Data Processing Addendum

1. IMPORTANT TERMS

1.1. This Data Processing Addendum (the "DPA") governs Stern Bench's processing of DPA Data that is required to provide Paid Services under the Platform Agreement or another written agreement between You and Stern Bench that requires Stern Bench to process DPA Data on Your behalf (the "Agreement"). This DPA forms part of the applicable Terms only to the extent Stern Bench acts as a processor of DPA Data on Your behalf. In the event of any conflicting language between the Agreement or the other Terms, the terms of this DPA control with respect to DPA Data. You and Stern Bench each agree to comply with their respective obligations under Data Protection Law.

1.2. Data Processing Roles. As between You and Stern Bench, You are the Data Controller, and Stern Bench is the Data Processor, processing DPA Data on Your behalf only with respect to DPA Data covered by this DPA. For the avoidance of doubt, Stern Bench acts as an independent Data Controller with respect to publicly sourced case law and judicial decisions that Stern Bench independently collects, processes, and makes available through the Service, and with respect to operational, security, analytics, and similar processing described in the Privacy Policy that is not performed on Your behalf.

1.3. Data Processing Purposes. Stern Bench will process DPA Data as Your Data Processor for the purpose of providing or maintaining the Service and in accordance with the Instructions. Stern Bench acknowledges that You are disclosing DPA Data for these limited and specific purposes.

1.4. Categories of Personal Data. Personal Data contained within DPA Data is limited to account information (name, email address, authentication metadata) and other Personal Data that Stern Bench expressly agrees in writing to process on Your behalf in connection with Paid Services. Search queries and case browsing activity are not DPA Data unless the parties expressly agree otherwise in writing.

1.5. Categories of Data Subjects. Individuals identified in Customer Data, primarily users of Stern Bench's applications.

1.6. Duration of Processing. Subject to the Terms and Section 14 of this DPA, DPA Data will be processed for the term of the Agreement.

2. DEFINITIONS

The definitions in Section 15 (Defined Terms) apply to this DPA. All terms in quotation marks in the body of this DPA are also defined terms. Capitalised terms not defined in this DPA have the meanings given to them in the Agreement.

3. PROCESSING REQUIREMENTS

As a Data Processor, Stern Bench will:

3.1. process DPA Data on Your behalf, according to the Instructions, and only in a manner necessary for the performance of the Service;

3.2. promptly notify You in writing if it cannot comply with the requirements of this DPA;

3.3. promptly inform You if, in Stern Bench's opinion, an instruction from You infringes applicable Data Protection Law; and

3.4. ensure that all persons authorised by Stern Bench to process DPA Data are subject to a duty of confidentiality.

4. SUBPROCESSORS

Stern Bench will:

4.1. engage the organisations or persons listed at /legal/subprocessors (the "Subprocessor List") as necessary to perform the Service. You consent to Stern Bench's use of its existing Subprocessors and You grant Stern Bench a general written authorisation to engage Subprocessors to perform all or part of the processing activities required to provide the Service. Stern Bench will update the Subprocessor List if Stern Bench intends to add one or more Subprocessors before the change takes effect. You may, within fifteen (15) days of the update, reasonably object to Stern Bench's use of a Subprocessor on reasonable grounds relating to the protection of DPA Data by contacting founder@sternbench.com (the "Objection Notice"). In such case, Stern Bench shall have the right to cure the objection through one of the following options: (i) Stern Bench will offer an alternative to provide its Service without such Subprocessor; (ii) Stern Bench will take reasonable corrective steps and proceed to use the Subprocessor; (iii) Stern Bench may cease to provide, or You may agree not to use, whether temporarily or permanently, the particular aspect or feature of the Service that would involve the use of such Subprocessor; or (iv) You may cease providing DPA Data to Stern Bench for processing. If none of the above options are commercially feasible, in Stern Bench's reasonable judgement, and the objection has not been resolved to the satisfaction of the parties within thirty (30) days of Stern Bench's receipt of the Objection Notice, then either party may terminate any subscriptions regarding the Service for cause and in such case, You will be refunded any prepaid but unused fees for the applicable subscriptions to the extent they cover periods or terms following the date of such termination. Other than accepting such cure as may be offered by Stern Bench, such termination right is Your sole and exclusive remedy if You object to any new Subprocessor;

4.2. enter into contractual arrangements with each Subprocessor binding them to provide the same level of data protection and information security to that provided for in this DPA. Stern Bench will remain fully liable to You for the performance of each Subprocessor to the extent the Subprocessor fails to fulfil its data protection obligations under the applicable data processing agreement with Stern Bench.

5. NOTICE TO CUSTOMER

Stern Bench will inform You, to the extent legally permitted, if Stern Bench receives:

5.1. any legally binding request for disclosure of DPA Data by a law enforcement authority. If Stern Bench is legally prohibited from notifying You, Stern Bench will use its best efforts to request a waiver of the prohibition and will document that request. Stern Bench will notify You once the prohibition expires or has been lifted with the aim of providing as much relevant information to You as reasonably possible;

5.2. any notice, inquiry, or investigation by a Supervisory Authority with respect to DPA Data; or

5.3. any complaint or request from a Data Subject (including "verifiable consumer requests" as defined by CCPA) exercising their right under Data Protection Law to (i) access their DPA Data; (ii) have their DPA Data corrected or erased; (iii) restrict or object to the Processing of their DPA Data; or (iv) data portability (collectively "Data Subject Request"). Other than to request further information or identify the Data Subject, Stern Bench will not respond to any Data Subject Request without prior written authorisation from You.

6. PERSONAL DATA BREACH

If Stern Bench experiences a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to DPA Data ("Personal Data Breach"), Stern Bench will notify You without undue delay, and in any event within 72 hours of becoming aware of the Personal Data Breach. Stern Bench will provide You with all information about the Personal Data Breach as required by Data Protection Law, including:

6.1. a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and personal data records concerned;

6.2. the name and contact details of Stern Bench's point of contact from whom more information can be obtained;

6.3. a description of the likely consequences of the Personal Data Breach; and

6.4. a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

7. ASSISTANCE TO CUSTOMER AND AUDITS

Upon Your written request, Stern Bench will provide reasonable assistance to You regarding:

7.1. Your obligations to respond to Data Subject Requests relating to Stern Bench's Processing of DPA Data;

7.2. Your preparation of data protection impact assessments with respect to the processing of DPA Data by Stern Bench and, where necessary, carrying out consultations with any Supervisory Authority with jurisdiction over the Processing; and

7.3. information, assessments or audits, to the extent required by Data Protection Law, and as necessary to confirm that Stern Bench is processing Personal Data in a manner consistent with this DPA. All audits and assessments will be conducted upon reasonable notice during normal business hours, with scope limited to matters relevant to this DPA, and conducted no more than once per year unless required by Data Protection Law or in response to a Personal Data Breach. All reports and documentation provided to You are Stern Bench's Confidential Information.

8. REQUIRED PROCESSING

If Stern Bench is required by applicable law to Process DPA Data outside of Your Instructions, Stern Bench will inform You of this requirement in advance of any processing, unless Stern Bench reasonably believes it is legally prohibited from informing You of such processing.

9. SECURITY

Stern Bench will:

9.1. implement and maintain appropriate technical and organisational measures to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of DPA Data and to protect the rights of the Data Subject, including but not limited to: encryption of data in transit and at rest, access controls, regular security testing, and incident response procedures; and

9.2. take appropriate steps to confirm that all Stern Bench personnel and persons or entities authorised to Process DPA Data on Stern Bench's behalf are protecting the security, privacy and confidentiality of DPA Data consistent with the requirements of this DPA.

10. US SPECIFIC DATA PROTECTION OBLIGATIONS

To the extent applicable under US State Privacy Law, Stern Bench certifies that it understands and will comply with its obligations under US State Privacy Law to:

10.1. only process DPA Data for the purposes set out in this DPA, the Agreement, or the Terms, unless otherwise permitted by law;

10.2. not "sell" or "share" (as defined by CCPA) DPA Data;

10.3. not retain, use or disclose DPA Data outside of the direct business relationship between Stern Bench and Customer unless otherwise required or permitted by law;

10.4. Process DPA Data in a manner that provides no less than the level of privacy protection required by US State Privacy Law;

10.5. not combine any DPA Data with Personal Data that Stern Bench receives from or on behalf of a third party other than You or collects from Stern Bench's own interactions with individuals, provided that Stern Bench may combine Personal Data as permitted under US State Privacy Laws or if directed to do so by Customer;

10.6. not attempt to reidentify any deidentified data You provide to Stern Bench, except for the sole purpose of determining whether the deidentification processes are compliant with applicable Data Protection Law; and

10.7. grant You the right to take reasonable and appropriate steps to (i) ensure that Stern Bench uses DPA Data in a manner consistent with Data Protection Law and (ii) stop and remediate unauthorised use of DPA Data.

11. CANADIAN DATA PROTECTION OBLIGATIONS

To the extent applicable under Canadian Data Protection Law, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial legislation, Stern Bench certifies that it will:

11.1. only collect, use, and disclose DPA Data for purposes that a reasonable person would consider appropriate in the circumstances and as set out in this DPA and the Agreement;

11.2. implement safeguards appropriate to the sensitivity of the DPA Data;

11.3. upon request, provide You with information about Stern Bench's policies and practices relating to the management of DPA Data; and

11.4. respond to any access or correction requests from Data Subjects in accordance with Your instructions and applicable Canadian Data Protection Law.

12. OBLIGATIONS OF CUSTOMER

12.1. You represent, warrant and covenant that You have and shall maintain throughout the term all necessary rights, consents and authorisations to provide the DPA Data to Stern Bench and to authorise Stern Bench to Process DPA Data as contemplated by this DPA, the Agreement, the Terms and/or other Instructions provided to Stern Bench. Where this DPA applies, Your use of the applicable Paid Services, Agreement, or other written Instructions constitutes Your instruction to Stern Bench to process DPA Data as reflected in the Documentation.

12.2. You shall reasonably cooperate with Stern Bench to assist Stern Bench in performing any of its obligations under Data Protection Law in relation to DPA Data.

12.3. You acknowledge and agree that You, rather than Stern Bench, are responsible for certain configurations and design decisions for the Service and that You are responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Law. Without limitation to the above, You represent, warrant and covenant that You shall only transfer DPA Data to Stern Bench using secure, reasonable and appropriate mechanisms.

12.4. You shall not provide DPA Data to Stern Bench except through agreed mechanisms. For example, You shall not include DPA Data in technical support tickets or transmit DPA Data to Stern Bench by email.

13. CROSS-BORDER DATA TRANSFERS

13.1. You acknowledge that, unless You and Stern Bench have agreed in writing to process and store DPA Data exclusively in a different geographic location, DPA Data may be processed in Canada, the United States, or other jurisdictions where Stern Bench's Subprocessors operate, in order for Stern Bench to provide the Service.

13.2. Where DPA Data originating from the EEA, UK, or Switzerland is transferred to a jurisdiction that has not been deemed to provide an adequate level of data protection, Stern Bench will ensure that appropriate safeguards are in place, including the use of Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission, and where applicable, the UK International Data Transfer Addendum.

13.3. Stern Bench will, upon request, provide You with copies of the relevant transfer mechanisms in place.

14. FUTURE REGULATIONS

14.1. In the event that new legislation or regulations are implemented that specifically govern automated processing, search infrastructure, or other technology used in connection with the Service, both parties agree to review this DPA to ensure compliance with such legislation and regulations.

14.2. If substantial modifications are required to the terms and conditions of this DPA to render it or the parties' performance under it compliant with any regulations implemented following its Effective Date, both parties shall negotiate in good faith to make necessary amendments.

14.3. Should new regulations render the continued provision of services under this contract infeasible or unlawful, either party may initiate termination by providing written notice to the other party. Termination shall be effective after a reasonable notice period, as agreed upon by both parties.

14.4. The termination of this DPA due to the aforementioned regulations shall not relieve either party from any outstanding obligations or liabilities incurred prior to the termination.

14.5. If any provision of this DPA is found to be inconsistent with future regulations, such provision shall be interpreted in a manner consistent with the applicable laws, or if necessary, deemed null and void without affecting the validity of the remaining provisions.

15. RETENTION PERIOD

This DPA shall remain in effect until (i) the Service is terminated and (ii) Stern Bench no longer processes DPA Data on Your behalf. Within 30 days following termination of the Service or upon Your reasonable request, Stern Bench shall, and shall direct each Subprocessor to, return to You or delete the DPA Data, unless Stern Bench is required by law to retain DPA Data. For the avoidance of doubt, the deletion obligation in this section applies to DPA Data (Personal Data) and does not apply to data that has been anonymised or aggregated such that it can no longer be used to identify a natural person, as such data is no longer Personal Data within the meaning of this DPA.

16. DEFINED TERMS

"Data Controller" means the person or entity that determines the purposes and means of Processing DPA Data, which may include, as applicable, equivalent concepts under Data Protection Law (for example, "Business" as defined by CCPA).

"Data Processor" means the person or entity that Processes DPA Data on behalf of the Data Controller, which may include, as applicable, equivalent concepts under Data Protection Law (for example, "Service Provider" as defined by CCPA).

"Data Protection Law" means privacy and data protection law applicable in connection with Your use of the Service. Data Protection Law may include, depending on the circumstances, the Personal Information Protection and Electronic Documents Act (PIPEDA), applicable Canadian provincial privacy legislation, Cal. Civ. Code §§ 1798.100 et seq., as amended and its implementing regulations ("CCPA"), the European Union General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), and the UK Data Protection Act 2018.

"Data Subject" means an identified or identifiable natural person to which DPA Data relates, to the extent their Personal Data is protected by Data Protection Law.

"Data Transfer Mechanism" means a transfer mechanism that enables the lawful cross-border transfer of DPA Data under Data Protection Law. This includes transfer mechanisms that are required under Data Protection Law in the EEA, UK, and Switzerland such as the Data Privacy Framework, the EEA SCCs, the UK International Data Transfer Addendum and any data transfer mechanism available under Data Protection Law that is incorporated into this DPA.

"DPA Data" means Customer Data or Your Content that is Personal Data and that Stern Bench processes on Your behalf as a processor in connection with Paid Services or another written agreement that expressly applies this DPA.

"EEA" means the European Economic Area.

"EEA SCCs" means Module 2 (Controller to Processor) of the standard contractual clauses set out in the European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries according to the GDPR.

"Instructions" means any (i) documented communication from You which includes actions taken or input provided through the Service; or (ii) agreement between You and Stern Bench that requires Stern Bench to provide the Service; or (iii) the Documentation.

"Personal Data" means any information relating to an identifiable natural person which is protected under Data Protection Law and Processed in connection with Your use of the Service. This includes equivalent concepts as defined by Data Protection Law (for example, "personal information" as defined under the CCPA or PIPEDA).

"Platform Agreement" means the Platform Agreement located at /terms.

"Processing" means any operation or set of operations which is performed on Your behalf on DPA Data, whether or not by automated means, such as collecting, recording, organisation, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, or dissemination. "Process", "Processes" and "Processed" will be interpreted accordingly.

"Subprocessor" means an entity Stern Bench engages to Process DPA Data on Stern Bench's behalf, to carry out specific processing activities on Your behalf.

"Supervisory Authority" means an independent public authority which is (i) established by a member state pursuant to Article 51 of the GDPR; (ii) the public authority governing data protection that has supervisory jurisdiction over You; or (iii) the Office of the Privacy Commissioner of Canada or applicable provincial privacy commissioner.

"UK International Data Transfer Addendum" means the international data transfer addendum to the EEA SCCs issued by the United Kingdom's Information Commissioner's Office which came into force in accordance with s119A of the UK Data Protection Act on 21 March 2022.

"You" means the organisation or individual contracting for the use of the Service.

"US State Privacy Law" means all state laws relating to the protection and processing of Personal Data in effect in the United States of America, which may include, without limitation, the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.