Client Data Processing Addendum
Version 2.0 · Last updated 15 May 2026
This Client Data Processing Addendum (Addendum) forms part of the agreement between Lawyerly Ltd (company number 15697410) and the client receiving services from us.
This Addendum applies where, in the course of providing the services, we process personal data on your behalf as a processor.
If we processed Client Personal Data for you when our service was offered under the name "Lawyerlink", this Addendum applies to that processing in place of any earlier version. The legal entity acting as processor, Lawyerly Ltd (company number 15697410), has not changed.
For the purposes of this Addendum:
- you means the client, acting as controller unless stated otherwise;
- we, us and our mean Lawyerly Ltd, acting as processor where this Addendum applies;
- Agreement means our Terms of Service and Engagement together with any applicable Subscription Plan terms, Fixed Fee Proposal, scope confirmation, statement of work, order, or other written service-specific document under which we provide services to you;
- Client Personal Data means personal data processed by us on your behalf in connection with the services;
- Data Protection Legislation means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other applicable UK legislation relating to privacy or data protection, each as amended or replaced from time to time; and
- Sub-processor means another processor engaged by us to process Client Personal Data on your behalf in connection with the services.
This Addendum prevails over any inconsistent provision of the Agreement, but only to the extent of that inconsistency and only in relation to the processing of Client Personal Data.
This Addendum applies for as long as we process Client Personal Data on your behalf. Any provisions which are intended to continue after the end of the services, including confidentiality, deletion, return, liability, and governing law, will continue accordingly.
This section explains the parties’ roles and the scope of processing covered by this Addendum.
You act as controller in relation to the Client Personal Data, unless applicable law provides otherwise.
We act as processor only to the extent that we process Client Personal Data on your behalf in connection with the services.
You are responsible for determining the purposes and lawful basis for the processing of Client Personal Data, including ensuring that:
- you are entitled to provide the relevant personal data to us;
- you have given any required privacy information to data subjects;
- you have obtained any consents required by law, where consent is the lawful basis relied on; and
- your instructions to us comply with Data Protection Legislation.
This section explains the basis on which we process personal data for you.
We will process Client Personal Data only:
- on your documented instructions;
- as necessary to provide the services under the Agreement; and
- as otherwise required by applicable law.
If we are required by law to process Client Personal Data other than on your instructions, we will inform you of that requirement before processing, unless the law prohibits us from doing so.
You may provide documented instructions to us through the Agreement, through written service requests, through use of the Client Hub or related systems, or through other written communications that are reasonably clear and consistent with the Agreement.
If we reasonably believe that an instruction infringes Data Protection Legislation, we will inform you without undue delay.
We are not required to follow an instruction that is unlawful, technically impossible, outside the scope of the services, or would materially compromise the security or integrity of our systems or the confidentiality of other clients’ data.
This section explains the commitments we make when processing Client Personal Data on your behalf.
We will:
- process Client Personal Data only in accordance with this Addendum and your lawful documented instructions;
- ensure that persons authorised to process Client Personal Data are subject to appropriate confidentiality obligations;
- take appropriate technical and organisational measures designed to protect Client Personal Data;
- assist you, taking into account the nature of the processing and the information available to us, with responding to requests from data subjects;
- assist you, taking into account the nature of the processing and the information available to us, with your compliance obligations relating to security, breach notification, data protection impact assessments, and prior consultation with the ICO where applicable;
- make available to you information reasonably necessary to demonstrate our compliance with this Addendum; and
- maintain records where required by Data Protection Legislation.
We may update our internal processes, systems, and security measures from time to time, provided that the overall level of protection for Client Personal Data is not materially reduced.
We will implement and maintain appropriate technical and organisational measures to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.
These measures will be appropriate to the risks presented by the processing, having regard to the nature of the Client Personal Data and the harm that might result from a personal data breach.
A summary of the technical and organisational measures we apply is set out in the section headed Technical and Organisational Measures.
We will not transfer Client Personal Data outside the United Kingdom, or otherwise make it available in a territory requiring transfer safeguards under Data Protection Legislation, unless:
- the transfer is made in compliance with Data Protection Legislation; and
- an appropriate safeguard, exemption, or other lawful transfer mechanism applies.
Where relevant, this may include reliance on adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, the UK Extension to the EU-US Data Privacy Framework, or another lawful transfer mechanism.
We will:
- use only Sub-processors that are capable of providing appropriate safeguards for the protection of Client Personal Data;
- enter into a written agreement with each Sub-processor imposing data protection obligations that are materially equivalent to the relevant obligations in this Addendum; and
- remain responsible for the performance of our Sub-processors to the extent required by Data Protection Legislation and the Agreement.
A list of our current authorised Sub-processors is published at lawyerly.co/sub-processors. The published page is updated as our Sub-processor list changes and is the canonical source of the current list.
If we add or replace a Sub-processor, we will update the published page, and give you at least 30 days’ prior written notice by email, before the new or replacement Sub-processor begins processing Client Personal Data on your behalf.
If you have a reasonable data protection objection to a proposed new Sub-processor, you must notify us promptly in writing, setting out the grounds of objection. We will consider the objection in good faith.
If we cannot reasonably resolve the objection, either party may suspend or end the affected part of the services on written notice, without affecting any other part of the Agreement.
This section explains how we deal with rights requests, regulatory communications, audits, and data incidents.
Data subject requests
If we receive a request from a data subject relating to Client Personal Data, we will notify you without undue delay unless we are legally prohibited from doing so. We will not respond to such a request ourselves unless you instruct us to do so or we are required to do so by law.
We will provide reasonable cooperation and assistance, taking into account the nature of the processing and the information available to us, to help you respond to data subject requests.
Regulator communications
Personal data breaches
If we become aware of a personal data breach affecting Client Personal Data, we will notify you without undue delay. The notification will, to the extent reasonably available at the time, include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
We will take reasonable steps to contain, investigate, and remediate the breach, and will provide further information as it becomes available.
Unless required by law, we will not notify data subjects, the ICO, or any third party about a breach affecting Client Personal Data without first consulting you.
Data protection impact assessments and prior consultation
Audits and demonstrating compliance
We will make available to you information reasonably necessary to demonstrate compliance with this Addendum.
Any audit or inspection requested by you must be reasonable, proportionate, and limited to information relevant to the processing covered by this Addendum. Audits must be conducted on reasonable notice, during normal business hours, and in a way that does not unreasonably disrupt our business, compromise security, or expose confidential information relating to other clients.
We may satisfy audit requests through provision of relevant documentation, policies, summaries, reports, or responses to reasonable questionnaires where appropriate.
On expiry or termination of the relevant services, and subject to any contrary requirement under applicable law, we will, on your written request and within a reasonable period:
- return the relevant Client Personal Data to you; or
- securely delete the relevant Client Personal Data.
If you do not make a request within a reasonable period after the end of the services, we may delete the relevant Client Personal Data in accordance with our retention practices, unless we are required by law to retain it.
We may also retain residual copies in routine backup systems for a limited period where immediate deletion is not reasonably practicable, provided those copies remain subject to appropriate safeguards and are deleted in accordance with our standard backup retention cycle.
Any contractual liability arising under or in connection with this Addendum will be subject to the liability, exclusion, and limitation provisions set out in the Agreement, unless Data Protection Legislation requires otherwise.
Nothing in this Addendum excludes or limits liability to a data subject, the ICO, or any other regulator where such liability cannot lawfully be excluded or limited.
This section sets out the subject matter, nature, purpose, duration, categories of personal data, and categories of data subjects relevant to the processing covered by this Addendum.
Subject matter of the processing
The provision of legal and related services by Lawyerly Ltd to the client under the Agreement, where such services involve the processing of Client Personal Data on the client’s behalf.
Duration of the processing
For the duration of the relevant services and, where applicable, any post-termination period during which Client Personal Data is retained in accordance with the Agreement, this Addendum, or applicable law.
Nature of the processing
Collection, recording, organisation, structuring, storage, retrieval, consultation, use, analysis, disclosure by transmission where necessary, restriction, deletion, and other processing activities reasonably required to provide the services.
Purpose of the processing
Categories of data subjects
Depending on the services, these may include:
- the client’s personnel, officers, contractors, representatives, and users;
- the client’s customers, clients, suppliers, counterparties, or advisors;
- individuals referred to in documents or information uploaded or shared by the client; and
- other individuals whose personal data is included in materials processed on the client’s behalf.
Categories of personal data
Depending on the services, these may include:
- names, job titles, contact details, and identifiers;
- company and business details;
- billing and payment-related information;
- account, authentication, and usage information;
- correspondence and communication records;
- personal data contained in documents, contracts, advice requests, uploads, and working materials;
- compliance and verification information where relevant; and
- any other personal data the client chooses to provide or instruct us to process through the services.
Special category data
Not intentionally required as a standard feature of the services, but may be processed where included by the client in documents, instructions, or matters for which processing is required.
Criminal offence data
Not intentionally required as a standard feature of the services, but may be processed where included by the client in documents, instructions, or matters for which processing is required.
These measures may include, where appropriate:
- information security and data protection policies, standards, and internal controls;
- access controls designed to ensure that Client Personal Data is available only to authorised personnel on a need-to-know basis;
- confidentiality obligations for staff and contractors with access to Client Personal Data;
- user authentication controls and account security measures;
- encryption or other protective measures for data in transit and, where appropriate, at rest;
- secure hosting environments and infrastructure safeguards;
- logging, monitoring, and alerting tools designed to support security oversight and incident detection;
- backup, resilience, and recovery measures designed to support service continuity and restoration;
- vulnerability management, patching, and system maintenance processes;
- incident response and breach management procedures;
- supplier and Sub-processor review processes;
- secure deletion and disposal practices where data is no longer required; and
- staff training and awareness measures relevant to privacy, confidentiality, and information security.
