Schedule 1: GDPR Data Processing Agreement for
UK Clients

1. For the purposes of this Schedule 1, the term “processor” means Settify to the extent it is a ‘processor’ under the GDPR with respect to the Service, and the term “controller” means the Client to the extent it is a ‘controller’ under the GDPR with respect to the Service.
2. Unless a contrary intention is apparent, references within this Schedule to Articles are references to Articles of the GDPR.
3. This Schedule applies where the Jurisdiction is in the United Kingdom.

1. Subject matter and duration of processing: The processor will collect biographical information for the controller, from the controller’s clients and prospective clients, to assist in the provision of legal services by the controller to its clients. Processing occurs instantaneously, information is accessible for 60 days, and completely anonymised after 2 years.
2. Nature of the processing: Information is collected from the controller’s clients and prospective clients via a web app, accessible on a computer, laptop, tablet, or smartphone. The information consists of biographical information that would be useful for a lawyer to receive in advance of a first meeting with a client.
3. Purposes of the processing:
   1. to provide clients and prospective clients with information about the legal system as it might apply to their case, so they know what to expect from their first meeting with a lawyer, reducing anxiety and confusion;
   2. to provide clients and prospective clients with a convenient, costeffective way to provide background information to their lawyer, rather than providing it in conference at the lawyer's hourly rate;
   3. to provide lawyers with a convenient way to receive background information from their clients and prospective clients;
   4. to continually improve the Settify service for lawyers and for clients and prospective clients.
4. Type of personal data: biographical information, contact details, relationship history, information about spouse and children, parenting information, asset and liability information. No credit card details or bank account numbers are collected.
5. Categories of data subject: the controller’s clients and prospective clients.

1. Subject matter and duration of processing: The processor will collect basic professional information about the controller’s legal personnel and legal assistants. This information will be retained for so long as the processor provides the Service to the controller.
2. Nature of the processing: Information is collected from the controller’s practice manager or similar, and used to pre-populate the list of lawyers and legal assistants that is presented to the controller when using the admin features in the Application. This information is sent to Australia to be processed by Settify employees.
3. Purposes of the processing:
   1. to provide the controller with the ability to select which lawyer will be assisting which client;
   2. to automatically CC the lawyer’s assistant when an email is generated from the Application to the lawyer;
   3. to allow the creation and sending of emails (including automated emails) by the Application, for and on behalf of lawyers and legal assistants;
4. Type of personal data: names, contact information, professional biographies, headshots and workgroup allocations. This data is often available on a law firm’s website, but may or may not be available on the controller’s website.
5. Categories of data subject: the controller’s partners, directors, and employees.

1. The processor must only act on the written instructions of the controller (unless required by law to act without such instructions) and for the avoidance of doubt, execution of this Agreement constitutes written instructions from the controller to the processor to provide the Service as set out in this Agreement;
2. The processor must ensure that people processing the data are subject to a duty of confidence;
3. The processor must take appropriate measures to ensure the security of processing;
4. The processor must only engage a sub-processor with the prior consent of the data controller and a written contract. The processor will remain liable to the data controller for all the acts and/or omissions of its sub-processors;
5. The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
6. The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
7. The processor must delete or return all personal data to the controller as requested at the end of the contract (alternatively, the controller may elect for the processor to continue to store personal data on its behalf, at no charge); and
8. The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
9. The processor must co-operate with supervisory authorities (such as the ICO) in accordance with Article 31;
10. The processor must ensure the security of its processing in accordance with Article 32;
11. The processor must keep records of its processing activities in accordance with Article 30.2;
12. The processor must notify any personal data breaches to the controller in accordance with Article 33;
13. The processor must employ a data protection officer if required in accordance with Article 37;
14. The processor must appoint (in writing) a representative within the European Union if required in accordance with Article 27; and
15. The processor will not transfer any personal data outside the UK, unless and until it has established an adequate level of protection, as required by the Data Protection Laws.

1. Nothing in this Agreement or this Schedule relieves the processor or the controller of their own direct responsibilities and liabilities under the GDPR.

Infrastructure Sub-processors

We use these Sub-processors for hosting and running our Services. These are third parties that store and process your data within our Service.

Please note for this differs from digital sovereignty (see https://aws.amazon.com/compliance/digital-sovereignty/). Data processed on behalf of firms via AWS is processed and stored inside the region specified during rollout, by default this is the region closest to the firm. Australia is the legal Jurisdiction, as the contractual agreement is between Settify Pty Ltd and AWS Web Services Australia Pty Ltd.

Platform Sub-processors

We use these Sub-processors to help us manage and provide the Service.

Business Operations Sub-processors

We use these Sub-processors to offer direct support services to you and your team. They are primarily used for communications between Customers and our support teams.