Acuerdo de Procesamiento de Datos
Última actualización: 15 de enero de 2026
1. Scope and Purpose
This Data Processing Agreement ("DPA") forms part of the agreement between Legent, Inc. ("Processor") and the subscribing organization ("Controller") for the provision of AI-powered legal research services. This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Legent platform.
2. Definitions
"Personal Data," "Processing," "Data Subject," "Controller," and "Processor" have the meanings given in the EU General Data Protection Regulation (GDPR), Brazil's Lei Geral de Proteção de Dados (LGPD), and equivalent applicable data protection laws. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
3. Processing Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law.
4. Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: (a) encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3); (b) firm-level tenant isolation; (c) role-based access controls and audit logging; (d) regular penetration testing by independent third parties; (e) incident response procedures with defined notification timelines.
5. Sub-processors
The Controller authorizes the Processor to engage Sub-processors for the provision of the service. The Processor shall maintain a current list of Sub-processors, available upon request, and shall notify the Controller at least 30 days prior to the addition or replacement of any Sub-processor. The Controller may object to a new Sub-processor on reasonable grounds related to data protection.
6. Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, portability, and objection. The Processor shall promptly notify the Controller of any Data Subject request received directly.
7. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, upon becoming aware of a Personal Data breach. The notification shall describe the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
8. Data Residency
Personal Data shall be processed and stored in the region selected by the Controller at the time of onboarding (Brasil, México, or the United States). The Processor shall not transfer Personal Data outside the selected region without the Controller's prior written consent, except where required by applicable law.
9. Audit Rights
The Controller may audit the Processor's compliance with this DPA, subject to reasonable notice and during normal business hours. The Processor shall make available all information necessary to demonstrate compliance and shall allow and contribute to audits conducted by the Controller or an independent auditor mandated by the Controller.
10. Return and Deletion of Data
Upon termination of the agreement or upon the Controller's request, the Processor shall, at the Controller's choice, return all Personal Data to the Controller or securely delete it within 30 days, and certify such deletion in writing. This obligation does not apply to the extent retention is required by applicable law.
11. Term and Governing Law
This DPA shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller. This DPA shall be governed by the same governing law as the underlying service agreement between the parties.
12. Contact
For questions about this DPA, contact Legent's Data Protection Officer at dpo@legent.ai or write to: Legent, Inc., Carrera 7 #71-21, Oficina 1202, Bogotá, Colombia.