Data Protection Addendum

Published and last updated: 21 March 2026

This current consolidated Data Protection Addendum was published on 21 March 2026.

Definitions
Processor and Controller
Instructions and details of processing
Technical and organisational measures
Using staff and other Processors
Assistance with compliance and Data Subject rights
International data Transfers
Information and audit
Breach notification
Deletion of Protected Data and copies
Compensation and claims
Survival
Data protection contact
The Schedule — Data processing details

1. Definitions

In this Data Protection Addendum defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of our Agreement. In addition, in this Data Protection Addendum the following definitions have the meanings given below:

Applicable Law	means the following to the extent forming part of the law of United Kingdom (or a part of the United Kingdom) as applicable and binding on either party or the Services: any law, legislation, regulation, byelaw or subordinate legislation in force from time to time; the common law and laws of equity as applicable to the parties from time to time; any binding court order, judgment or decree; or any applicable direction, policy, rule or order made or given by any regulatory body having jurisdiction over a party or any of that party's assets, resources or business.
Controller	has the meaning given to that term in Data Protection Laws.
Data Protection Laws	means as applicable and binding on either party or the Services: the GDPR; the Data Protection Act 2018; any laws which implement or supplement any such laws; and any laws that replace, extend, re-enact, consolidate or amend any of the foregoing.
Data Protection Losses	means all liabilities arising directly or indirectly from any breach or alleged breach of any of the Data Protection Laws or of this Data Protection Addendum, including all: costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; compensation which is ordered by a court or Supervisory Authority to be paid to a Data Subject; and/or costs of compliance with investigations by a Supervisory Authority.
Data Subject	has the meaning given to that term in Data Protection Laws.
Data Subject Request	means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the GDPR in relation to any Protected Data.
GDPR	means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time).
International Recipient	means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph 7.1 without the Customer's prior written authorisation.
Lawful Safeguards	means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time.
List of Sub-Processors	means the latest version of the list of Sub-Processors used by the Supplier, as Updated from time to time, which as at Order Acceptance is available at www.ordolux.co.uk/subprocessors/.
Personal Data	has the meaning given to that term in Data Protection Laws.
Personal Data Breach	means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data.
processing	has the meaning given to that term in Data Protection Laws (and related terms such as process, processes and processed have corresponding meanings).
Processing Instructions	has the meaning given to that term in paragraph 3.1.1.
Processor	has the meaning given to that term in Data Protection Laws.
Protected Data	means Personal Data in the Customer Data.
Sub-Processor	means a Processor engaged by the Supplier or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on behalf of the Customer.
Supervisory Authority	means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
Transfer	bears the same meaning as the word 'transfer' in Article 44 of the GDPR (and related terms such as Transfers, Transferred and Transferring have corresponding meanings).

2. Processor and Controller

2.1 The parties agree that, for the Protected Data, the Customer shall be the Controller and the Supplier shall be the Processor. Nothing in our Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws.

2.2 To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct the Supplier to process the Protected Data in accordance with our Agreement.

2.3 The Supplier shall process Protected Data in compliance with:

the obligations of Processors under Data Protection Laws in respect of the performance of its obligations under our Agreement; and
the terms of our Agreement.

2.4 The Customer shall ensure that it, its Affiliates and each Authorised User shall at all times comply with:

all Data Protection Laws in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under our Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
the terms of our Agreement.

2.5 The Customer warrants, represents and undertakes, that at all times:

the processing of all Protected Data (if processed in accordance with our Agreement) shall comply in all respects with Data Protection Laws, including in terms of its collection, use and storage;
fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data that may be undertaken by the Supplier and its Sub-Processors in accordance with our Agreement;
the Protected Data is accurate and up to date;
it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate backups of all Protected Data provided to the Supplier (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by the Supplier or any other person;
all instructions given by it to the Supplier in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
it has undertaken due diligence in relation to the Supplier's processing operations and commitments and it is satisfied that: the Supplier's processing operations are suitable for the purposes for which the Customer proposes to use the Services; the technical and organisational measures set out in the Information Security Addendum and our Agreement shall ensure a level of security appropriate to the risk as required by Data Protection Laws; and the Supplier has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

3. Instructions and details of processing

3.1 Insofar as the Supplier processes Protected Data on behalf of the Customer, the Supplier:

unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer's documented instructions as set out in our Agreement (including with regard to Transfers of Protected Data to any International Recipient), as Updated from time to time (Processing Instructions);
if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
shall promptly inform the Customer if the Supplier becomes aware of a Processing Instruction that, in the Supplier's opinion, infringes Data Protection Laws, provided that: this shall be without prejudice to paragraphs 2.4 and 2.5; and to the maximum extent permitted by Applicable Law, the Supplier shall have no liability howsoever arising for any losses arising from processing in accordance with the Processing Instructions following the Customer's receipt of the relevant information.

3.2 The Customer agrees that:

the Supplier (and each Sub-Processor) is not obliged to undertake any processing of Protected Data that the Supplier believes infringes any of the Data Protection Laws and shall not be liable to the extent that it (or any Sub-Processor) is delayed in or fails to perform any obligation under our Agreement as a result of not undertaking any processing in such circumstances; and
in the event the Customer has not resolved any Processing Instruction notified to it under paragraph 3.1.3 such that it is lawful in the Supplier's opinion within 28 days of such notification, such circumstances are a material breach of our Agreement by the Customer that cannot be remedied and the Supplier may terminate our Agreement in accordance with its terms.

3.3 The Customer shall be responsible for ensuring all Authorised Affiliates and Authorised Users read and understand the Privacy Policy (as Updated from time to time).

3.4 The Customer acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Subscribed Services by an Authorised User will be a Processing Instruction. The Customer shall ensure that Authorised Users do not execute any such command unless authorised by the Customer and acknowledges that if any Protected Data is deleted pursuant to any such command the Supplier is under no obligation to seek to restore it.

3.5 Subject to applicable Subscribed Service Specific Terms or the Order Form, the processing of the Protected Data by the Supplier under our Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in the Schedule.

4. Technical and organisational measures

4.1 The Supplier shall implement and maintain technical and organisational measures:

in relation to the processing of Protected Data by the Supplier, as set out in the Information Security Addendum; and
to assist the Customer insofar as is possible (taking into account the nature of the processing) in the fulfilment of the Customer's obligations to respond to Data Subject Requests relating to Protected Data, in each case at the Customer's cost on a time and materials basis in accordance with the Supplier's Standard Pricing Terms.

4.2 During the period in which the Supplier processes any Protected Data, the Customer shall regularly undertake a documented assessment of whether the security measures implemented in accordance with paragraph 4.1 are sufficient to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Protected Data transmitted, stored or otherwise processed.

5. Using staff and other Processors

5.1 Subject to paragraph 5.2, the Supplier shall not engage (nor permit any other Sub-Processor to engage) any Sub-Processor for carrying out any processing activities in respect of the Protected Data in connection with our Agreement without the Customer's prior written authorisation. The Customer shall not unreasonably object to any new Sub-Processor (or any change to any of the Sub-Processors).

5.2 The Customer:

authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors as at Order Acceptance; and
authorises the appointment of each Sub-Processor (or any change to any of the Sub-Processors) identified on the List of Sub-Processors as Updated from time to time. The Customer's right to object to the appointment of a new Sub-Processor following the relevant Update Notice introducing that change may be exclusively exercised by terminating our Agreement before that Update takes effect.

5.3 The Supplier shall:

prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure each Sub-Processor is appointed under a written contract containing materially the same obligations as under paragraphs 2 to 12 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures); and
remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.

5.4 The Supplier shall ensure that all natural persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case the Supplier shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).

6. Assistance with compliance and Data Subject rights

6.1 The Supplier shall refer all Data Subject Requests it receives to the Customer without undue delay. The Customer shall pay the Supplier for all work, time, costs and expenses incurred by the Supplier or any Sub-Processor(s) in connection with such activity, calculated on a time and materials basis at the Supplier's rates set out in the Supplier's Standard Pricing Terms.

6.2 The Supplier shall provide such assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to the Supplier) in ensuring compliance with the Customer's obligations under Data Protection Laws with respect to:

security of processing;
data protection impact assessments;
prior consultation with a Supervisory Authority regarding high risk processing; and
notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,

provided the Customer shall pay the Supplier for all work, time, costs and expenses incurred in connection with providing such assistance, calculated on a time and materials basis at the Supplier's rates set out in the Supplier's Standard Pricing Terms.

7. International data Transfers

7.1 Subject to paragraphs 7.2 and 7.5, the Supplier shall not Transfer any Protected Data to any country or territory outside the United Kingdom, or to an organisation governed by public international law, without the Customer's prior written authorisation except where required by Applicable Law (in which case the provisions of paragraph 3.1 shall apply).

7.2 The Customer hereby authorises the Supplier (and any Sub-Processor) to Transfer any Protected Data for the purposes of providing the Services and performing the Supplier's obligations under our Agreement to any International Recipient(s) in accordance with paragraph 7.3, provided all Transfers shall (to the extent required under Data Protection Laws) be effected by way of Lawful Safeguards and in accordance with Data Protection Laws and our Agreement.

7.3 The Supplier (and its Sub-Processors) may only Transfer the Protected Data to (or process Protected Data in) the United Kingdom and such other countries as are notified by the Supplier in its then-current list of Sub-Processors or applicable service documentation.

7.4 The Lawful Safeguards employed in connection with Transfers pursuant to paragraph 7.2 shall be such transfer mechanisms as are permitted under Data Protection Laws from time to time, including adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, and/or any replacement or successor mechanism recognised under Data Protection Laws.

7.5 The Customer acknowledges that due to the nature of cloud services, the Protected Data may be Transferred to other geographical locations in connection with use of the Services further to access and/or computerised instructions initiated by Authorised Users. The Customer acknowledges that the Supplier does not control such processing and the Customer shall ensure that Authorised Users only initiate the Transfer of Protected Data to other geographical locations if Lawful Safeguards are in place and that such Transfer is in compliance with all Applicable Laws.

8. Information and audit

8.1 The Supplier shall maintain, in accordance with Data Protection Laws binding on the Supplier, written records of all categories of processing activities carried out on behalf of the Customer.

8.2 On request, the Supplier shall provide the Customer (or auditors mandated by the Customer) with a copy of the third party certifications and audits to the extent made generally available to its customers in accordance with the Supplier's security and compliance information made available to customers from time to time. Such information shall be confidential and shall be treated in accordance with applicable terms.

8.3 In the event that the Customer, acting reasonably, deems the information provided in accordance with paragraph 8.2 insufficient to satisfy its obligations under Data Protection Laws, the Supplier shall, on request by the Customer, make available to the Customer such information as is reasonably necessary to demonstrate the Supplier's compliance with its obligations under this Data Protection Addendum and Article 28 of the GDPR, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose, provided:

such audit, inspection or information request is reasonable, limited to information in the Supplier's possession or control and is subject to the Customer giving the Supplier reasonable (and in any event at least 60 days') prior notice;
the parties (each acting reasonably) shall agree the timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which the Customer or third party auditor shall comply;
the Customer shall ensure that any such audit or inspection is undertaken during normal business hours, with minimal disruption to the businesses of the Supplier;
the duration of any audit or inspection shall be limited to one Business Day;
all costs of such audit or inspection or responding to such information request shall be borne by the Customer, and the Supplier's costs, expenses, work and time shall be reimbursed by the Customer on a time and materials basis in accordance with the Supplier's Standard Pricing Terms;
the Customer's rights under this paragraph 8.3 may only be exercised once in any consecutive 12 month period, unless otherwise required by a Supervisory Authority or if the Customer (acting reasonably) believes the Supplier is in breach of this Data Protection Addendum;
the Customer shall promptly (and in any event within five Business Days) report any non-compliance identified by the audit, inspection or release of information to the Supplier; and
all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits shall be the Supplier's Confidential Information.

9. Breach notification

In respect of any Personal Data Breach, the Supplier shall, without undue delay (and in any event within 72 hours):

notify the Customer of the Personal Data Breach; and
provide the Customer with details of the Personal Data Breach.

10. Deletion of Protected Data and copies

Following the end of the provision of the Services (or any part) relating to the processing of Protected Data the Supplier shall dispose of Protected Data in accordance with its obligations under our Agreement. The Supplier shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with our Agreement.

11. Compensation and claims

11.1 The Supplier shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with our Agreement:

only to the extent caused by the processing of Protected Data under our Agreement and directly resulting from the Supplier's breach of our Agreement; and
in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Agreement by the Customer.

11.2 If a party receives a compensation claim from a person relating to processing of Protected Data in connection with our Agreement or the Services, it shall promptly provide the other party with notice and full details of such claim.

11.3 The parties agree that the Customer shall not be entitled to claim back from the Supplier any part of any compensation paid by the Customer in respect of such damage to the extent that the Customer is liable to indemnify or otherwise compensate the Supplier in accordance with our Agreement.

11.4 This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except: to the extent not permitted by Applicable Law; and that it does not affect the liability of either party to any Data Subject.

12. Survival

This Data Protection Addendum (as Updated from time to time) shall survive termination (for any reason) or expiry of our Agreement and continue until no Protected Data remains in the possession or control of the Supplier or any Sub-Processor, except that paragraphs 10 to 12 (inclusive) shall continue indefinitely.

13. Data protection contact

The Supplier's data protection contact may be contacted at support@ordolux.co.uk.

The Schedule — Data processing details

Subject-matter of processing	The processing of Personal Data comprised in Customer Data submitted to, stored in, generated by or otherwise processed through the Services.
Duration of the processing	For the term of our Agreement and for any period thereafter during which the Supplier retains Protected Data in accordance with our Agreement, applicable law and its standard backup, archival and deletion processes.
Nature and purpose of the processing	Processing in accordance with the rights and obligations of the parties under our Agreement. Processing as reasonably required to provide, host, secure, support, maintain and improve the Services. Processing as initiated, requested or instructed by Authorised Users in connection with their use of the Services, or by the Customer, in each case in a manner consistent with our Agreement. Processing in connection with matter management, client and contact management, document and file handling, time recording, billing, reporting, support, security, integrations and related platform functionality made available as part of the Services.
Type of Personal Data	Business and personal contact details (such as names, postal addresses, email addresses and telephone numbers); account, user and authentication data; client and matter data; document and file metadata; time recording, billing and payment-related data; communications and support data; technical and usage data; and any other Personal Data uploaded to or generated within the Services by or on behalf of the Customer in connection with its use of the Services.
Categories of Data Subjects	Authorised Users and other customer personnel; the Customer's clients, prospective clients and former clients; counterparties and their representatives; witnesses, experts, counsel, referrers, suppliers and professional contacts; billing contacts; and any other Data Subjects whose Personal Data is included in Customer Data.
Special categories of Personal Data	The Services are not intended to require special category Personal Data by default. However, because OrdoLux is a legal practice management platform, the Customer may choose to upload or store special category Personal Data relevant to a matter, including health data and other Article 9 GDPR data. The Supplier will process such data only on the Customer's documented instructions through the Services.