Data Processing Agreement

This Data Processing Agreement (“DPA”) specifies the obligations of the contracting parties in relation to the processing of personal data described in detail in the principal agreement concluded between the Customer (“Controller”) and Flank (“Processor”) (the “Agreement”). It shall apply to all processing activities in connection with the Agreement and through which employees or persons commissioned by the Processor may come into contact with personal data of the Controller (“Personal Data”). 


Data Protection Legislation”:

  • To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data including without limitation the Data Protection Act 2018 (and regulations made thereunder) (“DPA 2018”) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
  • To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Controller or Processor is subject, which relates to the protection of Personal Data.

EU GDPR”: means the General Data Protection Regulation ((EU) 2016/679).

Standard Contractual Clauses” or “SCCs”:  the Information Commissioner’s Office's (“ICO”) International Data Transfer Agreement for the transfer of personal data from the UK and/or the ICO's International Data Transfer Addendum to EU Commission Standard Contractual Clauses and/or the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914 and/or the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU as adapted for the UK, or such alternative clauses as may be approved by the European Commission or by the UK from time to time.

UK GDPR”: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

1. Subject matter, duration and specification of the Personal Data processing 

1.1. The term of this DPA is based on the term of the Agreement. The Personal Data will be securely deleted after termination of the Agreement, provided that they are not subject to any retention obligations.

1.2. The nature and subject matter of the processing are described in the Agreement and include in particular the provision of a software to support the digitized creation of legal documents with the support of artificial intelligence models.

1.3. The purpose of the processing is described in the Agreement and includes, in particular the creation and management of user rights and the processing of Personal Data entered by users when using the software.

1.4. The following types of Personal Data may be processed:

  • data of clients and customers of the clients, as far as they are actively entered or uploaded as sources 
  • contact data of contact persons 
  • usage data
  • data that Controller actively enters, e.g. in free text fields

1.5. The following categories of data subjects may be processed:

  • Controller, contact person at Controller 
  • clients of Controller, contact persons at clients of customers 
  • employees / users at Contoller
  • third parties designated by the Controller, insofar as they are given the opportunity by Controller to enter Personal Data (e.g. via input link).
2. Scope and responsibility

2.1. The Customer and Flank agree and acknowledge that for the purpose of the Data Protection Legislation the Customer is the controller and Flank is the processor.

2.2. The Processor processes Personal Data on behalf of the Controller. This includes activities that are specified in the Agreement. Regarding the processing of the Personal Data, the Controller shall be responsible for compliance with the Data Protection Legislation, in particular for the lawfulness of the Personal Data processing.

2.3. The Controller’s instructions shall initially be stipulated by this DPA and may thereafter be amended, supplemented or replaced by the Controller in writing to the Processor. Instructions that go beyond the contractually agreed performance shall be treated as a request for a change in performance.

3. Duties of the Processor

3.1. The Processor may only process Personal Data of data subjects within the scope of the Agreement and the documented instructions of the Controller. If the Processor is obligated by national or European law (including the Data Protection Legislation) to process Personal Data in a manner that deviates from this, the Processor shall, insofar as this is legally permissible, inform the Controller of this circumstance prior to the start of the processing.

3.2. The Processor shall comply with the obligations set forth in Articles 35 and 36 of the EU GDPR and UK GDPR in relation to Data Protection Impact Assessments.

3.3. The Processor warrants that the employees involved in the processing of the Controller's Personal Data and other individuals working for the Processor are prohibited from processing the Personal Data beyond the scope of the Controller's instructions. Furthermore, the Processor warrants that the individuals authorized to process Personal Data shall be obliged to maintain confidentiality or shall be subject to an appropriate legal duty of confidentiality. The confidentiality and the obligation to maintain secrecy shall continue to apply even after termination of this DPA.

3.4. The Processor shall inform the Controller without undue delay if it becomes aware of any violations of this DPA. The Processor shall take the necessary measures to secure the Personal Data and to mitigate any possible adverse consequences to the data subjects and shall consult with the Controller on this without undue delay.

3.5. The Processor shall name a contact person for the Controller for data protection issues arising within the scope of this DPA.

3.6. The Processor shall correct or delete the Personal Data if the Controller instructs it to do so and this is covered by the scope of the instructions. If a deletion in compliance with Data Protection Legislation is not possible, the Processor shall undertake the destruction on the basis of an individual assignment by the Controller, unless already agreed in the Agreement.

3.7. Personal Data shall be either surrendered or deleted upon the Controller's request after the termination of the Agreement.

4. Obligations of the Controller

4.1. The Controller shall inform the Processor immediately and in full if it identifies errors or irregularities in the Personal Data.

4.2. In the event of a claim by a data subject under the Data Protection Legislation, the Controller and the Processor undertake to support each other in the defense of the claim regarding the verification of the capacity to sue.

4.3. The Controller shall name the Processor a contact person for data protection issues arising within the scope of this DPA.

5 . Security

5.1. The Processor shall implement the technical and organizational measures described in the Annex to adequately protect the Controller’s Personal Data. The measures shall ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing on a permanent basis.

5.2. The Processor reserves the right to change the technical and organizational measures taken, but it must be ensured that the changes do not degrade the contractually agreed level of protection.

5.3. The Processor shall implement a procedure for the regular review of the effectiveness of the technical and organizational measures to ensure the security of the processing.

6. Requests from data subjects

6.1. The Processor shall support the Controller in fulfilling the requests and claims of data subjects to the extent required by Data Protection Legislation and this DPA.

6.2. If a data subject approaches the Processor with requests for correction, deletion or information, the Processor will refer the Personal Data subject to the Controller, provided that an assignment to the Controller is possible according to the data subject's information.

6.3. The Processor will give the Controller its full co-operation and assistance in responding to any complaint, notice, communication or data subject request.

7. Audit

7.1. The Processor shall prove to the Controller compliance with the obligations set forth in the Data Protection Legislation and this DPA by appropriate means. To prove compliance with the agreed obligations, the Processor may provide the Controller with certificates and test results of third parties (e.g. ISO 27001) or test reports of the data protection officer.

7.2. If, in individual cases, inspections by the Controller or an inspector commissioned by the Controller are necessary, these shall be carried out during normal business hours without disrupting operations, after prior notification, and taking into account a reasonable lead time. The Processor may make such inspections conditional upon the signing of an appropriate confidentiality agreement. Should the auditor commissioned by the Controller be in a competitive relationship with the Processor, the Processor shall have a right of objection against the auditor.

7.3. Should a data protection supervisory authority or other sovereign supervisory authority of the Controller carry out an inspection, 6.2 shall apply accordingly as a matter of principle. It is not necessary to sign a confidentiality agreement if this supervisory authority is subject to professional or statutory confidentiality.

7.4. The Processor may demand reasonable remuneration for assistance in conducting an inspection pursuant to 6.2 or 6.3, unless the inspection is prompted by the urgent suspicion of a Personal Data Breach (as defined below) in the Processor's area of responsibility or another violation by the Processor of this DPA. In this case, the suspicious facts are to be presented by the Controller with the announcement of the inspection.

8 . Cross border transfers

8.1. The Processor (and any sub-processors) must not transfer or otherwise process the Personal Data outside the area comprising the European Economic Area (“EEA”) and the UK without obtaining the Controller's prior written consent.

8.2. Where such consent is granted, the Processor may only process, or permit the processing, of the Personal Data outside the EEA/UK under the following conditions:

8.2.1. the Processor is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or

8.2.2. the Processor participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the Processor (and, where appropriate, the Controller) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR. The Processor must identify the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and Processor must immediately inform the Controller of any change to that status; or

8.2.3. the transfer otherwise complies with the Data Protection Legislation.

8.3. If any Personal Data transfer between the Controller and the Processor requires execution of SCCs in order to comply with the Data Protection Legislation (where the Controller is the entity exporting Personal Data to the Processor outside the EEA/UK), the parties will complete all relevant details in, and execute, the SCCs, and take all other actions required to legitimise the transfer.

8.4. If the Controller consents to the appointment by the Processor of a sub-processor located outside the EEA/UK in compliance with the provisions of clause 8.3, then the Controller authorises the Processor to enter into SCCs with the sub-processor. The Processor will make the executed SCCs available to the Controller on request.

9. Sub-processors

9.1. The Controller agrees that the Processor may engage sub-processors.

9.2. Prior to the involvement or replacement of sub-processors, the Processor shall inform the Controller in writing with a reasonable notice period. The Controller may object to the change only for good cause. The objection must be made within two weeks of being informed and all important reasons must be expressly stated. If no objection is made within this period, the change shall be deemed to have been approved.

9.3. At the time of conclusion of this DPA the Controller expressly agrees to the following sub-processors:

  • Google Cloud Platform, Frankfurt German, hosting & Personal Database storage 
  • MongoDB (Hosted on Google Cloud Platform), Frankfurt Germany, Personal Database
  • Pinecone (Hosted on Google Cloud Platform), Europe West 1, database
  • Mixpanel, Netherlands, Analytics 
  • Mailgun, EU, Email sending 
  • MS Azure, OpenAI services, Amsterdam, Canada East, East US 2, Japan East, France Central, Sweden Central, Switzerland North, and UK South

Depending on how the product is used these sub-processors may, but not necessarily will, have access to Personal Data: 

  • OpenAI, USA, LLMs (executed SCCs in place with this sub-processor)
  • Anthropic, USA, LLMs (executed SCCs in place with this sub-processor)
  • APIDeck, EU, Integrations (e.g. salesforce)

9.4. If the Processor concludes agreements with sub-processors, Processor shall be obliged to transfer its data protection obligations under this DPA to the sub-processors.

9.5. Upon written request of the Controller, the Processor shall at any time provide information about the data protection-related obligations of its sub-processors.

10. Personal Data Breach

10.1. Controller will within 24 hours and in any event without undue delay notify the Processor in writing if it becomes aware of a breach of security leading to the accidental, unauthorized or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data (“Personal Data Breach”).

10.2. Where Controller becomes aware of a Personal Data breach it will, without undue delay, also provide the Processor with a description of the nature of the Personal Data Breach, including the categories of in-scope Personal Data and an approximate number of both data subjects and the Personal Data records concerned, the likely consequences and a description of the measures taken or proposed to mitigate its possible adverse effects.

10.3. Immediately following any Personal Data Breach, the parties will co-ordinate with each other to investigate the matter.

11 . Record keeping

11.1. The Processor will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures (“Records”).

11.2. The Processor will ensure that the Records are sufficient to enable the Controller to verify the Processor’s compliance with its obligations under this DPA and the Data Protection Legislation and Processor will provide the Controller with copies of the Records upon request.

12 . Information obligations, written form clause, choice of law

12.1. If the Personal Data at the Processor is endangered by seizure or attachment, by insolvency or composition proceedings or by other events or measures of third parties, the Processor shall inform the Controller thereof without undue delay. The Processor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the Personal Data rests exclusively with Controller as the "controller" in the meaning of the Data Protection Legislation.

12.2. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its  Agreement or DPA obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation, either party may terminate the Agreement on not less than 5 working days’ written notice to the other party.

12.3. Amendments to this DPA shall require a written agreement and the express indication that it is an amendment or supplement addition to this DPA. This also applies to the waiver of this formal requirement.

12.4. Should individual parts of this DPA be invalid, this shall not affect the validity of the remainder of the DPA.

12.5. To the extent that the parties have in the past, for the purposes described in this Agreement already concluded a data processing agreement, this DPA shall replace the previous data processing agreement(s).

12.6. This DPA is governed by the laws of England and Wales.