Draft — Pending Attorney Review. This is a production-ready draft. Final language will be confirmed by qualified legal counsel before Asolo's general availability launch. This document does not constitute legal advice.

Data Processing Addendum

Effective Date: [Pending attorney review — to be set before general availability]

Availability: This Data Processing Addendum (“DPA”) is available to Firm tier subscribers. Solo and Professional tier subscribers are covered by the data processing provisions of the Asolo Terms of Service and Privacy Policy.

To request an executed DPA: Email legal@asolo.ai from the email address associated with your Firm tier account.

This Data Processing Addendum (“DPA”) is entered into between: you, as the data controller (“Controller”) — being the law firm or licensed attorney(s) subscribing to Asolo at the Firm tier; and Grantley Holdings LLC d/b/a Asolo (“Processor”) — as the data processor. This DPA supplements and forms part of your Terms of Service with Asolo. In the event of conflict, this DPA governs with respect to data processing matters.

1. Definitions

  • "Applicable Data Protection Law" means GDPR, UK GDPR, CCPA, and any other data protection legislation applicable to processing of personal data under this DPA.
  • "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).
  • "Controller" means the law firm and/or licensed attorney(s) using the Asolo platform who determine the purposes and means of processing.
  • "Processor" means Grantley Holdings LLC d/b/a Asolo, acting on the Controller's instructions.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Applicable Data Protection Law.
  • "Processing" and "Process" have the meanings given in Applicable Data Protection Law.
  • "Sub-Processor" means any third party engaged by Processor to process Personal Data on behalf of Controller.
  • "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Roles of the Parties

Controller determines the purposes and means of processing Personal Data of its clients, contacts, and firm personnel through the Asolo platform. Processor processes Personal Data only on Controller's documented instructions, as set out in this DPA and in the Terms of Service.

Processor shall promptly notify Controller if, in Processor's opinion, an instruction infringes Applicable Data Protection Law. In such cases, Processor may suspend processing of the affected data pending Controller's further instruction.

3. Scope and Details of Processing

Subject Matter

AI-assisted estate-planning practice management, including memory ingestion, briefing generation, semantic search, and chat assistance.

Nature of Processing

Collection, storage, structuring, retrieval, consultation, disclosure (to the Controller), and erasure of Personal Data.

Purpose

Providing the Asolo platform services as described in the Terms of Service, solely at the direction of the Controller.

Duration

For the term of the subscription and 30 days post-termination (the data retention period for export), after which Personal Data is deleted as described in Section 9.

Categories of Personal Data

  • Client and contact names, email addresses, and telephone numbers.
  • Matter names, descriptions, and status.
  • Communications metadata: email headers, calendar event titles and attendees, document file names and metadata.
  • AI interaction content: prompts containing client context and attorney queries.
  • Billing contact information (processed primarily by Stripe as an independent controller).

Categories of Data Subjects

  • The Controller's clients and prospective clients.
  • The Controller's contacts and opposing counsel.
  • The Controller's firm personnel (attorneys and staff).

4. Processor Obligations

Processor shall:

  • Process Personal Data only on Controller's documented instructions, including those in this DPA and the Terms of Service.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain the technical and organizational security measures described in Section 6.
  • Engage Sub-Processors only in accordance with Section 7 and flow down equivalent data protection obligations.
  • Assist Controller, insofar as possible given the nature of the processing, with Controller's obligations to respond to data subject requests under Applicable Data Protection Law.
  • Assist Controller in meeting its obligations under Articles 32–36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and information available to Processor.
  • Delete or return Personal Data upon termination of the subscription, as described in Section 9.
  • Make available to Controller all information reasonably necessary to demonstrate compliance with this DPA, subject to Section 10.
  • Promptly notify Controller of any Security Incident affecting Controller's Personal Data, in accordance with Section 8.

5. Controller Obligations

Controller is responsible for:

  • Ensuring it has a lawful basis under Applicable Data Protection Law for processing the Personal Data shared with Processor.
  • Providing data subjects with appropriate privacy notices describing Asolo's processing.
  • Exercising professional judgment about which client data to connect to the Asolo platform, including privilege and confidentiality assessments under applicable professional responsibility rules.
  • Ensuring that any instructions provided to Processor comply with Applicable Data Protection Law.
  • Notifying Processor promptly if Controller becomes aware of a Security Incident affecting Processor's systems.

6. Security Measures

Processor implements and maintains the following technical and organizational measures to protect Personal Data:

  • Encryption at rest: AES-256 encryption of all data in Supabase.
  • Encryption in transit: TLS 1.3 for all data transmitted between clients and Processor's systems.
  • Token and credential protection: OAuth tokens and API keys encrypted in Supabase Vault; not stored in plaintext in the database.
  • Scope minimization: OAuth integrations use read-only or minimum-necessary scopes wherever applicable.
  • Access controls: Row-level security in the Supabase database; employee access to production data restricted to minimum necessary for support and operations.
  • Application security monitoring: Error monitoring via Sentry; uptime and log monitoring via BetterStack.
  • SOC 2 Type 1 audit in progress (target completion Q3 2026).

Processor shall maintain these measures and shall notify Controller of any material reduction in the security standard.

7. Sub-Processors

Controller provides general authorization for Processor to engage the Sub-Processors listed at asolo.ai/sub-processors.

Processor shall: (a) impose data protection obligations on each Sub-Processor at least equivalent to those in this DPA; (b) remain liable to Controller for the performance of Sub-Processors' obligations under this DPA; and (c) provide Controller with at least 30 days' advance notice before engaging a new Sub-Processor that will process Personal Data, by updating the sub-processors page and notifying Firm tier customers by email.

Controller may object to a new Sub-Processor within 30 days of receiving notice. If Controller objects on reasonable data protection grounds and Processor cannot reasonably accommodate the objection, Controller may terminate the subscription without penalty on written notice.

8. Security Incident Notification

Processor will notify Controller without undue delay — and in any event within 72 hours — of becoming aware of a Security Incident affecting Controller's Personal Data. The notification will include, to the extent then known:

  • A description of the nature of the Security Incident, including the categories and approximate number of data subjects and records affected.
  • Contact details for the Processor's data protection point of contact.
  • The likely consequences of the Security Incident.
  • Measures taken or proposed to address the Security Incident, including mitigation measures.

Processor may provide information in phases where not all details are immediately available. Controller is responsible for determining whether any notification to supervisory authorities or data subjects is required under Applicable Data Protection Law and for making any such notifications.

9. Data Deletion and Return

Upon expiration or termination of the subscription, Processor will, within 30 days:

  • Delete all Personal Data processed on behalf of Controller from Processor's production systems and from Sub-Processor systems, to the extent technically feasible; or
  • If requested by Controller in writing prior to termination, return Personal Data in machine-readable format (JSON or CSV export), after which Processor will delete it.

Processor may retain Personal Data beyond this period to the extent required by applicable law, regulation, or court order. Processor will notify Controller of any such retention and its legal basis. Backups are retained on a rolling 30-day window, so copies of Personal Data held in backups age out no later than 30 days after their deletion from production systems.

10. Audit Rights

Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with this DPA and with Article 28 GDPR. Processor shall permit and contribute to audits and inspections conducted by Controller or a Controller-appointed auditor, subject to the following conditions:

  • Controller provides at least 30 days' prior written notice specifying the scope of the audit.
  • Audits are conducted during normal business hours and no more than once per 12-month period, unless a Security Incident or regulator investigation requires otherwise.
  • The auditor agrees to Processor's reasonable confidentiality requirements before accessing Processor's systems or documentation.
  • Controller bears the cost of any audit conducted by a Controller-appointed third party.

11. International Data Transfers

Processor's primary data processing location is the United States. Sub-Processors also process data in the United States and, in the case of certain Sub-Processors (PostHog, BetterStack, Crisp), within the European Union.

To the extent processing involves transfer of Personal Data from the European Economic Area (EEA) or United Kingdom to the United States or another third country not recognized as providing an adequate level of data protection, such transfers are subject to appropriate safeguards as follows:

[Standard Contractual Clauses — Placeholder]

EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: Controller-to-Processor) and/or the UK International Data Transfer Addendum (IDTA) will be incorporated herein by reference upon execution of this DPA. To request the SCCs or the UK IDTA, contact legal@asolo.ai. Pending execution of the SCCs, transfers from the EEA/UK rely on Controller's assessment of the applicable transfer mechanisms under GDPR Chapter V and on Asolo's implementation of the technical safeguards described in Section 6.

12. Duration and Termination

This DPA remains in effect for the duration of the subscription agreement between the parties. It terminates automatically upon termination of the Terms of Service, subject to the data deletion obligations in Section 9 and any obligations that survive by their nature.

13. Contact and Governing Law

DPA-related inquiries: legal@asolo.ai
Grantley Holdings LLC d/b/a Asolo

This DPA is governed by the same governing law as the underlying Terms of Service (State of Delaware), except to the extent Applicable Data Protection Law requires otherwise.