
Schedule 1: GDPR Data Processing Agreement for UK Clients

  1. Definitions
    1. For the purposes of this Schedule 1, the term “processor” means Settify to the extent it is a ‘processor’ under the GDPR with respect to the Service, and the term “controller” means the Client to the extent it is a ‘controller’ under the GDPR with respect to the Service.
    2. Unless a contrary intention is apparent, references within this Schedule to Articles are references to Articles of the GDPR.
    3. This Schedule applies where the Jurisdiction is in the United Kingdom.
  2. Processing of client information
    1. Subject matter and duration of processing: The processor will collect biographical information for the controller, from the controller’s clients and prospective clients, to assist in the provision of legal services by the controller to its clients. Processing occurs instantaneously, information is accessible for 60 days, and completely anonymised after 2 years.
    2. Nature of the processing: Information is collected from the controller’s clients and prospective clients via a web app, accessible on a computer, laptop, tablet, or smartphone. The information consists of biographical information that would be useful for a lawyer to receive in advance of a first meeting with a client.
    3. Purposes of the processing:
      1. to provide clients and prospective clients with information about the legal system as it might apply to their case, so they know what to expect from their first meeting with a lawyer, reducing anxiety and confusion;
      2. to provide clients and prospective clients with a convenient, cost effective way to provide background information to their lawyer, rather than providing it in conference at the lawyer's hourly rate;
      3. to provide lawyers with a convenient way to receive background information from their clients and prospective clients;
      4. to continually improve the Settify service for lawyers and for clients and prospective clients.
    4. Type of personal data: biographical information, contact details, relationship history, information about spouse and children, parenting information, asset and liability information. No credit card details or bank account numbers are collected.
    5. Categories of data subject: the controller’s clients and prospective clients.
  3. Processing of employee information
    1. Subject matter and duration of processing: The processor will collect basic professional information about the controller’s legal personnel and legal assistants. This information will be retained for so long as the processor provides the Service to the controller.
    2. Nature of the processing: Information is collected from the controller’s practice manager or similar, and used to pre-populate the list of lawyers and legal assistants that is presented to the controller when using the admin features in the Application. This information is sent to Australia to be processed by Settify employees.
    3. Purposes of the processing:
      1. to provide the controller with the ability to select which lawyer will be assisting which client;
      2. to automatically CC the lawyer’s assistant when an email is generated from the Application to the lawyer;
      3. to allow the creation and sending of emails (including automated emails) by the Application, for and on behalf of lawyers and legal assistants.
    4. Type of personal data: names, contact information, professional biographies, headshots and workgroup allocations. This data is often available on a law firm’s website, but may or may not be available on the controller’s website.
    5. Categories of data subject: the controller’s partners, directors, and employees.
  4. Compulsory terms
    1. The processor must only act on the written instructions of the controller (unless required by law to act without such instructions) and for the avoidance of doubt, execution of this Agreement constitutes written instructions from the controller to the processor to provide the Service as set out in this Agreement;
    2. The processor must ensure that people processing the data are subject to a duty of confidence;
    3. The processor must take appropriate measures to ensure the security of processing;
    4. The processor must only engage a sub-processor with the prior consent of the data controller and a written contract. The processor will remain liable to the data controller for all the acts and/or omissions of its sub-processors;
    5. The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
    6. The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
    7. The processor must delete or return all personal data to the controller as requested at the end of the contract (alternatively, the controller may elect for the processor to continue to store personal data on its behalf, at no charge); and
    8. The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state;
    9. The processor must co-operate with supervisory authorities (such as the ICO) in accordance with Article 31;
    10. The processor must ensure the security of its processing in accordance with Article 32;
    11. The processor must keep records of its processing activities in accordance with Article 30.2;
    12. The processor must notify any personal data breaches to the controller in accordance with Article 33;
    13. The processor must employ a data protection officer if required in accordance with Article 37;
    14. The processor must appoint (in writing) a representative within the European Union if required in accordance with Article 27; and
    15. As Settify is a global organisation, sometimes we need to transfer your personal data to countries outside of the UK. However, if we need to transfer your data outside of the UK, we take measures to comply with applicable Data Protection Laws related to such transfers and we have implemented relevant safeguards and compliance measures to ensure an adequate level of protection of personal data transferred outside the UK, including:
      1. transferring personal data from the UK to a country or recipient that has an adequate level of data protection confirmed by local privacy authorities;
      2. incorporating Standard Contractual Clauses (“SCCs”) into our agreements with you. This is a requirement under the EU’s General Data Protection Regulation (“GDPR”). SCCs are approved by the European Commission and provide the legal mechanism to transfer EU personal data outside of the UK;
      3. incorporating the UK International Data Transfer Addendum (“UK Addendum”) issued by the UK’s Information Commissioner’s Office into our agreements with you. This is a requirement under the UK GDPR. The UK Addendum provides the legal mechanism to transfer personal data outside of the UK; and
      4. relying on other alternative data transfer mechanisms approved by local privacy authorities to enable the transfer of personal data to a third country.
    16. We further protect your personal data by employing the following security controls:
      1. All stored client data is encrypted at rest and in transit, and access controls are in place to restrict and prevent access to data after 60 days of inactivity. Client data is only available to a firm upon referral of their matter; prior to this, access to client information is restricted based on a unique identifier and a client account (if created), and your data is encrypted. If you would like further information please contact us.
    17. Own compliance
      1. Nothing in this Agreement or this Schedule relieves the processor or the controller of their own direct responsibilities and liabilities under the GDPR.
    18. Our current sub-processors are as outlined in the list attached below.

      Infrastructure Sub-processors

      We use these Sub-processors for hosting and running our Services. These are third parties that store and process your data within our Service.

      Sub-processor | Purpose | Location
      Amazon Web Services, Inc | Hosting, CDN, and data services in Europe, USA, Australia, and Canada, depending on customer location. | Australia

      Please note that this differs from digital sovereignty (see https://aws.amazon.com/compliance/digital-sovereignty/). Data processed on behalf of firms via AWS is processed and stored inside the region specified during rollout; by default this is the region closest to the firm. Australia is the legal Jurisdiction, as the contractual agreement is between Settify Pty Ltd and AWS Web Services Australia Pty Ltd.

      Platform Sub-processors

      We use these Sub-processors to help us manage and provide the Service.

      Sub-processor | Purpose | Location
      Sentry | Error monitoring tool with a focus on error reporting. | USA
      Full Story | Product analytics and user experience monitoring tool. | USA
      Stripe | Fees and charges associated with the use of the Service are sent to and processed by Stripe. | USA
      Google Tag Manager (Optional) | This is an optional service, which can be enabled for firms wishing to include Settify in the ROI. | USA

      Business Operations Sub-processors

      We use these Sub-processors to offer direct support services to you and your team. They are primarily used for communications between Customers and our support teams.

      Sub-processor | Purpose | Location
      Pipedrive | Maintains account and contact information for current and prospective customers. | USA
      Freshdesk | Maintains account and contact information for current and prospective customers. | USA
      Microsoft | Settify utilises Microsoft for internal and external communications. | USA
      Slack | Settify utilises Slack for internal and external communications. | USA
      Notion | Internal documentation repository and knowledgebase. Also used to assist with the management of a range of internal business processes, such as employee onboarding, product strategy and planning, and other departmental processes. | USA