Data Processing Agreement (DPA) � Lex Partis

This Data Processing Agreement (hereinafter, the �DPA�) regulates the obligations of the parties in relation to the processing of personal data carried out by LexPartis Technology Services S.L. (www.lexpartis.com), in its capacity as Data Processor, on behalf of the Client, who holds the status of Data Controller. This DPA is an integral part of the Terms and Conditions accepted by the Client upon contracting the Service and complies with the requirements of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (GDPR), as well as, where applicable, with Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

1. Parties

On one part, the Client identified in their account within the Lex Partis platform, in their capacity as Data Controller (hereinafter, the �Controller�).

On the other part, LexPartis Technology Services S.L., with CIF B44741924, registered office at Av. Diagonal 468, 08006 Barcelona, España, Inscrita en el Registro Mercantil de Barcelona, CIF B44741924., in its capacity as Data Processor (hereinafter, the �Processor� or �Lex Partis�).

2. Purpose of the engagement

This DPA aims to regulate the conditions under which the Processor will process personal data on behalf of the Controller in execution of the main contract for the provision of SaaS services subscribed between the parties (the �Terms�). The Processor shall act solely in accordance with the documented instructions of the Controller and as provided in this DPA, without using the data for any other purpose, nor transferring it, even for safekeeping, to other parties.

3. Duration

This DPA shall come into effect on the date of acceptance by the Client and shall remain in force for as long as the Processor provides the Service to the Controller. Upon its termination, the obligations of the Processor regarding the return, deletion, and, where applicable, mandatory legal retention of personal data shall survive in accordance with the terms set out in the corresponding clause.

4. Nature, purpose, data and data subjects

Nature of the processing: hosting, storage, processing, consultation, modification, export and deletion of personal data as necessary for the provision of the Lex Partis platform.

Purpose of the processing: to enable the Controller to manage succession, judicial and notarial files, coordinate with their clients, generate documentation, electronically sign acts, ensure evidential traceability and, in general, the functionalities of the Service described at www.lexpartis.com.

Categories of personal data processed

Identifying and contact data of the Controller, their users, their clients (causants and heirs) and other participants (representatives, counterparts, professionals).
Professional data (registration, protocol number, practitioners).
Economic and asset data related to the estate.
Data contained in submitted documents (wills, certificates of last wishes, deeds, invoices, communications).
When the Controller inputs them, data relating to special categories under Article 9 GDPR (for example, health data relevant for incapacitations or substitutions) or data relating to criminal convictions and offences (Article 10 GDPR).
Data on the use of the platform (activity logs, IP addresses, technical headers) processed for security and traceability purposes.

Categories of data subjects

Users of the Controller (partners, lawyers, paralegals, administrative staff).
Clients and counterparts of the Controller (causants, heirs, legitimaries, legatees, creditors, debtors, experts).
Third parties mentioned in the documentation processed in the Service.

5. Obligations of the Data Controller

The Data Controller, as the Data Controller, guarantees to the Processor that:

It has the appropriate legal basis for each processing carried out through the platform.
It has informed the data subjects in accordance with Articles 13 and 14 of the GDPR and, where applicable, has obtained their informed, free and specific consent.
It complies with its obligations as Data Controller, in particular those relating to the exercise of data subjects' rights, information obligations, and conducting impact assessments when required.
It will only input personal data into the platform that is adequate, relevant and limited to what is necessary in relation to the purposes of the processing (principle of minimisation).

6. Obligations of the Processor

The Processor undertakes to:

Process personal data only in accordance with the documented instructions of the Data Controller, including when it involves international transfers, unless required to do so by Union law or the applicable Member State law, in which case it will inform the Data Controller of the legal obligation unless prohibited by law.
Ensure that persons authorised to process personal data are committed to confidentiality or are under a legal obligation of confidentiality.
Implement and maintain appropriate technical and organisational measures as provided for in Article 32 of the GDPR.
Assist the Data Controller, to the extent possible and through appropriate technical and organisational measures, in complying with its obligation to respond to requests concerning the exercise of data subjects' rights.
Assist the Data Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR (security, breach notification, impact assessments and prior consultations).
Provide the Data Controller with all necessary information to demonstrate compliance with the obligations of Article 28 of the GDPR, as well as to enable and contribute to audits, as provided for in the relevant clause.
Immediately inform the Data Controller if, in its opinion, any instruction infringes data protection regulations.

7. Confidentiality

The Processor shall maintain the duty of confidentiality regarding the personal data subject to processing, even after the provision of the Service has ended. It shall ensure that personnel authorised to process such data are subject to a documented obligation of confidentiality, equivalent to the professional secrecy obligation where applicable, and have received the necessary training in data protection.

8. Technical and organisational measures

The Processor implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons. In particular:

Encryption in transit using TLS 1.3 and encryption at rest (AES-256) on stored data.
Role-based access control (RBAC), principle of least privilege, and multi-factor authentication available for users.
Logical multi-tenant segregation: the data of each Data Controller is isolated by organisation identifiers in each read and write operation.
Cryptographic traceability with timestamping (TSA) on critical operations (creation, modification, signing).
Regular backups with verified recovery, stored in infrastructure located within the EEA.
Automated security tests on each deployment, continuous monitoring, and formal procedures for incident and vulnerability management.
Periodic training of staff on data protection and information security.

The detailed description of the current technical and organisational measures can be consulted, upon reasonable request, by contacting dpo@lexpartis.com.

9. Notification of security breaches

The Processor shall notify the Controller, without undue delay and in any event within seventy-two (72) hours of becoming aware, of any breach of security of personal data affecting data processed on behalf of the Controller, in accordance with Article 33.2 GDPR.

The notification shall include, to the extent that the information is available, the nature of the breach, the categories and approximate number of data subjects affected, the possible consequences, the measures taken or proposed to address the breach and, where applicable, the measures to mitigate any potential negative effects. If the information cannot be provided simultaneously, the Processor shall provide it in a staggered manner without undue delay.

10. Sub-processors

The Controller authorises the Processor, generally and upon prior communication, to engage the sub-processors identified at www.lexpartis.com/legal/subprocessors. The list will be kept updated on that page, which forms an integral part of this DPA for the purposes of Article 28.2 GDPR.

The Processor shall enter into a written contract with each sub-processor imposing data protection obligations equivalent to those contained in this DPA. The Processor shall remain fully liable to the Controller for the compliance of the sub-processor with its obligations.

When the Processor intends to engage new sub-processors or replace existing ones with substantial effect, it shall notify the Controller at least fifteen (15) calendar days in advance, by updating the sub-processors page and, where appropriate, through specific communication. The Controller may object on justified grounds related to data protection, directing its objection to dpo@lexpartis.com. If the parties do not reach a satisfactory solution, the Controller may terminate the contract without penalty.

11. International transfers

When, for the provision of the Service, it is necessary to carry out international transfers of personal data outside the European Economic Area, these shall be carried out exclusively under the mechanisms provided for in Chapter V of the GDPR: (i) adequacy decision of the European Commission; (ii) Standard Contractual Clauses approved by Implementing Decision (EU) 2021/914; (iii) binding corporate rules; or (iv) any other legally admissible instrument, with the additional technical and organisational measures that may be necessary in each case.

The identity of the sub-processors involved in international transfers and the specific guarantees applicable are published at www.lexpartis.com/legal/subprocessors. The Controller may obtain a copy of the guarantees adopted by contacting dpo@lexpartis.com.

12. Data subject rights

The Processor shall assist the Controller, through appropriate technical and organisational measures, to ensure that the Controller can respond in a timely manner to requests for the exercise of rights made by data subjects (access, rectification, erasure, restriction of processing, data portability and objection; and, where applicable, the right not to be subject to automated individual decision-making).

If the Processor receives a request for the exercise of rights directly from a data subject regarding data processed on behalf of the Controller, it shall forward it to the Controller without undue delay and, unless expressly instructed otherwise, shall not respond directly to the data subject.

13. Return or deletion upon termination

Upon termination of the contract, the Processor, at the Controller's choice, shall return or delete all personal data processed on behalf of the Controller, as well as any existing copies, unless the retention of the data is required by Union or applicable Member State law. To this end, the Processor shall make available to the Controller, within a maximum period of thirty (30) calendar days from termination, the export functionalities provided in the platform.

After this period, if the Controller has not requested the return, the Processor shall proceed to securely delete or, where applicable, irreversibly anonymise the personal data, documenting compliance with this obligation for the Controller when requested.

14. Audits

The Processor shall make available to the Controller, upon reasonable request and with a maximum frequency of once (1) a year (unless there are reasonable indications of non-compliance or required by a supervisory authority), the information necessary to demonstrate compliance with this DPA, including, where applicable, certifications, external audit reports or assurance reports (SOC 2, ISO 27001, European certification schemes).

When such information is insufficient and there is reasonable justification, the Controller may conduct, directly or through an independent auditor bound by confidentiality obligations, an audit of the technical and organisational measures implemented. The audit shall be conducted during business hours, without significantly affecting the Processor's operations, and the costs shall be borne by the Controller unless the audit reveals substantial non-compliance by the Processor.

15. Liability

Each party shall be liable to the other and to data subjects for any damages caused as a result of the breach of their respective obligations, under the terms provided in Article 82 GDPR and applicable legislation. The economic liability of the Processor to the Controller arising from this DPA is subject to the limits set out in the Terms, to the extent compatible with mandatory regulations.

16. Applicable law and jurisdiction

This DPA is governed by Derecho español and, in particular, by the GDPR and the LOPDGDD. For the resolution of any disputes, the parties submit to the Tribunales competentes de Barcelona, España, expressly waiving any other jurisdiction, without prejudice to the mandatory submission that may apply when the Controller is a consumer.