Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between Nomoaxis ("Processor") and the customer ("Controller") for the provision of the Nomoaxis legal practice management service (the "Service"). It is entered into to comply with Article 28 of Regulation (EU) 2016/679 ("GDPR") and equivalent provisions of the UK GDPR and the Swiss FADP. By creating an account on Nomoaxis you accept this DPA on behalf of your firm.
1. Definitions
Terms not defined here have the meaning given in the GDPR. "Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have their GDPR meaning. "Customer Data" means the Personal Data the Controller uploads to or generates in the Service.
2. Subject matter, duration, nature, and purpose
- Subject matter: processing of Customer Data necessary to provide the Service.
- Duration: for as long as the Controller maintains an active Nomoaxis subscription, plus the deletion period in §10.
- Nature and purpose: hosting, storage, transmission, organisation, retrieval, and display of legal practice management data, including authentication, billing, audit logging, and AI-assisted drafting, summarisation, and Q&A over Controller-authorised matter and client context.
3. Categories of Personal Data and data subjects
Categories of Personal Data:
- Identification and contact data (names, emails, phone numbers).
- Matter content (case descriptions, documents, notes, deadlines, tasks).
- Billing and time-tracking data (invoices, time entries, fee agreements, payment records).
- Account and authentication data (password bcrypt hashes only; MFA factors).
- Technical data (IP address, user-agent, audit log entries).
- AI interaction data (prompts, role-filtered context summaries, and model responses generated through Nomoaxis AI, the document AI assistant, and the support chat).
The processing may incidentally include special categories of data (GDPR Art. 9) where the Controller's matters relate to health, criminal proceedings (Art. 10), or other sensitive subjects. The Controller is responsible for ensuring it has a valid legal basis for processing such data.
Categories of data subjects: the Controller's firm members, the Controller's clients, opposing parties, witnesses, and any other natural persons referenced in the Controller's matters.
4. Obligations of the Processor
The Processor shall:
- Process Customer Data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required to do so by EU or Member State law.
- Ensure that persons authorised to process Customer Data are bound by a duty of confidentiality.
- Implement appropriate technical and organisational measures (see §6).
- Engage Sub-Processors only on the terms in §5.
- Assist the Controller in fulfilling its obligations to respond to data subject requests (§8).
- Notify the Controller of Personal Data Breaches within 72 hours (§7).
- At the Controller's choice, delete or return Customer Data on termination (§10).
- Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits.
5. Sub-processors
The Controller authorises the Processor to engage the following Sub-Processors:
| Sub-processor | Service provided | Region |
|---|---|---|
| Lovable Cloud | Application hosting, edge runtime, CDN, AI Gateway (support chat routing) | EU / Global |
| Supabase | Managed PostgreSQL, authentication, file storage | EU |
| Stripe Payments Europe, Ltd. | Subscription billing and card processing | IE / US |
| Anthropic PBC (160 Eureka Street, San Francisco, CA 94114, USA) | AI language model inference for the Nomoaxis AI panel and document assistant. Ephemeral processing; technical API logs are retained by Anthropic for up to 7 days for security and abuse prevention, after which they are automatically deleted. No training on Customer Data. | USA |
| Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) | Model inference for support chat (gemini-3-flash-preview) via Lovable AI Gateway. Receives only the user's typed message and static KB articles. No workspace data, identifiers, or encrypted content. | USA |
| Brave Software Inc. (via Anthropic) | Web search provider for AI-powered legal research. Processes anonymized search queries generated automatically by the AI — no client names, matter numbers, or personal identifiers are included. Applicable when the Nomoaxis AI Assistant performs web search for legal research (case law, legislation, official gazettes). Data transferred: anonymized search queries only (no personal data). Safeguards: Brave Software is listed on Anthropic's subprocessor register; Anthropic maintains a DPA with Standard Contractual Clauses (SCCs) covering Brave Search. | USA |
| Sentry (sentry.io) | Client-side error monitoring. EU region; no PII, no IP, no session replay, no performance tracing. | EU |
| open.er-api.com | Public FX rate feed for Reports currency conversion. No personal data sent. | US |
The Processor shall give the Controller at least 30 days' prior written notice (including by in-app notice or email) before adding or replacing a Sub-Processor. The Controller may object in writing on reasonable data-protection grounds. If the parties cannot resolve the objection in good faith within 30 days, the Controller may terminate the affected portion of the Service with a prorated refund of any unused prepaid fees. The Processor shall impose data-protection obligations on each Sub-Processor that are no less protective than those in this DPA.
6. Security measures (Art. 32 GDPR)
The Processor implements and maintains the following measures:
- Encryption at rest: XChaCha20-Poly1305 with per-workspace data encryption keys; documents stored in a private bucket; database TDE.
- Encryption in transit: TLS 1.2+ for all client and inter-service traffic.
- Authentication: bcrypt password hashing; HIBP breached-password checks; multi-factor authentication; configurable session limits and idle timeouts; device-bound sessions.
- Access control: PostgreSQL row-level security; role-based access (owner/admin/partner/associate/client); least-privilege service accounts; secrets stored only in the platform secrets manager.
- Audit logging: append-only, hash-chained audit log of all administrative and security-relevant actions; tamper-evident via a SHA-256 hash chain.
- Network and platform: WAF, DDoS protection, strict Content-Security-Policy with per-request nonce, HSTS, COEP/COOP.
- Backups: daily encrypted backups with point-in-time recovery; geographically separated storage.
- Personnel: need-to-know access, confidentiality agreements, background checks where lawful, security training.
- AI access control: server-side role and assignment checks gate which matter and client context can be sent to the model; revenue figures are withheld from context for non-owner/partner roles; per-seat monthly token quotas enforced server-side.
7. Personal Data Breach notification
The Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Data. The notice will, to the extent then known, describe (a) the nature of the breach, (b) the categories and approximate number of data subjects and records concerned, (c) the likely consequences, and (d) the measures taken or proposed to address it. The Processor will cooperate with the Controller's investigation and remediation efforts and provide updates as new information becomes available.
8. Assistance with data subject rights
The Service provides in-product tools to export and delete Customer Data so the Controller can directly respond to access, rectification, erasure, restriction, portability, and objection requests. Where additional Processor assistance is reasonably necessary, the Processor will provide it taking into account the nature of the processing and the information available to it.
9. International transfers
Where Customer Data is transferred outside the EEA, UK, or Switzerland, the parties rely on the European Commission's Standard Contractual Clauses (Decision 2021/914), Module 2 (controller to processor) or Module 3 (processor to processor), as applicable, which are deemed incorporated into this DPA by reference. The UK International Data Transfer Addendum and the Swiss FDPIC addendum apply where relevant. The parties agree to the optional docking clause. The Processor maintains a Transfer Impact Assessment, which is available to the Controller on request.
10. Return or deletion of data on termination
On termination or expiry of the Service the Controller may export all Customer Data via the in-product JSON export. Unless the Controller requests otherwise within 30 days of termination, the Processor will delete all Customer Data (including from backups, in the backups' ordinary rotation cycle of up to 35 days) and certify deletion on request, save where retention is required by EU or Member State law.
AI conversation history (Nomoaxis AI panel, document AI assistant) is deleted on workspace deletion and can be cleared on demand by each user from the AI panel during the subscription term.
11. Audits
Once per twelve-month period, and more frequently where required by a competent supervisory authority, the Controller may audit the Processor's compliance with this DPA. The Processor will respond to reasonable audit requests by providing available compliance documentation, including security questionnaire responses, penetration test summaries (where available and subject to confidentiality), and descriptions of technical and organisational measures in effect. Where the Processor obtains third-party certifications (e.g. SOC 2, ISO 27001) in the future, such certifications will also be made available to the Controller upon request. On-site audits are at the Controller's cost and subject to reasonable confidentiality and security requirements.
12. Liability and conflicts
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. In the event of a conflict between this DPA and the Terms with respect to the processing of Personal Data, this DPA prevails.
13. Governing law
This DPA is governed by the laws of the Hellenic Republic. Disputes are subject to the exclusive jurisdiction of the courts of Athens, Greece, subject to the SCCs' own governing-law and jurisdiction clauses where they apply to transfers.
14. Records of processing activities (Art. 30 GDPR)
AI Legal Research via Web Search
- Activity: AI-generated anonymized search queries → Anthropic API → Brave Search.
- Legal basis: Article 6(1)(b) GDPR — performance of contract.
- Data subjects: Workspace users (query originators only — no client data).
- Recipients: Anthropic PBC, Brave Software Inc. (anonymized queries only).
- Retention: Not retained — ephemeral processing only.
- Note: Queries do not contain client names, matter references, or personal identifiers.
AI Usage Events (`ai_usage_events` table)
- Activity: Per-API-call usage logging for billing, seat limits, and owner transparency.
- Legal basis: Article 6(1)(b) GDPR — performance of contract.
- Data stored: workspace_id, user_id, model, agent_type, token counts, context_type, matter_id (nullable), search_count.
- Recipients: Nomoaxis (Supabase).
- Retention: Duration of contract + 30 days post-termination (CASCADE DELETE from workspaces).
15. Contact
Privacy enquiries: [contact@nomoaxis.com](mailto:contact@nomoaxis.com). Security incidents: [contact@nomoaxis.com](mailto:contact@nomoaxis.com).