Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Master Services Agreement or Subscription Agreement (the “Agreement”) between Causel Inc. (“Causel,” “Processor”) and the customer entity identified in the Agreement (“Customer,” “Controller”). This DPA governs the Processing of Personal Data by Causel on behalf of Customer in connection with the Causel Services.
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meanings ascribed to them in the Agreement, the GDPR, or the CCPA/CPRA, as applicable.
- “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including without limitation the EU General Data Protection Regulation 2016/679 (“GDPR”), the United Kingdom Data Protection Act 2018 (“UK GDPR”), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), and any other applicable state, federal, or international privacy laws.
- “Customer Data” means any data, including Personal Data, that Customer or Customer's Authorized Users submit to or generate within the Causel Services, including discovery materials, legal documents, communications records, and analytical outputs derived therefrom.
- “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
- “Personal Data” means any information relating to a Data Subject that is Processed by Causel on behalf of Customer in connection with the Services.
- “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means.
- “Sub-Processor” means any third party engaged by Causel to Process Personal Data on behalf of Customer in connection with the Services.
- “Security Incident” means any confirmed unauthorized access to, disclosure of, alteration of, or destruction of Personal Data Processed by Causel.
2. Subject Matter, Duration, and Nature of Processing
2.1 Subject Matter. The subject matter of the Processing is the provision of the Causel Services as described in the Agreement, including the ingestion, analysis, contradiction detection, communication graph construction, judicial profiling, and adversarial drafting review of Customer Data in connection with Customer's litigation matters.
2.2 Duration. Causel shall Process Personal Data for the duration of the Agreement and for any additional period required by applicable law or expressly authorized by Customer in writing.
2.3 Nature and Purpose. The nature of the Processing includes the operations described in the Agreement and this DPA, undertaken solely for the purpose of providing the Services to Customer.
2.4 Categories of Data Subjects. The Personal Data Processed under this DPA may relate to the following categories of Data Subjects: Customer's employees, contractors, and Authorized Users; opposing parties and their employees in litigation matters; witnesses; deponents; custodians of discovery materials; counsel of record; judicial officers (limited to publicly available rulings and decisions); and any other natural persons whose Personal Data is contained within Customer Data submitted to the Services.
2.5 Categories of Personal Data. The categories of Personal Data may include: names, email addresses, employment information, communications metadata and content, sworn testimony, internal documents, and any other Personal Data contained within discovery materials submitted by Customer.
3. Roles and Responsibilities
3.1 Customer as Controller. Customer is the Controller of the Personal Data submitted to the Services. Customer warrants that it has obtained all necessary consents, authorizations, and legal bases required under Applicable Data Protection Laws.
3.2 Causel as Processor. Causel shall Process Personal Data only on behalf of Customer and strictly in accordance with Customer's documented instructions. Causel shall not Process Personal Data for any other purpose, including without limitation for its own commercial benefit, model training, fine-tuning, product improvement, or analytics.
3.3 Customer Instructions. The Agreement and this DPA constitute Customer's complete and final documented instructions to Causel for the Processing of Personal Data.
3.4 Causel Notification. Causel shall promptly notify Customer if, in Causel's opinion, an instruction from Customer infringes Applicable Data Protection Laws.
4. Causel Personnel
4.1 Confidentiality. Causel shall ensure that all personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations.
4.2 Limitation of Access. Causel shall limit access to Customer Data to those personnel who require such access to perform their duties under the Agreement, applying the principle of least privilege.
4.3 Background Checks. Causel shall perform background checks on personnel who will have access to production Customer Data, to the extent permitted by applicable law.
5. Security Measures
5.1 Technical and Organizational Measures. Causel shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:
- Encryption of Personal Data at rest using AES-256 via AWS KMS, with customer-managed encryption keys (BYOK) available upon request;
- Encryption of Personal Data in transit using TLS 1.2 or higher;
- Single-tenant infrastructure isolation, with each Customer receiving a dedicated AWS Virtual Private Cloud and no cross-tenant data flow;
- Role-based access controls with mandatory multi-factor authentication for all production system access;
- Continuous logging of all access events to an immutable audit trail;
- Annual third-party penetration testing and quarterly vulnerability assessments;
- A documented incident response plan with regular tabletop exercises;
- Continuous compliance monitoring via Vanta with SOC 2 Type II certification in progress;
- Network segmentation, intrusion detection, and anomaly monitoring on all production systems.
5.3 Updates to Security Measures. Causel may update its security measures from time to time, provided that no such update shall materially diminish the level of protection afforded to Personal Data.
6. Sub-Processors
6.1 General Authorization. Customer grants Causel general authorization to engage Sub-Processors for the Processing of Personal Data.
6.2 Sub-Processor Obligations. Causel shall enter into a written agreement with each Sub-Processor containing data protection obligations no less protective than those set forth in this DPA.
6.3 List of Sub-Processors. A current list of Causel's Sub-Processors is maintained at causel.ai/subprocessors and is available to Customer upon request. The current Sub-Processors include:
- Amazon Web Services, Inc. — Infrastructure hosting (US regions only by default)
- Anthropic, PBC — Inference compute (zero-retention API configuration)
- WorkOS, Inc. — Identity and access management
- Vanta Inc. — Compliance monitoring (metadata only, no Customer Data)
6.4 Notification of Changes. Causel shall provide Customer with at least thirty (30) days' advance notice of any addition or replacement of a Sub-Processor.
6.5 Customer Objection Right. Customer may object to the addition of a new Sub-Processor on reasonable data protection grounds within fifteen (15) days of receiving notice.
7. International Data Transfers
7.1 Default Region. Causel shall, by default, store and Process Personal Data within the United States.
7.2 Standard Contractual Clauses. To the extent that Causel transfers Personal Data of Data Subjects located in the EEA, the UK, or Switzerland to a country that has not received an adequacy decision from the relevant authority, the parties agree that such transfers shall be governed by the Standard Contractual Clauses (Module Two: Controller to Processor) approved by the European Commission Implementing Decision (EU) 2021/914.
7.3 Transfer Impact Assessment. Causel shall, upon Customer request, provide reasonable assistance in conducting transfer impact assessments.
7.4 Supplementary Measures. Causel implements supplementary technical measures to protect Personal Data transferred internationally, including end-to-end encryption and single-tenant isolation.
8. Data Subject Rights
8.1 Assistance to Customer. Causel shall provide reasonable assistance to Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws.
8.2 Direct Requests to Causel. If Causel receives a request directly from a Data Subject, Causel shall promptly forward such request to Customer and shall not respond to the Data Subject directly.
8.3 Customer's Responsibility. Customer is solely responsible for verifying the identity of Data Subjects and determining the validity of their requests.
9. Security Incident Notification
9.2 Content of Notification. Such notification shall include, to the extent known at the time:
- A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected;
- The name and contact details of Causel's incident response coordinator;
- A description of the likely consequences of the Security Incident;
- A description of the measures taken or proposed to be taken to address the Security Incident;
- Any other information reasonably requested by Customer to enable Customer to comply with its own notification obligations.
9.3 Cooperation. Causel shall provide reasonable cooperation and assistance to Customer in connection with any investigation or notification obligation arising from a Security Incident.
9.4 No Admission of Liability. Notification of a Security Incident shall not constitute an admission of fault or liability by Causel.
10. Audits and Inspections
10.1 Audit Rights. Customer shall have the right, no more than once per twelve (12) month period, to audit Causel's compliance with this DPA.
10.2 Audit Reports. Causel shall provide Customer with copies of relevant third-party audit reports (e.g., SOC 2 Type II, penetration test summaries) in lieu of an on-site audit where such reports adequately address the scope of Customer's audit request.
10.3 On-Site Audits. If a third-party report does not adequately address Customer's audit scope, Customer may conduct an on-site audit subject to reasonable conditions including thirty (30) days' notice and execution of an NDA.
10.4 Audit Costs. Each party shall bear its own costs in connection with audits conducted under this Section, except that Customer shall reimburse Causel's reasonable costs if the audit reveals no material non-compliance with this DPA.
10.5 Regulatory Audits. Causel shall provide reasonable cooperation in connection with any audit or investigation conducted by a competent supervisory authority.
11. Return and Deletion of Personal Data
11.1 Deletion Upon Termination. Upon termination or expiration of the Agreement, or upon Customer's earlier written request, Causel shall securely delete all copies of Personal Data in its possession or control, and certify such deletion in writing.
11.2 Deletion Timeline. Causel shall complete the deletion of Personal Data, including all copies stored in Sub-Processor systems, within seventy-two (72) hours of receipt of Customer's deletion request or termination of the Agreement.
11.3 Method of Deletion. Deletion shall be performed using cryptographic erasure techniques sufficient to render the Personal Data permanently irrecoverable. Causel shall destroy all encryption keys associated with the deleted Personal Data.
11.5 Legal Retention Exceptions. Causel may retain Personal Data to the extent and for the period required by applicable law.
11.6 Backup Systems. Personal Data contained in routine backup systems shall be deleted in accordance with Causel's standard backup retention schedule, not to exceed thirty (30) days following the primary deletion.
12. Term, Termination, and General Provisions
12.1 Term. This DPA shall remain in effect for the duration of the Agreement and shall survive termination of the Agreement to the extent necessary to give effect to the provisions herein.
12.2 Modification. This DPA may be modified only by a written instrument signed by authorized representatives of both parties, except that Causel may update the list of Sub-Processors in accordance with Section 6.
12.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
12.4 Governing Law. This DPA shall be governed by and construed in accordance with the laws specified in the Agreement.
12.5 Conflicts. In the event of any conflict between the terms of this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.
12.6 Entire Agreement. This DPA, together with the Agreement and any annexes, constitutes the entire agreement between the parties with respect to the Processing of Personal Data.
This Data Processing Agreement is provided as a template reflecting Causel's standard data protection commitments. The executed version of this DPA, signed by both parties as part of the Master Services Agreement, shall be the binding instrument governing the relationship between Customer and Causel.
Causel Inc. · San Francisco, CA · Document Version: 1.0