Data Processing Addendum (DPA)
Enterprise data terms for CounselGrid.
Version: 1.0
This DPA applies where CounselGrid processes personal data on behalf of an enterprise customer under a subscription agreement. It supplements the Terms of Service and the main agreement. If there is a conflict, the DPA controls for data processing terms.
1. Roles
- Customer (enterprise/tenant) determines purposes and means of processing and acts as data fiduciary/controller (as applicable).
- CounselGrid processes personal data on behalf of Customer and acts as data processor (as applicable).
2. Processing instructions
CounselGrid will process personal data only on documented instructions from Customer, including to provide and support the Services, unless required by law to which CounselGrid is subject.
3. Security measures
CounselGrid will implement reasonable technical and organizational measures designed to protect personal data. See Security & Trust for an overview.
4. Subprocessors
CounselGrid may engage subprocessors (e.g., cloud hosting providers, AI services) to provide the Services. CounselGrid will impose contractual obligations on subprocessors to protect personal data.
Current Subprocessors:
| Subprocessor | Service | Location | Safeguards |
|---|---|---|---|
| Google Cloud Platform | Infrastructure, Database (Firestore), Storage | India (asia-south1), Multi-region | Google Cloud DPA, SOC 2, ISO 27001 |
| OpenAI | AI analysis, document generation | United States | Enterprise API terms, no training on data |
| Anthropic | Legal research, AI analysis | United States | Commercial terms, 30-day retention only |
| Razorpay (if applicable) | Payment processing | India | PCI-DSS Level 1, RBI regulated |
We will notify enterprise customers of any changes to subprocessors with reasonable notice. Contact legal@counselgrid.com for subprocessor change notifications.
5. Data subject requests and assistance
CounselGrid will provide reasonable assistance to Customer to respond to requests from data principals/data subjects, where applicable, considering the nature of processing and available information.
6. Data breach notification
CounselGrid will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, and will provide information reasonably required to support Customer’s response obligations.
7. Return / deletion
Upon termination of the Services, CounselGrid will return or delete Customer personal data as agreed, subject to retention required by law.
8. Advocates Act / confidentiality
Where Customer users are advocates or legal professionals, Customer is responsible for ensuring that use of the Services aligns with professional duties and confidentiality. Nothing in this DPA limits those obligations; if additional safeguards are needed, Customer should configure the platform accordingly and/or negotiate enterprise controls.
9. Contact
Enterprise privacy: privacy@counselgrid.com
Legal: legal@counselgrid.com