Data Processing Addendum
1. Scope & parties.
This DPA applies where Strata ("Processor") processes personal data on behalf of an attorney or firm ("Controller") in providing the service. It is incorporated into and governed by the Terms of Use. "Personal data" has the meaning given under applicable data-protection law (e.g., GDPR, CCPA/CPRA).
2. Roles.
The Controller is the attorney or firm that determines the purposes and means of processing matter data; Strata acts as Processor, processing matter data only on documented instructions from the Controller and as necessary to provide the service.
3. Details of processing.
4. Zero retention & no training.
Matter data is processed solely to produce the Controller's work product and is permanently erased from Strata's systems on download. Matter data is not used to train any model, Strata's or any sub-processor's, and Strata requires contractual no-training terms from every system that touches matter data.
5. Sub-processors.
Strata engages processing providers under written terms imposing confidentiality, no-training, and security obligations no less protective than this DPA. The Controller grants general authorization to Strata's sub-processors as listed; the current list is provided to engaged customers under NDA. Strata remains liable for sub-processor performance consistent with applicable law. Strata will notify the Controller of intended sub-processor changes, and the Controller may object on reasonable data-protection grounds.
6. Security measures.
Strata implements technical and organizational measures appropriate to the risk, including: encryption in transit (TLS 1.2/1.3) and at rest (AES-256); per-matter scoping; role-based, least-privilege, multi-factor access with no engineering or operations access to matter content; per-matter isolation; logging and monitoring; and a defined incident-response process. [Confirm: hosting region, certification status (SOC 2 / ISO 27001 — in progress), and pen-test cadence.]
7. Data-subject rights assistance.
Taking into account the zero-retention model, Strata will reasonably assist the Controller in fulfilling its obligations to respond to data-subject requests (access, correction, deletion, objection), recognizing that matter data is erased on download and therefore generally no longer exists to correct or retrieve after that point.
8. Personal-data breach notification.
Strata will notify the Controller without undue delay of any personal-data breach affecting matter data of which Strata becomes aware, and will provide reasonable information and cooperation to meet the Controller's notification obligations. [Confirm notification timeline, e.g., without undue delay and in any event within 72 hours of awareness.]
9. Return & deletion.
On download or on request, Strata will erase matter data from its systems and direct its sub-processors to erase matter data consistent with their terms. Strata retains only account, billing, and security metadata as described in the Privacy Policy.
10. International transfers.
To the extent matter data is processed outside the Controller's jurisdiction, transfers occur under appropriate safeguards. [Confirm transfer mechanism: EU Standard Contractual Clauses, UK International Data Transfer Addendum, or applicable derogation, and the list of third countries.]
11. Audit.
Strata will make available information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including reasonable independent assessments, subject to confidentiality and the security limits that protect other customers. [Confirm audit/assessment mechanism.]
12. Order of precedence & governing law.
In the event of conflict, this DPA prevails over the Terms of Use solely as to processing of personal data. This DPA is governed by the same law as the Terms of Use [the State of Nevada], except where GDPR or other mandatory data-protection law requires otherwise.
13. Contact.
Data-protection inquiries: strata-legal@proton.me.