Data Processing Agreement (DPA)
Data Processing Agreement under GDPR Art. 28 · Version 2 (2026-04-22)
1. Parties
Data controller: [Customer's company name, registration number, address]
Data processor: LexCodex.ai (Nordicbysight)
2. Nature and purpose of processing
The Processor processes personal data in order to provide AI-driven legal analysis (contract review, NDA triage, compliance, AI Act analysis, legal research, contract drafting and monitoring) on behalf of the Controller.
3. Categories of personal data
- Account information: first name, last name, email address, organisation
- Authentication: hashed password (bcrypt), optional MFA key (hashed)
- Usage data: number of analyses, which tools were used (without the content analysed)
- Security logs: IP address, session identifier, sign-in attempts
- Content sent for analysis (may contain personal data) — processed only in memory, not stored
4. Obligations of the Processor
The Processor undertakes to:
- Process data only in accordance with documented instructions from the Controller
- Ensure that personnel are bound by confidentiality
- Implement appropriate technical and organisational measures (Art. 32 GDPR) — TLS 1.3, bcrypt password hashing, MFA, CSP, HSTS, CSRF protection, rate limiting
- Assist the Controller in exercising data subject rights (Art. 15–21 GDPR)
- Notify personal data breaches within 72 hours
- Delete or return data upon termination of the agreement
- Provide a self-service function for immediate deletion of account and associated data (GDPR Art. 17)
5. Sub-processors
The Processor uses certified third-party providers for AI processing, hosting, payment processing and spam protection. All are certified to industry standards (SOC 2 Type II, ISO 27001, PCI DSS Level 1) and bound by data processing agreements (DPA). A complete sub-processor list with names, function, location and certifications is provided to the Controller under NDA as part of onboarding or upon request.
The AI provider does not use customer data for model training. Contract texts and AI responses are not stored permanently — neither at the AI provider nor at LexCodex.ai (Zero Data Retention).
Changes to sub-processors are notified to the Controller at least 30 days in advance. The Controller has the right to object — if an objection is raised, the parties have 30 days to find a solution, otherwise the Controller has the right to terminate the agreement at no cost.
6. Transfer to third countries
Some sub-processors are established in the US. Transfers take place under the EU-US Data Privacy Framework and Standard Contractual Clauses (SCC) under Commission Decision 2021/914. No transfer takes place without adequate safeguards.
7. Data protection measures
See our Security Whitepaper and Security & Trust page for the full description of technical and organisational measures.
8. Retention period
- Contract texts and AI responses: Not stored — processed only in memory during the analysis.
- Account information: As long as the account is active. Deleted immediately when the data subject uses the Art. 17 function or when the agreement terminates.
- Accounting and invoice data: 7 years under Chapter 6, Section 1 of the Swedish Bookkeeping Act (Swedish statutory retention required even after account deletion).
- Server logs: 30 days.
- Rate-limit logs: 1 hour (rolling).
9. Governing law
This agreement is governed by Swedish law. Disputes shall be settled by Swedish general courts with Malmö District Court as the first instance.
10. Contact
LexCodex.ai · support@lexcodex.ai