THIS DATA PROCESSING ADDENDUM (this “DPA”) forms part of the Agreement by and between MH Sub I, LLC dba Martindale-Avvo (“Company”) and You (“Recipient”) as identified in the Agreement or Order form (the “Agreement”) and will be effective on the later of (i) the effective date of the Agreement; or (ii) the date Client processes any Company Personal Data (defined below). All capitalized terms not defined in this DPA have the meanings set forth in the Agreement.
WHEREAS, Company operates a service that connects consumers with attorneys;
WHEREAS, Company collects and processes personal data from consumers seeking legal services;
WHEREAS, Recipient desires to provide legal services to consumers;
WHEREAS, the parties wish to establish the terms and conditions governing the processing of personal data in compliance with applicable data protection laws;
NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein, the parties agree as follows:
For purposes of this DPA, the following terms shall have the meanings set forth below:
1.1 “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data, including but not limited to: (a) the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”); (b) state privacy laws; and (c) other applicable federal and state data protection laws.
1.2 “Consumer” means an individual who submits information to Company seeking legal services.
1.3 “Personal Data” means any information relating to an identified or identifiable natural person provided through the products and services in the Service Agreement, including but not limited to name, contact information, demographic information, and case details.
1.4 “Processing” has the meaning set forth in Applicable Data Protection Law and includes any operation performed on Personal Data.
1.5 “Services Agreement” means the agreement between the parties.
2.1 Relationship to Services Agreement. This DPA supplements and forms part of the Services Agreement. In the event of any conflict between this DPA and the Services Agreement, this DPA shall prevail with respect to data processing matters.
2.2 Roles. For purposes of Applicable Data Protection Law:
(a) Company acts as a “Controller” or “Business” with respect to the Personal Data;
(b) Recipient acts as an independent “Controller” or “Business” upon receipt of Personal Data and processes Personal Data for Recipient’s own purposes to provide legal services.
2.3 Purpose. Recipient shall process Personal Data solely for the following purposes:
(a) Evaluating potential client matters;
(b) Contacting Consumers regarding legal representation;
(c) Providing legal services to Consumers who become clients;
(d) Complying with legal and professional obligations; and
(e) Such other purposes as may be mutually agreed in writing.
3.1 Lawful Processing. Recipient shall:
(a) Process Personal Data in accordance with Applicable Data Protection Law;
(b) Process Personal Data only for the purposes set forth in Section 2.3;
(c) Implement appropriate technical and organizational measures to protect Personal Data;
(d) Maintain all necessary registrations, notices, and documentation required under Applicable Data Protection Law.
3.2 Professional Obligations. Recipient acknowledges that Personal Data may be subject to attorney-client privilege and confidentiality obligations under applicable rules of professional conduct. Recipient shall comply with all such professional obligations.
3.3 Data Minimization. Recipient shall only request and collect the minimum amount of Personal Data necessary to provide legal services.
3.4 Prohibition on Sale. Recipient shall not sell, rent, lease, or otherwise monetize Personal Data received from Company, except as permitted by Applicable Data Protection Law and consistent with providing legal services.
3.5 Retention and Deletion. Recipient shall:
(a) Retain Personal Data only as long as necessary for the purposes set forth in Section 2.3 or as required by law;
(b) Implement a data retention and deletion policy consistent with Applicable Data Protection Law and professional obligations;
(c) Securely delete or anonymize Personal Data when no longer needed, subject to legal and professional retention requirements.
4.1 Lawful Collection. Company represents and warrants that:
(a) It has collected Personal Data in compliance with Applicable Data Protection Law;
(b) It has provided appropriate notice to Consumers regarding the sharing of Personal Data with attorneys;
(c) It has obtained all necessary consents or has another lawful basis for sharing Personal Data with Recipient;
(d) The Personal Data does not include information from individuals who have opted out of such sharing where required by law.
4.2 Accuracy. Company shall use commercially reasonable efforts to ensure that Personal Data provided to Recipient is accurate and up to date.
4.3 Data Subject Requests. Company shall handle Consumer requests related to access, deletion, correction, and other rights under Applicable Data Protection Law. Company shall notify Recipient of any such requests that may affect Personal Data in Recipient’s possession.
5.1 Security Measures. Each party shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.
5.2 Confidentiality. Recipient shall ensure that any personnel who have access to Personal Data are subject to appropriate confidentiality obligations.
5.3 Sub-Processors. Recipient may engage third-party service providers (“Sub-Processors”) to assist in processing Personal Data, provided that:
(a) Recipient imposes data protection obligations on Sub-Processors that are no less protective than those in this DPA;
(b) Recipient remains liable for Sub-Processor compliance;
(c) Sub-Processors are limited to those necessary for Recipient’s legal practice (e.g., cloud storage providers, case management systems, expert witnesses, investigators).
6.1 Notification Obligation. Each party shall notify the other party without undue delay upon becoming aware of any:
(a) Unauthorized access to, or acquisition, disclosure, or loss of Personal Data (“Data Breach”);
(b) Accidental or unlawful destruction, alteration, or loss of Personal Data;
(c) Complaint, investigation, or inquiry from a data protection authority regarding Personal Data.
6.2 Breach Response. The party experiencing a Data Breach shall:
(a) Investigate the Data Breach and provide detailed information to the other party;
(b) Take reasonable steps to mitigate the effects of the Data Breach;
(c) Cooperate with the other party in addressing the Data Breach;
(d) Provide such assistance as reasonably requested to enable compliance with Applicable Data Protection Law;
(e) Not make any public statements or notifications regarding the Data Breach without prior consultation with the other party, except as required by law or professional obligations.
6.3 Costs. Each party shall bear its own costs associated with responding to a Data Breach caused by that party’s breach of this DPA.
7.1 Data Subject Requests. If Recipient receives a request from a Consumer to exercise rights under Applicable Data Protection Law (including access, deletion, correction, portability, or opt-out rights), Recipient shall:
(a) Promptly notify Company of the request;
(b) Respond to the request as required by Applicable Data Protection Law;
(c) Cooperate with Company in responding to the request if coordination is necessary.
7.2 Do Not Sell Requests. Company shall maintain a process for Consumers to opt out of the sale or sharing of Personal Data. Company shall not provide Personal Data to Recipient for Consumers who have exercised such opt-out rights where applicable.
8.1 Records. Each party shall maintain records of its processing activities as required by Applicable Data Protection Law.
8.2 Audit Rights. Upon reasonable notice and no more than once per year (unless required by a data protection authority or in connection with a Data Breach), each party may audit the other party’s compliance with this DPA, provided that:
(a) The audit is conducted during business hours and does not unreasonably interfere with operations;
(b) The auditing party executes a confidentiality agreement;
(c) With respect to Recipient, the audit does not compromise attorney-client privilege or attorney work product.
8.3 Cooperation with Authorities. Each party shall cooperate with data protection authorities as required by Applicable Data Protection Law.
9.1 Data Localization. Recipient shall process Personal Data only in the following jurisdiction(s): United States.
9.2 Transfer Mechanisms. If Personal Data is transferred outside the jurisdiction of origin, the parties shall implement appropriate safeguards required by Applicable Data Protection Law, including Standard Contractual Clauses or other approved transfer mechanisms.
10.1 Indemnification. Each party (“Indemnifying Party”) shall indemnify, defend, and hold harmless the other party (“Indemnified Party”) from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising from:
(a) The Indemnifying Party’s breach of this DPA;
(b) The Indemnifying Party’s violation of Applicable Data Protection Law;
(c) A Data Breach caused by the Indemnifying Party’s negligence or willful misconduct.
10.2 Limitation. Nothing in this Section limits either party’s liability for fraud, gross negligence, or willful misconduct.
11.1 Term. This DPA shall commence on the Effective Date and continue for so long as Personal Data is processed under the Services Agreement.
11.2 Effect of Termination. Upon termination of the Services Agreement:
(a) Company shall cease providing new Personal Data to Recipient;
(b) Recipient may continue to process Personal Data previously received to the extent necessary to:
(i) Complete representation of existing clients;
(ii) Comply with legal and professional retention obligations;
(iii) Defend against claims or litigation;
(c) The provisions of this DPA shall survive termination to the extent Recipient continues to process Personal Data.
11.3 Return or Deletion. Upon Company’s written request and to the extent not inconsistent with Recipient’s legal or professional obligations, Recipient shall either return or securely delete Personal Data and certify such deletion in writing.
12.1 Amendments. This DPA may be amended only by written agreement of both parties. However, if required to comply with changes in Applicable Data Protection Law, either party may propose reasonable amendments.
12.2 Notices. All notices under this DPA shall be in writing and delivered to the addresses set forth above or such other addresses as a party may designate in writing.
12.3 Governing Law. This DPA shall be governed by the laws of California, without regard to conflict of law principles.
12.4 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
12.5 Entire Agreement. This DPA, together with the Services Agreement, constitutes the entire agreement between the parties regarding the processing of Personal Data and supersedes all prior agreements and understandings.
12.6 Counterparts. This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one instrument.