Data Processing Addendum

Standard Form - Effective June 2026

This Data Processing Addendum ("DPA") forms part of the Master Services Agreement ("MSA") between GetCounsel, Inc. (trading as Context Systems) ("GetCounsel") and the customer entity identified in the MSA ("Customer"). GetCounsel and Customer are referred to individually as a "Party" and collectively as the "Parties". In the event of a conflict between this DPA and the MSA with respect to the processing of Customer Data, this DPA controls. Capitalized terms used but not defined in this DPA have the meanings given in the MSA.

Article 1 - Definitions

In this DPA, the following terms have the meanings below:

  • Customer Data means any Personal Data that Customer or its End Users submit to the Services, or that GetCounsel processes on Customer's behalf in the course of providing the Services.
  • Data Protection Law means all applicable privacy, data protection, and data security laws and regulations, including where applicable: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, "CCPA"); (b) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (c) the UK GDPR and Data Protection Act 2018; and (d) any other applicable US state or national privacy laws.
  • Personal Data has the meaning given under applicable Data Protection Law, and includes "personal information" as defined under the CCPA.
  • Permitted Purposes means providing, maintaining, and supporting the Services as described in the MSA and any applicable SOW.
  • Security Incident means any unauthorized access to, disclosure of, alteration of, or destruction of Customer Data, whether or not such event has been confirmed, and including any personal data breach as that term is used under applicable Data Protection Law.
  • Sub-Processor means any third party engaged by GetCounsel to process Customer Data in connection with the Services.
  • Technical and Organizational Measures (TOMs) means the security controls described in Exhibit A to this DPA.

Article 2 - Roles

With respect to Customer Data: (a) Customer is the controller (or equivalent role under applicable Data Protection Law) and determines the purposes and means of processing; and (b) GetCounsel is the processor (or equivalent role) and processes Customer Data solely on Customer's behalf, in accordance with Customer's instructions, and only for the Permitted Purposes. GetCounsel shall not process Customer Data for any other purpose without Customer's prior written consent.

To the extent required under applicable Data Protection Law, this DPA constitutes the written data processing agreement between the Parties. For the avoidance of doubt, GetCounsel acts as a controller, not a processor, with respect to Product Usage Data (as defined in the MSA), and the obligations in this DPA apply solely to Customer Data. To the extent the GDPR or UK GDPR applies, this DPA is intended to satisfy the requirements of Article 28 of the GDPR and the equivalent provision of the UK GDPR.

Where Customer is itself acting as a processor on behalf of a third party (for example, where Customer is a law firm processing the personal data of its own end clients), GetCounsel acknowledges that it acts as a Sub-Processor with respect to that Personal Data. In such cases, Customer represents and warrants that it has authority from the relevant controller to appoint GetCounsel as Sub-Processor and to bind GetCounsel to the obligations set out in this DPA, and GetCounsel shall process such Personal Data only in accordance with the controller's instructions as communicated to GetCounsel through Customer.

Article 3 - Processing Instructions

GetCounsel shall process Customer Data only: (a) for the Permitted Purposes; (b) as otherwise instructed by Customer in writing from time to time; and (c) as required by applicable law, in which case GetCounsel shall, to the extent permitted by law, notify Customer before such processing. GetCounsel shall promptly inform Customer if, in its reasonable opinion, any instruction from Customer would infringe applicable Data Protection Law.

GetCounsel shall ensure that all personnel authorized to access or process Customer Data are subject to binding obligations of confidentiality consistent with Section 12.5 of the MSA.

GetCounsel shall not use Customer Data or any content submitted by Customer or its End Users to train, fine-tune, or otherwise improve any generative AI model, whether by GetCounsel or through any Sub-Processor. This prohibition includes, without limitation: (a) training or retraining any generative AI model on Customer Data; (b) fine-tuning or adapting a pre-existing generative AI model using Customer Data; and (c) transfer learning that applies knowledge derived from Customer Data to any generative AI model.

For the avoidance of doubt, this prohibition does not restrict GetCounsel from: (a) using Customer Data to provide, operate, or improve the Services for that Customer alone; (b) using aggregated, anonymized, or de-identified data that cannot reasonably be attributed to any individual customer to improve the Services generally; (c) using insights or signals derived from Customer's use of the Services to develop or improve general product features or capabilities, provided that no Customer Data is disclosed to or made accessible by any other customer; or (d) fine-tuning or developing a generative AI model exclusively for the use of that Customer, where the Customer has given prior written consent and such activity is governed by a separate written agreement between the Parties.

Article 4 - Customer Obligations

  • 4.1 Customer shall ensure that it has a valid legal basis, and all necessary rights, consents, and authorizations, to provide Personal Data to GetCounsel and to authorize GetCounsel to process that Personal Data in accordance with this DPA, the MSA, and any processing instructions provided by Customer.
  • 4.2 Customer shall comply with all applicable Data Protection Law in its capacity as controller (or processor, as applicable) with respect to the Personal Data it provides to GetCounsel.
  • 4.3 Customer shall limit the Personal Data it provides to GetCounsel to what is strictly necessary for the Permitted Purposes. Customer shall not submit to the Services any Personal Data beyond what is required for GetCounsel to perform the Services.
  • 4.4 Customer shall ensure that any privacy notices provided to the individuals whose Personal Data is submitted to the Services adequately describe the processing carried out by GetCounsel as processor or Sub-Processor, to the extent required by applicable Data Protection Law.

Article 5 - CCPA Service Provider Terms

To the extent the CCPA applies, the Parties acknowledge and agree that GetCounsel is a service provider with respect to Customer Data. GetCounsel certifies that it understands and shall comply with the following restrictions:

  • (a) GetCounsel shall not sell or share Customer Data.
  • (b) GetCounsel shall not retain, use, or disclose Customer Data outside the direct business relationship with Customer, or for any commercial purpose other than providing the Services.
  • (c) GetCounsel shall not combine Customer Data with Personal Data received from or about individuals outside of Customer's End Users, or collected from GetCounsel's own interactions with individuals, except as permitted under the CCPA.
  • (d) GetCounsel shall not use Customer Data to build or modify consumer profiles, or to augment any data acquired from another source, for purposes other than providing the Services.
  • (e) GetCounsel shall notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA.

Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Data by GetCounsel.

Article 6 - AI Model Inference Providers

GetCounsel uses third-party AI model inference providers and cloud AI services (currently Anthropic, OpenAI, AWS Bedrock, Azure OpenAI Service, and Google Vertex AI, as listed in Exhibit B) to generate AI-driven outputs as part of the Services. With respect to each such provider, GetCounsel represents and warrants that:

  • (a) GetCounsel operates under zero data retention ("ZDR") agreements with AI model inference providers by default, such that Customer Data transmitted for inference purposes is not used for any purpose beyond serving the immediate inference request and is not retained for model training or any other secondary purpose, except where Customer has explicitly opted into a non-ZDR model variant in accordance with this Article 6.
  • (b) GetCounsel's agreements with each AI model inference provider contractually prohibit those providers from using Customer Data to train, fine-tune, or otherwise improve their underlying AI models.
  • (c) GetCounsel shares with each AI model inference provider only the minimum Customer Data necessary to generate the requested output.
  • (d) GetCounsel's agreements with each AI model inference provider prohibit those providers from permitting their personnel to access, read, or conduct human review of Customer Data, except where strictly required by applicable law or to investigate a confirmed Security Incident, in which case GetCounsel shall promptly notify Customer to the extent permitted by law.

GetCounsel shall notify Customer in writing within thirty (30) days if any AI model inference provider ceases to satisfy the ZDR conditions set out in this Article 6, and shall, at Customer's request, promptly transition to an alternative provider that satisfies those conditions.

Certain model variants may be offered by providers under custom retention terms that do not satisfy ZDR requirements (including Anthropic's Fable family). GetCounsel makes those non-ZDR variants available only as a strict opt-in at both the organization level and the individual user level. Before any such opt-in is enabled, GetCounsel provides clear links to the relevant provider data policies and retention terms.

This Article 6 applies to providers engaged solely to perform AI model inference on GetCounsel's behalf. Sub-Processors that are AI platforms or that process Customer Data for purposes beyond inference (including document analysis, agent orchestration, or workflow processing) are governed by Article 8. The no-training prohibition in Article 3 applies to all such Sub-Processors by virtue of Article 8(a).

Article 7 - Technical and Organizational Measures

GetCounsel shall implement and maintain the Technical and Organizational Measures described in Exhibit A to this DPA. GetCounsel may update the TOMs from time to time provided that no such update materially reduces the overall level of protection afforded to Customer Data. GetCounsel shall make available to Customer its then-current SOC 2 Type II report upon written request.

Article 8 - Sub-Processors

GetCounsel's current Sub-Processors are listed in Exhibit B to this DPA and are also maintained at contextsystems.com/privacy. GetCounsel shall:

  • (a) impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA;
  • (b) remain fully liable to Customer for the acts and omissions of its Sub-Processors to the extent of GetCounsel's obligations under this DPA;
  • (c) provide Customer with no less than thirty (30) days' prior written notice before adding or replacing any Sub-Processor that will process Customer Data;
  • (d) ensure that any Sub-Processor that processes Customer Data using artificial intelligence or machine learning systems is contractually prohibited from using Customer Data to train, fine-tune, or otherwise improve any AI or machine learning model, consistent with the prohibition in Article 3 of this DPA; and
  • (e) share with each Sub-Processor only the minimum Customer Data necessary for that Sub-Processor to perform its designated function.

Customer may object to any new Sub-Processor by written notice within fifteen (15) days of receiving such notification. The Parties shall negotiate in good faith to resolve any reasonable objection. If the Parties are unable to resolve the objection within thirty (30) days, Customer may terminate the MSA for convenience on written notice without penalty.

Article 9 - Security Incidents

In the event of a Security Incident affecting Customer Data, GetCounsel shall notify Customer without undue delay and in any event no later than seventy-two (72) hours after becoming aware of the incident, regardless of whether the incident has been fully investigated or confirmed at the time of notification. Such notification shall include, to the extent then known:

  • (a) a description of the nature of the Security Incident, including the categories and approximate number of individuals and records affected;
  • (b) the name and contact details of GetCounsel's data protection contact;
  • (c) the likely consequences of the Security Incident; and
  • (d) the measures taken or proposed to address the Security Incident and to mitigate its effects.

GetCounsel shall supplement the initial notification with further information as it becomes available. Security Incident notifications shall be sent to the Customer contact designated in the MSA. GetCounsel shall cooperate with Customer and take such reasonable steps as Customer directs to investigate, remediate, and mitigate the Security Incident.

For the avoidance of doubt, Customer, as controller, bears primary responsibility for notifying the relevant supervisory authorities and affected data subjects of any Security Incident as required under applicable Data Protection Law. GetCounsel shall provide Customer with such cooperation and information as Customer reasonably requests to fulfill those obligations.

Article 10 - Data Subject Rights

GetCounsel shall provide Customer with reasonable cooperation and assistance, within five (5) business days of Customer's written request, to enable Customer to respond to requests from individuals exercising their rights under applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection. GetCounsel shall forward to Customer, within three (3) business days of receipt, any request received directly from an individual and shall not respond to such requests directly except on Customer's written instructions or as required by applicable law.

Article 11 - Data Protection Impact Assessments

Where required under applicable Data Protection Law, GetCounsel shall provide Customer with reasonable assistance in conducting data protection impact assessments and, where applicable, in carrying out prior consultations with supervisory authorities, in each case in relation to the processing of Customer Data by GetCounsel under this DPA.

Article 12 - Deletion and Return

Upon termination or expiration of the MSA, or at Customer's written request, GetCounsel shall, at Customer's election, securely delete or return all Customer Data (including copies held by Sub-Processors) within ten (10) days, consistent with Section 10.3 of the MSA, except to the extent GetCounsel is required to retain Customer Data under applicable law. Where retention is legally required, GetCounsel shall continue to protect such data in accordance with this DPA and shall notify Customer of the legal basis and anticipated duration of such retention.

Article 13 - International Transfers

GetCounsel operates infrastructure in both the United States and the European Union and seeks to localize Customer Data in the region appropriate to the Customer's location. Where the Customer is established in the EEA, the United Kingdom, or Switzerland, GetCounsel shall store and process Customer Data in its EU-region infrastructure and shall not transfer that data to the United States or any other third country unless: (a) the destination country has been recognized as providing an adequate level of protection under applicable Data Protection Law; (b) appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Agreement or Addendum, or equivalent transfer mechanisms under applicable law; or (c) Customer has provided prior written consent to such transfer.

Where the Customer is established in the United States, GetCounsel shall store and process Customer Data in its US-region infrastructure, and this Article imposes no restriction on such processing. GetCounsel shall implement technical and organizational measures designed to prevent Customer Data from being routinely transferred between regions without a lawful basis. For the avoidance of doubt, nothing in this Article restricts GetCounsel from engaging AI model inference providers or Sub-Processors that operate in multiple regions, provided that appropriate transfer safeguards are in place as required by this Article.

Article 14 - Audit Rights

Upon reasonable prior written notice of not less than fifteen (15) business days, GetCounsel shall make available to Customer such information and records as are reasonably necessary to demonstrate compliance with this DPA. GetCounsel may satisfy this obligation by providing Customer with its then-current SOC 2 Type II report. Customer or its authorized auditor may conduct a direct audit of GetCounsel's data processing activities no more than once per calendar year, at Customer's expense, provided that such audit does not unreasonably interfere with GetCounsel's business operations.

Article 15 - Term and Governing Law

This DPA is effective as of the effective date of the MSA and remains in force for the duration of the MSA. The obligations in this DPA survive termination or expiration of the MSA for so long as GetCounsel processes or retains any Customer Data. This DPA is governed by the law of the State of New York, without regard to its conflict of law principles, consistent with Section 16.1 of the MSA.

GetCounsel may update this DPA from time to time to reflect changes in applicable Data Protection Law or GetCounsel's data processing practices. GetCounsel shall provide Customer with no less than thirty (30) days' prior written notice of any material change to this DPA. The then-current version of this DPA is available at contextsystems.com/legal/dpa. Continued use of the Services following the effective date of any update constitutes acceptance of the updated DPA.

Exhibit A - Technical and Organizational Measures

GetCounsel, Inc. - June 2026

The following Technical and Organizational Measures describe the security controls GetCounsel implements to protect Customer Data. These measures are consistent with GetCounsel's SOC 2 Type II report.

| Category | Measure |
| --- | --- |
| Infrastructure | Production workloads are distributed across AWS, GCP, and Microsoft Azure, providing geographic redundancy and high availability. Frontend workloads are served via globally distributed CDN infrastructure. |
| Encryption in Transit | All data in transit between clients and GetCounsel's infrastructure is encrypted using TLS 1.2 or higher. Connections that do not support TLS are rejected. |
| Encryption at Rest | All Customer Data stored on GetCounsel's infrastructure is encrypted at rest using AES-256 or equivalent encryption, including database storage, object storage, and backup media. |
| Access Controls | Access to production systems is restricted to authorized personnel on a need-to-know basis. GetCounsel enforces role-based access control, multi-factor authentication for all production system access, and regular access reviews. Privileged access is subject to additional controls and logging. |
| Network Security | The production environment is protected by firewalls, network segmentation, and intrusion detection systems. External and internal network traffic is monitored for anomalous activity. |
| Vulnerability Management | GetCounsel conducts regular vulnerability scans and periodic penetration testing of its production environment. Critical and high-severity findings are remediated within commercially reasonable timeframes based on severity. Patch management processes are in place for operating systems, libraries, and dependencies. |
| Security Monitoring and Logging | GetCounsel maintains centralized security logging and monitoring of its production infrastructure. Logs are retained for a minimum of ninety (90) days and are reviewed for anomalous activity. |
| Incident Response | GetCounsel maintains a written incident response plan that is reviewed and tested at least annually. The plan covers detection, containment, eradication, recovery, and post-incident review, and includes notification procedures consistent with Article 9 of this DPA. |
| Business Continuity and Backups | Customer Data is backed up on a regular schedule. Backup integrity is tested periodically. GetCounsel maintains a business continuity and disaster recovery plan designed to minimize service disruption. |
| Personnel Security | All personnel with access to Customer Data are subject to background screening (where permitted by law), confidentiality obligations, and annual security awareness training. |
| Sub-Processor Controls | GetCounsel conducts due diligence on Sub-Processors prior to engagement and requires Sub-Processors to maintain security standards consistent with this DPA. Sub-Processor agreements include appropriate data protection obligations. |
| Physical Security | GetCounsel relies on cloud infrastructure providers (AWS, GCP, Azure) for physical data center security. Those providers maintain ISO 27001, SOC 2, and equivalent certifications covering physical and environmental controls. |

Exhibit B - Sub-Processors

GetCounsel, Inc. - June 2026

The following Sub-Processors are currently authorized to process Customer Data in connection with the Services. This list is also maintained at contextsystems.com/privacy and updated as Sub-Processors are added or removed.

| Sub-Processor | Purpose | Data Protection Framework |
| --- | --- | --- |
| Anthropic [1] | AI model inference (ZDR-capable endpoints and optional non-ZDR model variants such as Fable) | ZDR agreement for supported endpoints; CCPA service provider terms; SCCs where applicable for EU/UK data subjects; provider data policy: anthropic.com/legal/privacy |
| OpenAI [1] | AI model inference (zero data retention) | ZDR agreement; CCPA service provider terms; SCCs where applicable for EU/UK data subjects |
| Amazon Web Services (Bedrock) [1] | AI model inference and cloud infrastructure | ZDR agreement; AWS DPA; SCCs where applicable |
| Microsoft Azure (Azure OpenAI Service) [1] | AI model inference and cloud infrastructure | ZDR agreement; Microsoft DPA; SCCs where applicable |
| Google Cloud (Vertex AI) [1] | AI model inference and cloud infrastructure | ZDR agreement; Google DPA; SCCs where applicable |
| Additional Sub-Processors | Listed on the public sub-processor page | See contextsystems.com/privacy |

1. GetCounsel maintains infrastructure in both the United States and the European Union. Region locking to the region matching the location of the Customer is available upon request.