Data Processing Agreement
Last updated: March 9, 2026
Overview
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Tutelr ("Processor") and the customer ("Controller") and governs the processing of personal data by Tutelr on behalf of the customer. This DPA is designed to ensure compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the UK GDPR.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Service" means the Tutelr contract analysis platform and related services as described in the Terms of Service.
2. Scope and Purpose of Processing
The Processor shall process Personal Data only to the extent necessary to provide the Service to the Controller, as described in this DPA and the Terms of Service. The details of processing are as follows:
- Subject matter: Provision of AI-powered contract analysis services
- Duration: For the term of the service agreement between Controller and Processor
- Nature and purpose: Processing contract documents for automated risk analysis, storage of analysis results, user account management, and payment processing
- Types of Personal Data: Names, email addresses, contract content (which may contain personal data of third parties), payment information, usage data
- Categories of Data Subjects: Controller's employees, contractors, and end users; third parties named in contracts uploaded to the Service
3. Roles and Responsibilities
Data Controller
The Controller determines the purposes and means of processing Personal Data. The Controller is responsible for:
- Ensuring a lawful basis for processing Personal Data
- Providing any required notices to Data Subjects
- Obtaining any necessary consents from Data Subjects
- Ensuring that the content uploaded to the Service does not violate applicable laws
Data Processor
The Processor processes Personal Data on behalf of the Controller. The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Not process Personal Data for any purpose other than providing the Service
- Inform the Controller if, in the Processor's opinion, an instruction infringes applicable data protection laws
4. Processor Obligations
The Processor shall:
- Process Personal Data only in accordance with the Controller's documented instructions
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation
- At the Controller's choice, delete or return all Personal Data upon termination of the Service
- Make available all information necessary to demonstrate compliance with this DPA
5. Sub-processing
The Controller provides general authorization for the Processor to engage Sub-processors. The current list of Sub-processors is available at tutelr.com/subprocessors.
The Processor shall:
- Notify the Controller at least 30 days before adding or replacing a Sub-processor
- Impose data protection obligations on Sub-processors that are no less protective than those in this DPA
- Remain fully liable for the acts and omissions of its Sub-processors
If the Controller objects to a new Sub-processor, the Controller may terminate the affected Service by providing written notice within 30 days of receiving notification of the new Sub-processor.
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection laws, including the right to:
- Access their Personal Data
- Rectify inaccurate Personal Data
- Erase their Personal Data ("right to be forgotten")
- Restrict processing of their Personal Data
- Port their Personal Data (data portability)
- Object to processing of their Personal Data
If the Processor receives a request from a Data Subject directly, it shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless legally required to do so.
7. International Data Transfers
The Processor may transfer Personal Data outside the European Economic Area (EEA) or the United Kingdom only where appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfers to countries with an adequacy decision from the European Commission
- The EU-US Data Privacy Framework, where applicable
The Processor shall ensure that any Sub-processors located outside the EEA or UK are subject to equivalent data protection safeguards. See our Subprocessor List for the location of each Sub-processor.
8. Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access control: Role-based access controls with least privilege principle
- Authentication: Multi-factor authentication for infrastructure access
- Network security: Cloudflare DDoS protection, WAF, and network isolation
- Monitoring: Continuous security monitoring and logging
- Incident response: Documented incident response procedures
- Employee training: Regular security awareness training for all personnel
- Vulnerability management: Regular security assessments and patching
9. Data Breach Notification
In the event of a Data Breach, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide sufficient information to allow the Controller to meet its obligations to report the breach to supervisory authorities and Data Subjects
- Take immediate steps to contain, investigate, and remediate the breach
- Cooperate with the Controller and provide all reasonable assistance in connection with the breach
The notification shall include, to the extent available:
- The nature of the breach, including categories and approximate number of Data Subjects affected
- The likely consequences of the breach
- Measures taken or proposed to address the breach
- The contact details of the Processor's data protection point of contact
10. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws.
The Controller (or an independent third-party auditor appointed by the Controller) may conduct audits of the Processor's data processing activities, subject to the following conditions:
- The Controller shall provide at least 30 days' prior written notice
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
- Audits shall be limited to once per year, unless required by a supervisory authority or following a Data Breach
- The auditor shall be bound by confidentiality obligations
- The Controller shall bear the costs of the audit
11. Termination and Data Deletion
Upon termination of the Service agreement, the Processor shall, at the Controller's choice:
- Delete all Personal Data processed on behalf of the Controller, including all copies, within 30 days of termination
- Return all Personal Data to the Controller in a commonly used, machine-readable format before deletion
The Processor shall certify in writing that all Personal Data has been deleted. The Processor may retain Personal Data only to the extent required by applicable law, in which case the Processor shall inform the Controller and continue to protect such data in accordance with this DPA.
12. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such limitation is not permitted under applicable law.
13. Governing Law
This DPA shall be governed by and construed in accordance with the governing law provisions of the Terms of Service, except where applicable data protection laws require otherwise.
14. Contact
For questions about this DPA or to exercise your rights:
- Email: [email protected]
- Support: Contact Form
For details on our privacy practices, please see our Privacy Policy.