex, assist the Subscriber in fulfilling the Subscriber’s obligation to, when applicable, carry out data protection impact assessments and prior consultations with the Data Protection Authority.

9. AUDIT RIGHTS

9.1. Subscriber shall have the right to perform audits of Unplex’s processing of Subscriber’s personal data in order to verify Unplex’s compliance with this DPA and Applicable Data Protection Laws. This audit right is limited to once per twelve (12) month period unless the Subscriber has clear reasons to believe that Unplex has materially breached its obligations under this DPA.

9.2. Unplex undertakes to make available to the Subscriber all information and other assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by an authorised and reputable auditor mandated by the Subscriber, provided that the individuals performing the audits enter into confidentiality agreements or are bound by statutory obligations of confidentiality.

9.3. In this context, it is noted that among Unplex’s customers there may be entities which are subject to statutory and/or bar association rules on confidentiality in relation to client/customer matters (e.g. banks, financial institutions, law firms, etc.). Hence, the Subscriber acknowledges that audits under this DPA shall not include access to information pertaining to or belonging to Unplex’s other customers.

9.4. The Subscriber is responsible for all costs associated with audits, including those incurred at Unplex.

10. TERM OF AGREEMENT

The provisions of this DPA shall apply as long as Unplex processes Personal Data for which the Subscriber is data controller or until such time as this DPA is replaced with another data processing agreement.

11. MEASURES UPON COMPLETION OF PROCESSING OF PERSONAL DATA

11.1. Before the expiration of this DPA, Unplex shall, at the choice and instruction of the Subscriber, securely delete or return all Personal Data to the Subscriber, unless Applicable Data Protection Laws require Unplex to store the Personal Data, in which case the obligations set out in Clause 11.4(i)–(ii) shall apply.

11.2. If return or destruction is impracticable or incidentally prohibited by a valid legal requirement under Swedish or EU law, Unplex shall take measures to inform the Subscriber and block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required under Swiss or EU law) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control and, where any authorised sub-processor continues to possess Personal Data, require the authorised sub-processor to take the same measures that would be required of Unplex.

11.3. Upon request by the Subscriber, Unplex shall provide a written notice of the measures taken regarding the Personal Data upon completion of the processing as set out in Clause 11.1.

11.4. If Unplex is legally required under Swiss, EU or Member State law to retain archival copies of any specific data belonging to the Subscriber for tax or similar regulatory purposes, Unplex shall (i) inform the Subscriber thereof in writing specifying the legal obligation and the affected Subscriber data, (ii) not use the archived information for any other purpose than to strictly comply with the applicable legal obligation; and (iii) remain bound by its obligations under the Agreement, including this DPA, including its confidentiality and security obligations under the Agreement and the obligations under this DPA to protect the information using appropriate safeguards and to notify the Subscriber of any security incident involving the information.

12.   AMENDMENTS

12.1.    Any amendments to this DPA shall, in order to be valid, be agreed in writing and duly signed by authorised representatives of both Parties.

12.2.    Notwithstanding Clause 12.1, the Subscriber is entitled to make updates to its written instructions regarding the processing set out in Appendix A. Unplex shall be entitled to remuneration for any reasonable and verified additional costs that Unplex incurs due to the Subscriber having made amendments to its written instructions regarding the processing. Notwithstanding the aforesaid, no remuneration shall be payable due to amendments in the written instructions directly due to, or directly based on, regulatory requirements.

13. LIABILITY

13.1. Administrative fines: Fines pursuant to Article 83 of the GDPR shall be borne by the Party to the Agreement named as recipient of such sanctions.

13.2. Damages to data subjects: In the event of a compensation for damage in connection with processing of Personal Data to be paid to a data subject due to an infringement of a provision in this DPA, instructions and/or an applicable provision in the Applicable Data Protection Laws, Article 82 of the GDPR shall apply.

13.3. Other damages: In relation to all other claims arising out of a breach of this DPA, the liability provisions and limitations thereof set out in the General Terms and Conditions Unplex AI shall apply to this DPA.

14. GOVERNING LAW AND SETTLEMENT OF DISPUTES

14.1. This DPA shall be governed by and construed in accordance with Swiss law.

14.2. Any dispute, controversy, or claim arising out of or in connection with this DPA, or the breach, termination, or invalidity thereof, shall be finally settled in accordance with the dispute resolution provision set out in the Terms of Services of Unplex.

APPENDIX A - SPECIFICATION OF DATA PROCESSING

1.    INSTRUCTIONS

1.1. Short description of the service and the purposes of the processing

Unplex provides teams with core legal workflow automation through a SaaS solution. The Services are defined in the Agreement and include i.a. an AI chat interface to interact with public legal sources, as well as the organization and Subscriber data. Unplex shall process Personal Data on behalf of the Subscriber for the purpose of providing legal applications based on artificial intelligence.

1.2.  Categories of Personal Data

(a) User Data

  • Name
  • Email
  • Username
  • Password
  • Alphanumeric identifier
  • Access level and system role
  • Organization logo
  • Custom attributes from the Subscriber’s pre-approved integrations

(b) Data Subjects in Customer Input Data

  • Name
  • Email
  • Title
  • Address
  • Data related to the legal matter at hand
  • Authors of documents
  • Signatories

(c) Content Data

  • Search queries (submitted by end-users)
  • Prompt queries (submitted to the Unplex AI system)
  • Third-party content from the Subscriber’s pre-approved integrations

(d) Performance Data

  • Time
  • Completion data (e.g., onboarding progress)
  • Progress tracking
  • Favourites

(e) Device Data

  • Browser type
  • IP address
  • Operating system
  • Location
  • Device type
  • MAC address

(f) Activity Data

  • Event logs (e.g., action taken, event type, event location, timestamp, organisation ID, user ID)
  • Cookies
  • Session information (e.g., frequency, duration, quantity, quality, network activity and connectivity)
  • Session facilitator/participant ID

(g) Support Data

  • Troubleshooting subject
  • Problem description
  • Post-session feedback (score of 1–5 and free text)
  • User-supplied attachments (e.g., recordings, transcripts, screenshots, feedback)

1.3.  Categories of data subjects

Unplex will process Personal Data regarding

(a) any data subjects in the Subscriber’s input data entered into the Unplex Platform and

(b) the Subscriber’s end-users of the Services, which may include the following categories of data subjects:

(i)  Natural persons who are authorized by the Subscriber to administer and use the Services, such as:

(ii) The Subscriber’s employees and partners

(iii) The Subscriber’s third parties, such as contractors, consultants, advisors

(iv) The Subscriber’s customers

(v) Contact persons at the Subscriber’s third parties, such as contractors, consultants, advisors

(vi) Contact persons at the Subscriber’s customers

1.4.  Processing operations

Unplex will collect, store, organize, and analyze the Personal Data for the purpose indicated above, as included in the Agreement and in accordance with instructions of the Subscriber.

1.5.  Location of processing operations

Switzerland and as specified in Appendix B.

APPENDIX B – PRE-APPROVED SUB-PROCESSORS

For each sub-processor that we use, we apply the principles of least privilege. This means that each third-party system shall only have access to the minimum data required to fulfil its purpose.

| Sub-processor | Purpose | Data categories processed | Location and legal basis of processing | Legal entity |
|---|---|---|---|---|
| Auth0 | Authentication | User (Name and email) | EEA/EU; GDPR | Okta, Inc. 100 First Street, 6th Floor, San Francisco, CA 94105, USA |
| AWS | Cloud Infrastructure, LLM Models | Content, User, Metadata | EEA/EU; GDPR | Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA |
| Infomaniak | Cloud Infrastructure for the application | User, Content, Metadata | Switzerland; GDPR, FADP | Infomaniak Network SA, Rue Eugène-Marziano 25, 1227 Les Acacias, Geneva, Switzerland |
| Microsoft | Hosting infra, and search infra | User, Content, Performance, Device, Activity | EEA/EU; GDPR | Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052-6399 |
| Posthog | Product Analytics | User, Performance, Device, Activity | EEA/EU; GDPR | PostHog Inc, 2261 Market Street 4008, San Francisco, CA 94114 |
| Cloudflare | Content Delivery Network, DDoS Protection | Content, User | EEA/EU; GDPR | Cloudflare, Inc. 101 Townsend St, San Francisco, CA 94107 |
| DeepL | Translation | Content | EEA/EU; GDPR | DeepL SE, Maarweg 165, 50825 Cologne, Germany |
| Intercom | Customer Support, Communication | Content, User | EEA/EU; GDPR | Intercom Inc., Stephen Court, 18–21 Saint Stephen's Green, Dublin, Ireland |

APPENDIX C – SECURITY MEASURES

1.  UNPLEX IS AN AI PLATFORM WITH ENTERPRISE SECURITY

Our obligations to the Subscriber are to ensure a continuous high-quality delivery of our services, built on the highest level of security and resilience. We use the latest technology to make sure our infrastructure is reliable, and the Subscriber data is protected. Just as we put hard work into our product, we also put the same energy and enthusiasm into our security practices.

This document describes the technical and organizational security measures and controls implemented by Unplex to protect Personal Data and ensure the ongoing confidentiality, integrity and availability of Unplex’s products and services. More details on the measures we implement are available upon request. Unplex reserves the right to revise these technical and organizational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for Personal Data that Unplex processes in providing its products and services.

2.  HOW UNPLEX WORKS

Unplex is a web and desktop-based core legal workflow automation platform for accessing public legal information and your own documents. The platform is an all-in-one place for teams to work with legal inquiries and simplifies legal workflows.

3.  SUB-PROCESSORS

Unplex engages carefully vetted sub-processors for specific purposes to enhance Unplex for our subscribers. For a list of sub-processors, please see Appendix B Pre-approved Sub-processors.

4.  BUSINESS CONTINUITY MANAGEMENT

Data backup is one of the pillars of Unplex’s IT continuity plan. Trained personnel manage and follow up on backup execution to ensure the integrity, confidentiality, and accuracy of the backup data.

Another pillar is the IT and management processes and routines that are carried out when a serious incident occurs. Unplex continually works on keeping processes and routines updated. The continuity plan is tested at intervals based on regular risk assessments.

Unplex has a high degree of digitization, and all the services and tools are digitally accessible using Microsoft SSO Accounts. As a result, most employees can continue to work from other locations even if Unplex’s offices are closed or not accessible due to an extreme event.

5. SUPPLIER RELATIONSHIP MANAGEMENT

Unplex ensures that identified security requirements are met by external suppliers during the procurement process. A contract with a chosen supplier addresses the demands on the supplier's IT environment and information security measures. The supplier shall present and account for their technology, routines, and processes as well as IT and information security policies. Unplex conducts regular control of suppliers' access rights and other aspects of the agreement with the supplier. Suppliers agree to carry out assignments in accordance with the provisions specified in applicable laws and regulations in the country where the assignments are performed.

6.  INFORMATION SECURITY MANAGEMENT

Unplex is currently undergoing the certification and internal audit to receive the certificate. The ISO/IEC 27001 standard provides guidelines and general principles for planning, implementing, maintaining, and improving information security in an organization.

7.  SYSTEM ACCESS CONTROL

Measures that prevent unauthorized persons from using IT systems and processes:

(a) When provisioning access, Unplex adheres to the principle of least privilege and role-based permissions - meaning our employees are only authorized to access data that they reasonably must handle in order to fulfil their job responsibilities.

(b) Unplex utilizes multi-factor authentication for access to systems with highly confidential data, including our production environment which houses Personal Data.

8.  PHYSICAL ACCESS CONTROL

Measures to prevent physical access of unauthorized persons to IT systems that handle Personal Data:

(a) Unplex partners with industry-leading data center and cloud infrastructure providers. Access to all data centers is strictly controlled. All data centers are equipped with 24x7x365 surveillance and biometric access control systems.

(b) Data centers are equipped with at least N+1 redundancy for power, networking, and cooling infrastructure.

(c) Unplex replicates data across separate, physically independent, and highly secure locations, ensuring high availability, and protection from local failures such as power outages and fires.

Measures to prevent physical access of unauthorized persons to physical office locations:

(a) Unplex ensures that only authorized persons can access physical office locations through comprehensive physical and identity access management. This is done by the third-party office provider.

(b) Unplex ensures effective and immediate onboarding and offboarding of employees, contractors, and third parties, including the security training of said personnel and immediate return and/or destruction of sensitive documents upon termination.

9. DATA ACCESS CONTROL

Measures to ensure that persons authorized to use Unplex have access only to the Personal Data pursuant to their access rights:

(a) Unplex enforces complexity to match OWASP password recommendations to ensure strong passwords are used by users.

(b) Recovery of lost passwords is done by requesting a signed link to the user’s email account — no passwords are sent in plain text over email, chat, phone, or any other communication method.

(c) Unplex ensures passwords are hashed (and salted) securely using bcrypt, and upon the Subscriber’s request, requires single sign-on (SSO) powered by SAML 2.0, for secure user authentication.

(d) Unplex uses best-practice tools for vulnerability scanning, malicious activity detection, and blocks suspicious behaviour automatically.

(e) Unplex utilizes firewalls to segregate unwanted traffic from entering the network. A DMZ is utilized using firewalls to further protect internal systems protecting sensitive data.

10. TRANSMISSION ACCESS CONTROL

Measures to ensure that Personal Data cannot be read, copied, altered, or deleted by unauthorized persons during electronic transmission or during transport or storage on data media and that those areas can be controlled and identified where transmission of Personal Data is to be done via data transmission systems:

(a) The Subscriber data at rest is encrypted with AES-128 and AES-256, and data in transit is encrypted with TLS 1.2.

(b) Unplex is alerted to encryption issues through periodic risk assessments and third-party penetration tests. Unplex performs third-party penetration tests on an annual basis, or as needed due to changes in the business.

(c) We also sign the data to ensure its integrity.

11.  ENTRY CONTROL

Measures to ensure that it can be subsequently reviewed and determined if and from whom Personal Data was entered, altered, or deleted in the IT system:

(a) Systems are monitored for security events to ensure quick resolution.

(b) Logs are centrally stored and indexed. Critical logs, such as security logs, are retained for at least 2 months. Logs can be traced back to individual unique usernames with timestamps to investigate non-conformities or security events.

12. AVAILABILITY CONTROL

Measures to ensure that Personal Data are protected against accidental destruction or loss:

(a) Unplex saves a full backup copy of production data to ensure rapid recovery in the event of a large-scale disaster. Incremental/point-in-time recovery is available for all primary databases. Backups are encrypted in transit and at rest using strong encryption.

(b) Unplex’s patch management process ensures that systems are patched at least once every month. Monitoring, alerting, and routine vulnerability scanning occur to ensure that all product infrastructure is patched consistently.

(c) When necessary, Unplex patches infrastructure in an expedited manner in response to the disclosure of critical vulnerabilities to ensure system uptime is preserved.

(d) The Subscriber environments are logically separated at all times. The Subscriber is not able to access accounts other than those given authorization credentials.

13.  SEPARATION CONTROL

Measures to ensure that Personal Data collected for different purposes can be processed separately:

(a) Unplex employs different data processing systems for different purposes. These systems are architecturally (logically and physically) separated. All systems require valid authorization to be accessed.

(b) To ensure against the unintentional amalgamation of data, Unplex separates development, testing, staging, and production environments.

14. RISK MANAGEMENT

Measures to ensure that the appropriate risk management and security risk management are in place include but are not limited to:

(a) Unplex conducts periodic reviews and assessments of risks, monitoring and maintaining compliance with Unplex’s policies and procedures.

(b) Unplex ensures periodic, effective reporting of information security conditions and compliance to senior internal management.

(c) Unplex hosts periodic security risk management training, including but not limited to data protection for all employees, including an initial onboarding training for new employees to review and ensure compliance with up-to-date security risk management procedures and policies.

(d)   Unplex maintains a central IT policy covering guidelines for Internet usage.

15.   OPERATIONS SECURITY

Measures to ensure that the appropriate operations security safeguarding against malicious code is in place include but are not limited to:

(a) Unplex has different systems and methods to protect the IT infrastructure against malicious code, including various antivirus scanners, spam filters, security updates, and training.

(b) Unplex uses active monitoring to ensure that antivirus scanners and spam filters are active and updated.

(c) Unplex actively installs the latest security updates on systems and applications to minimize the risk for exploitation of vulnerabilities.

(d) Unplex, as part of basic training, ensures all employees take periodic training covering the identification of malicious code.

Measures to ensure that the appropriate operations security safeguarding email is in place include but are not limited to:

(a) Unplex utilizes Google’s world-class email security to protect all inbound and outbound emails from malware.

(b) Unplex leverages Google’s email spam filtering services to guard against spam, virus, and phishing attacks.

(c) Employees of Unplex immediately notify staff of email identified as infected or harmful and ensure that the email sender is blocked and quarantined. The verification and assessment of whether an email is malicious or not is automated and based on the rules but rather based on the competency of each Unplex employee — educated on a periodic basis to identify harmful emails.

16.  SECURITY REGARDING PERSONNEL

Measures to ensure that Unplex’s personnel comply with the laws and regulations of the country, and ensuring that personnel abide by the relevant terms and conditions of supplier and customer agreements:

(a) Unplex’s personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Unplex conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labour law and statutory regulations.

(b) Personnel is required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Unplex’s confidentiality and privacy policies. Personnel is provided with security training. Unplex’s personnel will not process customer data without authorization.

17.  RETENTION OF PERSONAL DATA

During the term of the DPA, the Personal Data processed by Unplex will be subject to the retention requirements instructed from time to time by the Subscriber. After the termination or expiration of the DPA, Clause 11 of the DPA shall apply.
