Ourfirm.ai, Inc. (Processor) ↔ Customer (Controller)
Effective Date: October 23, 2025
This DPA governs Ourfirm.ai's processing of personal data provided by Customer in connection with the services. It applies only to US processing and US customers; cross-border transfers are outside scope.
We will process personal data only:
We do not "sell" or "share" personal information (as those terms are defined by US privacy laws) and will not use personal data for any purpose other than providing the services.
Usage Data: We collect and analyze Usage Data (metadata about platform usage such as frequency, duration, features accessed, and session data) to improve the Services. Usage Data does not include Customer Data or Content. Our collection and use of Usage Data is limited to the definition in Section 2 of the Terms of Service and does not include any substantive content, prompts, documents, or generated output.
Customer's personnel, clients, counterparties, experts, opposing counsel, and other case-related individuals.
Identifiers, contact details, case materials, communications, and usage metadata.
Hosting, storage, indexing, retrieval, AI-assisted generation, and support.
Subscription term plus retention required by law or as permitted by the Agreement.
We ensure personnel with access to personal data are bound by confidentiality and receive appropriate privacy/security training.
We implement the technical and organizational measures in the Security Addendum, incorporated here by reference.
Customer authorizes Ourfirm.ai to engage subprocessors necessary to provide the services, subject to written agreements imposing data-protection obligations no less protective than this DPA.
We will:
Customer may object on reasonable privacy/security grounds; if unresolved, Customer may suspend the affected feature or terminate for convenience as to the impacted service in accordance with the Agreement.
We will:
Upon confirmation of unauthorized access to unencrypted personal data maintained by us, we will notify Customer without undue delay and in any event within 72 hours of confirmation, and will provide updates as reasonably available, consistent with the Security Addendum.
At termination or upon Customer request, we will delete or return personal data, subject to backup and legal-hold constraints. Deletion from backups occurs on the next scheduled cycle.
Our processing covered by this DPA occurs within the United States. If Customer later enables features or subprocessors that involve processing outside the US, the parties will execute an appropriate Data Transfer Addendum before such processing begins.
Upon reasonable written request and no more than annually (unless required by a supervisory authority or a verified incident), we will make available information necessary to demonstrate compliance, which may include responses to security questionnaires and available third-party reports.
If there is a conflict between this DPA and the Agreement, this DPA controls with respect to personal-data processing. Otherwise, the Agreement governs.
For questions about data processing, contact:
Ourfirm.ai, Inc.
Privacy: privacy@ourfirm.ai
Legal: legal@ourfirm.ai
Related Documents: