onTerms.org

Last updated: 10 June 2026

Data Processing Addendum

Draft under legal review. This document is a working draft prepared for review by qualified counsel. It is not legal advice and should not be relied on until that review completes.

This Data Processing Addendum (the DPA) forms part of the agreement between the business customer identified on the relevant order or subscription (the Customer) and onTerms, operated by Rated Counsel Limited (registered in England and Wales, company number 11812572, registered office 5 Golden Mede, Waddesdon HP18 0NG) (onTerms, we, us), under the Terms of Service. It applies where, and only to the extent that, the Customer’s use of the onTerms service involves onTerms processing personal data on the Customer’s behalf, for example the names and business contact details of order parties and signatories, or personal data contained in dispute evidence the Customer submits.

This DPA is a template pending counsel review. Bracketed items, and the specific points listed in section 14, require sign-off by qualified counsel before this document is executed with any customer. It is written for the UK GDPR and, where the EU GDPR applies to the Customer’s processing, for the EU GDPR. References to the GDPR mean whichever of those regimes applies; references to Articles are to the corresponding Article of each. Terms such as controller, processor, personal data, data subject and personal data breach have the meanings given in the GDPR.

The onTerms service is offered to business customers only. Consumer use is out of scope and contractually excluded under the Terms of Service. This DPA is governed by the law of England and Wales, as set out in the Terms of Service.

1. Roles of the parties

1.1 Customer as controller, onTerms as processor

For personal data that the Customer submits to the service in the content of orders, signing ceremonies, counterparty invitations, agent executions under verifiable mandates and, where the Customer elects to use the dispute tools, dispute evidence (together, Customer Personal Data), the Customer is the controller (or, where the Customer acts for its own client, a processor acting on that controller’s instructions) and onTerms is the Customer’s processor under Article 28.

1.2 onTerms as independent controller

onTerms is an independent controller, not a processor, for the following processing, which is described in the Privacy Notice rather than governed by this DPA:

  • account, authentication, billing, support and service-communication data relating to the Customer’s own users (for example the name, email address and session data handled through WorkOS, and billing records handled through Stripe);
  • security, fraud-prevention and abuse-prevention records, including service logs; and
  • transparency-log integrity: onTerms determines the purpose and means of maintaining a public, append-only transparency log (an RFC 6962 Merkle tree) of content hashes, leaf hashes, signed tree heads and inclusion proofs, so that any committed record can be independently verified. onTerms therefore acts as controller for the publication and indefinite retention of those hashes. The log stores hashes only; it never stores order bodies, evidence or other plaintext content.

Note for counsel: for dispute case files there is a credible analysis that onTerms is a joint controller with the parties for some elements, rather than a pure processor. A controllership analysis, and a choice between Article 26 joint-controller terms and the Article 28 terms in this DPA for the dispute layer, must be settled before any live dispute-evidence ingestion.

2. Details of the processing

Subject matter: Provision of the onTerms service: hosting and processing of executed orders that incorporate onTerms standard terms, passkey (WebAuthn) signing including multi-party counter-signature, email invitations to counterparty signatories, agent execution under verifiable mandates (OAuth 2.1 and did:web), verification services, and, where elected, the dispute tools described in section 6.4.
Duration: The term of the Customer’s subscription or use of the service, plus the deletion period in section 9.
Nature of processing: Collection, storage, retrieval, content-addressed hashing, transmission (including signing invitations by transactional email), display to authorised users and mandated agents, generation of inclusion proofs against stored hashes, and deletion.
Purpose: To provide the service to the Customer in accordance with the Terms of Service and the Customer’s documented instructions.
Categories of data subjects: Signatories and authorised representatives of the Customer and of its counterparties; individuals named in order content; and, where dispute tools are used, individuals whose personal data appears in evidence the Customer submits (for example employee names in service logs).
Categories of personal data: Party legal names, signatory names, business postal addresses and business email addresses contained in signed orders (stored as structured order records in our Postgres database); signing metadata such as passkey credential identifiers and timestamps; and any personal data the Customer chooses to include in order content or dispute evidence.
Special category data: None is required by the service and the Customer must not submit it except as expressly agreed in writing. Where dispute evidence could contain special category data, the Customer must ensure an Article 9 condition applies (see section 14).
Frequency: Continuous, as initiated by the Customer, its authorised users and its mandated agents.

3. Documented instructions

onTerms will process Customer Personal Data only on the Customer’s documented instructions, including with regard to international transfers, unless required to do so by the law of the United Kingdom or of an EU member state to which onTerms is subject; in that case onTerms will inform the Customer of the legal requirement before processing, unless that law prohibits doing so on important grounds of public interest. The Customer’s documented instructions are:

  • the Terms of Service and this DPA;
  • the Customer’s configuration and use of the service, including creating and executing orders, inviting counterparty signatories by email, granting and scoping agent mandates, enabling identity verification, and electing dispute tiers; and
  • any further written instructions agreed between the parties.

onTerms will inform the Customer if, in its opinion, an instruction infringes the GDPR. The Customer is responsible for the lawfulness of the Customer Personal Data it submits and for having a lawful basis to disclose it to onTerms, including with respect to its counterparties’ signatories.

4. Confidentiality

onTerms ensures that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and access Customer Personal Data only as needed to provide and support the service.

5. Security measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, onTerms implements the technical and organisational measures below (Article 32). They reflect the actual architecture of the service today.

  • Non-custodial signing keys. User signing keys are passkeys (WebAuthn) or party-held Ed25519 keys. onTerms never holds the private keys and cannot sign on a user’s behalf.
  • Minimal service key custody. onTerms holds one private key, used solely to sign transparency-log tree heads. It is managed as a restricted platform secret.
  • Tamper evidence by design. Records are content-addressed and committed to an append-only RFC 6962 Merkle transparency log. Any alteration of a committed record is detectable by independent verification.
  • Hash-only publication. The public transparency log and the free verify endpoint expose content hashes, inclusion proofs and status only. Order bodies, party details and evidence are never published.
  • Encryption. All service traffic is encrypted in transit (TLS). Customer Personal Data at rest is stored in Neon Postgres with provider-managed encryption at rest.
  • Authentication and session security. User authentication is provided by WorkOS AuthKit with secure session cookies. Passkey ceremonies use a short-lived (5 minute) httpOnly challenge cookie.
  • Agent access control. Agents act only under verifiable mandates using OAuth 2.1 and did:web, with scoped permissions, and their executions are recorded in the transparency log.
  • Application access control. Seat-based access on team plans, scoped and revocable Verify-API keys, and separation between public verification surfaces and authenticated order data.
  • Payment and identity data minimisation. Card data is processed by Stripe and never touches onTerms systems. Identity verification, where enabled, is performed by Stripe Identity; onTerms stores the verification status, not identity documents.
  • Vendor assurance. Hosting, database and payment sub-processors (Vercel, Neon, Stripe) maintain their own independent security attestations, available from those providers. onTerms does not claim a SOC 2 or ISO 27001 certification of its own.

6. Sub-processors

6.1 Authorisation and current list

The Customer gives general written authorisation for onTerms to engage the sub-processors listed at /legal/subprocessors, which at the date of this DPA are: Vercel (hosting and serverless compute, United States, region iad1), Neon (PostgreSQL database, AWS us-east-1, United States), WorkOS (authentication), Stripe (payments, billing portal and, where enabled, Stripe Identity verification) and Postmark by ActiveCampaign (transactional email, including counterparty signing invitations). Squarespace provides domain registration and DNS only and does not process Customer Personal Data within the service.

6.2 Changes and right to object

onTerms will give the Customer at least 30 days’ prior notice of the addition or replacement of a sub-processor, by email to the Customer’s registered account email and by updating /legal/subprocessors. The Customer may object on reasonable data-protection grounds within that period. If the objection cannot be resolved, the Customer may terminate the affected part of the service and receive a pro-rata refund of prepaid fees for the unused period.

6.3 Flow-down and responsibility

onTerms imposes data-protection obligations on each sub-processor that are materially equivalent to those in this DPA, and remains liable to the Customer for the performance of each sub-processor’s obligations.

6.4 Optional features not yet enabled

Two categories of sub-processing are built but not active at the date of this DPA and will only be engaged after notice under section 6.2: Upstash (rate limiting) and AI model routing via Vercel AI Gateway to Anthropic and OpenAI (which would support Tier 2A AI mediation and award-drafting assistance). Tier 2A is inert until that gateway is configured. Tier 2B binding arbitration is built but disabled pending counsel sign-off and is not part of the service; no dispute evidence is sent to any AI model provider today. If these features are enabled, the routing of evidence to United States model providers is a restricted transfer requiring the safeguards in section 11 and a transfer risk assessment before activation.

7. Assistance with data subject rights, DPIAs and consultations

Taking into account the nature of the processing, onTerms will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer’s obligation to respond to data subject requests under Articles 12 to 22, and will assist the Customer in ensuring compliance with Articles 32 to 36 (security, breach notification, data protection impact assessments and prior consultation), taking into account the information available to onTerms. If onTerms receives a request directly from a data subject relating to Customer Personal Data, it will, to the extent lawful, promptly forward it to the Customer and not respond on the merits without the Customer’s instruction.

Erasure mechanics. Because records are content-addressed and the transparency log is append-only, erasure is implemented by deleting the stored plaintext (the order record or evidence) from the database, after which the corresponding content hash remains in the public log. A hash of deleted content does not by itself reveal that content, and the log never contains order bodies or evidence. The treatment of residual hashes under Article 17 is flagged as a counsel review point in section 14.
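The erasure mechanics above, together with the tamper evidence and hash-only publication in sections 1.2 and 5, shown as an added, runnable illustration. This is editor-supplied example code, not onTerms code: it assumes SHA-256 with the RFC 6962 leaf and node prefixes, the sample order bodies are constructed, and signing of tree heads by the service key (section 5) is left out. It commits five records, proves inclusion of one, deletes that record's plaintext, and checks that the proof still verifies from public data alone and that rewriting a committed leaf changes the tree head.

```python
"""Added illustration (not onTerms code) of the content-addressed records,
RFC 6962 log and hash-only erasure described in sections 1.2, 5 and 7.
Assumes SHA-256 with RFC 6962 domain separation; sample records are
constructed; signing of tree heads by the service key is left out."""
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 prefixes leaves with 0x00 and interior nodes with 0x01 so a
    # leaf can never be passed off as a node (second-preimage defence).
    return sha256(b"\x00" + entry)

def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)

def split_point(n: int) -> int:
    """Largest power of two strictly less than n, for n >= 2."""
    return 1 << ((n - 1).bit_length() - 1)

def tree_head(leaves: list) -> bytes:
    """Merkle Tree Hash over ordered leaf hashes (RFC 6962 section 2.1)."""
    if not leaves:
        return sha256(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = split_point(len(leaves))
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))

def inclusion_path(index: int, leaves: list) -> list:
    """Audit path for leaves[index], nearest sibling first (RFC 6962 2.1.1)."""
    if len(leaves) == 1:
        return []
    k = split_point(len(leaves))
    if index < k:
        return inclusion_path(index, leaves[:k]) + [tree_head(leaves[k:])]
    return inclusion_path(index - k, leaves[k:]) + [tree_head(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int, path: list, root: bytes) -> bool:
    """Verify a proof against a tree head from public data only (RFC 9162 2.1.3.2)."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:  # right-most node: climb past levels with no sibling
                while True:
                    fn >>= 1
                    sn >>= 1
                    if fn & 1 or fn == 0:
                        break
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

class RecordStore:
    """Erasable plaintext keyed by content hash, beside the append-only log."""
    def __init__(self) -> None:
        self.plaintext: dict = {}   # database rows: can be deleted
        self.log: list = []         # public leaf hashes: append-only

    def commit(self, record: bytes) -> tuple:
        content_hash = sha256(record)             # the content address
        self.plaintext[content_hash] = record
        self.log.append(leaf_hash(content_hash))  # only the hash reaches the log
        return content_hash, len(self.log) - 1

    def erase(self, content_hash: bytes) -> None:
        del self.plaintext[content_hash]          # section 7: the leaf stays

def demo() -> dict:
    store = RecordStore()
    # Constructed sample order bodies, not real customer data.
    committed = [store.commit(b'{"order":%d,"party":"Example Ltd"}' % i) for i in range(5)]
    content_hash, index = committed[2]
    leaf, size, root = leaf_hash(content_hash), len(store.log), tree_head(store.log)
    path = inclusion_path(index, store.log)
    before = verify_inclusion(leaf, index, size, path, root)
    store.erase(content_hash)
    after = verify_inclusion(leaf, index, size, path, root)
    # Tamper evidence: rewriting any committed leaf changes the tree head.
    tampered = list(store.log)
    tampered[index] = leaf_hash(sha256(b'{"order":2,"party":"Mallory"}'))
    return {
        "verifies_before_erasure": before,
        "plaintext_gone": content_hash not in store.plaintext,
        "verifies_after_erasure": after,
        "tamper_detected": tree_head(tampered) != root,
        "path_length": len(path),
    }
```

Two points the code makes concrete. First, verification needs only the leaf hash, the audit path and the tree head, so a party who saved a proof can still check it after the plaintext is gone; that is why erasure cannot be implemented by removing leaves without breaking every proof issued since. Second, the assurance that a residual hash does not by itself reveal the record depends on the record being unguessable: a bare SHA-256 of a short, predictable value such as a lone email address can be recovered by dictionary search, whereas a full order body carrying identifiers and timestamps cannot. The usual hardening where the hashed preimage could be small is to fold a random per-record nonce into what is hashed; this DPA does not say whether onTerms does so.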

8. Personal data breach notification

onTerms will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notification will, to the extent the information is available, describe the nature of the breach, the categories and approximate numbers of data subjects and records concerned, the likely consequences, the measures taken or proposed, and a contact point, and onTerms will provide updates as further information becomes available. Notification is not an admission of fault. onTerms will reasonably cooperate with the Customer’s own notification obligations under Articles 33 and 34. Security concerns can be reported to hello@ratedcounsel.com.

9. Deletion and return of data

During the term, the Customer can access and export its order records through the service. On termination or expiry of the agreement, onTerms will, at the Customer’s choice, return Customer Personal Data in a structured, commonly used machine-readable format or delete it, and will delete remaining copies within 30 days, except that:

  • content hashes already committed to the public transparency log are not deleted: the log is append-only and immutable by design, stores hashes and inclusion data only, and never contains order bodies, party details or evidence (see sections 1.2 and 7);
  • onTerms may retain data it processes as an independent controller under section 1.2 (for example billing records retained to meet statutory obligations); and
  • residual copies in encrypted backups are deleted in the ordinary course of backup rotation, and remain protected by this DPA until deleted.

10. Audits and information

onTerms will make available to the Customer the information reasonably necessary to demonstrate compliance with Article 28, in the following order: first, this DPA, the sub-processor list, our security documentation and the most recent third-party attestation reports of our sub-processors (provided under confidentiality); and second, where that information is reasonably insufficient, by allowing and contributing to an audit or inspection by the Customer or its mandated independent auditor. Audits require at least 30 days’ written notice, may occur no more than once in any 12-month period (except following a personal data breach or where required by a supervisory authority), are at the Customer’s cost, must not disrupt the service, and must not give access to data of other customers or to onTerms confidential information unrelated to the audit.

11. International transfers

The service is hosted on infrastructure in the United States (Vercel region iad1; Neon on AWS us-east-1), so Customer Personal Data is stored and processed in the United States by the sub-processors in section 6. For transfers of Customer Personal Data subject to the UK GDPR, the parties incorporate by reference the ICO’s International Data Transfer Agreement (IDTA) or, where EU Standard Contractual Clauses are also used, the UK International Data Transfer Addendum to those clauses. For transfers subject to the EU GDPR, the parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller to processor) or Module Three (processor to processor) as applicable, with onTerms as data importer where it is the importing party. Where a sub-processor participates in an adequacy framework recognised under the applicable regime (for example the UK-US Data Bridge or the EU-US Data Privacy Framework), onTerms may rely on that mechanism instead for that sub-processor.

Note for counsel: the populated annexes for the IDTA, Addendum and SCCs, and the supporting transfer risk assessment, should be completed against Rated Counsel Limited as the UK-established data importer/exporter, since the transfer map (Customer to onTerms, and onTerms to each US sub-processor) depends on it.

12. Liability

Each party’s liability arising out of or related to this DPA is subject to the exclusions and limitations of liability in the Terms of Service. This DPA does not alter the allocation of liability between the parties under Article 82, and nothing in it limits any liability that cannot lawfully be limited.

13. Order of precedence and changes

If there is a conflict between this DPA and the Terms of Service regarding the processing of Customer Personal Data, this DPA prevails to the extent of the conflict. onTerms may update this DPA to reflect changes in law or in the service; material changes will be notified in the same way as sub-processor changes under section 6.2. The version in force is always published at /legal/dpa.

14. Points reserved for counsel review

This template is published for transparency while under legal review. The following points are expressly reserved and must be settled by counsel before execution:

  • Operating entity. The operator is Rated Counsel Limited (England and Wales, company number 11812572, registered office 5 Golden Mede, Waddesdon HP18 0NG); confirm the transfer analysis in section 11 against that UK establishment.
  • Dispute-layer controllership. Whether onTerms is a processor or a joint controller (Article 26) for dispute case files, and the consequent choice of terms, per section 1.2.
  • Erasure versus log immutability. The Article 17 treatment of content hashes that remain in the append-only transparency log after plaintext deletion, including whether crypto-shredding of any encrypted material should be formalised as the standard erasure route, and the scope of the Article 17(3)(e) legal-claims exemption during and after a dispute.
  • Retention schedule. A defined retention period for dispute-evidence plaintext (dispute term plus limitation and enforcement windows), distinct from indefinite retention of hashes, to satisfy the storage-limitation principle (Article 5(1)(e)).
  • Lawful basis for the evidence pipeline. A documented legitimate interests assessment for Article 6(1)(f) and an Article 9(2)(f) condition for any special category data in dispute evidence, noting that contract-level proportionality fields in order schemas are not a GDPR assessment.
  • DPIA. A data protection impact assessment (Article 35) before any live dispute-evidence ingestion, given novel AI decision-support, potentially sensitive evidence and immutable integrity records.
  • AI model routing. The IDTA or SCC annexes plus a transfer risk assessment before enabling Vercel AI Gateway routing to Anthropic or OpenAI, and consideration of UK or EU resident model endpoints for evidence-bearing analysis.
  • Binding arbitration. Tier 2B binding arbitration remains disabled and the associated arbitration rules are a v1.0 draft for counsel review; this DPA does not yet purport to cover a live binding forum.

15. Contact

Questions about this DPA, sub-processor notices, data subject requests and breach reports should be sent to hello@ratedcounsel.com. See also the Privacy Notice, the Sub-processor List, the Cookie Notice and the Terms of Service.