Data Processing Agreement

Processor terms for Customer (controller) personal data in the Service

This DPA forms part of the Terms of Service and governs how Largence Group Ltd processes personal data within Customer Data on your instructions as processor.

Entity: Largence Group Ltd

Company no.: 16633893

Registered office: 3 Circus Drive, Cambridge, England, CB4 2BT

Effective: 30 June 2026

Section 1

Definitions and roles

This DPA forms part of the Terms of Service between Largence Group Ltd (Processor, Largence) and the Customer (Controller). Terms not defined here have the meaning in the Terms.

Data Protection Law means all laws applicable to the processing of personal data under this DPA, including the UK GDPR and the Data Protection Act 2018, and the Nigeria Data Protection Act 2023 and subsidiary regulation, in each case as applicable to the relevant processing. Controller, Processor, Data Subject, Personal Data, Processing, Personal Data Breach, Sub-processor, Supervisory Authority have the meanings given in Data Protection Law.

Roles. With respect to Personal Data within Customer Data, the Customer is the Controller and Largence is the Processor. Where the Customer is itself a processor for its clients, Largence is a sub-processor and the Customer's instructions reflect those of the relevant controller. Largence remains the controller of the account/website data described in the Privacy Policy.

Precedence. For matters of Personal Data processing, this DPA prevails over any conflicting term of the Terms.

Section 2

Scope and instructions

Largence will process Personal Data only:

  1. to provide, secure, maintain and support the Service;
  2. in accordance with the Customer's documented instructions (including those given through the Service's configuration and features); and
  3. as required by law applicable to Largence, in which case Largence will, where lawful, inform the Customer first.

The Terms, this DPA, the Customer's use and configuration of the Service, and any written instructions the parties agree, constitute the Customer's complete and documented instructions. Largence will inform the Customer if, in its reasonable opinion, an instruction infringes Data Protection Law (without obligation to give legal advice).

The subject matter, duration, nature and purpose of processing, the types of Personal Data and the categories of Data Subjects are set out in Annex 1.

No training; no secondary use. Largence will not use Personal Data within Customer Data, Inputs or Outputs to train, fine-tune or improve any AI model, and will not process such Personal Data for any purpose other than providing the Service to the Customer and as set out in this DPA. The AI Sub-processors (OpenAI and Anthropic) process API data under enterprise and API terms that do not train their models on that data, and Largence has adopted zero-data-retention settings with these providers so that Inputs and Outputs are not retained by them after a request is processed.

Section 3

Confidentiality

Largence will ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations and are trained on their data-protection responsibilities, and will limit access to those who need it to provide the Service.

Section 4

Security

Largence will implement and maintain the technical and organisational measures set out in Annex 2, appropriate to the risk, to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Largence may update these measures provided their protection is not materially reduced.

The Customer is responsible for its own use of the Service, including configuring access controls, roles, ethical walls and retention settings, securing its credentials and devices, and determining the appropriateness of the measures for its matters.

Section 5

Sub-processing

The Customer grants Largence general authorisation to engage Sub-processors to process Personal Data, including those listed in Annex 3 (hosting, AI model provider(s), e-signature, email, payments, analytics and support).

Largence will impose on each Sub-processor data-protection obligations no less protective than those in this DPA (including the no-training restriction in clause 2.4), and remains liable for its Sub-processors' performance.

Largence will maintain the Sub-processor list at largence.com/legal/subprocessors and give the Customer at least 30 days' notice of any intended addition or replacement (by updating the list and, where subscribed, by notification). The Customer may object on reasonable data-protection grounds within that period; the parties will work in good faith to resolve the objection, failing which the Customer may terminate the affected part of the Service.

Customer-Authorised Connections are not Sub-processors. Where the Customer connects a third-party service that it controls (a Customer-Authorised Connection as described in the Terms — for example, the Customer's own Microsoft, Google or single-sign-on account, an e-signature account, or an external MCP server), the provider of that service is not a Largence Sub-processor. Largence is not responsible for that provider's processing of Personal Data once data is transmitted to it at the Customer's direction; as between the parties, the Customer is responsible for that connection and that processing. Annex 3 lists Largence's Sub-processors only.

Section 6

Data-subject rights

Taking into account the nature of the processing, Largence will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to Data Subjects exercising their rights. If Largence receives a request directly, it will not respond (except to confirm the request relates to the Customer) and will forward it to the Customer without undue delay.

Section 7

Personal Data Breach

Largence will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Data, and will provide information reasonably available to help the Customer meet its breach-notification obligations, and take reasonable steps to mitigate and remediate.

Section 8

DPIAs and prior consultation

Largence will provide reasonable assistance to the Customer with data-protection impact assessments and any prior consultation with a Supervisory Authority, taking into account the nature of the processing and the information available to Largence.

Section 9

International transfers

Largence may transfer Personal Data to, and process it in, countries outside the Customer's jurisdiction (including the EEA, the UK and other countries where Largence or its Sub-processors operate), subject to an appropriate transfer mechanism under Data Protection Law.

Where a transfer requires a safeguard, the parties agree that the mechanisms in Annex 4 apply, which may include the UK International Data Transfer Agreement/Addendum, the European Commission Standard Contractual Clauses, and the transfer mechanisms permitted under the Nigeria Data Protection Act 2023. The relevant clauses are incorporated by reference and completed by the details in the Annexes.

Section 10

Audit

Largence will make available information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports and certifications (such as Cyber Essentials and SOC 2 Type II, once available). Where that is insufficient to demonstrate compliance, the Customer may audit on reasonable prior notice, no more than once per year (and following a Personal Data Breach), during business hours, subject to confidentiality and without unreasonable disruption; the parties will bear their own costs.

Section 11

Deletion and return

On expiry or termination of the Service, and on the Customer's earlier reasonable request, Largence will, at the Customer's option, return and/or delete the Personal Data within Customer Data, and will direct its Sub-processors to do the same, within 30 days, unless retention is required by law (in which case Largence will protect the data and process it only as required by that law). The Service's export functionality allows the Customer to retrieve Customer Data before deletion.

Section 12

Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions in the Terms, including the data-protection-breach cap, except to the extent Data Protection Law requires otherwise. Nothing in this DPA limits a Data Subject's rights under Data Protection Law.

Annex 1

Details of Processing

| Item | Detail |
| --- | --- |
| Subject matter | Provision of the Largence legal operating system to the Customer |
| Duration | For the term of the Service and any post-termination period in clause 11 |
| Nature and purpose | Hosting, storage, organisation, retrieval, AI-assisted drafting/review/search, e-signing, messaging, and related processing to provide the Service on the Customer's instructions |
| Types of Personal Data | Contact and identity data; matter and client data; correspondence and documents; and any Personal Data the Customer chooses to submit, which may include special-category data and criminal-offence data in litigation matters |
| Categories of Data Subjects | The Customer's clients, counterparties, witnesses, employees, contacts, and other individuals referenced in the Customer's matters and Customer Data |
| Controller | The Customer (and, where applicable, the Customer's own clients) |
| Processor | Largence |

Annex 2

Technical and Organisational Security Measures

Largence maintains measures including, at a minimum:

  • Encryption of Personal Data in transit (TLS) and at rest, with documented key management.
  • Access control — role-based access, least-privilege, unique credentials, multi-factor authentication for administrative access, and support for Customer SSO/SCIM and ethical walls.
  • Tenant separation — logical separation of each Customer's data to prevent commingling, with regional/single-tenant hosting available to enterprise customers via AWS.
  • Logging and monitoring — audit logs, security monitoring and alerting.
  • Resilience and backups — regular backups, documented recovery objectives, and business-continuity arrangements.
  • Vulnerability and change management — patching, secure development practices, and periodic penetration testing.
  • Personnel — background checks where lawful, confidentiality obligations and data-protection training.
  • Incident response — a documented plan covering detection, escalation, notification and remediation.
  • Certifications — Cyber Essentials and SOC 2 Type II in progress (targeted within 3–6 months); ISO 27001 and other standards planned thereafter.

Annex 3

Sub-processors

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Hetzner Online GmbH | Cloud hosting (default, all customers) | Germany (Falkenstein) |
| Amazon Web Services | Cloud hosting (enterprise data-residency option) and email infrastructure | EU and South Africa |
| OpenAI | AI model inference (no training; zero data retention) | USA |
| Anthropic | AI model inference (no training; zero data retention) | USA |
| AWS SES and Resend | Transactional email | USA / EU |
| Plausible | Web analytics | EU |
| Cloudflare | Security, CDN and DDoS protection | Global |
| Mono | Nigerian identity/compliance verification (TIN, CAC, SCUML) | Nigeria |
| Twilio | Messaging and user notifications | USA |
| Paystack | Payment processing (NGN) | Nigeria |
| Stripe | Payment processing (GBP/international) | USA / Ireland |

Annex 4

Transfer Mechanisms

For transfers of Personal Data subject to the UK GDPR to a country without UK adequacy, the parties incorporate the UK International Data Transfer Agreement (or the UK Addendum to the EU SCCs), with Largence as data importer and the Customer as data exporter, completed by the details in Annexes 1–3.

For transfers subject to the EU GDPR (where applicable to the Customer's data), the parties incorporate the European Commission Standard Contractual Clauses (Module Two, controller-to-processor, or Module Three, processor-to-processor, as applicable), completed by the details in Annexes 1–3.

For transfers subject to the Nigeria Data Protection Act 2023 (including the default hosting of Nigerian customer data in Germany, any enterprise hosting in South Africa, and inference by the AI providers), the parties rely on the transfer mechanism permitted under the NDPA (adequacy, the data subject's consent, contractual safeguards, or another lawful basis), as confirmed by Annex 1 and applicable NDPC guidance.

Legal notices

Legal notices to Largence must be sent to legal@largence.com and, where required, to our registered office at 3 Circus Drive, Cambridge, England, CB4 2BT.