Glass Box Solutions, Inc.
Effective Date: January 25, 2026
Version: 1.0
This agreement defines the specific terms under which Glass Box Solutions processes data on behalf of our customers — law firms and legal professionals who act as data controllers. If you're a data controller sending us information, this document tells you exactly what we do with it, how we protect it, what your rights are, and what obligations we're accepting. It covers everything from subprocessor oversight to your audit rights to what happens to your data when you stop using our services.
Parties
This Data Processing Agreement ("DPA") is entered into between:
Customer (the entity agreeing to this DPA) ("Controller," "Customer," or "you")
and
Glass Box Solutions, Inc. ("Processor," "Provider," "we," or "us")
collectively referred to as the "Parties."
1. Definitions
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data, including CCPA/CPRA, HIPAA, CMIA, and other applicable privacy laws.
"CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA").
"Controller" means the entity that determines the purposes and means of processing Personal Data.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"Personal Data" means information that identifies, relates to, describes, or could reasonably be linked to a particular individual or household, including "Personal Information" as defined by CCPA.
"Process" or "Processing" means any operation performed on Personal Data, including collection, use, storage, disclosure, or deletion.
"Processor" means an entity that processes Personal Data on behalf of a Controller.
"Protected Health Information" or "PHI" has the meaning given in HIPAA.
"Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.
"Services" means the Adjudica.AI platform and related services provided by Processor to Customer.
"Subprocessor" means any third party engaged by Processor to process Personal Data on behalf of Customer.
2. Scope and Roles
2.1 Scope
This DPA applies to all Processing of Personal Data by Processor on behalf of Customer in connection with the Services.
2.2 Roles
- Customer is the Controller of Personal Data uploaded to or processed through the Services
- Processor is the Processor of such Personal Data, processing it only on Customer's behalf and instructions
2.3 PHI
Processing of PHI is governed by the Business Associate Agreement ("BAA") between the Parties, which is incorporated herein by reference. In the event of conflict between this DPA and the BAA regarding PHI, the BAA controls.
3. Processing Instructions
3.1 Customer Instructions
Processor shall Process Personal Data only:
- In accordance with Customer's documented instructions
- As necessary to provide the Services
- As required by Applicable Data Protection Law
3.2 Nature and Purpose of Processing
| Element | Description |
|---|---|
| Subject Matter | Provision of legal AI services for Workers' Compensation practice |
| Duration | Duration of the Agreement plus data retention period |
| Nature | Document analysis, AI processing, storage, case management |
| Purpose | To provide the Services as described in the Agreement |
| Types of Personal Data | Names, contact information, case information, medical records, legal documents |
| Categories of Data Subjects | Attorneys, law firm staff, claimants (injured workers), medical providers, employers |
3.3 Prohibited Processing
Processor shall NOT:
- Process Personal Data for any purpose other than providing the Services
- Sell Personal Data (as defined by CCPA)
- Share Personal Data for cross-context behavioral advertising
- Combine Personal Data with data from other sources except as necessary for the Services
- Use Personal Data for Processor's own commercial purposes
4. CCPA/CPRA Service Provider Certification
4.1 Service Provider Status
For purposes of CCPA/CPRA, Processor is a "Service Provider" as defined in California Civil Code Section 1798.140(ag).
4.2 Processor Certification
Processor certifies that it:
- Understands the restrictions in CCPA/CPRA Section 1798.140(ag) applicable to Service Providers
- Will not sell or share Personal Data received from Customer
- Will not retain, use, or disclose Personal Data:
  - For any purpose other than the business purposes specified in this DPA
  - Outside the direct business relationship with Customer
  - For Processor's own commercial purposes
- Will not combine Personal Data with personal information received from other sources, except as permitted by CCPA/CPRA
- Will comply with CCPA/CPRA and provide the same level of privacy protection as required by CCPA/CPRA
- Will notify Customer if Processor determines it can no longer meet its CCPA/CPRA obligations
- Grants Customer the right to take reasonable steps to ensure Processor uses Personal Data consistent with Customer's CCPA/CPRA obligations
- Grants Customer the right to stop and remediate unauthorized use of Personal Data upon notice
4.3 Subcontractor Flow-Down
Processor shall ensure that any Subprocessor is bound by written contract terms no less protective than this DPA, including the Service Provider restrictions above.
5. Data Security
5.1 Security Measures
Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
| Security Domain | Measures |
|---|---|
| Encryption | AES-256 at rest, TLS 1.3 in transit |
| Access Control | RBAC, MFA, least privilege |
| Network Security | Firewalls, IDS/IPS, network segmentation |
| Monitoring | SIEM, audit logging, anomaly detection |
| Physical Security | SOC 2 certified data centers |
| Personnel | Background checks, security training, confidentiality agreements |
5.2 Security Documentation
Upon request, Processor shall provide:
- SOC 2 Type II report (under NDA)
- Security questionnaire responses
- Penetration test executive summary (under NDA)
6. Subprocessors
6.1 Authorized Subprocessors
Customer authorizes Processor to engage the Subprocessors listed in the Subprocessor List, available at [URL] or upon request.
6.2 Subprocessor Requirements
Before engaging a Subprocessor, Processor shall:
- Conduct due diligence on the Subprocessor's security practices
- Enter into a written agreement imposing obligations equivalent to this DPA
- Remain liable for Subprocessor's compliance
6.3 New Subprocessors
Processor shall notify Customer at least 30 days before engaging a new Subprocessor that will process Customer's Personal Data. Customer may object to a new Subprocessor by providing written notice within 15 days of notification. If Customer objects and the Parties cannot resolve the objection, Customer may terminate the affected Services.
6.4 Subprocessor List Updates
Processor shall maintain a current Subprocessor List and notify Customer of changes.
7. Data Subject Rights
7.1 Assistance with Requests
Processor shall assist Customer in responding to Data Subject requests to exercise rights under Applicable Data Protection Law, including:
- Right to Know / Access
- Right to Delete
- Right to Correct
- Right to Opt-Out
- Right to Limit Use of Sensitive Personal Information
- Right to Data Portability
7.2 Response Timeline
Processor shall respond to Customer's assistance requests within 10 business days.
7.3 Direct Requests
If Processor receives a Data Subject request directly, Processor shall:
- Promptly redirect the Data Subject to Customer
- Notify Customer of the request within 5 business days
- Not respond directly unless instructed by Customer
8. Security Incidents
8.1 Notification
Processor shall notify Customer of any Security Incident without undue delay, and in any event within 72 hours of becoming aware of the incident.
8.2 Notification Content
Security Incident notifications shall include, to the extent known:
- Description of the incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records affected
- Likely consequences
- Measures taken or proposed to address the incident
- Contact point for further information
8.3 Cooperation
Processor shall:
- Cooperate with Customer's investigation
- Take reasonable steps to mitigate effects
- Preserve evidence for forensic analysis
- Not notify Data Subjects or regulators on Customer's behalf without Customer's prior approval (except as required by law)
9. Audits
9.1 Audit Rights
Customer may audit Processor's compliance with this DPA by:
- Reviewing Processor's SOC 2 report and other certifications
- Submitting written questions (up to annually)
- Conducting or commissioning an on-site audit (with 30 days' notice, during business hours, no more than annually)
9.2 Audit Scope
Audits shall be limited to:
- Verification of compliance with this DPA
- Processing activities related to Customer's Personal Data
- Security measures and controls
9.3 Audit Costs
Customer bears the cost of audits it initiates, except where an audit reveals material non-compliance, in which case Processor bears the cost.
10. Data Retention and Deletion
10.1 Retention
Processor shall retain Personal Data only for as long as necessary to provide the Services or as required by Applicable Data Protection Law.
10.2 Deletion
Upon termination of the Agreement:
- Customer may export its data for 30 days following termination
- After the export period, Processor shall delete Personal Data within 90 days
- Processor may retain data as required by law, subject to ongoing confidentiality and security obligations
10.3 Deletion Certification
Upon request, Processor shall certify in writing that Personal Data has been deleted.
11. International Data Transfers
11.1 Transfer Mechanisms
If Personal Data is transferred outside the United States, Processor shall ensure appropriate safeguards, which may include:
- Standard Contractual Clauses (for EU/UK data)
- Binding Corporate Rules
- Other lawful transfer mechanisms
11.2 Current Data Location
Personal Data is currently processed in: United States (Google Cloud Platform)
12. Liability
12.1 Liability Cap
Each Party's liability under this DPA is subject to the limitations of liability in the Agreement.
12.2 Indemnification
Each Party shall indemnify the other for losses arising from the indemnifying Party's breach of this DPA, subject to the limitations in the Agreement.
13. Term and Termination
13.1 Term
This DPA is effective upon execution of the Agreement and continues for the duration of the Agreement.
13.2 Survival
Obligations regarding confidentiality, data deletion, and audit rights survive termination.
14. General Provisions
14.1 Governing Law
This DPA is governed by the laws of the State of California.
14.2 Entire Agreement
This DPA, together with the Agreement and BAA (if applicable), constitutes the entire agreement regarding data processing.
14.3 Amendments
Processor may update this DPA to reflect changes in Applicable Data Protection Law. Material changes will be communicated with 30 days' notice.
14.4 Severability
If any provision is found unenforceable, the remaining provisions continue in effect.
15. Contact Information
Data Protection Contact:
- Email: privacy@adjudica.ai
- Mail: Glass Box Solutions, Inc., [ADDRESS]
For Data Subject Requests:
- Email: privacy@adjudica.ai
- Subject: "Data Subject Request - [Customer Name]"
Signatures
CUSTOMER
Signature: _______________________________
Name: _______________________________
Title: _______________________________
Date: _______________________________
GLASS BOX SOLUTIONS, INC.
Signature: _______________________________
Name: _______________________________
Title: _______________________________
Date: _______________________________
This Data Processing Agreement is effective as of the date last signed.
Developed & Documented by Glass Box Solutions, Inc. using human ingenuity and modern technology