Legal
Data Processing Agreement
Last updated: May 15, 2026
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Data Controller (“Customer”): The organization or individual entering into a subscription or service agreement with ModulawAI, as identified in the applicable order form or service agreement.
- Data Processor (“ModulawAI”): ModulawAI Inc., a Delaware corporation, with its principal place of business at 7 Peter Utulu Close, Anu Crescent, Badore, Ajah, Lagos, Nigeria, and registered agent Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, USA, and its Nigerian subsidiary ModulawAI Nigeria Limited (RC-8401723).
This DPA forms part of the Terms and Conditions or service agreement between the Customer and ModulawAI (“Principal Agreement”) and is incorporated into it by reference.
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person processed by ModulawAI on behalf of the Customer through the Platform.
- “Processing” means any operation performed on Personal Data including collection, storage, retrieval, use, disclosure, or deletion.
- “Data Subject” means the individual whose Personal Data is processed.
- “Sub-processor” means any third party engaged by ModulawAI to process Personal Data on behalf of the Customer.
- “Applicable Data Protection Law” means the NDPR, NDPA, GDPR, and any other applicable data protection laws in the Customer’s or Data Subjects’ jurisdiction.
3. Processing instructions
ModulawAI shall process Personal Data only on documented instructions from the Customer, which shall initially be as set out in this DPA and the Principal Agreement. ModulawAI shall promptly notify the Customer if, in its opinion, any instruction infringes Applicable Data Protection Law.
ModulawAI processes Personal Data for the following purposes on the Customer’s behalf:
- Providing legal research, AI chatbot, and case management services.
- Storing and processing documents uploaded by the Customer or its users.
- Facilitating workspace, team, and client management features.
- Providing customer support at the Customer’s request.
4. Confidentiality
ModulawAI shall ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations. ModulawAI personnel shall not access Customer’s uploaded legal documents except where strictly necessary for technical support, with the Customer’s prior consent, and subject to logging of such access.
5. Security
ModulawAI shall implement and maintain appropriate technical and organizational security measures including:
- AES-256 encryption of Personal Data at rest.
- TLS 1.2+ encryption of Personal Data in transit.
- Role-based access control and least-privilege access.
- Regular security assessments and access log reviews.
- Incident response and breach notification procedures (see section 9).
- bcrypt password hashing for authentication credentials.
6. Sub-processors
The Customer hereby provides general authorization for ModulawAI to engage sub-processors. The authoritative, continuously-maintained list — including a changelog of additions and removals — is published at modulaw.ai/subprocessors. The snapshot below mirrors that page as of the “Last updated” date at the top of this agreement.
ModulawAI will give enterprise customers at least 30 days’ prior written notice of any intended addition or replacement of a sub-processor. Customers may object to a new sub-processor within that period by contacting dpo@modulaw.ai. If ModulawAI cannot reasonably accommodate the objection, the Customer may terminate the affected services without penalty.
ModulawAI shall impose data protection obligations on all sub-processors equivalent to those set out in this DPA, by written contract.
Snapshot of current sub-processors (as of May 15, 2026)
Infrastructure: Microsoft Azure (hosting, Blob Storage, Document Intelligence); AWS (Bedrock inference, Amplify hosting for the Word add-in); MongoDB Atlas; Neo4j; Redis; Pinecone.
AI inference: Azure OpenAI Service; AWS Bedrock (Anthropic Claude, Amazon Nova, Meta Llama, Moonshot Kimi); Fireworks AI; Anthropic (direct, for some Word add-in features). Optional LangSmith tracing where enabled.
Voice and real-time: LiveKit (transport); Deepgram (speech-to-text); ElevenLabs (text-to-speech); Cartesia (TTS fallback).
Messaging and payments: Paystack and Stripe (payments); ZeptoMail / Zoho (transactional email); WhatsApp Business / Meta (OTP and notifications on user opt-in); Google reCAPTCHA (bot protection).
Research and legal data sources: CourtListener; CanLII; EUR-Lex; TinyFish; Tavily; Bing Search; Google Custom Search.
Analytics and marketing (consent-gated): Google Analytics; Microsoft Clarity; Meta (Facebook Pixel); TikTok Pixel; X / Twitter Ads; Apollo.
7. Data subject rights assistance
ModulawAI shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures to fulfill the Customer’s obligations to respond to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection) under Applicable Data Protection Law. ModulawAI will notify the Customer of any Data Subject requests received directly by ModulawAI within 5 business days.
8. Data protection impact assessments
ModulawAI shall provide reasonable assistance to the Customer in carrying out Data Protection Impact Assessments and in consulting with relevant supervisory authorities where required by Applicable Data Protection Law, taking into account the nature of the processing and information available to ModulawAI.
9. Personal data breach notification
ModulawAI shall notify the Customer without undue delay (and in any case within 72 hours) upon becoming aware of a Personal Data breach affecting Customer data. The notification shall include, to the extent available:
- A description of the nature of the breach.
- Categories and approximate number of Data Subjects and records affected.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach.
The Customer is responsible for notifying the relevant supervisory authority and Data Subjects as required by Applicable Data Protection Law.
10. International data transfers
Where Personal Data is transferred outside the Customer’s jurisdiction, ModulawAI shall ensure such transfers are made subject to appropriate safeguards under Applicable Data Protection Law (including Standard Contractual Clauses, intra-group agreements, or adequacy decisions as applicable). ModulawAI’s cross-border transfer framework is described in the Data Protection Policy.
11. Audit rights
ModulawAI shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, provided that:
- The Customer gives ModulawAI at least 30 days’ prior written notice.
- Audits are conducted no more than once per 12 months unless required by a supervisory authority.
- The Customer bears all costs of the audit unless the audit reveals material non-compliance by ModulawAI.
- The Customer executes a confidentiality agreement prior to any audit.
12. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Principal Agreement (Terms and Conditions). ModulawAI’s aggregate liability for breaches of this DPA shall not exceed the total fees paid by the Customer in the 12 months preceding the event giving rise to the claim, except where such limitation is not permitted by Applicable Data Protection Law.
13. Term and deletion
This DPA takes effect on the date the Customer first accepts the Terms and Conditions or executes an order form incorporating it, and remains in force for the duration of the Principal Agreement.
Upon termination or expiry of the Principal Agreement, ModulawAI shall, at the Customer’s choice, delete or return all Personal Data processed on the Customer’s behalf and delete existing copies, unless applicable law requires storage of the Personal Data. ModulawAI will confirm deletion in writing within 30 days of termination.
14. AI training prohibition
ModulawAI shall not use any Personal Data or Customer Content processed under this DPA to train, fine-tune, or improve any AI model (whether operated by ModulawAI or any third party), except where the Customer has given explicit, separate written consent for specific training purposes.
15. Governing law
This DPA is governed by the laws of the State of Delaware, USA, unless the Principal Agreement specifies otherwise, or unless mandatory provisions of Applicable Data Protection Law require a different governing law for specific obligations.
Execute this DPA
This page sets out our standard DPA terms. Enterprise customers requiring a countersigned DPA should contact us to initiate the process.
Email: dpo@modulaw.ai
ModulawAI Inc.
7 Peter Utulu Close, Anu Crescent, Badore, Ajah, Lagos, Nigeria (Principal Office)
Registered Agent: Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, USA