Data Processing Addendum
For a counter-signed copy, email [email protected].
1. Subject matter
TempusLex (“Processor”) processes personal data on behalf of the customer (“Controller”) in connection with the deadline-computation, case-file management, and reminder service. This DPA forms part of the Terms of Service.
2. Nature and purpose of processing
Processing consists of: authenticating the Controller's users (lawyers and firm staff); storing the case-file and deadline data entered by the Controller; computing procedural deadlines via the deterministic rules registry; sending email reminders and receipts; generating PDF reminders and iCalendar exports; and providing customer support.
3. Categories of data subjects and personal data
Data subjects: lawyers and staff of the Controller who use the Service; optionally, names of parties, counter-parties, and other persons listed in case files (only if the Controller enters them). Personal data: email address, name (optional), case references and party identifiers entered into the case file. The Controller remains responsible for minimising the data entered relative to the deadline-management purpose.
4. Sub-processors
See the sub-processors page for the up-to-date list. By signing this DPA the Controller authorises the listed sub-processors; new additions will be notified at least 30 days in advance, with a right of reasoned objection.
5. Security measures
- Encryption in transit (TLS 1.2+) on all endpoints.
- Encryption at rest for PDFs in Cloudflare R2 and for database backups.
- Authentication via emailed magic links; the Service stores no passwords.
- Role-based access controls for internal staff; audit log of administrative changes.
- Daily database backups, retained for 90 days on a rolling basis.
- Annual review of security posture and sub-processors.
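The magic-link control in the list above means the Processor holds no reusable credential for a user, only a short-lived, single-use login token. The following is an added illustration written for this page, not TempusLex's own code: the token is generated from a CSPRNG, stored only as a SHA-256 digest (so a leaked table yields no usable links), expires after a fixed TTL, and is consumed on first redemption whether or not it validates. The in-memory store, the 15-minute TTL, and the injectable clock are assumptions for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window; not a value from the DPA


class MagicLinkStore:
    """Pending magic links, keyed by the SHA-256 digest of the token.

    Only the digest is persisted; the raw token lives solely in the emailed URL.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self._pending = {}  # token digest -> (email, expires_at)
        self._ttl = ttl
        self._now = now  # injectable clock so expiry can be tested deterministically

    @staticmethod
    def _digest(token: str) -> str:
        # Hashing first means the dict lookup below is not a timing oracle on the token.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a one-time login token for `email` and return the raw token for the link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email.strip().lower(), self._now() + self._ttl)
        return token

    def redeem(self, token: str):
        """Return the bound email if `token` is valid, else None.

        The entry is removed on the first attempt regardless of outcome, so a
        link can never be replayed and an expired link is purged on contact.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None  # unknown, already used, or never issued
        email, expires_at = entry
        if self._now() > expires_at:
            return None  # expired; the user must request a fresh link
        return email

    def purge_expired(self) -> int:
        """Drop stale entries that were never clicked; returns how many were removed."""
        now = self._now()
        stale = [h for h, (_, exp) in self._pending.items() if now > exp]
        for h in stale:
            del self._pending[h]
        return len(stale)


def build_link(base_url: str, token: str) -> str:
    """Compose the URL placed in the reminder email. `base_url` is an assumed endpoint."""
    return f"{base_url.rstrip('/')}/auth/magic?token={token}"


if __name__ == "__main__":
    store = MagicLinkStore()
    tok = store.issue("lawyer@firm.example")  # constructed address for the demo
    print(build_link("https://app.example", tok))
    print("first redeem:", store.redeem(tok))
    print("second redeem:", store.redeem(tok))
```

Two properties matter for the "no persistent passwords" claim: a database read exposes only digests, and every token is dead after one use or one TTL, so nothing long-lived that can authenticate a user is ever at rest.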
6. Data subject rights
Processor assists Controller in fulfilling data subject requests. For data directly accessible to the Controller (case files, deadlines, contact details), the Controller acts autonomously via the settings panel. For full exports or erasure, email [email protected]; the first two requests per year are free of charge.
7. Breach notification
Processor notifies Controller within 48 hours of becoming aware of a personal data breach affecting the Controller, providing the information necessary for any notification to the Garante (the Italian supervisory authority) under Art. 33 GDPR. The Controller's own 72-hour deadline under Art. 33(1) runs from the moment the Controller becomes aware, so the 48-hour window is intended to leave time for that notification.
8. Retention & deletion
On termination, Processor keeps Controller data in read-only mode for 30 days, then deletes it or, on written request, returns it in an exportable format. Statutory retention obligations remain unaffected (invoicing and accounting records: typically 10 years).
9. International transfers
Where data is transferred outside the EEA (e.g. Stripe back-office in the US, R2 dual-region storage), Processor relies on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) concluded with the relevant sub-processors.
10. Audits
Processor provides, on reasoned written request, the information reasonably necessary to demonstrate compliance (security architecture, current sub-processor list, test outcomes). On-site audits are allowed subject to scheduling at least 30 days in advance and at Controller's expense, except in cases of confirmed breach.