Data Processing Agreement
This agreement applies automatically to every Orivo account — no signature required. It is the document that puts our confidentiality architecture in writing. Firms that want a counter-signed copy addressed to them need only ask: [email protected].
The short version
- We process your matter content only on your firm's instructions.
- Never for training AI models — ours or anyone else's. Our AI providers are barred too.
- Matters are isolated per firm, encrypted, and every action is logged append-only.
- You get at least 14 days' notice before any sub-processor handling matter content changes.
- If a breach affects your data, we notify you without undue delay — target, 72 hours.
The short version is a convenience, not a substitute — the numbered clauses below govern.
1.Parties and scope
This Data Processing Agreement ("DPA") is between Orivo — the operator of the Orivo platform, including its successors and permitted assigns (the "Provider") — and the firm or individual legal professional identified in the Orivo account (the "Firm"). It forms part of the Terms of Service and takes effect for each account on first use of the platform.
It governs the Provider's handling of Matter Content: personal data contained in documents, conversations, drafts and other material the Firm places in, or generates through, the platform.
2.Roles
For Matter Content, the Firm is the data fiduciary (Digital Personal Data Protection Act, 2023) or data controller (GDPR and comparable laws), and the Provider acts as data processor, acting only on the Firm's instructions. For the Firm's own account and usage data, the Provider acts as fiduciary/controller as described in the Privacy Policy.
3.What is processed, and why
Matter Content may include client and party identities, case facts, documents, dates, communications and work product — including, by the nature of legal practice, sensitive categories of data. It is processed for one purpose: to operate the platform for the Firm — storage, retrieval, analysis, research, drafting and the other functions the Firm invokes. The Firm's instructions are: use of the platform's features, plus any reasonable written instructions given to the Provider.
4.The training prohibition
The Provider will never use Matter Content to train, fine-tune or otherwise improve any AI model — its own or a third party's. Where Matter Content is submitted to an AI provider to fulfil a request the Firm made, it is submitted under commercial terms that prohibit that provider from using it for model training. This clause cannot be varied except in a written agreement signed by both parties.
5.The Provider's obligations
- Process Matter Content only on the Firm's instructions, and inform the Firm if an instruction appears to conflict with applicable data-protection law.
- Ensure every person with access to Matter Content is bound by confidentiality obligations.
- Maintain technical and organisational measures appropriate to legal work product: encryption in transit (TLS 1.2+) and at rest, per-firm isolation enforced at the database layer, role-based access controls, and append-only audit logging of significant actions.
- Assist the Firm, within timelines required by applicable law, in answering data-principal and data-subject requests (access, correction, erasure, portability).
- Notify the Firm without undue delay — target, within 72 hours — after becoming aware of a personal-data breach affecting the Firm's Matter Content, with the information the Firm needs for its own legal obligations.
- Assist the Firm, on reasonable request, with data-protection impact assessments that concern the platform.
6.Sub-processors
The Firm authorises the Provider to engage sub-processors in these categories: cloud hosting and storage, AI model inference, authentication, error monitoring, usage analytics and transactional email. Each sub-processor is bound by data-protection obligations no less protective than this DPA, and the Provider remains fully liable for their performance.
A current list of sub-processors is available on request at [email protected]. The Provider gives at least 14 days' notice before adding or replacing a sub-processor that handles Matter Content; if the Firm reasonably objects on data-protection grounds and no resolution is found, the Firm may terminate its account and export its data under clause 9.
7.International transfers
Where Matter Content crosses borders — for example between India, the US and the EU — the transfer is made under recognised safeguards: standard contractual clauses, an adequacy decision, or equivalent measures valid in the originating jurisdiction.
8.Audits and information
On the Firm's reasonable written request — no more than once in any 12-month period, except following a material breach — the Provider will supply information sufficient to demonstrate compliance with this DPA, and will cooperate in good faith with audits the Firm is legally required to conduct, on reasonable notice and without endangering other firms' data.
9.Return and deletion
The Firm can export its Matter Content at any time in standard formats, together with its original uploaded files. On account termination, the Provider applies the published retention schedule: a 30-day soft-delete window, purge from primary storage at its end, and removal from backups within 90 days of deletion — subject only to records the Provider is legally required to keep.
10.Liability
Liability under this DPA is subject to the limitations in the Terms of Service, except where applicable data-protection law does not permit such limits.
11.Precedence and term
If this DPA conflicts with the Terms on the processing of personal data, this DPA prevails. It remains in force for as long as the Provider processes Matter Content for the Firm, and binds and benefits each party's successors and permitted assigns.
12.Execution
This DPA applies by incorporation into the Terms — no signature is needed for it to bind. Firms that require an executed copy (for their own records, or their clients') can request a counter-signed version at [email protected]; we return it within five business days.