This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions or other written or electronic agreement (“Agreement”) between NeuralSoft Systems, LLC d/b/a Legal Simplicity (“Company”, “Processor”) and the customer identified in the Agreement (“Customer”, “Controller”) for the use of the Deadline Pilot service (the “Service”).
This DPA reflects the parties' agreement with respect to the Processing of Personal Data by the Company on Customer's behalf, in accordance with the requirements of Data Protection Laws as defined below. By entering into the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates.
In the event of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail with respect to the parties' data-protection obligations. In the event of any conflict between this DPA and the Standard Contractual Clauses (Annex C), the Standard Contractual Clauses shall prevail to the extent required by applicable law.
1. Definitions
Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement. The following definitions apply:
“Authorized Affiliate” means any of Customer's affiliates permitted to or otherwise receiving the benefit of the Service pursuant to the Agreement.
“Customer Personal Data” means any Personal Data that the Company Processes on behalf of Customer in connection with providing the Service, including without limitation the categories described in Annex B.
“Data Protection Laws” means all applicable laws, regulations, and regulatory requirements relating to the Processing of Personal Data and privacy, including, as applicable: (i) the EU General Data Protection Regulation 2016/679 (“EU GDPR”); (ii) the UK General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018 (“UK GDPR”); (iii) the Swiss Federal Act on Data Protection (“FADP”); (iv) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”); (v) the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, and other comparable U.S. state privacy laws; (vi) Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25; and (vii) Brazil's Lei Geral de Proteção de Dados (“LGPD”), in each case as amended from time to time.
“Personal Data”, “Controller”, “Processor”, “Data Subject”, and “Processing” have the meanings given in the EU GDPR (and equivalent meanings under analogous terms used in other Data Protection Laws, including “Personal Information”, “Business”, and “Service Provider” under the CCPA).
“Standard Contractual Clauses” or “SCCs” means (i) for transfers of Personal Data subject to the EU GDPR, the standard contractual clauses approved by European Commission Decision (EU) 2021/914 of June 4, 2021 (Module Two: Controller to Processor); (ii) for transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office (“UK IDTA”); and (iii) for transfers subject to the Swiss FADP, the SCCs as adapted under the guidance of the Swiss Federal Data Protection and Information Commissioner.
“Sub-processor” means any third party engaged by the Company to Process Customer Personal Data on the Company's behalf, as listed at deadlinepilot.com/subprocessors.
2. Roles and Scope of Processing
2.1 Roles. With respect to Customer Personal Data, Customer is the Controller (or, if applicable, the Processor of another Controller) and the Company is the Processor. Under the CCPA, the Company is a Service Provider and shall not sell or share Personal Information, retain Personal Information for any purpose other than performing the Service for Customer, or combine Customer Personal Data with Personal Data the Company receives from another customer or other source, except as expressly permitted by the CCPA.
2.2 Subject Matter. The subject matter of the Processing is the provision of the Service to Customer under the Agreement. The duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex B.
2.3 Customer Instructions. The Company shall Process Customer Personal Data only on documented instructions from Customer, which include the Agreement (as Customer's standing instruction to provide the Service), this DPA, and any further written or electronic instructions Customer provides through the Service. The Company shall promptly notify Customer if, in its opinion, an instruction infringes Data Protection Laws, except where prohibited by law from doing so.
3. Company (Processor) Obligations
3.1 Confidentiality. The Company shall ensure that personnel authorized to Process Customer Personal Data are subject to a duty of confidentiality and have undertaken appropriate confidentiality commitments.
3.2 Security. The Company shall implement and maintain the technical and organizational measures described in Annex C to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The Company may update Annex C from time to time, provided that the overall level of protection is not materially diminished.
3.3 Sub-processors. Customer authorizes the Company to engage the Sub-processors listed at deadlinepilot.com/subprocessors and to update that list from time to time. The Company shall give Customer at least thirty (30) days' advance written notice (which may be by email or by updating the published list with a notification mechanism) before engaging a new Sub-processor that Processes Customer Personal Data. If Customer reasonably objects to a new Sub-processor on data-protection grounds within fifteen (15) business days of receiving notice, the parties shall work in good faith to resolve the objection; if no resolution is reached, Customer may terminate the affected portion of the Service for convenience by written notice. The Company shall enter into a written contract with each Sub-processor that imposes data-protection obligations no less protective than those set out in this DPA, and remains liable to Customer for the acts and omissions of its Sub-processors.
3.4 Data Subject Rights. The Company shall, taking into account the nature of the Processing, provide reasonable assistance to Customer (insofar as possible) to enable Customer to fulfill its obligations to respond to requests from Data Subjects to exercise their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, objection, and opt-out of sale or sharing). If a Data Subject contacts the Company directly with such a request, the Company shall promptly notify Customer and shall not respond substantively except as Customer instructs or as required by applicable law.
3.5 Personal Data Breach. The Company shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice shall include, to the extent known: the nature of the breach, the categories and approximate numbers of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach. The Company shall reasonably cooperate with Customer in investigating and remediating the breach.
3.6 Assistance with DPIAs. The Company shall provide Customer reasonable assistance with data-protection impact assessments and prior consultations with supervisory authorities required under Data Protection Laws, taking into account the nature of the Processing and the information available to the Company.
3.7 Return or Deletion. Upon termination or expiration of the Agreement, the Company shall, at Customer's choice, delete or return all Customer Personal Data in its possession, except to the extent applicable law requires the Company to retain some or all of the Customer Personal Data, in which case the Company shall continue to protect it in accordance with this DPA. Customer may export Customer Personal Data through the Service for thirty (30) days after termination as set out in the Agreement.
4. International Data Transfers
4.1 Transfer Mechanisms. To the extent the Service involves the transfer of Customer Personal Data subject to the EU GDPR, UK GDPR, or Swiss FADP outside of the European Economic Area, the United Kingdom, or Switzerland (as applicable) to a country that has not been recognized as providing an adequate level of protection, the parties agree that such transfer shall be governed by: (a) for EU GDPR transfers, the EU SCCs (Module Two: Controller to Processor), hereby incorporated by reference and deemed entered into between the parties as of the effective date of this DPA, with the docking clause selected and Annexes I, II, and III of the EU SCCs populated as set out in Annexes A, B, and D of this DPA respectively; (b) for UK GDPR transfers, the UK IDTA, hereby incorporated by reference; and (c) for Swiss transfers, the EU SCCs as adapted by the Swiss FDPIC. The Company also self-certifies under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework where applicable.
4.2 Onward Transfers. The Company shall ensure that any Sub-processor located outside the EEA, UK, or Switzerland that Processes Customer Personal Data is bound by data-protection obligations equivalent to those in this DPA and the SCCs, including by entering into the SCCs (or the UK IDTA or equivalent) where applicable.
5. Audits
The Company shall make available to Customer all information reasonably necessary to demonstrate compliance with the Company's obligations under Article 28 of the EU GDPR and equivalent provisions in other Data Protection Laws. On Customer's reasonable written request, the Company shall provide responses to reasonable questionnaires and shall make available copies of recent third-party audit reports or certifications maintained by its infrastructure providers (subject to confidentiality). On-site audits will be conducted only where required by law or where the information so provided is materially insufficient, with at least thirty (30) days' advance written notice, no more than once in any twelve-month period (except in case of a documented Personal Data Breach), during regular business hours, and at Customer's expense.
6. Customer (Controller) Obligations
Customer represents and warrants that: (a) it has all necessary rights, consents, and authorizations to provide Customer Personal Data to the Company for the purposes set out in the Agreement; (b) it has provided all required notices to, and obtained all required consents from, Data Subjects; (c) Customer's Processing instructions to the Company comply with Data Protection Laws; and (d) Customer has implemented appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful Processing within its own systems. Without limiting the foregoing, Customer shall not provide the Company with special categories of data (such as protected health information), children's data, or other Personal Data subject to heightened legal requirements except as expressly permitted by the Agreement.
7. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the limitations and exclusions of liability set out in the Agreement, except that nothing in this DPA, the Agreement, or the Standard Contractual Clauses shall limit either party's liability to a Data Subject for damages caused by infringement of the Standard Contractual Clauses, where such limitation is prohibited by Data Protection Laws.
8. Term and Termination
This DPA takes effect on the date the Agreement takes effect (or, if later, on the date both parties have agreed to this DPA) and continues for the duration of the Agreement. Sections that by their nature should survive (including Sections 1, 3.7, 4, 7, and 9) survive termination.
9. General
9.1 Order of Precedence. If there is any conflict between the Agreement, this DPA, and the SCCs, the order of precedence is: (i) the SCCs (to the extent required by Data Protection Laws), (ii) this DPA, (iii) the Agreement.
9.2 Governing Law. Except where otherwise mandated by Data Protection Laws (including Clause 17 of the EU SCCs), this DPA shall be governed by the laws of the State of Florida, with exclusive forum and venue as set out in the Agreement.
9.3 Notices. Notices to the Company under this DPA shall be sent to privacy@deadlinepilot.com and to legal@deadlinepilot.com. Notices to Customer shall be sent to the email address on Customer's account.
Annex A — List of Parties
Data Exporter (Controller). Customer, as identified in the Agreement. Contact: as set out in Customer's account. Activities relevant to the data transferred: use of the Service for deadline extraction, calendar generation, and inbound document processing as described in the Agreement. Role: Controller (or Processor of another Controller, as applicable).
Data Importer (Processor). NeuralSoft Systems, LLC d/b/a Legal Simplicity. Contact: privacy@deadlinepilot.com. Activities relevant to the data transferred: provision of the Deadline Pilot Service. Role: Processor.
Annex B — Description of the Processing
Categories of Data Subjects. Customer's personnel and authorized users; the parties to the legal matters Customer manages using the Service (including litigants and counsel) to the extent their information appears in Customer-uploaded documents.
Categories of Personal Data. Account information (name, business email, authentication credentials managed by Clerk); document content uploaded by Customer (court orders, e-service emails, and related legal documents) which may incidentally contain names, contact information, case numbers, dates, and other information; usage and operational metadata (request paths, extraction counts, timestamps); payment metadata returned by Stripe (no card numbers).
Special Categories of Data. Customer agrees not to upload special categories of data (Article 9 EU GDPR, including health data) and the parties acknowledge that the Service is not currently offered as a HIPAA-eligible service. The Service is not intended to receive children's data.
Frequency of the Transfer. Continuous, on Customer demand, for the duration of the Agreement.
Nature of the Processing. Storage; transmission; AI-based extraction of deadlines; OCR; calendar generation; email delivery; access control and authentication; logging.
Purpose. Provision of the Service as described in the Agreement, including deadline extraction, calendar generation, e-service email processing, and related document management.
Retention Period. As specified by Customer's plan and configuration, with optional immediate deletion after processing. On termination, data is returned or deleted in accordance with Section 3.7.
Annex C — Technical and Organizational Security Measures
The Company maintains the following measures, which may be updated from time to time provided the overall level of protection is not materially diminished:
- Encryption. Customer Personal Data is encrypted in transit using TLS 1.2 or higher. Documents and sensitive credentials are encrypted at rest using AES-256 (object storage) or application-level encryption (database).
- Hosting. The Service is hosted on cloud infrastructure providers that maintain SOC 2 Type II certifications. The Service itself is not separately SOC 2 certified at this time.
- Access Controls. Role-based access; least-privilege principle; multi-factor authentication for production access; periodic access reviews; privileged access only on a need-to-know basis.
- Authentication. Customer authentication is provided by Clerk, an enterprise identity platform, with support for MFA and SSO.
- Logging and Monitoring. Application and security logs; centralized error monitoring; anomaly detection; audit logs of administrative actions.
- Vulnerability Management. Automated dependency scanning; periodic penetration testing; security patching cadence aligned to severity.
- Backups and Disaster Recovery. Daily backups of structured data; tested restore procedures; geographically separated backup locations.
- Personnel. Confidentiality undertakings; security training; background checks where permitted by law.
- Incident Response. Documented incident-response plan; 72-hour breach-notification commitment to affected customers (Section 3.5).
- Data Segregation. Customer Personal Data is logically segregated in multi-tenant infrastructure; access controls prevent one customer from accessing another's data.
- Sub-processor Oversight. Sub-processors are assessed before engagement and required to maintain protections substantially equivalent to those in this DPA.
Annex D — Sub-processors
The current list of authorized Sub-processors is published at deadlinepilot.com/subprocessors, and is incorporated into this DPA by reference. The Company will provide notice of changes as set out in Section 3.3.
Contact
Questions or requests under this DPA should be sent to privacy@deadlinepilot.com.