This Data Processing Addendum ("DPA") forms part of the Agreement between Customer ("Controller") and DriftPatrol ("Processor") and governs the Processing of Personal Data on Controller's behalf. Where the GDPR, UK GDPR, or CCPA/CPRA applies, this DPA controls over any conflicting term.
"Applicable Data Protection Laws" means the EU General Data Protection Regulation (2016/679), the UK Data Protection Act 2018 and UK GDPR, the California Consumer Privacy Act as amended by the CPRA, and other data-protection laws applicable to the Processing.
"Personal Data," "Processing," "Data Subject," "Controller," and "Processor" have the meanings given in the GDPR; "Service Provider," "Business," "Consumer," "Sale," and "Share" have the meanings given in CCPA/CPRA.
"Sub-processor" means any third party engaged by Processor to Process Personal Data.
Processor Processes Personal Data solely on behalf of Controller, per documented instructions contained in the Agreement and this DPA. Processor will notify Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws.
Under CCPA/CPRA, Processor acts as a "Service Provider." Processor does not Sell or Share Personal Data and will not retain, use, or disclose Personal Data outside the direct business relationship, or combine Personal Data with data from other sources except as permitted by CCPA/CPRA.
Subject matter. Provision of the DriftPatrol Service to Controller.
Duration. The Subscription Term plus up to ninety (90) days for data export, followed by deletion within ninety (90) days and backup purge within twelve (12) months.
Nature and purpose. Hosting, retrieving, indexing, diffing, summarizing, and transmitting content from Monitored URLs; authenticating users; delivering digests and alerts.
Categories of Data Subjects. Controller's Authorized Users; individuals whose Personal Data may incidentally appear on Monitored URLs.
Categories of Personal Data. Name, business email, organization, role, IP address, authentication metadata, session logs; any Personal Data incidentally contained in the content of Monitored URLs.
Special category data. None intentionally Processed. Controller should not designate Monitored URLs whose content contains special-category or sensitive Personal Data.
Controller is responsible for ensuring it has a lawful basis to Process Personal Data via the Service; that Monitored URLs may lawfully be Processed under its instructions; and that notices and consents required by law have been provided.
Processor implements and maintains appropriate technical and organizational measures consistent with Article 32 GDPR, including: encryption in transit (TLS 1.2+) and at rest (AES-256 for database storage); role-based access control and least-privilege access for personnel; multi-factor authentication on administrative systems; centralized audit logging; separation of production and development environments; personnel security training at hire and annually; vendor risk management; and documented incident response. Additional detail is provided in the Security Overview.
Controller authorizes Processor to engage the Sub-processors listed in Exhibit B, below. Processor will provide thirty (30) days' notice of new Sub-processors by updating this page and, on request, by email to the administrative contact on file. Controller may object on reasonable grounds; absent resolution, Controller may terminate the affected portion of the Service and receive a pro-rated refund. Processor remains liable for Sub-processor acts and omissions.
For transfers of Personal Data originating in the EEA, UK, or Switzerland to jurisdictions not deemed adequate, the parties incorporate the EU Standard Contractual Clauses (Module Two, Controller-to-Processor) and the UK International Data Transfer Addendum, as applicable, which are deemed executed by execution of the Agreement.
Processor will assist Controller in responding to Data Subject requests, including access, rectification, erasure, restriction, portability, and objection, by providing reasonable tooling. Processor will forward any request received directly from a Data Subject to Controller without undertaking to respond, unless required by law.
Processor will notify Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data. Notice will include, to the extent known: nature of the breach, categories and approximate number of Data Subjects, likely consequences, and measures taken or proposed.
Processor will make available all information reasonably necessary to demonstrate compliance, including the most recent third-party assessment report once available. Where a Controller regulator requires on-site audit, Processor will cooperate, subject to reasonable notice, confidentiality obligations, and cost-allocation for disproportionate audits.
Upon termination, Processor will, at Controller's election, delete or return Personal Data within ninety (90) days, except for (a) Personal Data retained as required by applicable law; and (b) Personal Data stored in backups, which are purged in the ordinary course within twelve (12) months and remain subject to this DPA until purged.
Each party's liability under this DPA is subject to the limitations in the Agreement. Nothing in this DPA limits liability that cannot be excluded under Applicable Data Protection Laws.
See Section 3 above.
| Sub-processor | Purpose | Location | Data-use posture |
|---|---|---|---|
| Cloudflare, Inc. | Hosting, DNS, CDN, WAF, serverless compute, database (D1), KV storage | USA, global edge | SOC 2 Type II; encryption at rest + transit; no training on Customer Data |
| Anthropic, PBC | Machine summarization of publicly retrieved content via Claude API (commercial) | USA | Zero-retention by default. Per Anthropic's Commercial Terms and Usage Policy: API-submitted Customer Data is not used to train Anthropic models, is not retained beyond inference processing, and is segregated from consumer-product data. Anthropic complies with SOC 2 Type II. |
| Twilio SendGrid | Transactional email delivery (authentication, digests, notices) | USA | SOC 2 Type II; ISO 27001; encryption in transit (TLS 1.2+) |
| Stripe, Inc. | Payment processing, subscription management | USA | PCI DSS Level 1; SOC 2 Type II; payment-card data segregated |
| GitHub, Inc. | Source code repository; no Customer Data Processed | USA | SOC 2 Type II; SSO + branch protection enforced |
This Exhibit C addresses ABA Formal Opinion 512 (July 2024) and analogous state-bar guidance regarding the use of generative-AI tools by attorneys.
Model used: Anthropic Claude family (Sonnet tier), accessed via the Anthropic Commercial API.
Data flow: Customer Data (Monitored URL content + Customer-set keywords) is sent to Anthropic's API solely to generate a summarization of differences between successive snapshots of the Monitored URL. Output is returned to DriftPatrol, stored in Customer's tenant in DriftPatrol's D1 database, and delivered to Customer.
Training: Anthropic does not use commercial-API submissions to train its models. DriftPatrol does not fine-tune any model on Customer Data, nor does DriftPatrol use Customer Data to train any third-party model.
Retention by Anthropic: Anthropic's published commercial terms commit to default zero-retention beyond the time required to perform inference and detect abuse, after which inputs and outputs are deleted from Anthropic systems. DriftPatrol passes through this posture without modification.
Confidentiality posture for legal-vendor purposes: DriftPatrol is engaged as a Processor under this DPA. Customer is responsible for determining (a) whether use of the Service satisfies the Customer's professional-conduct obligations under Customer's jurisdiction's bar rules, including informed-client-consent requirements where applicable; and (b) whether any specific Monitored URL content constitutes confidential client information warranting additional safeguards. Customer should not designate as a Monitored URL any page whose content is privileged, attorney-work-product, or otherwise subject to a court-ordered seal.
The Colorado Artificial Intelligence Act categorizes certain AI systems used in legal-decision support as "high-risk." DriftPatrol's machine-summarization Output may inform but does not make legal decisions. Customer is responsible for the human-in-the-loop review required by §6-1-1703(7). DriftPatrol provides documentation of training-data scope (Anthropic's published model cards), known limitations, and recommended Customer use-case fit on request to [email protected]. A formal Risk Assessment Summary is maintained at driftpatrol.app/ai-governance and updated upon material model changes.
This Exhibit E applies where Customer uses DriftPatrol features that process legal documents, deposition transcripts, contract drafts, or other attorney-generated materials (collectively, "Legal Content").
ABA Model Rule 1.6 — Duty of Confidentiality. Use of DriftPatrol to analyze Legal Content does not, by itself, constitute a waiver of attorney-client privilege or work-product protection, provided Customer takes reasonable precautions consistent with ABA Model Rule 1.6(c) and analogous state rules. DriftPatrol's architecture is specifically designed to satisfy those precautions:
ABA Formal Opinion 512 (July 2024) Compliance. DriftPatrol's use of Anthropic's Claude API satisfies the due-diligence requirements described in ABA Formal Opinion 512 regarding attorneys' use of generative-AI tools:
Attorney-Client Privilege — No Waiver. Transmitting Legal Content to a confidential, non-retained third-party processor under a signed DPA does not waive privilege under the dominant U.S. rule, provided the communication is made in confidence and with reasonable precautions. This DPA constitutes a confidentiality agreement between Customer and DriftPatrol. Anthropic's Commercial API Terms constitute an analogous confidentiality undertaking with respect to the API subprocessor. Customers with jurisdiction-specific concerns should consult independent ethics counsel.
Court-Sealed and Highly Sensitive Materials. Customer should exercise independent judgment before submitting materials subject to a court-ordered seal, in camera review, or grand jury secrecy obligations to any third-party AI processor, including DriftPatrol. DriftPatrol's architecture provides strong technical safeguards, but regulatory obligations vary by jurisdiction and matter.
Data Deletion Timeline. For Legal Content specifically:
| Data | Retention |
|---|---|
| Raw document / transcript text | Never written to disk. Deleted from memory within 60 seconds of analysis completion. |
| AI analysis output (characterization of changes, drift flags) | Retained in Customer account for the Subscription Term, then deleted within 90 days per Section 11. |
| Anthropic API: submitted content | Zero-retention. Deleted after inference per Anthropic Commercial Terms. |
Signed DPA. A countersigned PDF copy of this DPA, suitable for inclusion in a vendor-management file or response to client due diligence requests, is available at no charge. Request via [email protected].
Contact: [email protected] · [email protected]. A signed PDF version of this DPA is available on request.
