Data Processing Addendum (DPA)
February 2025
​
1. DEFINITIONS
1.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
(b) “Price.Law” means the Price.Law law firm;
(c) “controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data;
(d) “Data Protection Law” means the (i) California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA”), Virginia Consumer Data Protection Act (“VDPA”), Colorado Privacy Act (“CPA”), Connecticut Data Privacy Act (“CDPA”), Utah Consumer Privacy Act (“UCPA”), (collectively, “US Privacy Laws”), (ii) EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), (iii) UK General Data Protection Regulations (“UK GDPR”) and the UK Data Protection Act 2018 (“DPA 2018”) (collectively, “UK Privacy Laws”), and (iv) the Federal Act on Data Protection of Switzerland (“Swiss FADP”), including their respective implementing regulations for each of the laws and regulations and any amendments or replacements thereto;
(e) “data subject” means the identified or identifiable person to whom the personal data relates;
(f) “Client Data” means any information provided by Client or collected from or on behalf of Client by Price.Law pursuant to the Agreement;
(g) “personal data” means any information relating to an identified or identifiable natural person;
(h) “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed;
(i) “process” or “processing” means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(j) “processor” means the entity which processes personal data on behalf of the controller;
(k) “Services” means all legal services, and related support provided pursuant to an engagement letter.
2. DATA PROTECTION AND USE
2.1 Data Protection Commitment. Price.Law undertakes to process the personal data pursuant to all applicable requirements under the applicable Data Protection Law, including adherence to security measures required pursuant to Article 32 of the GDPR.
2.2 Data Processing Role. The Parties hereby acknowledge that for the purposes of this Agreement, Price.Law is the data controller, where either a third-party or the Client is the data provider. Client shall be responsible for the accuracy, quality, and legality of personal data provided to Price.Law, as well as the means of data acquisition.
2.3 Processing Per Instructions. Price.Law agrees to process the personal data only as instructed by Client for the purposes set forth in Exhibit A, which sets out the subject-matter, nature and purpose of processing undertaken by Price.Law, as well as the duration of processing and the types of personal data and categories of data subjects processed. Price.Law shall not process the personal data other than on Client’s documented instructions unless processing is required by applicable laws to which Price.Law or their contracted processor is subject, in which case Price.Law shall to the extent permitted by applicable laws inform Client of that legal requirement before the relevant processing of that personal data. In the event Price.Law cannot process personal data in accordance with this DPA, Price.Law shall notify the other Party, in which case both parties shall determine whether processing can continue with an appropriate level of protection, or whether processing shall cease in no more than ten (10) days. If it is determined that processing shall cease, personal data shall no longer be processed, and all personal data previously processed, and copies thereof shall either be returned or completely destroyed. In determining whether personal data can be processed in accordance with this DPA, Price.Law shall take into account the national laws of the country in which the personal data is processed, the impact on the rights of individuals in regard to their personal data, and any government access to that personal data and whereby specific notice of the access and processing by that government authority cannot be disclosed.
2.4 Restrictions in Processing. Price.Law shall only process the personal data as instructed by Client to fulfil its Services as set forth in the Agreement, requested through use of the Services, or applicable written instructions. Personal data shall only be further processed for the purpose of anonymizing for use by Price.Law in improving its Services, aggregate analytics, and research and statistical purposes that are unrelated to an identified individual.
2.5 Confidentiality. Price.Law shall require its employees and contractors authorized to process the personal data to be subject to confidentiality undertakings in relation to the personal data.
2.6 Security. Price.Law shall maintain appropriate technical and organizational measures for protection of the security, confidentiality, and integrity of Client Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. Price.Law will not materially decrease the overall security of the Services during a subscription term. Security requirements specific to Price.Law’s legal services are detailed in Exhibit B.
2.7 Sub-processors. Client authorizes Price.Law to engage third-party service providers (“Sub-processors”) to process the personal data of Client Representatives, Other Business Representatives, and Other Users, to facilitate its Services for all administrative and other business-related activities and shall provide the details of all Sub-processors upon request. Price.Law shall inform Client in writing, including electronically, at least 30 days in advance of any intended changes that will result in the addition or replacement of a Subprocessor that processes Client Data under the Agreement thereby giving Client the opportunity to object to such changes on reasonable grounds prior to the engagement of the concerned Subprocessor(s). In such case Parties will cooperate in good faith to find a mutually acceptable resolution to address such objection. Price.Law agrees to carry out due diligence to confirm its Sub-processors are capable of providing the level of protection required under applicable Data Protection Law, including implementing appropriate technical and organizational measures for processing the personal data and providing protection for the rights of data subjects. If the Subprocessor does not fulfil its data protection obligations under applicable Data Protection Law that relate to its role in processing Client Data as a Subprocessor, Price.Law shall remain fully liable to Client as regards the fulfilment of the obligations of the Subprocessor as they relate to Services under this Agreement.
2.8 Data Transfer to Third Countries or International Organizations. Client authorizes Price.Law to transfer the personal data to a third country or an international organization to process the personal data to facilitate its Services on condition that Price.Law ensures adequate protections are in place as required under applicable Data Protection Law for such transfer. Where processing involves transferring of personal data from the European Economic Area to a third country or international organization, including to the United States, the Standard Contractual Clauses in Exhibit D shall apply. Where processing involves transferring of personal data from the United Kingdom to a third country or international organization, including to the United States, the Standard Contractual Clauses in Exhibit E shall apply. Where processing involves transferring of personal data from Switzerland to a third country or international organization, including to the United States, the Transfers of Swiss Personal Data in Exhibit F shall apply.
2.9 Rights of Data Subjects. Price.Law agrees to assist Client to meet its obligations under applicable Data Protection Law for responding to a data subject’s exercise of rights. Price.Law shall promptly notify Client if it receives a request from a data subject for whom Price.Law processes personal data under this Agreement in respect of the exercise of the rights of such data subject and shall ensure that it does not respond to that request except on Client’s documented instructions, or as required by applicable Data Protection Law, in which case Price.Law shall to the extent permitted by law inform Client of that legal requirement before responding to the request.
2.10 Data Breach and Other Compliance Obligations. Price.Law shall inform Client without undue delay after becoming aware of a personal data breach, and in any event within 48 hours. Price.Law shall make reasonable efforts to identify the cause of the personal data breach and shall take those steps Client deems necessary and reasonable to remediate the cause of such personal data breach to the extent the remediation is within Price.Law’s reasonable control. The obligations herein shall not apply to personal data breach caused by Client or Client’s users. Price.Law agrees to provide information to assist Client in meeting its requirements for notification to applicable regulatory bodies and data subjects, as required under applicable Data Protection Law.
2.11 Reasonable Assistance. Price.Law shall provide reasonable assistance to Client to comply with its obligations under applicable Data Protection Law, including data protection impact assessments and prior consultation with the applicable supervisory authority. Price.Law shall also provide reasonable assistance in providing information to enable Client to fulfil its obligations and demonstrate its compliance with applicable Data Protection Law and allow for and contribute to audits and inspections, and a right to assistance in the event an audit is required by an applicable supervisory authority.
2.12 Retention of Data. The personal data shall be retained by Price.Law for a reasonable time in accordance with its provision of Services. Upon request, Price.Law shall provide specific information on how its retention policy applies to the personal data processed on behalf of Client. Upon termination of Price.Law’s Services under this Agreement by either party, and upon request of Client within thirty days of notice of termination, Price.Law shall at the choice of Client, delete or return all or any portion of any personal data in its possession or control, and delete existing copies, with deletion occurring as part of Price.Law’s standard deletion cycle. The personal data will only be further retained as allowed under applicable Data Protection Law or required under regulatory provisions mandating record retention.
​
3. LIMITED LIABILITY
3.1 Limitation of Liability. Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to Section 8.3 “Limitation of Liability” of the Terms, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Terms and all DPAs together.
3.2 NO LIABILITY FOR CONSEQUENTIAL DAMAGES. NOTWITHSTANDING THE FOREGOING, IN NO EVENT SHALL COMPANY BE LIABLE TO CLIENT OR TO ANY THIRD PARTY FOR ANY INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL, CONSEQUENTIAL OR COMPENSATORY LOSSES, DAMAGES, CLAIMS OR CAUSES OF ACTION, INCLUDING, BUT NOT LIMITED TO, THOSE ARISING FROM LOSS OF BUSINESS OR PROFITS OR ANY OTHER ECONOMIC LOSS, EVEN IF COMPANY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.
​
4. GENERAL
4.1 Precedence. The provisions of this DPA are supplemental to the provisions of the Terms. In the event of inconsistencies between the provisions of this DPA and the provisions of the Terms, the provisions of this DPA shall prevail with respect to the subject matter of this DPA. Where and to the extent that Standard Contractual Clauses in Exhibit D or Exhibit E apply, if there is any conflict between this DPA and Standard Contractual Clauses, Standard Contractual Clauses will prevail.
4.2 Severability. The parties agree that, if any section or sub-section of this DPA is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this DPA.
4.3 Duration. The DPA shall apply for the duration of the provision of Services under the Terms. For the duration of the provision of Services under the Terms, this DPA cannot be terminated unless the parties have executed an agreement governing the processing of personal data in connection with the provision of the Services under the Terms.
4.4 Governing Law; Venue. Except as otherwise provided herein, this DPA will be governed by and construed in accordance with the laws of the state of Oregon, without regard to its conflict of laws rules. Any legal action or proceeding arising under this Agreement DPA brought by Client will be brought exclusively in the federal or state courts located in Multnomah County, Oregon and the parties hereby irrevocably consent to the personal jurisdiction and venue therein.
​
EXHIBIT A - SCOPE OF PROCESSING
This Exhibit A details the scope of the processing of personal data under this Agreement.
Duration of the Processing: Price.Law will process the personal data for the duration of the Agreement, unless otherwise instructed by Client in writing.
Subject-Matter of the Processing: The subject matter of the processing is fulfilling of the Services under the Agreement, Client feedback surveys, data analytics and reporting through the Price.Law legal services, technological support services, and related administrative, sales and marketing activities relevant to the business relationship.
Nature and Purpose of the Processing: The nature and purpose of the processing is to fulfill the Agreement and perform services on behalf of the Client to measure Client experience by gathering Client feedback and providing valuable data for business use to improve workforce performance and drive market growth. Other data processing through de-identified, aggregate analysis is for the purpose of improving the Price.Law legal services and website and for research and statistical purposes.
Categories of Data Subjects: Each category listed includes current, past and prospective data subjects.
- Clients
- Employees, contingent workers, or contractors
- Client Representatives
- Other Business Representatives
Categories of Data
- Personal Details: Including name, surname, e-mail and telephone details, address, language preference, date of birth, gender
- Employment Details: Including employer name, job title, work email, work phone
- Client Records: Including details of services purchased or for which data subject is considered a prospect; records of interaction with data subject (including Client service records, correspondence and details) Client billing and financial information (including finance and payment information); contact information; matters pending and closed; communication preferences; comments posted to website forums hosted by Price.Law, Client event attendance details; website registration information; personal data collected through the use of cookies set by or on behalf of Client
- Electronic Data: Including IP addresses and personal data collected through the use of cookies, navigation, device ID, browser type
- Survey Responses: e.g. Client feedback, experience ratings, and related information
- Family, Lifestyle and Social Circumstances
- Other information specific to the Price.Law Services
Special Categories of Data
The parties do not anticipate sharing, and agree to delete upon discovery during their course of performance of the Agreement, personal data that concern any of the following special categories of data: information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life or any other similar categories of data provided special protections under applicable data protection laws and regulations.
Processing Operations: The personal data will be subject to the basic processing activities listed below:
- Receiving data: Including collection, accessing, retrieval, recording, and data entry
- Holding data: Including storage, organization and structuring
- Using data: Including analyzing, consultation, testing, automated decision making and profiling
- Updating data: Including correcting, adaptation, alteration, alignment and combination
- Protecting data: Including restricting, encrypting, and security testing
- Erasing data: Including destruction and deletion
- Anonymizing or de-identifying data for aggregate use
- Protection of rights: Including reducing software piracy and fraud, ensuring that applications and websites are used in compliance with applicable terms and the law; protecting Clients; and
- Services development and improvement: Including measuring and better understanding how websites and applications are used in order to improve these; tailoring overall Client experience with use of websites and applications.
EXHIBIT B - DATA SECURITY REQUIREMENTS
This Exhibit B details the technical and organizational security measures implemented by Price.Law that shall apply to the processing of personal data under this Agreement.
Price.Law shall implement and maintain appropriate technical and organizational measures designed to protect personal data against any misuse or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that Price.Law may transmit, store or otherwise process.
​
Technical and Organizational Security Measures Implemented by Price.Law
- Protect web and database servers using firewalls;
- Require passwords for account registration requiring minimum password strength attributes;
- Track user access;
- Apply role-based security to system access;
- Use data encryption for personal data appropriate to the type of personal data being processed;
- Use third-party vendors maintaining compliance with industry standards to process personal data requiring a higher level of protection than available in Price.Law’s systems;
- Review and test vendor-supplied patches for compatibility before installation;
- Perform regular system backups;
- Perform regular maintenance on systems;
- Perform security monitoring on systems;
- Contractually require third-party vendors that process personal data to implement technical and organizational security measures appropriate to the risk of the nature, scope, context and purposes of the processing;
- Contractually obligate employees to maintain the confidentiality of personal data accessible through their employment;
- Require all employees to attend regular security and awareness training; and
- Internal documented procedures and controls to enable security including SOC 2 Type II controls, finance procedures, delegation of control, legal contract negotiation, obligation tracking, Client service management, employee policies and training.
Technical and Organizational Security Measures applicable to Amazon Web Services
Technical and Organizational Measures applicable to Amazon Web Services are available at: https://aws.amazon.com/security/?nc=sn&loc=0 (last accessed April 16, 2021), and include:
- AWS investigates all reported vulnerabilities in any aspect of its cloud services.
- Data encryption in transit interconnecting datacenters and regions is automatically encrypted at the physical layer before it leaves secured facilities.
- Encryption for all VPC cross-region peering traffic, and Client or service-to-service TLS connections.
- Tools managed to encrypt data in transit and at rest to ensure only authorized users can access data.
- Use of keys managed by AWS Key Management Systems or managed using encryption keys with Cloud HSM using FIPS 140-2 Level 3 validated HSMs.
- AWS supports more security standards and compliance certifications than any other offering, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171, helping satisfy compliance requirements for virtually every regulatory agency around the globe.
EXHIBIT C - LIST OF SUB-PROCESSORS
This Exhibit C details the list of subprocessors engaged to process personal data under this Agreement, including for processing of personal data under Exhibit D, Exhibit E, and Exhibit F.
In the event a subprocessor is engaged to process personal data under this Agreement, the details of the subprocessor shall be added to this Exhibit C.
The following subprocessors are authorized by the data controller to process personal data under this agreement:
NAME OF SUB-PROCESSOR: ZOHO
LOCATION OF SUB-PROCESSOR: Quincy, Washington or Dallas, Texas
DESCRIPTION OF PROCESSING: Application web hosting and data storage
EXHIBIT D - EU STANDARD CONTRACTUAL CLAUSES
1. Incorporation and References
The provisions of the EU Standard Contractual Clauses pursuant to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en and as amended or replaced from time to time shall be incorporated into this DPA by reference and shall apply to Personal Data of residents of the European Economic Area (“EEA”) as referenced in this Section 1:
a. On the basis of the Standard Contractual Clauses pursuant to European Commission accessible at ???
b. List of parties required under Annex I as set out in Section 2 of this Exhibit D;
c. Description of transfer required under Annex I as set out in Exhibit A to this Agreement;
d. Operative clauses to the EU Standard Contractual Clauses as detailed in Section 3 of this Exhibit D;
e. Competent supervisory authority required under Annex I as set out in Section 4 of this Exhibit D;
f. Technical and organizational measures required under Annex II as set out in Exhibit B to this Agreement; and
g. List of sub-processors authorized for use required under Annex III as set out in Exhibit C to this Agreement.
1.1 The provisions of the EU Standard Contractual Clauses shall be incorporated into this DPA by reference.
1.2 Pursuant to the terms of the Agreement, the Parties agree to process personal data of residents of the European Economic Union in compliance with the terms of the EU Standard Contractual Clauses as referenced in this Section 1.
​
2. Parties to the EU Standard Contractual Clauses
2.1 Module One shall not apply to this Agreement.
2.2 For the purposes of Modules Two through Four, the data controller shall be “Price.Law” with offices at Penn Valley, CA, United States of America, and the data provider shall be the Client or another third-party source. The Price.Law Privacy Compliance Officer may be contacted directly at Cyndi@Price.Law.
3. Operative Clauses to the EU Standard Contractual Clauses
3.1 The relevant provisions contained in the EU Standard Contractual Clauses are incorporated by reference.
3.2 The personal data transferred concern the categories of data subjects set out in Exhibit A of the DPA.
3.3 The personal data transferred concern the categories of data set out in Exhibit A of the DPA.
3.4 If included in processing, the details of special categories are set out in Exhibit A of the DPA.
3.5 In relation to processing operations, the personal data transferred will be subject to the basic processing activities set out in Exhibit A of the DPA.
3.6 In Clause 7, the "Docking Clause (Optional)" shall be deemed not incorporated.
3.7 In Clause 9, the Parties choose Option 1, Specific Prior Authorisation, with a time period of 30 days.
3.8 The optional wording in Clause 11 shall be deemed not incorporated.
3.9 In Clause 17 and Clause 18, the governing law and forum, respectively, shall be the Netherlands.
3.10 The description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are set out in Exhibit B of the DPA.
3.11 The list of data importer’s authorized sub-processors in accordance with Clause 9(a) is set out in Exhibit C to this DPA.
3.12 The effective date of the EU Standard Contractual Clauses is the date the Client agreed to the Agreement.
4. Competent Supervisory Authority
In accordance with Clause 13, the applicable competent supervisory authority shall be determined by reference to the following order:
a) The supervisory authority of the Member State where Client’s EU headquarters is located;
b) The supervisory authority of the Member State where Client’s EU representative is located;
c) The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred is located; or
d) Dutch Data Protection Authority in the Netherlands.
EXHIBIT E - International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
(the “UK Transfer Addendum”)
1. Incorporation and References
1.1 The UK Transfer Addendum is incorporated into this DPA by reference and applies to the Processing of Personal Data of residents of the United Kingdom.
1.2 The UK Transfer Addendum is an addendum to the approved EU Standard Contractual Clauses and is issued by the UK’s Information Commissioner’s Office, Version B1.0, in force as of 21 March 2022 (available at: https://ico.org.uk/media/fororganisations/documents/4019539/international-data-transfer-addendum.pdf).
1.3 The operative clauses are as detailed in Exhibit D.
1.4 The Start Date shall be the date last signed.
​
2. Parties
Data Exporter: Client
Legal Name: As signed in the Engagement Letter
Address: As listed in the Engagement Letter
Registration Number: As listed in the Engagement Letter if applicable
Contact Name: As listed in the Engagement Letter
Contact Title: As listed in the Engagement Letter
Contact Email: As listed in the Engagement Letter
Data Importer: Price.Law
Legal Name: Price.Law entity signed in the Engagement Letter
Address: As listed in the Engagement Letter
Registration Number: As listed in the Engagement Letter if applicable
Contact Name: As listed in the Engagement Letter
Contact Title: As listed in the Engagement Letter
Contact Email: As listed in the Engagement Letter
3. Additional Information
3.1 The information required in Table 1 is populated by the information set out in Exhibit D of this DPA.
3.2 The information required in Table 2 is populated by the form of the EU Standard Contractual Clauses set out in Exhibit D of this DPA.
3.3 The information required in Table 3 is populated by the information set out in Exhibit A Scope of Processing, Exhibit B Data Security Requirements and Exhibit D List of Subprocessors of this DPA.
3.4 For purposes of Table 4, Client can end this UK Transfer Addendum as set out in Section 19 of the UK Transfer Addendum.
3.5 All other standard terms set out in the UK Transfer Addendum shall apply.
EXHIBIT F - Transfers of Swiss Personal Data
For personal data of data subjects located in Switzerland, the EU Standard Contractual Clauses (as revised in Exhibit D of this DPA) are implemented as follows:
- The Swiss Federal Data Protection and Information Commissioner shall be the sole supervisory authority for the transfers exclusively subject to the Swiss FADP;
- The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the Standard Contractual Clauses shall be interpreted to include the Swiss FADP with respect to the transfers;
- References to Regulation (EU) 2018/1725 are removed;
- References to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Standard Contractual Clauses;
- In Clause 17 and Clause 18, the governing law and forum, respectively, shall be Switzerland;
- Where the transfers are exclusively subject to the Swiss FADP, all references to the GDPR in the Standard Contractual Clauses are to be understood to be references to the Swiss FADP.
Where the transfers are subject to both the Swiss FADP and the GDPR, all references to the GDPR in the Standard Contractual Clauses are to be understood to be references to the Swiss FADP insofar as the transfers are subject to the Swiss FADP.