Data Processing Agreement (DPA)

Data Processing Agreement under GDPR Art. 28 · Version 2 (2026-04-22)

📄 Template for download: This is a standard DPA that meets GDPR Art. 28. For a signed version, contact support@lexcodex.ai with your registration number.

1. Parties

Data controller: [Customer's company name, registration number, address]

Data processor: LexCodex.ai (Nordicbysight HB, registration number 969787-0346)

2. Nature and purpose of processing

The Processor processes personal data in order to provide AI-driven legal analysis (contract review, NDA triage, compliance, AI Act analysis, legal research, contract drafting and monitoring) on behalf of the Controller.

3. Categories of personal data

Account information: first name, last name, email address, organisation
Authentication: hashed password (bcrypt), optional MFA key (hashed)
Usage data: number of analyses, which tools (without content)
Security logs: IP address, session identifier, sign-in attempts
Content sent for analysis (may contain personal data) — processed only in memory, not stored

4. Obligations of the Processor

The Processor undertakes to:

Process data only in accordance with documented instructions from the Controller
Ensure that personnel are bound by confidentiality
Implement appropriate technical and organisational measures (Art. 32 GDPR) — TLS 1.3, bcrypt, MFA, CSP, HSTS, CSRF, rate limiting
Assist the Controller in exercising data subject rights (Art. 15–21 GDPR)
Notify personal data breaches within 72 hours
Delete or return data upon termination of the agreement
Provide a self-service function for immediate deletion of account and associated data (GDPR Art. 17)

5. Sub-processors

The Processor uses the following sub-processors:

Provider	Function	Location	Certification
Anthropic PBC	AI processing (Claude API)	US / EU routing	SOC 2 Type II, ISO 27001, ISO 42001, HIPAA, EU-US DPF
Easywebbhotell	Hosting (server + database)	Sweden	GDPR-compliant, Swedish jurisdiction
Stripe Inc.	Payment processing	US / Ireland	PCI DSS Level 1, SCC
Google LLC	reCAPTCHA, Analytics (with consent)	US / EU	ISO 27001, 27017, 27018, SCC

Anthropic does not use customer data for model training. Contract texts and AI responses are not stored permanently — neither at Anthropic nor at LexCodex.ai.

6. Transfer to third countries

Data may be transferred to the US (Anthropic, Stripe, Google) under the EU-US Data Privacy Framework and Standard Contractual Clauses (SCC) under Commission Decision 2021/914. No transfer takes place without adequate safeguards.

7. Data protection measures

See our Security Whitepaper and Security & Trust page for the full description of technical and organisational measures.

8. Retention period

Contract texts and AI responses: Not stored — processed only in memory during the analysis.
Account information: As long as the account is active. Deleted immediately when the data subject uses the Art. 17 function or when the agreement terminates.
Accounting and invoice data: 7 years under Chapter 6, Section 1 of the Swedish Bookkeeping Act (Swedish statutory retention required even after account deletion).
Server logs: 30 days.
Rate-limit logs: 1 hour (rolling).

9. Governing law

This agreement is governed by Swedish law. Disputes shall be settled by Swedish general courts with Malmö District Court as the first instance.

10. Contact

LexCodex.ai · support@lexcodex.ai