Data Processing Agreement
Last updated Aug 2024
This DPA is entered into between Uncover Legal B.V., hereafter referred to as “Uncover” or “Data Processor” and the individual accepting this DPA on their own behalf, on behalf of any other individuals for whom they obtain, or in the future obtain, a subscription, and on behalf of the legal entity they represent, hereafter referred to as the “Customer” or “Controller”.
By accepting this DPA, the Customer acknowledges that they are entering into this agreement in connection with the use of Uncover’s Services.
Uncover and the Customer are each a “Party” and together the “Parties”.
1. Definitions and interpretation
1.1
Unless otherwise defined herein, capitalised terms and expressions used in this DPA shall have the following meaning:
“Data Breach” means a breach related to Personal Data as referred to in article 4.12 of the GDPR;
“DPA” means this agreement, which, together with its annexes, constitutes a Data Processing Agreement within the meaning of article 28.3 of the GDPR;
“Data Protection Authority” means a supervisory authority defined in article 4.21 of the GDPR;
“Data Subject” means a natural person who can be identified, directly or indirectly;
“DPIA” means Data Protection Impact Assessments;
“EEA” means the European Economic Area;
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
"Personal Data" means all information referred to in article 4.1 of the GDPR, processed by Data Processor on the basis of the T&C and/or DPA for the benefit of Controller;
“Services” means the services provided by Uncover to the Customer under the terms of the T&C, which may include, but are not limited to, access to and use of Uncover's platform, provision of data processing, storage, and other related services as described in the T&C accepted by the Customer. These Services involve the processing of Personal Data on behalf of the Customer by the Data Processor.
“Sub Processor” means a third-party processor engaged by Data Processor, processing Personal Data on behalf of Controller;
“T&C” means the terms and conditions, being the contractual document outlining the general terms, conditions, obligations, and responsibilities governing the provision of services by Uncover to the Customer. The Terms and Conditions set forth the rights and duties of both Parties, including but not limited to the terms of use of Uncover's platform, payment terms, service levels, and any other relevant provisions. The Customer accepts these Terms and Conditions upon subscribing to Uncover's Services, and they form an integral part of the agreement between the Parties.
Any capitalised terms and expressions not defined herein, shall have the meaning ascribed to them in the T&C (defined above).
2. General provisions
2.1
This DPA applies to the Personal Data processed by Uncover, acting as a Data Processor, on behalf of the Customer, acting as a Data Controller, as described in this DPA.
2.2
Data Processor shall process Personal Data strictly in accordance with the Controller’s documented instructions, as detailed in Appendix 1. Data Processor shall not process, transfer, modify, amend, or alter the Personal Data, nor disclose or permit access to any third party, except as directed by the Controller’s documented instructions or as required by applicable Union or Member State law to which Data Processor is subject. In such cases, Data Processor shall inform Controller of the legal requirement before processing, unless prohibited by law on substantial public interest grounds.
2.3
Data Processor provides Controller with all reasonable information in its possession that Controller requires to comply with the GDPR.
2.4
Controller and Data Processor both guarantee that they act in accordance with the GDPR and other applicable data protection laws and that the nature, use and/or processing of the Personal Data are not unlawful and that they do not violate any third party's rights.
2.5
Data Processor will inform Controller if Data Processor finds that the instructions of Controller conflict with the applicable data protection laws and regulations in force.
2.6
Administrative fines imposed on Controller by a Data Protection Authority cannot be recovered from Data Processor, unless such a fine is imposed on Controller due to breach of the obligations of Data Processor under this DPA which cause the Controller to be unable to comply with the GDPR.
3. Term and Termination
3.1
This DPA will be in force as long as Customer is making use of the Services. Upon termination of the Subscription, or at the end of the Subscription Term, this DPA ends by operation of law without any further (legal) act being required.
3.2
If the DPA is terminated, Data Processor shall delete all Personal Data it stores and which it has obtained from Controller, except, to the extent applicable, for Personal Data that is processed by the machine learning models from Uncover and that is anonymized, fragmented and not traceable to any individual, group of individuals or company, unless Data Processor is prevented from removing the Personal Data in full or in part by applicable law.
4. Security
4.1
Data Processor shall implement the technical and organizational security measures set out in Appendix 2 to this DPA in order to assist Controller in ensuring compliance with Article 32 GDPR. In determining appropriate technical and organisational security measures, the Parties will take account of the current reasonable possibilities for technical and organisational protection, the implementation costs and the nature, scope and context of the Personal Data processing.
4.2
While the Data Processor will implement the security measures outlined in Appendix 2, it does not warrant that these measures will be effective in all circumstances. Controller acknowledges that no method of transmission over the Internet, or method of electronic storage, is completely secure. Therefore, Data Processor cannot guarantee absolute security but commits to continually assess and improve its security practices.
4.3
Controller acknowledges and confirms that the technical and organisational security measures set forth in Appendix 2 provide an appropriate level of security as required under the GDPR and the ISO 27001 certificate Data Processor holds.
4.4
Data Processor shall be entitled to adjust the technical and organisational security measures it has implemented if, at its discretion, such is necessary for a continued provision of an appropriate level of security. Such adjustments are deemed to become part of Appendix 2.
5. Data Breaches
5.1
If the Data Processor discovers a Data Breach, it shall notify Controller without undue delay upon becoming aware of the Data Breach, and, where feasible, within 72 hours. In doing so, Data Processor will indicate as soon as possible what events and circumstances have led to the Data Breach and what measures have been taken to remedy the Data Breach.
5.2
The Controller retains the sole discretion to determine whether a Data Breach necessitates notification to a Data Protection Authority and/or to Data Subjects, in compliance with GDPR requirements. Data Processor will provide all necessary information and assistance to enable Controller to make this determination promptly. Any such notification will be submitted by Controller and not by Data Processor.
5.3
Upon Controller’s request, Data Processor shall assist Controller to meet its notification obligations under the GDPR by providing all the necessary information available to Data Processor.
6. The Rights of Data Subjects, Data Protection Impact Assessments
6.1
Data Processor will provide Controller all reasonable assistance to enable Controller to satisfy requests from Data Subjects for the exercise of their rights under the GDPR. If Data Processor is directly approached by a Data Subject, it shall refer the Data Subject to Controller.
6.2
If the Controller is required to perform a DPIA pursuant to the GDPR, or if the DPIA indicates that the Data Protection Authority must be consulted, Data Processor will provide Controller with reasonable assistance that may be expected from Data Processor in this respect.
6.3
Data Processor is entitled to charge Controller for the costs associated with providing reasonable assistance as stipulated in this article 6 after submitting a prior written statement of the costs to Controller.
7. Confidentiality
7.1
Data Processor shall ensure that the persons processing Personal Data acting under its authority have committed themselves to confidentiality.
7.2
Data Processor shall be entitled to provide third parties with Personal Data if and insofar as such is necessary due to a court order, statutory provision, order issued by a competent government authority or for the performance of the Service Agreement and/or DPA.
8. Sub-Processing
8.1
In Appendix 1 to this DPA, Data Processor has specified the Sub-Processors it engages. Controller grants Data Processor permission to hire the Sub-Processors listed in Appendix 1 and authorises Data Processor to replace Sub-Processors and/or add other Sub-Processors. Data Processor shall notify Controller of any changes concerning the addition or replacement of the Sub-Processors hired by Data Processor. Controller reserves the right to object to any changes regarding Sub-Processors. Should the Controller raise a substantiated objection, the Controller may terminate the Service Agreement and this DPA effective as of the date the Sub-Processor change becomes effective.
8.2
Data Processor will enter into an agreement with a Sub-Processor in which the Sub-Processor, in particular with regard to security obligations, is subject to similar requirements as laid down in this DPA.
8.3
When engaging a Sub-Processor, the Data Processor remains responsible for the fulfilment of its obligations arising from this DPA.
9. International aspects
9.1
Data Processor processes the Personal Data exclusively within the EEA.
10. Auditing rights
10.1
Controller is entitled, with prior written notification with due observance of a period of two weeks and no more than once per calendar year, or whenever a Data Breach has occurred on the side of Data Processor, to conduct an investigation at Data Processor (hereinafter referred to as an Audit), to check whether the applicable laws and regulations and the provisions of this DPA are complied with. For this, Controller has the right to engage an independent third party, provided that this third party maintains confidentiality.
10.2
Data Processor will provide Controller reasonable cooperation, if and insofar as required for the Audit conducted by or on behalf of the Controller.
10.3
Controller will share the Audit-results with Data Processor within a reasonable period after completion of the Audit. If irregularities are found, the Parties will decide by mutual agreement in which manner and within which period these will be adjusted and remedied.
10.4
Data Processor shall be entitled to invoice Controller for any costs related to the Audit and/or any costs resulting from implementing the measures referred to in this article 10, except where it concerns an Audit due to a Data Breach which has occurred on the side of Data Processor.
11. Liability
The limitations and exclusions of liability outlined in the T&C shall apply to any claims arising under or in connection with this DPA and the Services provided. This includes but is not limited to, liability for data breaches, non-compliance with GDPR obligations, and any other liabilities associated with the processing of Personal Data under this DPA. This means that the total liability arising from the T&C and DPA jointly, will never exceed the maximum liability set forth in the T&C.
12. No Third-Party Beneficiaries
12.1
This DPA is made solely for the benefit of the Parties hereto, namely the Controller and the Data Processor. Nothing in this DPA shall be construed as conferring any rights or benefits to any third party, nor shall it entitle any third party to enforce any term or condition of this DPA. The Parties expressly agree that no third party shall have any rights, whether under the Contracts (Rights of Third Parties) Act 1999 (if applicable) or any other applicable law, to enforce any provision of this DPA or to rely on any term or condition contained herein.
13. General Terms
13.1
In the event of any contradiction between the provisions of this DPA and the T&C, the provisions of this DPA will prevail, unless the Parties expressly agree otherwise in writing.
13.2
The Parties may only amend this DPA in writing.
13.3
Obligations pursuant to this DPA, which by their nature are intended to continue even after termination of this DPA, such as but not limited to the article on liability, will continue to exist after termination of this DPA.
14. Governing Law and Jurisdiction
14.1
This DPA is exclusively governed by Dutch law.
14.2
Any disputes that may arise from this DPA will be submitted exclusively to the competent court in Amsterdam.
Appendix 1 – General Information
1. Purpose and Duration of Processing
1.1
Data Processor processes Personal Data on behalf of Controller in the performance of Data Processor’s Services for the duration of the Subscription Term. These services include Controller’s right to use and access the Uncover platform which uses the Personal Data to provide the Services.
1.2
In order to provide the Services, Data Processor uses Personal Data provided by Controller and uses detection methods (such as machine learning models). Data Processor uses the results of activities performed by Controller and its Authorised Users to continuously improve the Services, so as to provide Customer with the best possible support, including the most accurate insights and recommendations for Controller.
1.3
Data Processor also uses the Personal Data provided by Controller in order to generate insights for Controller on its commercial performance. Processing on behalf of the Controller shall continue for the duration of the Subscription Term, unless earlier terminated or extended by mutual agreement of the Parties in writing.
2. Type of Personal Data
2.1
The Personal Data that Customer imports to the Uncover Platform.
3. Categories of Data Subjects
The below list is an indication of possible Data Subjects and is not intended to be complete.
  • Controller’s clients
  • Directors and employees of Controller’s clients
  • Other natural persons whose Personal Data is processed by using the services due to the nature of these persons’ relationship with the Controller’s clients or other Data Subjects
4. Sub Processor(s)
Data Processor has engaged the following Sub-Processors:
  • Amazon Web Services, Inc. for cloud infrastructure services.
  • Microsoft Azure for artificial intelligence services.
Appendix 2 – Security measures
1. Organisational security
1.1
Uncover maintains the level of maturity required to remain ISO 27001 certified. In practice this means:
  • Authorizations are explicitly documented as a matter of procedure;
  • Authorizations are reviewed periodically;
  • All changes to applications, systems, and networks shall be tracked in a manner that ensures they are auditable and attributable to specific individuals.
1.2
Access to Client data or systems is awarded to a strictly limited number of staff that have committed to confidentiality.
1.3
A threat model/risk assessment for the Services is performed by an independent third party organisation on a yearly basis.
2. Data security
2.1
Customer data is classified by Uncover as the highest level of sensitivity and treated accordingly.
3. Network security
3.1
All data is encrypted both at rest and in transit using the latest industry standards. Servers handling personal data are isolated within a VPC (Virtual Private Cloud) with no public internet access, and traffic is strictly controlled by security groups based on IP address, protocol, and port. Access to Data Processor’s user interface is restricted by geographic whitelisting, allowing content delivery only to approved regions.
4. Validation
4.1
Every year, Uncover has an independent and adequate third party specialised in security testing perform an external and internal security test, within the scope of the penetration test, to validate its security measures.
4.2
Critical and high severity findings are resolved in a timely manner. A retest is performed to confirm the resolution of the findings.