Legalify — Y-tunnus: 3610308-7

Data Processing Agreement

Last updated: 9 April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Legalify ("Processor") and the customer ("Controller") and governs the processing of personal data by Legalify on behalf of the Controller, in accordance with GDPR Article 28.

1. Definitions

  • Controller: the customer entity that determines the purposes and means of processing personal data submitted to Legalify.
  • Processor: Legalify (Finnish sole trader / toiminimi, Y-tunnus 3610308-7, c/o Muuvlaw Oy, Junakatu 9, 20100 Turku, Finland), which processes personal data on behalf of the Controller.
  • Personal Data, Processing, Data Subject: as defined in GDPR Art. 4.

2. Scope and Nature of Processing

Legalify processes personal data submitted by the Controller solely to provide the scan analysis service described in the Terms of Service. Processing includes:

  • Transmission of submitted text to the OpenAI API for AI-mode analysis (text is not retained by Legalify after processing).
  • Storage of scan metadata: scan ID, risk level, flagged sentences, rewrite suggestions, SHA-256 hash of submitted text, character count, and timestamps.
  • Account and authentication data required to operate the service.

Legalify does not store submitted marketing copy in full. Raw submitted text is discarded immediately after scan execution.

3. Controller Instructions

Legalify processes personal data only on documented instructions from the Controller, as set out in the Terms of Service and this DPA, unless required to do so by applicable law. Legalify will inform the Controller if it believes an instruction infringes the GDPR.

4. Confidentiality

Legalify ensures that persons authorised to process personal data are bound by confidentiality obligations.

5. Security Measures

Legalify implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Authenticated access controls and session management.
  • Secure password hashing (bcrypt).
  • Transport layer security (TLS) for all API traffic.
  • Server-side authorisation for billing and scan logic.
  • Rate limiting to prevent abuse.

6. Sub-processors

The Controller provides general authorisation for Legalify to engage the following sub-processors. Legalify will inform the Controller of any intended changes to this list with reasonable advance notice.

Legalify imposes data protection obligations on sub-processors equivalent to those in this DPA. Legalify remains liable for sub-processor compliance.

7. Data Subject Rights

Legalify will assist the Controller in fulfilling obligations to respond to data subject requests (access, rectification, erasure, restriction, portability, objection) by providing the Controller with relevant information held about that data subject within a reasonable timeframe upon written request to privacy@uselegalify.com.

8. Data Breach Notification

Legalify will notify the Controller without undue delay — and within 48 hours where feasible — after becoming aware of a personal data breach affecting data processed under this DPA. Notification will include the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.

9. Data Protection Impact Assessment

Legalify will provide reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities where required under GDPR Art. 35–36, to the extent such assistance relates to data processed by Legalify under this DPA.

10. Audit Rights

Legalify will make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28 and will allow for and contribute to audits conducted by the Controller or a mandated auditor, upon reasonable written notice and subject to reasonable confidentiality requirements.

11. International Transfers

Where Legalify transfers personal data to sub-processors outside the EEA (Vercel, OpenAI, Stripe, Resend, Upstash — all US-based), such transfers are governed by Standard Contractual Clauses (SCCs) adopted under GDPR Art. 46(2)(c) as the appropriate safeguard.

12. Deletion on Termination

Upon termination of the service agreement, Legalify will delete or return all personal data processed under this DPA within 90 days, except where retention is required by applicable law (e.g. Finnish accounting records retained for 7 years under Kirjanpitolaki).

13. Governing Law

This DPA is governed by Finnish law and forms part of the Terms of Service between the parties.

14. Contact

For DPA enquiries or to request a countersigned copy: legal@uselegalify.com