Data Processing Agreement (DPA)
Data Processing Agreement under GDPR Art. 28 · Version 2 (2026-04-22)
1. Parties
Data controller: [Customer's company name, registration number, address]
Data processor: LexCodex.ai (Nordicbysight)
2. Nature and purpose of processing
The Processor processes personal data in order to provide AI-driven legal analysis (contract review, NDA triage, compliance, AI Act analysis, legal research, contract drafting and monitoring) on behalf of the Controller.
3. Categories of personal data
- Account information: first name, last name, email address, organisation
- Authentication: hashed password (bcrypt), optional MFA key (hashed)
- Usage data: number of analyses and which tools were used (without content)
- Security logs: IP address, session identifier, sign-in attempts
- Content sent for analysis (may contain personal data) — processed only in memory, not stored
4. Obligations of the Processor
The Processor undertakes to:
- Process data only in accordance with documented instructions from the Controller
- Ensure that personnel are bound by confidentiality
- Implement appropriate technical and organisational measures (Art. 32 GDPR) — TLS, bcrypt, MFA, CSP, HSTS, CSRF protection, rate limiting
- Assist the Controller in exercising data subject rights (Art. 15–21 GDPR)
- Notify personal data breaches within 72 hours
- Delete or return data upon termination of the agreement
- Provide a self-service function for immediate deletion of account and associated data (GDPR Art. 17)
5. Sub-processors
The Processor uses certified third-party providers for AI processing, hosting, payment processing and spam protection. All are certified to industry standards (SOC 2 Type II, ISO 27001, PCI DSS Level 1) and bound by data processing agreements (DPA). A complete sub-processor list with names, function, location and certifications is provided to the Controller under NDA as part of onboarding or upon request.
The AI provider does not use customer data for model training. Contract texts and AI responses are not stored permanently — neither at the AI provider nor at LexCodex.ai (Zero Data Retention).
Changes to sub-processors are notified to the Controller at least 30 days in advance. The Controller has the right to object — if an objection is raised, the parties have 30 days to find a solution, otherwise the Controller has the right to terminate the agreement at no cost.
6. Data protection measures
See Security & Trust for the full description of technical and organisational measures.
7. Retention period
- Contract texts and AI responses: Not stored — processed only in memory during the analysis.
- Account information: As long as the account is active. Deleted immediately when the data subject uses the Art. 17 function or when the agreement terminates.
- Accounting and invoice data: 7 years under Chapter 6, Section 1 of the Swedish Bookkeeping Act (a Swedish statutory retention obligation that applies even after account deletion).
- Server logs: 30 days.
- Rate-limit logs: 1 hour (rolling).
8. Governing law and dispute resolution
Swedish law applies, excluding conflict-of-law rules. Disputes shall first be resolved through negotiation. Thereafter, disputes shall be settled by Swedish general courts with Helsingborg District Court as the first instance.
Consumers always have the right to bring proceedings in their place of residence and to use the EU online dispute resolution platform (ec.europa.eu/consumers/odr).
9. Contact
LexCodex.ai · support@lexcodex.ai