Data Processing Agreement
Last updated: January 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Motion Granted, LLC ("Processor") and you ("Controller") and governs the processing of personal data in connection with our Services.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, and disclosure.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
3. Scope and Purpose
The Processor will process Personal Data only for the purpose of providing the Services as described in our Terms of Service and as instructed by the Controller. The types of Personal Data processed include:
- Contact information (name, email, phone number, address)
- Professional information (bar number, firm name)
- Case information submitted with orders
- Documents and files uploaded to our platform
- Communications and messages
- Payment information (processed by Stripe)
4. Data Protection Obligations
4.1 Processor Obligations
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller
- Ensure personnel authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Delete or return Personal Data upon termination of Services
- Make available information necessary to demonstrate compliance
4.2 Controller Obligations
The Controller agrees to:
- Ensure lawful basis for processing Personal Data
- Provide necessary information for Data Subject requests
- Comply with applicable data protection laws
- Notify Processor of any changes to processing instructions
5. Security Measures
The Processor implements the following security measures:
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Access Controls: Role-based access, multi-factor authentication
- Infrastructure: SOC 2 Type II compliant hosting (Vercel, Supabase)
- Monitoring: 24/7 security monitoring and alerting
- Backups: Daily encrypted backups with 30-day retention
- Testing: Regular security assessments and penetration testing
6. Sub-processors
The Controller authorizes the Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | United States |
| Vercel | Application hosting | United States |
| Stripe | Payment processing | United States |
| Resend | Email delivery | United States |
| AI Processing Services | AI-assisted document drafting and citation verification | United States |
The Processor will notify the Controller of any intended changes to Sub-processors, allowing 30 days to object.
7. Data Subject Rights
The Processor will assist the Controller in responding to Data Subject requests, including:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure of Personal Data
- Restriction of processing
- Data portability
- Objection to processing
8. Data Breach Notification
In the event of a Personal Data breach, the Processor will:
- Notify the Controller within 72 hours of becoming aware
- Provide details of the breach and affected data
- Describe measures taken to mitigate the breach
- Cooperate with the Controller in any required notifications
9. Data Retention and Deletion
Personal Data will be retained in accordance with our Privacy Policy:
- Account data: Duration of account plus 90 days
- Order data: 7 years after order completion (legal retention)
- Communications: 3 years after last activity
- Payment records: As required by tax/financial regulations
Upon termination, the Processor will delete or return Personal Data within 90 days, unless retention is required by law.
10. International Transfers
Personal Data may be transferred to the United States. The Processor ensures appropriate safeguards for such transfers, including:
- Standard Contractual Clauses (where applicable)
- Sub-processors with adequate data protection commitments
- Technical measures to protect data during transfer
11. AI Processing Addendum
In addition to the above, the following applies to AI processing:
- Purpose Limitation: AI systems process data only to provide the requested drafting services
- No Training: Your data is not used to train AI models
- Human Review: All AI outputs are reviewed by qualified legal professionals before delivery
- Data Minimization: Only necessary data is sent to AI systems
- Logging: AI processing is logged for audit purposes
12. Audit Rights
Upon reasonable notice, the Controller may audit the Processor's compliance with this DPA. The Processor will:
- Provide access to relevant documentation
- Permit on-site inspections (with reasonable notice)
- Make personnel available for questions
Alternatively, the Processor may provide third-party audit reports (SOC 2, ISO 27001) as evidence of compliance.
13. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. The Processor will not be liable for damages arising from the Controller's failure to comply with data protection laws.
14. Term and Termination
This DPA is effective for the duration of the Services. It will automatically terminate when the Services end. Provisions relating to data deletion, liability, and confidentiality survive termination.
15. Contact
For questions about this DPA or to exercise your rights:
Motion Granted, LLC
Data Protection Inquiries
Louisiana-based legal drafting service
privacy@motion-granted.com
Request a Custom DPA
Enterprise clients may request a custom DPA tailored to their specific requirements. Contact our team to discuss your needs.