Data Processing Addendum

Effective date: 15 March 2026
Version: 1

This Data Processing Addendum (“DPA”) forms part of the agreement between Lexkeep Oy (“Lexkeep”, “Processor”) and the customer entity that enters into the Lexkeep Terms of Use or other service agreement (“Customer”, “Controller”) (together, the “Parties”).

This DPA applies to the extent Lexkeep processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

Terms used but not defined in this DPA have the meanings given in the GDPR and/or the Parties’ main agreement (“Agreement”).

  • “GDPR” means Regulation (EU) 2016/679.
  • “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject” have the meanings in the GDPR.
  • “Customer Data” means data (including Personal Data) submitted to the Services by or on behalf of Customer.
  • “Sub-processor” means any processor engaged by Lexkeep to process Personal Data on behalf of Customer.

2. Roles and Scope

2.1 Customer as Controller. Customer is the Controller of Personal Data contained in Customer Data.
2.2 Lexkeep as Processor. Lexkeep processes Personal Data only on documented instructions from Customer, including as necessary to provide the Services.
2.3 Lexkeep as independent controller. Lexkeep acts as an independent controller for certain data processed for its own business purposes (e.g., account administration, billing, security, fraud prevention, and service communications), as described in the Privacy Policy.

3. Subject Matter, Duration, Nature and Purpose of Processing

3.1 Subject matter. Provision of the Services, including secure storage, collaboration, access control, audit logging, integrity verification, and blockchain anchoring of file fingerprints.
3.2 Duration. Processing continues for the term of the Agreement and until deletion/return is completed under Section 11.
3.3 Nature and purpose. Lexkeep processes Customer Data to:

  • store, encrypt, retrieve, and manage files and metadata;
  • manage user accounts, cohorts (matter workspaces), permissions, and sharing;
  • generate audit trails and integrity certificates;
  • compute cryptographic hashes (e.g., Keccak‑256) for integrity verification;
  • anchor hashes on a public blockchain (e.g., Ethereum) to provide tamper-evident proof of existence and timing;
  • provide customer support, security monitoring, and service operations.

4. Categories of Personal Data and Data Subjects

4.1 Categories of Data Subjects may include Customer’s employees, contractors, clients, counterparties, witnesses, experts, and other individuals whose data is included in Customer Data.
4.2 Categories of Personal Data may include names, contact details, identifiers, communications, and any other Personal Data contained in documents, audio, video, images, and metadata uploaded by Customer.

5. Customer Instructions

5.1 Customer instructs Lexkeep to process Personal Data as necessary to provide the Services and as further documented in the Agreement, this DPA, and Customer’s use/configuration of the Services.
5.2 If Lexkeep believes an instruction infringes applicable law, Lexkeep will inform Customer (unless prohibited by law).

6. Confidentiality

Lexkeep ensures that persons authorised to process Personal Data are bound by confidentiality obligations.

7. Security Measures

7.1 Lexkeep implements appropriate technical and organisational measures to protect Personal Data, including (as applicable):

  • encryption in transit (TLS);
  • encryption at rest for stored files and data (AES‑256 or equivalent);
  • access controls and role-based permissions;
  • audit logging and monitoring;
  • secure key management practices;
  • vulnerability management and incident response procedures.

7.2 Optional End-to-End Encryption (E2EE). Where Customer enables E2EE, files are encrypted on the user’s device/browser before upload. In E2EE mode, Lexkeep does not have access to the plaintext contents of those files, subject to Customer’s key management and sharing choices.

7.3 Blockchain anchoring. Lexkeep anchors cryptographic fingerprints (hashes) of files and/or records on a public blockchain. Hashes are one-way fingerprints and do not contain the underlying file content. Blockchain records are immutable and cannot be deleted or altered by Lexkeep.

8. Sub-processors

8.1 Authorised Sub-processors. Customer authorises Lexkeep to engage Sub-processors to provide the Services.
8.2 Current Sub-processors. As of the Effective Date, Lexkeep uses the following Sub-processors:

  • Amazon Web Services (AWS) – cloud hosting and infrastructure (EU region by default)
  • Stripe – payment processing and billing
  • Microsoft 365 (Office 365) – business communications and support operations (e.g., email)

8.3 Sub-processor obligations. Lexkeep will impose data protection obligations on Sub-processors that are no less protective than those in this DPA.
8.4 Changes. Lexkeep may update its Sub-processor list from time to time. Where required by law or contract, Lexkeep will provide notice of material changes via the Platform or other reasonable means.

9. International Transfers

9.1 Lexkeep hosts Customer Data in the European Union by default.
9.2 Where Personal Data is transferred outside the EEA/UK (for example, due to Sub-processor operations or support communications), Lexkeep will ensure appropriate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum (UK IDTA), or another lawful transfer mechanism.

10. Assistance to Customer

Lexkeep will provide reasonable assistance to Customer to:

  • respond to Data Subject requests (access, deletion, etc.), to the extent applicable to Customer Data;
  • support Customer’s security and DPIA obligations, where reasonably required and proportionate;
  • provide information necessary to demonstrate compliance with Article 28 GDPR.

11. Deletion and Return

11.1 Upon termination of the Services, Customer may request export/return of Customer Data where supported by the Services.
11.2 Lexkeep will delete Customer Data within a reasonable period after termination, subject to:

  • backup/DR retention cycles;
  • legal obligations; and
  • the immutable nature of blockchain anchoring (hashes anchored on-chain cannot be deleted).

12. Audits

12.1 Customer may request reasonable information to verify Lexkeep’s compliance with this DPA.
12.2 Where an audit is required, it will be subject to reasonable notice, confidentiality, and security requirements, and may be satisfied by third-party audit reports or certifications where available.

13. Liability

Liability under this DPA is subject to the limitations and exclusions in the Agreement, unless prohibited by applicable law.

14. Order of Precedence

In the event of conflict between this DPA and the Agreement regarding Personal Data processing, this DPA will prevail.

15. Contact

For privacy and data protection inquiries: privacy@lexkeep.com