Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Abalmon Inc. ("Processor", "Abalmon", "we", "us"), which operates Lawty, and the customer or user of the Service ("Controller", "Customer").
This DPA applies when the Customer processes personal data through the Lawty platform, a product operated by Abalmon Inc., and Abalmon processes such data on behalf of the Customer.
This agreement is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation.
1. Definitions
For the purposes of this DPA:
Controller
The entity that determines the purposes and means of processing personal data.
Processor
The entity that processes personal data on behalf of the Controller.
Personal Data
Any information relating to an identified or identifiable natural person.
Processing
Any operation performed on personal data including collection, storage, organization, analysis, transmission, or deletion.
Service
The Lawty platform and any associated applications, APIs, or integrations.
2. Subject and Scope of Processing
Abalmon will process personal data only on behalf of the Controller and solely to provide the Service described in the Terms of Service.
Processing may include:
- storage of data submitted by users
- management of contacts, documents, notes, and communications
- analysis of documents through software features
- AI-assisted processing requested by users
- synchronization with third-party integrations
- automation workflows triggered by user activity
Abalmon does not process personal data for its own purposes.
3. Nature and Purpose of Processing
The purpose of processing is to enable the functionality of the Lawty platform, which may include:
- document storage and management
- workflow automation
- email and calendar synchronization
- task and matter management
- financial records and invoicing
- AI-assisted document analysis or text generation
Processing occurs only to provide the services requested by the Customer.
4. Categories of Personal Data
Depending on how the Service is used, personal data processed may include:
- names
- email addresses
- phone numbers
- contact details
- identification numbers
- professional information
- billing information
- documents uploaded by users
- information contained in emails or files processed through integrations
The Controller determines which personal data is submitted to the Service.
5. Categories of Data Subjects
Personal data processed under this DPA may relate to:
- customers or clients of the Controller
- employees or contractors of the Controller
- individuals referenced in documents uploaded by the Controller
- users of the Service
6. Controller Responsibilities
The Controller is responsible for:
- ensuring that it has a lawful basis for processing personal data
- ensuring that personal data submitted to the Service complies with applicable laws
- providing appropriate notices to data subjects where required
- responding to requests from data subjects
The Controller determines the purposes and means of processing personal data.
7. Processor Obligations
Abalmon agrees to:
- process personal data only on documented instructions from the Controller
- ensure that personnel with access to personal data are subject to confidentiality obligations
- implement appropriate technical and organizational security measures
- assist the Controller with data subject rights requests where reasonably possible
- notify the Controller without undue delay if a personal data breach affecting the Service is detected
- delete or return personal data upon termination of the Service unless retention is required by law
8. Security Measures
Abalmon implements reasonable administrative, technical, and organizational safeguards designed to protect personal data, including:
- encrypted connections using HTTPS
- infrastructure access controls
- monitoring of infrastructure security
- restricted internal access to customer data
- logical isolation between customer accounts
Security measures are reviewed periodically and may evolve as the Service develops.
9. Artificial Intelligence Processing
Certain features of the Service may use artificial intelligence or automated processing.
AI processing occurs only to provide the requested service functionality.
Abalmon does not use customer data, documents, or third-party content submitted through the Service to train generalized artificial intelligence models unless explicitly authorized by the Customer.
10. Subprocessors
The Controller authorizes Abalmon to engage third-party subprocessors to support the delivery of the Service.
These may include providers of:
- cloud infrastructure
- authentication services
- analytics
- communication services
- storage systems
Abalmon ensures that subprocessors are subject to data protection obligations consistent with this DPA.
A list of subprocessors may be provided upon request.
10.1 Current Subprocessors (Data Processors/Subprocessors)
The table below reflects the subprocessors currently used by default or when a customer enables the related feature.
| Provider | Role | Purpose | Region |
|---|---|---|---|
| Laravel Cloud (AWS EU infrastructure) | Infrastructure subprocessor | Application hosting, storage, and platform operations | EEA-hosted infrastructure by default |
| OpenAI | AI subprocessor | Assistant completion and document intelligence features | Regional handling depends on configured provider controls and enabled model features |
| Anthropic | AI subprocessor | Alternative assistant model processing when selected | Regional handling depends on configured provider controls and enabled model features |
| Google (Workspace APIs / OAuth) | Integration subprocessor | Mail, calendar, and drive integrations authorized by the customer | Regional handling depends on customer workspace configuration and Google services used |
| Microsoft (Graph / OAuth) | Integration subprocessor | Outlook/mail/calendar integrations authorized by the customer | Regional handling depends on customer tenant configuration and Microsoft services used |
| Stripe | Payments subprocessor | Subscription billing and payment operations | Regional handling depends on payment flows, provider routing, and applicable terms |
| Postmark / Resend (if configured) | Transactional email subprocessor | System notifications and service emails | Regional handling depends on delivery routing, provider setup, and applicable terms |
| Google Analytics / Meta Pixel (marketing site) | Analytics/marketing subprocessor | Website analytics and attribution events | EU; consent-driven where legally required |
| ElevenLabs (if voice features enabled) | Voice AI subprocessor | Voice generation or audio workflows | Regional handling depends on enabled voice features and provider configuration |
We will update this section when subprocessors materially change.
11. Data Processing Location
Lawty's primary hosted application environment is intended to run in the EEA, and Abalmon seeks to use providers that offer European data residency or regional controls where practical.
Actual processing locations may vary depending on customer-enabled integrations, selected providers, delivery routing, and legal requirements. Where personal data is transferred outside the EEA, Abalmon will rely on an appropriate transfer mechanism and update documentation or customer terms as needed.
12. Assistance to the Controller
Where reasonably possible, Abalmon will assist the Controller in fulfilling its obligations related to:
- responding to data subject requests
- data protection impact assessments
- security incident notifications
- regulatory inquiries
13. Data Retention and Deletion
Abalmon retains personal data only for the duration necessary to provide the Service.
Upon termination of the Customer account, Abalmon will delete or anonymize customer data within a reasonable period unless retention is required for legal or security purposes.
14. Record of Processing Activities (RAT)
Abalmon maintains and periodically reviews its internal Record of Processing Activities (Article 30 GDPR). The summary below reflects key processing activity categories relevant to the Service:
| Activity | Purpose | Data Categories | Retention Baseline |
|---|---|---|---|
| Account administration | User registration, authentication, and account security | Identity and account credentials | For account lifetime + limited legal/security retention |
| Core legal workspace processing | Matter/document/contact/task operations requested by customer | Customer-submitted workspace data | Customer-controlled lifecycle; deleted/anonymized after termination |
| Integration sync processing | Sync user-authorized mail, drive, and calendar content | Integration metadata and synchronized content | For active integration period + operational logs |
| Assistant/AI inference processing | Generate or refine user-requested outputs | Prompt content and model responses | Conversation lifecycle; no model training unless expressly authorized |
| Billing and invoicing | Process subscriptions and financial records | Billing contacts and transaction metadata | Statutory accounting retention where applicable |
| Security and compliance logging | Detect abuse, investigate incidents, and evidence compliance | Access logs, audit logs, security events | Defined rolling security retention windows |
15. Audits
Upon reasonable request, Abalmon may provide information necessary to demonstrate compliance with this DPA.
Requests must be reasonable in scope and frequency and must not compromise the security or confidentiality of other customers.
16. Duration
This DPA remains in effect for as long as Abalmon processes personal data on behalf of the Customer through the Service.
17. Governing Law
This DPA is governed by the laws applicable to the Terms of Service, except where mandatory data protection laws require otherwise.
18. Acceptance
By creating an account or using the Service, the Customer acknowledges and agrees to this Data Processing Agreement as part of the Terms governing the use of the Service.