Data Processing Agreement

Last Updated: November 2025

This Data Processing Agreement ("DPA") is entered into between VaultPoint Consulting LLC ("VaultPoint," "Processor," "we") and the law firm or legal organization subscribing to the Service ("Client," "Controller," "you").


This DPA supplements the Terms of Service and governs VaultPoint's processing of personal data and Client Documents on behalf of Client.

1. Definitions

1.1 Key Terms


  • "Personal Data": Any information relating to an identified or identifiable individual, including but not limited to client names, contact information, case details, and privileged communications contained in Client Documents.

  • "Client Documents": All documents, files, and data uploaded to the Service by Client, including legal briefs, memos, templates, case files, and related materials.

  • "Processing": Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, deletion, or destruction.

  • "Sub-Processor": Any third-party service provider engaged by VaultPoint to process Personal Data on Client's behalf.

  • "Data Subject": An individual whose Personal Data is processed (e.g., Client's clients, opposing parties, witnesses).


VaultPoint does not provide legal advice. All AI Outputs are drafts requiring review by a supervising attorney before use.


1.2 Regulatory Terms


  • "GDPR": General Data Protection Regulation (EU) 2016/679

  • "CCPA": California Consumer Privacy Act

  • "HIPAA": Health Insurance Portability and Accountability Act (if applicable to Client's practice)

2. Roles and Scope

2.1 Controller and Processor

  • Client is the Data Controller: Client determines the purposes and means of processing Personal Data contained in Client Documents.

  • VaultPoint is the Data Processor: VaultPoint processes Personal Data solely on Client's documented instructions via the Service.


2.2 Scope of Processing

VaultPoint will process Personal Data only to:

  • Store and retrieve Client Documents in Client's isolated environment

  • Generate AI outputs (drafts, summaries, research) based on Client's queries

  • Maintain audit logs for compliance and privilege protection

  • Provide technical support via metadata-only system logs (no content access)


2.3 Client Instructions


Client instructs VaultPoint to process Personal Data as necessary to provide the Service as described in the Terms of Service. VaultPoint will not process Personal Data for any other purpose unless required by law or with Client's prior written consent.

3. Sub-Processors

3.1 Authorized Sub-Processors

VaultPoint engages third-party Sub-Processors to provide infrastructure and services necessary to operate the platform. Each Sub-Processor maintains its own security certifications and contractual obligations to VaultPoint.


Sub-Processor Categories and Certifications:

Cloud Infrastructure Providers: These Sub-Processors host Client data in isolated, encrypted environments. Sub-Processors in this category hold SOC 2 Type II and ISO 27001 certifications and FedRAMP authorization.


AI Model Providers: These Sub-Processors process Client queries with contractual zero-data-retention guarantees. Sub-Processors in this category hold SOC 2 Type II certification and maintain agreements prohibiting data storage or training on Client data.


Vector Database Providers: These Sub-Processors store encrypted document embeddings used for retrieval. Sub-Processors in this category hold SOC 2 Type II certification.


Payment Processors: These Sub-Processors handle billing and subscription management. Sub-Processors in this category hold PCI DSS Level 1 certification.


Communication Services: These Sub-Processors deliver transactional emails (account notifications, password resets, security alerts). Sub-Processors in this category maintain standard email security protocols.


VaultPoint does not hold independent SOC 2, ISO 27001, or other third-party security certifications. Instead, VaultPoint:


  • Selects Sub-Processors with certifications equivalent to or exceeding industry standards for their respective categories

  • Implements the technical and organizational security measures described in Section 4 of this DPA

  • Conducts due diligence on all Sub-Processors before engagement, including review of their security documentation and certifications

  • Requires all Sub-Processors to sign Data Processing Agreements meeting GDPR Article 28 standards


A detailed list of current Sub-Processor names (not just categories) is available upon written request to hello@vaultpoint.io.



3.2 Sub-Processor Obligations

VaultPoint ensures all Sub-Processors:

  • Sign written Data Processing Agreements imposing data protection obligations equivalent to this DPA

  • Maintain security certifications meeting or exceeding industry standards for their category (SOC 2 for cloud providers, PCI DSS for payment processors, etc.)

  • Are contractually prohibited from using Client data for their own purposes, including training AI models, marketing, or analytics

  • Notify VaultPoint of data breaches within 24 hours of discovery

  • Provide VaultPoint with evidence of compliance (audit reports, certifications) upon request


VaultPoint's due diligence process includes:


  • Reviewing Sub-Processor security documentation, including SOC 2 Type II reports, penetration test results, and Data Processing Agreements

  • Verifying that certifications are current and scope-appropriate for the services provided

  • Monitoring for security incidents via Sub-Processor status pages and security bulletins

  • Replacing Sub-Processors that fail to maintain adequate security standards


VaultPoint does not conduct independent audits of Sub-Processors' infrastructure or operations. Instead, VaultPoint relies on third-party audit reports (such as SOC 2 Type II reports produced by independent auditors) and contractual commitments. This approach is consistent with industry standards for technology service providers.


Clients may request copies of Sub-Processor certifications or audit summaries (with confidential sections redacted as required by Sub-Processor agreements) by contacting hello@vaultpoint.io.


3.3 Changes to Sub-Processors


VaultPoint will notify Client at least 30 days before adding or replacing Sub-Processors that process Client Documents or Personal Data.


Notification will be sent via email to the primary contact address associated with Client's account and will include:


  • The name and category of the new Sub-Processor

  • The purpose for which the Sub-Processor will process data

  • A summary of the Sub-Processor's security certifications


Client may object to a new Sub-Processor by providing written notice to hello@vaultpoint.io within 30 days of notification. Objections must be based on reasonable concerns about the Sub-Processor's ability to meet the data protection obligations outlined in this DPA.


If Client objects, VaultPoint will either:


  • Not engage that Sub-Processor for Client's data, or

  • Allow Client to terminate the Service without penalty, with full data export provided within 30 days


If Client does not object within 30 days, the new Sub-Processor is deemed accepted.


4. Data Security Measures

4.1 Technical and Organizational Measures

VaultPoint implements the following security measures to protect Client Documents and Personal Data:

Encryption:


  • TLS 1.3 encryption for all data in transit between Client's devices and VaultPoint's infrastructure

  • AES-256 encryption for all data at rest (documents, outputs, audit logs, backups)

  • Transport-layer (TLS) encryption for all API communications between VaultPoint's services and Sub-Processors


Access Controls:


  • Multi-factor authentication (MFA) required for all user accounts

  • Role-based access control (RBAC) with four permission levels: Admin, Attorney, Paralegal, Read-Only

  • AWS Identity and Access Management (IAM) policies configured with least-privilege principles

  • Automatic session timeouts after 30 minutes of inactivity

  • Password requirements: minimum 12 characters, complexity requirements enforced


Isolation:


  • Dedicated Virtual Private Cloud (VPC) provisioned for each Client

  • No commingling of Client data across environments

  • Isolated database instances and storage buckets per Client

  • Network segmentation preventing cross-Client access

  • Separate encryption keys per Client environment


Monitoring and Logging:


  • Real-time intrusion detection and automated threat response

  • Automated anomaly detection for unusual access patterns

  • Immutable audit logs (tamper-evident, append-only) with 7-year retention

  • All queries, document uploads, user actions, and system events logged with timestamps and user IDs

  • Quarterly review of access logs and security events


Testing and Maintenance:


  • Quarterly vulnerability scans of all production systems

  • Annual third-party penetration testing by certified security firms

  • Security patches and updates applied on an ongoing basis, with patches for critical vulnerabilities applied within 30 days of release

  • Automated backup integrity testing (monthly restoration drills)

  • Incident response plan tested annually



4.2 Personnel Security

  • Security awareness training provided annually to all personnel

  • Access to Client environments (infrastructure and metadata-only system logs) limited to personnel with a legitimate business need (support, infrastructure maintenance)

  • VaultPoint personnel cannot view Client Documents or AI Outputs; support is provided via metadata-only system logs



4.3 Data Retention and Deletion

Client Documents: Retained in Client's isolated environment until Client deletes them or terminates the subscription. VaultPoint does not automatically delete Client Documents.

AI Outputs: Retained in Client's environment until Client deletes them or for 30 days after subscription termination, whichever occurs first.

Audit Logs: Retained for 7 years from the date of creation, or as required by applicable bar association rules and legal hold obligations, whichever is longer.

Backups: Daily automated backups retained for 7 days on a rolling basis. All backups permanently deleted within 30 days of subscription termination.

Payment Data: Retained by Sub-Processor payment processors per PCI DSS requirements. VaultPoint does not store full credit card numbers or sensitive payment information.

Upon termination of the Service, VaultPoint will:

  • Provide Client 30 days to export all Client Documents, AI Outputs, and audit logs via the admin portal

  • Permanently delete all Client data (documents, outputs, backups, metadata) from all systems within 30 days of termination, subject to the retention exceptions in Section 10.3

  • Provide written certification of data deletion upon Client's request

  • Ensure all Sub-Processors delete Client data per their respective Data Processing Agreements


Exceptions: VaultPoint may retain anonymized, aggregated usage statistics (e.g., "average queries per firm") that cannot be traced back to any specific Client or Data Subject. Such data is used solely for internal analytics and service improvement.

5. Data Subject Rights

VaultPoint will assist Client in responding to requests from Data Subjects (individuals whose Personal Data is processed) to exercise their rights under applicable privacy laws, including:



  • Right of Access: Data Subjects may request access to their Personal Data. Client is responsible for responding to such requests. VaultPoint will provide Client with the technical means to export relevant data via the admin portal.

  • Right to Rectification: Data Subjects may request correction of inaccurate Personal Data. Client may update or correct data directly via the admin portal.

  • Right to Erasure ("Right to be Forgotten"): Data Subjects may request deletion of their Personal Data. Client may delete specific documents or outputs via the admin portal. VaultPoint will permanently delete data within 30 days of Client's deletion request.

  • Right to Restriction of Processing: Data Subjects may request temporary restriction of processing. Client may suspend specific user accounts or restrict access to specific documents via admin controls.

  • Right to Data Portability: Data Subjects may request their Personal Data in a machine-readable format. VaultPoint provides export functionality in CSV, JSON, and PDF formats via the admin portal.

  • Right to Object: Data Subjects may object to processing for specific purposes. Client is responsible for evaluating such objections and instructing VaultPoint accordingly.


VaultPoint will respond to Client's requests for assistance with Data Subject rights within 10 business days. If VaultPoint receives a Data Subject request directly (rather than through Client), VaultPoint will forward the request to Client within 5 business days and will not respond to the Data Subject without Client's prior authorization.



6. Data Breach Notification

6.1 VaultPoint's Obligations

In the event of a data breach affecting Client Documents or Personal Data, VaultPoint will:


  • Notify Client within 24 hours of discovery via email to the primary account contact from support@vaultpoint.io

  • Provide a written description of the breach, including:

    • The nature of the breach (unauthorized access, data loss, system compromise, etc.)

    • The categories and approximate number of Data Subjects affected

    • The categories and approximate number of Client Documents affected

    • The likely consequences of the breach

    • Immediate remediation steps taken by VaultPoint

  • Provide ongoing updates every 24 hours until the incident is fully resolved and all affected systems are secured

  • Cooperate fully with Client's investigation, regulatory notifications, and client disclosures

  • Provide technical assistance in assessing the scope and impact of the breach

  • Implement additional security measures to prevent recurrence


6.2 Client's Obligations

Client is responsible for:


  • Evaluating whether the breach requires notification to Data Subjects, regulatory authorities (e.g., state attorneys general, bar associations), or professional liability insurers

  • Making all required notifications to Data Subjects and authorities within applicable deadlines (e.g., notification to the supervisory authority within 72 hours under GDPR Article 33, and as required by state breach notification laws)

  • Managing client communications and public relations related to the breach


VaultPoint will provide reasonable assistance with these obligations but is not responsible for Client's compliance with notification requirements.


6.3 Definition of Data Breach

For purposes of this DPA, a "data breach" means:


  • Unauthorized access to Client Documents or Personal Data by individuals not authorized under this DPA

  • Accidental or unlawful destruction, loss, alteration, or disclosure of Client Documents or Personal Data

  • Any incident that compromises the confidentiality, integrity, or availability of Client data


A data breach does NOT include:


  • Authorized access by Client's users or VaultPoint personnel acting within the scope of this DPA

  • Incidents affecting only metadata or system logs that do not expose Client Documents or Personal Data

  • Unsuccessful intrusion attempts that are blocked by VaultPoint's security controls



7. Audits and Compliance

7.1 Client's Audit Rights

Client or Client's authorized auditor may, upon reasonable notice (at least 30 days) and during normal business hours, audit VaultPoint's compliance with this DPA, provided that:

  • Audits occur no more than once per calendar year (unless required by applicable law or following a data breach)

  • The auditor is bound by confidentiality obligations equivalent to this DPA

  • The audit does not unreasonably interfere with VaultPoint's business operations

  • The audit focuses on VaultPoint's technical and organizational measures, not Sub-Processor infrastructure (Sub-Processor audit reports are available upon request per Section 3.2)


VaultPoint may charge Client for reasonable costs incurred in facilitating the audit (e.g., personnel time, documentation preparation) if the audit exceeds 8 hours or requires access to systems beyond those directly processing Client data.


7.2 VaultPoint-Provided Documentation

As an alternative to on-site audits, VaultPoint will provide Client (upon written request to hello@vaultpoint.io) with:

  • Summaries of Sub-Processor SOC 2 Type II audit reports (with confidential sections redacted)

  • Documentation of VaultPoint's technical security measures implemented per Section 4.1

  • Evidence of Sub-Processor Data Processing Agreements

  • Incident response procedures and breach notification protocols

  • Data retention and deletion policies


This documentation is typically sufficient to demonstrate compliance with GDPR Article 28 and similar regulatory requirements.



8. International Data Transfers


VaultPoint operates exclusively within the United States. All Client data is stored and processed in AWS data centers located in the United States (US-East or US-West regions).


If Client is located outside the United States and chooses to use the Service:


  • Client's data will be transferred to and processed in the United States

  • Client acknowledges that U.S. privacy laws may differ from those in Client's jurisdiction

  • VaultPoint provides the same security protections (encryption, isolation, zero-data-retention, audit logging) regardless of Client's location


VaultPoint does not currently offer non-U.S. data residency options. If Client's organization is subject to data localization requirements (e.g., EU data must remain in the EU), Client should not use the Service or should contact hello@vaultpoint.io to discuss custom arrangements (additional fees may apply).

9. Limitation of Liability


9.1 Cap on Damages

To the maximum extent permitted by law, VaultPoint's total liability arising from this DPA or any breach of its obligations under this DPA shall not exceed the fees paid by Client in the 12 months preceding the claim (or $7,000 if less than 12 months have elapsed).

9.2 Excluded Damages

VaultPoint shall not be liable for:

  • Indirect, incidental, consequential, special, or punitive damages

  • Lost profits, lost revenue, lost data (except as provided in Section 4.3 regarding backups), or lost business opportunities

  • Damages arising from Client's failure to implement appropriate security measures on Client's own systems (e.g., weak passwords, failure to enable MFA)

  • Damages caused by Sub-Processor actions beyond VaultPoint's reasonable control, provided VaultPoint exercised reasonable care in selecting and monitoring Sub-Processors

  • Damages arising from Client's instructions that violate applicable law or this DPA

  • Damages resulting from unauthorized access caused by Client's users sharing credentials or failing to report compromised accounts


9.3 Exceptions

These limitations do not apply to:


  • VaultPoint's gross negligence or willful misconduct

  • VaultPoint's breach of confidentiality obligations under Section 2 of the Terms of Service

  • Claims that cannot be limited by law (e.g., certain statutory violations, fraud)

  • VaultPoint's obligations to assist with data breach notifications under Section 6


9.4 Allocation of Risk

Client acknowledges that the fees charged by VaultPoint reflect this allocation of risk. Higher limits of liability are available through separate negotiation and additional fees.


10. Term and Termination


10.1 Term

This DPA takes effect on the date Client activates the Service and remains in effect until the earlier of:


  • Client's termination of the Service per the Terms of Service

  • VaultPoint's termination of the Service per the Terms of Service

  • Mutual written agreement to terminate


10.2 Effect of Termination


Upon termination of this DPA or the underlying Service subscription:


  • VaultPoint will cease all processing of Client Documents and Personal Data, except as necessary to fulfill data export and deletion obligations

  • Client will have 30 days to export all Client Documents, AI Outputs, and audit logs via the admin portal

  • After 30 days, VaultPoint will permanently delete all Client data (documents, outputs, backups, metadata) from all systems, including Sub-Processor systems, subject to the retention exceptions in Section 10.3

  • VaultPoint will provide written certification of data deletion upon Client's written request to hello@vaultpoint.io

  • Sections of this DPA that by their nature should survive termination (confidentiality, limitation of liability, dispute resolution) will continue to apply


10.3 Data Retention Exceptions


Notwithstanding Section 10.2, VaultPoint may retain:


  • Audit logs for the remainder of the 7-year retention period (or as required by legal hold obligations)

  • Anonymized, aggregated usage statistics that cannot be traced back to Client or any Data Subject

  • Financial records (invoices, payment receipts) as required by tax and accounting regulations

  • Information required to be retained by law, court order, or government investigation


VaultPoint will notify Client if legally required to retain data beyond the 30-day deletion period.



11. General Provisions


11.1 Amendments

VaultPoint may update this DPA by posting the revised version at vaultpoint.io/legal and notifying Client via email at least 30 days before the changes take effect.


If changes materially reduce Client's rights or VaultPoint's obligations, Client may terminate the Service without penalty by providing written notice within 30 days of notification.


Continued use of the Service after changes take effect constitutes acceptance of the revised DPA.


11.2 Governing Law


This DPA is governed by the laws of the State of Florida, without regard to conflict of law principles. Disputes arising from this DPA are subject to the dispute resolution provisions in Section 11 of the Terms of Service (arbitration in Miami, Florida).


11.3 Relationship to Terms of Service


This DPA supplements and is incorporated into the Terms of Service. In the event of conflict between this DPA and the Terms of Service regarding data processing obligations, this DPA controls.

11.4 Severability


If any provision of this DPA is found unenforceable, the remaining provisions remain in full force and effect. The unenforceable provision will be modified to the minimum extent necessary to make it enforceable while preserving its original intent.

11.5 No Third-Party Beneficiaries


This DPA is between VaultPoint and Client only. Data Subjects and Sub-Processors are not third-party beneficiaries with independent rights to enforce this DPA.


11.6 Assignment


Client may not assign this DPA without VaultPoint's prior written consent. VaultPoint may assign this DPA to an acquirer or successor entity in connection with a merger, acquisition, or sale of substantially all assets, provided the assignee agrees to be bound by this DPA.


11.7 Notices


All notices under this DPA must be in writing and sent to:


Client notices to VaultPoint:

Email: hello@vaultpoint.io

Subject: "DPA Notice - [Your Firm Name]"



VaultPoint notices to Client:

Email: The primary contact email associated with your account



For security incidents:

Email: support@vaultpoint.io

Subject: "[SECURITY INCIDENT] - [Your Firm Name]"

Phone: Available in account dashboard for true emergencies


Notices are deemed received 24 hours after email transmission or upon confirmation of receipt, whichever is earlier.



12. Contact Information



For questions about this DPA or to exercise rights under this agreement, contact:


VaultPoint Consulting LLC
Email: hello@vaultpoint.io
Website: vaultpoint.io
Subject line for DPA inquiries: "DPA Question - [Your Firm Name]"



For data subject rights requests:
Email: hello@vaultpoint.io
Subject line: "Data Rights Request - [Your Firm Name]"



For security incidents or data breaches:
Email: support@vaultpoint.io
Subject line: "[SECURITY INCIDENT] - [Your Firm Name]"



We will respond within 10 business days for general DPA questions, within the timeframes set out in Section 5 for data subject rights requests (10 business days for Client requests for assistance; 5 business days to forward requests received directly from a Data Subject), and within 24 hours for security incidents.

1. Definitions


1.1 Key Terms


  • "Personal Data": Any information relating to an identified or identifiable individual, including but not limited to client names, contact information, case details, and privileged communications contained in Client Documents.

  • "Client Documents": All documents, files, and data uploaded to the Service by Client, including legal briefs, memos, templates, case files, and related materials.

  • "Processing": Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, deletion, or destruction.

  • "Sub-Processor": Any third-party service provider engaged by VaultPoint to process Personal Data on Client's behalf.

  • "Data Subject": An individual whose Personal Data is processed (e.g., Client's clients, opposing parties, witnesses).


VaultPoint does not provide legal advice. All AI Outputs are drafts requiring review by a supervising attorney before use.


1.2 Regulatory Terms


  • "GDPR": General Data Protection Regulation (EU) 2016/679

  • "CCPA": California Consumer Privacy Act

  • "HIPAA": Health Insurance Portability and Accountability Act (if applicable to Client's practice)

2. Roles and Scope


2.1 Controller and Processor


  • Client is the Data Controller: Client determines the purposes and means of processing Personal Data contained in Client Documents.

  • VaultPoint is the Data Processor: VaultPoint processes Personal Data solely on Client's documented instructions via the Service.


2.2 Scope of Processing

VaultPoint will process Personal Data only to:

  • Store and retrieve Client Documents in Client's isolated environment

  • Generate AI outputs (drafts, summaries, research) based on Client's queries

  • Maintain audit logs for compliance and privilege protection

  • Provide technical support via metadata-only system logs (no content access)


2.3 Client Instructions


Client instructs VaultPoint to process Personal Data as necessary to provide the Service as described in the Terms of Service. VaultPoint will not process Personal Data for any other purpose unless required by law or with Client's prior written consent.

3. Sub-Processors


3.1 Authorized Sub-Processors

VaultPoint engages third-party Sub-Processors to provide infrastructure and services necessary to operate the platform. Each Sub-Processor maintains its own security certifications and contractual obligations to VaultPoint.


Sub-Processor Categories and Certifications:

Cloud Infrastructure Providers: These Sub-Processors host Client data in isolated, encrypted environments. Sub-Processors in this category hold SOC 2 Type II, ISO 27001, and FedRAMP certifications.


AI Model Providers: These Sub-Processors process Client queries with contractual zero-data-retention guarantees. Sub-Processors in this category hold SOC 2 Type II certification and maintain agreements prohibiting data storage or training on Client data.


Vector Database Providers: These Sub-Processors store encrypted document embeddings used for retrieval. Sub-Processors in this category hold SOC 2 Type II certification.


Payment Processors: These Sub-Processors handle billing and subscription management. Sub-Processors in this category hold PCI DSS Level 1 certification.


Communication Services: These Sub-Processors deliver transactional emails (account notifications, password resets, security alerts). Sub-Processors in this category maintain standard email security protocols.


VaultPoint does not hold independent SOC 2, ISO 27001, or other third-party security certifications. Instead, VaultPoint:


  • Selects Sub-Processors with certifications equivalent to or exceeding industry standards for their respective categories

  • Implements the technical and organizational security measures described in Section 4 of this DPA

  • Conducts due diligence on all Sub-Processors before engagement, including review of their security documentation and certifications

  • Requires all Sub-Processors to sign Data Processing Agreements meeting GDPR Article 28 standards


A detailed list of current Sub-Processor names (not just categories) is available upon written request to hello@vaultpoint.io.



3.2 Sub-Processor Obligations

VaultPoint ensures all Sub-Processors:

  • Sign written Data Processing Agreements imposing data protection obligations equivalent to this DPA

  • Maintain security certifications meeting or exceeding industry standards for their category (SOC 2 for cloud providers, PCI DSS for payment processors, etc.)

  • Are contractually prohibited from using Client data for their own purposes, including training AI models, marketing, or analytics

  • Notify VaultPoint of data breaches within 24 hours of discovery

  • Provide VaultPoint with evidence of compliance (audit reports, certifications) upon request


VaultPoint's due diligence process includes:


  • Reviewing Sub-Processor security documentation, including SOC 2 Type II reports, penetration test results, and Data Processing Agreements

  • Verifying that certifications are current and scope-appropriate for the services provided

  • Monitoring for security incidents via Sub-Processor status pages and security bulletins

  • Replacing Sub-Processors that fail to maintain adequate security standards


VaultPoint does not conduct independent audits of Sub-Processors' infrastructure or operations. Instead, VaultPoint relies on third-party audit reports (such as SOC 2 Type II reports produced by independent auditors) and contractual commitments. This approach is consistent with industry standards for technology service providers.


Clients may request copies of Sub-Processor certifications or audit summaries (with confidential sections redacted as required by Sub-Processor agreements) by contacting hello@vaultpoint.io.


3.3 Changes to Sub-Processors


VaultPoint will notify Client at least 30 days before adding or replacing Sub-Processors that process Client Documents or Personal Data.


Notification will be sent via email to the primary contact address associated with Client's account and will include:


  • The name and category of the new Sub-Processor

  • The purpose for which the Sub-Processor will process data

  • A summary of the Sub-Processor's security certifications


Client may object to a new Sub-Processor by providing written notice to hello@vaultpoint.io within 30 days of notification. Objections must be based on reasonable concerns about the Sub-Processor's ability to meet the data protection obligations outlined in this DPA.


If Client objects, VaultPoint will either:


  • Not engage that Sub-Processor for Client's data, or

  • Allow Client to terminate the Service without penalty, with full data export provided within 30 days


If Client does not object within 30 days, the new Sub-Processor is deemed accepted.


4. Data Security Measures


4.1 Technical and Organizational Measures

VaultPoint implements the following security measures to protect Client Documents and Personal Data:

Encryption:


  • TLS 1.3 encryption for all data in transit between Client's devices and VaultPoint's infrastructure

  • AES-256 encryption for all data at rest (documents, outputs, audit logs, backups)

  • End-to-end encryption for all API communications between VaultPoint's services and Sub-Processors


Access Controls:


  • Multi-factor authentication (MFA) required for all user accounts

  • Role-based access control (RBAC) with four permission levels: Admin, Attorney, Paralegal, Read-Only

  • AWS Identity and Access Management (IAM) policies configured with least-privilege principles

  • Automatic session timeouts after 30 minutes of inactivity

  • Password requirements: minimum 12 characters, complexity requirements enforced


Isolation:


  • Dedicated Virtual Private Cloud (VPC) provisioned for each Client

  • No commingling of Client data across environments

  • Isolated database instances and storage buckets per Client

  • Network segmentation preventing cross-Client access

  • Separate encryption keys per Client environment


Monitoring and Logging:


  • Real-time intrusion detection and automated threat response

  • Automated anomaly detection for unusual access patterns

  • Immutable audit logs (tamper-proof, append-only) with 7-year retention

  • All queries, document uploads, user actions, and system events logged with timestamps and user IDs

  • Quarterly review of access logs and security events


Testing and Maintenance:


  • Quarterly vulnerability scans of all production systems

  • Annual third-party penetration testing by certified security firms

  • Continuous security patching, with patches for critical vulnerabilities applied within 30 days of release

  • Automated backup integrity testing (monthly restoration drills)

  • Incident response plan tested annually



4.2 Personnel Security

  • Security awareness training provided annually to all personnel

  • Access to Client data limited to personnel with legitimate business need (support, infrastructure maintenance)

  • VaultPoint personnel cannot view Client Documents or AI Outputs; support is provided via metadata-only system logs



4.3 Data Retention and Deletion

Client Documents: Retained in Client's isolated environment until Client deletes them or terminates the subscription. VaultPoint does not automatically delete Client Documents.


AI Outputs: Retained in Client's environment until Client deletes them or for 30 days after subscription termination, whichever occurs first.


Audit Logs: Retained for 7 years from the date of creation, or as required by applicable bar association rules and legal hold obligations, whichever is longer.


Backups: Daily automated backups retained for 7 days on a rolling basis. All backups permanently deleted within 30 days of subscription termination.


Payment Data: Retained by Sub-Processor payment processors per PCI DSS requirements. VaultPoint does not store full credit card numbers or sensitive payment information.

Upon termination of the Service, VaultPoint will:

  • Provide Client 30 days to export all Client Documents, AI Outputs, and audit logs via the admin portal

  • Permanently delete all Client data (documents, outputs, backups, metadata) from all systems within 30 days of termination

  • Provide written certification of data deletion upon Client's request

  • Ensure all Sub-Processors delete Client data per their respective Data Processing Agreements


Exceptions: VaultPoint may retain anonymized, aggregated usage statistics (e.g., "average queries per firm") that cannot be traced back to any specific Client or Data Subject. Such data is used solely for internal analytics and service improvement.

5. Data Subject Rights


VaultPoint will assist Client in responding to requests from Data Subjects (individuals whose Personal Data is processed) to exercise their rights under applicable privacy laws, including:



  • Right of Access: Data Subjects may request access to their Personal Data. Client is responsible for responding to such requests. VaultPoint will provide Client with the technical means to export relevant data via the admin portal.

  • Right to Rectification: Data Subjects may request correction of inaccurate Personal Data. Client may update or correct data directly via the admin portal.

  • Right to Erasure ("Right to be Forgotten"): Data Subjects may request deletion of their Personal Data. Client may delete specific documents or outputs via the admin portal. VaultPoint will permanently delete data within 30 days of Client's deletion request.

  • Right to Restriction of Processing: Data Subjects may request temporary restriction of processing. Client may suspend specific user accounts or restrict access to specific documents via admin controls.

  • Right to Data Portability: Data Subjects may request their Personal Data in a machine-readable format. VaultPoint provides export functionality in CSV, JSON, and PDF formats via the admin portal.

  • Right to Object: Data Subjects may object to processing for specific purposes. Client is responsible for evaluating such objections and instructing VaultPoint accordingly.


VaultPoint will respond to Client's requests for assistance with Data Subject rights within 10 business days. If VaultPoint receives a Data Subject request directly (rather than through Client), VaultPoint will forward the request to Client within 5 business days and will not respond to the Data Subject without Client's prior authorization.



6. Data Breach Notification


6.1 VaultPoint's Obligations


In the event of a data breach affecting Client Documents or Personal Data, VaultPoint will:


  • Notify Client within 24 hours of discovery via email to the primary account contact and support@vaultpoint.io

  • Provide a written description of the breach, including:

    • The nature of the breach (unauthorized access, data loss, system compromise, etc.)

    • The categories and approximate number of Data Subjects affected

    • The categories and approximate number of Client Documents affected

    • The likely consequences of the breach

    • Immediate remediation steps taken by VaultPoint

  • Provide ongoing updates every 24 hours until the incident is fully resolved and all affected systems are secured

  • Cooperate fully with Client's investigation, regulatory notifications, and client disclosures

  • Provide technical assistance in assessing the scope and impact of the breach

  • Implement additional security measures to prevent recurrence


6.2 Client's Obligations

Client is responsible for:


  • Evaluating whether the breach requires notification to Data Subjects, regulatory authorities (e.g., state attorneys general, bar associations), or professional liability insurers

  • Making all required notifications to Data Subjects and authorities within applicable deadlines (e.g., 72 hours under GDPR, or the deadlines set by state breach notification laws)

  • Managing client communications and public relations related to the breach


VaultPoint will provide reasonable assistance with these obligations but is not responsible for Client's compliance with notification requirements.


6.3 Definition of Data Breach

For purposes of this DPA, a "data breach" means:


  • Unauthorized access to Client Documents or Personal Data by individuals not authorized under this DPA

  • Accidental or unlawful destruction, loss, alteration, or disclosure of Client Documents or Personal Data

  • Any incident that compromises the confidentiality, integrity, or availability of Client data


A data breach does NOT include:


  • Authorized access by Client's users or VaultPoint personnel acting within the scope of this DPA

  • Incidents affecting only metadata or system logs that do not expose Client Documents or Personal Data

  • Unsuccessful intrusion attempts that are blocked by VaultPoint's security controls


7. Audits and Compliance


7.1 Client's Audit Rights


Client or Client's authorized auditor may, upon reasonable notice (at least 30 days) and during normal business hours, audit VaultPoint's compliance with this DPA, provided that:

  • Audits occur no more than once per calendar year (unless required by applicable law or following a data breach)

  • The auditor is bound by confidentiality obligations equivalent to this DPA

  • The audit does not unreasonably interfere with VaultPoint's business operations

  • The audit focuses on VaultPoint's technical and organizational measures, not Sub-Processor infrastructure (Sub-Processor audit reports are available upon request per Section 3.2)


VaultPoint may charge Client for reasonable costs incurred in facilitating the audit (e.g., personnel time, documentation preparation) if the audit exceeds 8 hours or requires access to systems beyond those directly processing Client data.


7.2 VaultPoint-Provided Documentation

As an alternative to on-site audits, VaultPoint will provide Client (upon written request to hello@vaultpoint.io) with:

  • Summaries of Sub-Processor SOC 2 Type II audit reports (with confidential sections redacted)

  • Documentation of VaultPoint's technical security measures implemented per Section 4.1

  • Evidence of Sub-Processor Data Processing Agreements

  • Incident response procedures and breach notification protocols

  • Data retention and deletion policies


This documentation is typically sufficient to demonstrate compliance with GDPR Article 28 and similar regulatory requirements.


8. International Data Transfers


VaultPoint operates exclusively within the United States. All Client data is stored and processed in AWS data centers located in the United States (US-East or US-West regions).


If Client is located outside the United States and chooses to use the Service:


  • Client's data will be transferred to and processed in the United States

  • Client acknowledges that U.S. privacy laws may differ from those in Client's jurisdiction

  • VaultPoint provides the same security protections (encryption, isolation, zero-data-retention, audit logging) regardless of Client's location


VaultPoint does not currently offer non-U.S. data residency options. If Client's organization is subject to data localization requirements (e.g., EU data must remain in the EU), Client should not use the Service or should contact hello@vaultpoint.io to discuss custom arrangements (additional fees may apply).

9. Limitation of Liability


9.1 Cap on Damages

To the maximum extent permitted by law, VaultPoint's total liability arising from this DPA or any breach of its obligations under this DPA shall not exceed the fees paid by Client in the 12 months preceding the claim (or $7,000 if less than 12 months have elapsed).


9.2 Excluded Damages


VaultPoint shall not be liable for:

  • Indirect, incidental, consequential, special, or punitive damages

  • Lost profits, lost revenue, lost data (except as provided in Section 4.3 regarding backups), or lost business opportunities

  • Damages arising from Client's failure to implement appropriate security measures on Client's own systems (e.g., weak passwords, failure to enable MFA)

  • Damages caused by Sub-Processor actions beyond VaultPoint's reasonable control, provided VaultPoint exercised reasonable care in selecting and monitoring Sub-Processors

  • Damages arising from Client's instructions that violate applicable law or this DPA

  • Damages resulting from unauthorized access caused by Client's users sharing credentials or failing to report compromised accounts


9.3 Exceptions

These limitations do not apply to:


  • VaultPoint's gross negligence or willful misconduct

  • VaultPoint's breach of confidentiality obligations under Section 2 of the Terms of Service

  • Claims that cannot be limited by law (e.g., certain statutory violations, fraud)

  • VaultPoint's obligations to assist with data breach notifications under Section 6


9.4 Allocation of Risk

Client acknowledges that the fees charged by VaultPoint reflect this allocation of risk. Higher limits of liability are available through separate negotiation and additional fees.


10. Term and Termination


10.1 Term

This DPA takes effect on the date Client activates the Service and remains in effect until the earlier of:


  • Client's termination of the Service per the Terms of Service

  • VaultPoint's termination of the Service per the Terms of Service

  • Mutual written agreement to terminate


10.2 Effect of Termination


Upon termination of this DPA or the underlying Service subscription:


  • VaultPoint will cease all processing of Client Documents and Personal Data, except as necessary to fulfill data export and deletion obligations

  • Client will have 30 days to export all Client Documents, AI Outputs, and audit logs via the admin portal

  • After 30 days, VaultPoint will permanently delete all Client data (documents, outputs, backups, metadata) from all systems, including Sub-Processor systems

  • VaultPoint will provide written certification of data deletion upon Client's written request to hello@vaultpoint.io

  • Sections of this DPA that by their nature should survive termination (confidentiality, limitation of liability, dispute resolution) will continue to apply


10.3 Data Retention Exceptions


Notwithstanding Section 10.2, VaultPoint may retain:


  • Audit logs for the remainder of the 7-year retention period (or as required by legal hold obligations)

  • Anonymized, aggregated usage statistics that cannot be traced back to Client or any Data Subject

  • Financial records (invoices, payment receipts) as required by tax and accounting regulations

  • Information required to be retained by law, court order, or government investigation


VaultPoint will notify Client if legally required to retain data beyond the 30-day deletion period.



11. General Provisions


11.1 Amendments

VaultPoint may update this DPA by posting the revised version at vaultpoint.io/legal and notifying Client via email at least 30 days before the changes take effect.


If changes materially reduce Client's rights or VaultPoint's obligations, Client may terminate the Service without penalty by providing written notice within 30 days of notification.


Continued use of the Service after changes take effect constitutes acceptance of the revised DPA.


11.2 Governing Law


This DPA is governed by the laws of the State of Florida, without regard to conflict of law principles. Disputes arising from this DPA are subject to the dispute resolution provisions in Section 11 of the Terms of Service (arbitration in Miami, Florida).


11.3 Relationship to Terms of Service


This DPA supplements and is incorporated into the Terms of Service. In the event of conflict between this DPA and the Terms of Service regarding data processing obligations, this DPA controls.

11.4 Severability


If any provision of this DPA is found unenforceable, the remaining provisions remain in full force and effect. The unenforceable provision will be modified to the minimum extent necessary to make it enforceable while preserving its original intent.

11.5 No Third-Party Beneficiaries


This DPA is between VaultPoint and Client only. Data Subjects and Sub-Processors are not third-party beneficiaries with independent rights to enforce this DPA.


11.6 Assignment


Client may not assign this DPA without VaultPoint's prior written consent. VaultPoint may assign this DPA to an acquirer or successor entity in connection with a merger, acquisition, or sale of substantially all assets, provided the assignee agrees to be bound by this DPA.


11.7 Notices


All notices under this DPA must be in writing and sent to:


Client notices to VaultPoint:

Email: hello@vaultpoint.io

Subject: "DPA Notice - [Your Firm Name]"



VaultPoint notices to Client:

Email: The primary contact email associated with your account



For security incidents:

Email: support@vaultpoint.io

Subject: "[SECURITY INCIDENT] - [Your Firm Name]"

Phone: Available in account dashboard for true emergencies


Notices are deemed received 24 hours after email transmission or upon confirmation of receipt, whichever is earlier.



12. Contact Information



For questions about this DPA or to exercise rights under this agreement, contact:


VaultPoint Consulting LLC
Email: hello@vaultpoint.io
Website: vaultpoint.io
Subject line for DPA inquiries: "DPA Question - [Your Firm Name]"



For data subject rights requests:
Email: hello@vaultpoint.io
Subject line: "Data Rights Request - [Your Firm Name]"



For security incidents or data breaches:
Email: support@vaultpoint.io
Subject line: "[SECURITY INCIDENT] - [Your Firm Name]"



We will respond within 10 business days for general DPA questions, within 5 business days for data subject rights requests, and within 24 hours for security incidents.


  • Lost profits, lost revenue, lost data (except as provided in Section 4.3 regarding backups), or lost business opportunities

  • Damages arising from Client's failure to implement appropriate security measures on Client's own systems (e.g., weak passwords, failure to enable MFA)

  • Damages caused by Sub-Processor actions beyond VaultPoint's reasonable control, provided VaultPoint exercised reasonable care in selecting and monitoring Sub-Processors

  • Damages arising from Client's instructions that violate applicable law or this DPA

  • Damages resulting from unauthorized access caused by Client's users sharing credentials or failing to report compromised accounts


9.3 Exceptions

These limitations do not apply to:


  • VaultPoint's gross negligence or willful misconduct

  • VaultPoint's breach of confidentiality obligations under Section 2 of the Terms of Service

  • Claims that cannot be limited by law (e.g., certain statutory violations, fraud)

  • VaultPoint's obligations to assist with data breach notifications under Section 6


9.4 Allocation of Risk

Client acknowledges that the fees charged by VaultPoint reflect this allocation of risk. Higher limits of liability are available through separate negotiation and additional fees.


10. Term and Termination


10.1 Term

This DPA takes effect on the date Client activates the Service and remains in effect until the earlier of:


  • Client's termination of the Service per the Terms of Service

  • VaultPoint's termination of the Service per the Terms of Service

  • Mutual written agreement to terminate


10.2 Effect of Termination


Upon termination of this DPA or the underlying Service subscription:


  • VaultPoint will cease all processing of Client Documents and Personal Data, except as necessary to fulfill data export and deletion obligations

  • Client will have 30 days to export all Client Documents, AI Outputs, and audit logs via the admin portal

  • After 30 days, VaultPoint will permanently delete all Client data (documents, outputs, backups, metadata) from all systems, including Sub-Processor systems

  • VaultPoint will provide written certification of data deletion upon Client's written request to hello@vaultpoint.io

  • Sections of this DPA that by their nature should survive termination (confidentiality, limitation of liability, dispute resolution) will continue to apply


10.3 Data Retention Exceptions


Notwithstanding Section 10.2, VaultPoint may retain:


  • Audit logs for the remainder of the 7-year retention period (or as required by legal hold obligations)

  • Anonymized, aggregated usage statistics that cannot be traced back to Client or any Data Subject

  • Financial records (invoices, payment receipts) as required by tax and accounting regulations

  • Information required to be retained by law, court order, or government investigation


VaultPoint will notify Client if legally required to retain data beyond the 30-day deletion period.



11. General Provisions


11.1 Amendments

VaultPoint may update this DPA by posting the revised version at vaultpoint.io/legal and notifying Client via email at least 30 days before the changes take effect.


If changes materially reduce Client's rights or VaultPoint's obligations, Client may terminate the Service without penalty by providing written notice within 30 days of notification.


Continued use of the Service after changes take effect constitutes acceptance of the revised DPA.


11.2 Governing Law


This DPA is governed by the laws of the State of Florida, without regard to conflict of law principles. Disputes arising from this DPA are subject to the dispute resolution provisions in Section 11 of the Terms of Service (arbitration in Miami, Florida).


11.3 Relationship to Terms of Service


This DPA supplements and is incorporated into the Terms of Service. In the event of conflict between this DPA and the Terms of Service regarding data processing obligations, this DPA controls.

11.4 Severability


If any provision of this DPA is found unenforceable, the remaining provisions remain in full force and effect. The unenforceable provision will be modified to the minimum extent necessary to make it enforceable while preserving its original intent.

11.5 No Third-Party Beneficiaries


This DPA is between VaultPoint and Client only. Data Subjects and Sub-Processors are not third-party beneficiaries with independent rights to enforce this DPA.


11.6 Assignment


Client may not assign this DPA without VaultPoint's prior written consent. VaultPoint may assign this DPA to an acquirer or successor entity in connection with a merger, acquisition, or sale of substantially all assets, provided the assignee agrees to be bound by this DPA.


11.7 Notices


All notices under this DPA must be in writing and sent to:


Client notices to VaultPoint:

Email: hello@vaultpoint.io

Subject: "DPA Notice - [Your Firm Name]"



VaultPoint notices to Client:

Email: The primary contact email associated with your account



For security incidents:

Email: support@vaultpoint.io

Subject: "[SECURITY INCIDENT] - [Your Firm Name]"

Phone: Available in account dashboard for true emergencies


Notices are deemed received 24 hours after email transmission or upon confirmation of receipt, whichever is earlier.



12. Contact Information



For questions about this DPA or to exercise rights under this agreement, contact:


VaultPoint Consulting LLC
Email: hello@vaultpoint.io
Website: vaultpoint.io
Subject line for DPA inquiries: "DPA Question - [Your Firm Name]"



For data subject rights requests:
Email: hello@vaultpoint.io
Subject line: "Data Rights Request - [Your Firm Name]"



For security incidents or data breaches:
Email: support@vaultpoint.io
Subject line: "[SECURITY INCIDENT] - [Your Firm Name]"



We will respond within 10 business days for general DPA questions, within 5 business days for data subject rights requests, and within 24 hours for security incidents.

© 2025 VaultPoint. Available exclusively through approved partners.