Data Processing Agreement
Effective date: 24 March 2026
This DPA is incorporated into and forms part of the Terms & Conditions between you (the Customer) and LexMT. It governs the processing of personal data by LexMT on your behalf.
1. Definitions
For the purposes of this Agreement:
- Agreement: this Data Processing Agreement together with the LexMT Terms & Conditions.
- Controller: the Customer, being the natural or legal person who determines the purposes and means of processing personal data submitted to LexMT.
- Processor: LexMT, operated by Thomas Kemp, processing personal data on behalf of the Controller.
- Data Subject: any identified or identifiable natural person whose personal data is processed through the LexMT platform.
- Personal Data: any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- Special Category Data: personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, data concerning sex life or sexual orientation, genetic data, biometric data, or criminal offence data (Articles 9-10 GDPR).
- Processing: any operation performed on personal data, including collection, recording, storage, retrieval, consultation, use, disclosure, erasure, or destruction.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
- Sub-Processor: any third party engaged by LexMT to process personal data on behalf of the Controller.
2. Subject Matter and Nature of Processing
LexMT provides an AI-powered legal research and drafting platform. In providing the Service, LexMT may process personal data submitted by the Customer, including:
- Query text and search questions entered by users
- Documents uploaded by users for analysis or drafting assistance (PDFs, DOCX, images, and other supported formats)
- Query history associated with the Customer's account (Pro subscribers)
- Bookmarked case references, parties, and snippets (Pro subscribers)
- Shared answer content (question, AI response, source list) linked to a public permalink
- User account information (name, email address, professional sector)
Important: document handling. Documents uploaded to LexMT are processed entirely in working memory for the purpose of generating an AI response. Document contents are transmitted to our AI sub-processor (Anthropic) and are not stored by LexMT after the query is completed. Query history records contain only the user's typed question. Uploaded document contents are never written to persistent storage by LexMT.
The Customer acknowledges that uploaded documents may contain personal data, including Special Category Data (for example, legal case files, medical reports, or criminal proceedings documents). The Customer is responsible for ensuring they have a lawful basis under Article 9 GDPR before submitting Special Category Data to LexMT.
3. Duration
This Agreement commences on the date the Customer first uses the LexMT platform and remains in force for the duration of the Customer's subscription or access to LexMT. Upon termination, this Agreement shall continue to apply until all personal data has been deleted or returned in accordance with Clause 9.
4. Obligations of the Processor
LexMT, as Processor, shall:
- Process personal data only on documented instructions from the Controller (i.e. providing the LexMT service) and not for any other purpose, unless required to do so by EU or Member State law.
- Ensure that persons authorised to process personal data have committed themselves to confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
  - Encryption of data in transit (TLS 1.2+)
  - Encrypted storage volumes (AWS EBS encryption) for data at rest
  - Access controls limited to authorised personnel only
  - No storage of uploaded document contents beyond the active query session
- Respect the conditions set out in Clause 5 for engaging Sub-Processors.
- Assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, portability, restriction, objection).
- Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation).
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with this Agreement.
5. Sub-Processors
The Controller grants LexMT general authorisation to engage Sub-Processors to assist in providing the Service. LexMT currently engages the following Sub-Processors:
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Anthropic PBC | AI language model processing (generates answers and drafts) | United States (SCCs apply) | Query text, uploaded document contents (in transit only, not stored by Anthropic beyond query session per their DPA) |
| Hetzner Online GmbH | Cloud hosting and infrastructure (dedicated CCX33 instance) | EU (Helsinki, Finland) | Account data, query history, saved cases, shared answers, encrypted application data |
| Resend Inc. | Transactional email delivery | United States (SCCs apply) | Email address, email content (verification, notifications) |
LexMT shall notify the Controller of any intended changes to Sub-Processors (additions or replacements) by updating this page with at least 30 days' prior notice. If the Controller objects to a new Sub-Processor, it may terminate its subscription in accordance with the Terms & Conditions.
LexMT shall impose data protection obligations equivalent to those in this Agreement on all Sub-Processors, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
6. International Transfers
Where personal data is transferred to Sub-Processors located outside the European Economic Area (EEA), specifically Anthropic and Resend, both located in the United States, such transfers are made subject to the Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) GDPR (Commission Decision 2021/914), or such other appropriate safeguards as may apply.
Hetzner Online GmbH is an EU-based provider (Germany/Finland) and processing on Hetzner infrastructure does not constitute a third-country transfer.
7. Security of Processing
LexMT has implemented and maintains the following technical and organisational security measures:
Encryption in transit
All data transmitted between users and LexMT servers is encrypted via TLS 1.2 or higher.
Encryption at rest
All persistent storage on Hetzner infrastructure is encrypted. Database files (SQLite) are stored on encrypted volumes with access restricted by filesystem permissions.
Access control
Application access is restricted to authenticated users via signed session tokens (HttpOnly cookies). Server access is restricted to authorised operators via SSH key authentication only. Password authentication is disabled.
Document non-persistence
Uploaded document contents are processed in working memory only and are never written to persistent storage by LexMT.
Network security
Infrastructure is hosted on a dedicated Hetzner Cloud instance. The AI API (FastAPI) is bound to 127.0.0.1 and is not publicly accessible. An nginx reverse proxy enforces HTTPS for all endpoints. Port 8000 is blocked at the firewall level.
Minimal data retention
Query history retains only the user's typed question. Uploaded document contents are never persisted. Saved cases store only case metadata (reference, parties, court, date, snippet) with no full judgment text. Shared answers are stored only when explicitly created by the user. Account data is retained only for the duration of the subscription plus 12 months.
8. Personal Data Breaches
In the event of a personal data breach affecting data processed under this Agreement, LexMT shall notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach, providing at minimum:
- A description of the nature of the breach, including categories and approximate number of Data Subjects and records concerned
- The name and contact details of the data protection contact point
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
Breach notifications shall be sent to the Customer's registered email address and to hello@lex.mt.
9. Deletion and Return of Data
Upon termination or expiry of the Customer's account, or upon written request, LexMT shall:
- Delete all personal data associated with the Customer's account from LexMT's systems within 30 days
- Procure deletion of Customer personal data held by Sub-Processors where LexMT has the contractual right to do so
- Provide written confirmation of deletion upon request
Customers may delete their own account and all associated query history at any time via the My Account page.
LexMT may retain data in anonymised or aggregated form that does not identify any individual.
10. Data Subject Rights
LexMT shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Chapter III GDPR. To exercise rights of access, rectification, erasure, portability, or restriction, Data Subjects should contact the Controller in the first instance. Where LexMT receives a direct request from a Data Subject, it shall promptly forward the request to the Controller.
Users of the LexMT platform may exercise the following rights directly via their account:
- Access & portability: query history is available via the dashboard
- Erasure: account deletion (including all query history) available via My Account → Delete Account
- Rectification: name and sector editable via My Account
- Other requests: contact hello@lex.mt
11. Obligations of the Controller
The Customer, as Controller, represents and warrants that:
- It has a lawful basis under Article 6 GDPR and, where applicable, Article 9 GDPR for submitting personal data (including Special Category Data) to LexMT.
- It has provided, or will provide, appropriate notice to Data Subjects regarding the processing of their personal data via LexMT, including the use of Sub-Processors.
- It shall not submit to LexMT any personal data that it is not lawfully permitted to process.
- It is responsible for the accuracy and legality of all personal data submitted to LexMT.
- Where the Customer is a law firm or regulated entity, it is responsible for ensuring that its use of LexMT complies with its professional obligations regarding client confidentiality and data protection.
12. Liability and Indemnification
Each party shall be liable for and shall indemnify the other in respect of any damage caused to the other party by its breach of this Agreement. LexMT's total liability under this Agreement shall not exceed the fees paid by the Customer in the 12 months preceding the event giving rise to the claim. Neither party shall be liable for indirect, consequential, or punitive damages.
LexMT is not liable for processing carried out by the Customer in breach of this Agreement or GDPR, including submission of personal data without a lawful basis.
13. Governing Law and Jurisdiction
This Agreement is governed by the laws of Malta and the European Union. Any disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Malta. This Agreement reflects and supplements the requirements of GDPR and shall be interpreted in accordance with it.
14. Precedence
In the event of any conflict or inconsistency between this Agreement and the LexMT Terms & Conditions, the provisions of this Agreement shall prevail with respect to data protection matters.
15. Contact & Execution
This Agreement is entered into automatically when the Customer creates a LexMT account and is bound by the Terms & Conditions. No separate signature is required for standard subscriptions.
Enterprise customers and law firms requiring a countersigned PDF version of this Agreement for their compliance records should contact:
Last updated: 24 March 2026 · Subject to revision with 30 days' notice