Data Processing Agreement

Data Processing Agreement / Article 28 Terms

Last updated: 4 June 2026

Website: https://staging.mylawtools.co.uk/stg/

Operator: myLawTools part of QMConsultancy.uk trading as My Law Tools

Contact: admin@myLawTools.co.uk

1. Purpose

This Data Processing Agreement applies where you are the controller and we process personal data on your behalf as processor in connection with My Law Tools.

This Data Processing Agreement forms part of our agreement with you.

2. Roles

You are the controller where you determine the purposes and means of processing personal data contained in documents, files, client materials, case materials, user content or uploaded content.

We are the processor where we process that personal data only on your documented instructions to provide the tools or services.

In some circumstances, we may be an independent controller for account, billing, security, support, analytics and administration data.

3. Subject matter

The subject matter of processing is the provision of software tools for document processing, bundle creation, PDF production, redaction assistance, chronology building, deadline calculation, account management, subscription management, support and related services.

4. Duration

Processing continues for the duration of your account, subscription, use of the services and any retention period required for support, security, legal, tax, accounting or compliance purposes.

5. Nature and purpose of processing

Processing may include collection, upload, receipt, storage, access, viewing, organisation, extraction, conversion, indexing, pagination, redaction assistance, OCR, AI-assisted processing, export, deletion, support, transmission and troubleshooting.

6. Types of personal data

Personal data may include names, addresses, emails, telephone numbers, dates of birth, case references, employment data, financial data, health data, legal matter data, litigation data, criminal offence data, special category data, client data, witness data, staff data, user account data and any other personal data contained in user-uploaded documents.

7. Categories of data subjects

Data subjects may include users, clients, customers, employees, contractors, witnesses, opponents, solicitors, barristers, experts, judges, court staff, suppliers, directors, shareholders, creditors, debtors, family members, vulnerable individuals and any other individuals identified in uploaded or processed materials.

8. Your obligations as controller

You must have a lawful basis for processing, provide required privacy information where applicable, ensure personal data is accurate and lawful, avoid uploading unnecessary personal data, assess whether special category or criminal offence data is involved, ensure appropriate safeguards are in place, comply with data subject rights, comply with confidentiality and professional obligations, keep backups of your files and ensure your users comply with this agreement.

9. Our processor obligations

Where we act as processor, we will process personal data only on your documented instructions unless required by law, ensure persons authorised to process personal data are subject to confidentiality obligations, take appropriate technical and organisational security measures, assist you where reasonably possible with data subject requests, security, breach and compliance obligations, use subprocessors only as permitted under this agreement, help with deletion or return of personal data where required and technically possible, make available information reasonably necessary to demonstrate compliance and notify you if we believe an instruction infringes data protection law.

10. Subprocessors

You authorise us to use subprocessors to provide hosting, storage, security, email, payment, analytics, support, OCR, AI, document processing and other operational services.

We will ensure subprocessors are subject to appropriate contractual obligations. We remain responsible for subprocessors as required by applicable data protection law.

A live subprocessor list should be maintained on the Subprocessor List page.

11. Security measures

Security measures may include, as appropriate, access controls, authentication controls, encryption in transit, encryption at rest where available, logging and monitoring, least-privilege access, backups where applicable, malware protection, secure hosting, vulnerability management, staff confidentiality, incident response procedures and separation of environments where appropriate.

No system is guaranteed secure.

12. Personal data breaches

Where we become aware of a personal data breach affecting personal data we process as your processor, we will notify you without undue delay after becoming aware of it.

You are responsible for deciding whether notification to the ICO, affected individuals, clients, regulators, courts or others is required.

13. Data subject rights

Where we act as processor, we will provide reasonable assistance with data subject rights requests where technically possible and proportionate.

We may charge reasonable fees for excessive, complex or manual assistance unless the law prevents this.

14. International transfers

Where international transfers occur, we will use appropriate safeguards required by applicable data protection law.

15. Return or deletion

At the end of processing, we will delete or return personal data where required and technically possible, unless retention is required by law or legitimate business need.

You are responsible for exporting and backing up your own files before closing your account.

16. Audits

We will provide reasonable information to demonstrate compliance. On-site audits are not permitted unless legally required or separately agreed in writing. We may satisfy audit obligations by providing policies, summaries, security information, certificates, subprocessors list or written responses.

17. Liability

Liability under this Data Processing Agreement is subject to the limitations and exclusions in our Terms and Conditions, except where such limits are not permitted by law.