Suture AI Legal Documents

Data Processing Addendum

Last updated: May 13, 2026 · Version 1.0

This Data Processing Addendum forms part of the Terms of Service or executed MSA between Suture AI LLC ('Suture') and the Customer. It sets the terms on which Suture, as Processor, handles Personal Data on the Customer's behalf as Controller.

Contents
  1. Definitions
  2. Scope & Roles
  3. Customer Instructions
  4. Confidentiality
  5. Security Measures
  6. Subprocessors
  7. Data Subject Requests
  8. Personal Data Breach
  9. Audit Rights
  10. Return or Deletion of Personal Data
  11. Liability & Indemnification
  12. Term
  13. Governing Law
  14. Order of Precedence
  Annex A — Security Measures
  Annex B — Subprocessors

1. Definitions

Capitalized terms used and not defined in this Data Processing Addendum (the “DPA”) have the meanings given to them in the Terms of Service or executed MSA. For purposes of this DPA:

  • “Applicable Data Protection Law” means all data protection and privacy laws applicable to the parties’ processing of Personal Data, including the California Consumer Privacy Act, as amended (“CCPA”), and, where applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”).
  • “Controller” means the entity that determines the purposes and means of processing Personal Data; for purposes of this DPA, Customer is the Controller of all Personal Data submitted to or processed through the Service.
  • “Processor” means the entity that processes Personal Data on behalf of the Controller; Suture is the Processor for all Personal Data submitted to or processed through the Service.
  • “Subprocessor” means any third-party processor engaged by Suture to process Personal Data on behalf of Customer.
  • “Personal Data” has the meaning given in Applicable Data Protection Law and, in the context of this DPA, refers to personal information submitted to or processed through the Service by or on behalf of the Customer.
  • “Processing” has the meaning given in Applicable Data Protection Law and includes any operation performed on Personal Data, whether automated or not.
  • “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope & Roles

The Customer is the Controller of all Personal Data that the Customer or its Users submit to, store in, or process through the Service. This includes Personal Data of the Customer’s own clients, opposing parties, witnesses, and any other Data Subjects whose Personal Data appears in uploaded documents, emails, audio, or case records.

Suture is the Processor and processes Personal Data solely on the Customer’s documented instructions. Suture does not determine the purposes of processing and does not use Personal Data for its own purposes, except for the limited operational-metadata processing described in the Privacy Policy (e.g., billing, security, troubleshooting), which is necessary to provide the Service.

The subject matter and duration of processing, the nature and purpose, the types of Personal Data, and the categories of Data Subjects are described in the Terms of Service, the Privacy Policy, and any executed MSA / SOW.

3. Customer Instructions

Customer’s instructions for the processing of Personal Data are set forth in: (a) the Terms of Service or executed MSA; (b) this DPA, including the security measures in Annex A; (c) the configuration of Tools enabled in the Customer’s portal; and (d) any written instructions Customer gives Suture by email to the contacts in Section 13 of the Privacy Policy.

Suture will notify Customer if Suture believes any instruction infringes Applicable Data Protection Law and will, in such case, be entitled to suspend the affected processing without liability until Customer modifies or confirms the instruction in writing.

4. Confidentiality

Suture ensures that all personnel who process Personal Data are subject to written confidentiality obligations (including employee or contractor agreements) that survive the termination of those personnel’s engagement with Suture. Access to Personal Data is limited to those personnel who need it to perform Suture’s obligations under the Terms of Service.

Where Suture engages Subprocessors, Suture imposes confidentiality and data-protection obligations on each Subprocessor that are no less protective than those in this DPA.

5. Security Measures

Suture implements the technical and organizational measures described in Annex A to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures take into account the nature, scope, context, and purposes of the processing, and the risks to Data Subjects, including the sensitive nature of litigation case data and other professional services records subject to confidentiality obligations.

6. Subprocessors

Customer authorizes Suture to engage Subprocessors as listed at /legal/subprocessors, which is incorporated as Annex B of this DPA and updated from time to time as Suture’s vendor stack changes.

Suture will give Customer at least thirty (30) days’ prior written notice of any new Subprocessor that will process Personal Data on Customer’s behalf, including by updating the public list at the URL above and by emailing Customer’s designated billing contact. Customer may reasonably object on data-protection grounds within that thirty-day window. If the parties cannot agree on a resolution (such as a Tool configured to avoid the new Subprocessor), the Customer may terminate the affected portion of the Service for convenience without liability for prepaid but unused fees attributable to that portion of the Service.

Suture remains liable for the acts and omissions of its Subprocessors to the same extent as if Suture had performed the Subprocessor’s obligations itself.

7. Data Subject Requests

Taking into account the nature of the processing, Suture will assist Customer by appropriate technical and organizational measures in fulfilling Customer’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (such as rights of access, correction, deletion, or portability).

If Suture receives a Data Subject request directly that relates to Personal Data processed on Customer’s behalf, Suture will not respond to the request directly except to acknowledge receipt and direct the Data Subject to Customer. Suture will notify Customer of the request within ten (10) business days. Where Customer requires Suture’s technical assistance to respond, Suture will provide that assistance at no additional charge for reasonable requests.

8. Personal Data Breach

Suture will notify Customer of a confirmed Personal Data Breach affecting Customer’s Personal Data without undue delay and in any event within twenty-four (24) hours after Suture becomes aware of the breach. Such notice will include, to the extent then known: (a) the nature of the breach including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences of the breach; (c) the measures Suture has taken or proposes to take to address the breach and mitigate its possible adverse effects; and (d) the contact point at Suture from whom further information can be obtained.

Suture will cooperate in good faith with Customer’s investigation and remediation efforts and will not make any public statement about the breach that identifies Customer without Customer’s prior written consent, except where compelled by applicable law.

9. Audit Rights

Customer may audit Suture’s compliance with this DPA once per twelve-month period on at least thirty (30) days’ prior written notice, during normal business hours, and at Customer’s expense, subject to reasonable confidentiality undertakings by the auditor. Audits must not unreasonably interfere with Suture’s operations or compromise the security or confidentiality of other customers’ data.

In lieu of an in-person audit, Suture may satisfy this Section by providing Customer with a recent SOC 2 Type II report, ISO 27001 certification, or other independent third-party attestation of Suture’s security and processing practices. Where Suture has obtained such an attestation, Customer agrees to accept it as a reasonable alternative to an on-site audit absent specific cause to believe it inadequate.

10. Return or Deletion of Personal Data

On termination of the Service or at Customer’s earlier written request, Suture will, at Customer’s option, return or delete all Personal Data processed on Customer’s behalf. Customer will have thirty (30) days following termination during which it may export Personal Data through the Service’s export tooling. After that thirty-day window, Suture will delete Personal Data from its production systems, subject to (a) signed-contract retention obligations described in the Terms of Service and (b) any other retention legally required. Backups containing Personal Data are overwritten on the standard backup rotation, not longer than ninety (90) days after termination.

11. Liability & Indemnification

The liability of each party under or in connection with this DPA is subject to the Limitation of Liability provisions in the Terms of Service (Section 12) or executed MSA, as applicable. The indemnification provisions in the Terms of Service (Section 13) or MSA apply to claims arising under this DPA without modification.

12. Term

This DPA takes effect when the Customer accepts the Terms of Service (or executes an MSA that incorporates this DPA) and remains in effect for the duration of Suture’s processing of Personal Data on Customer’s behalf. Sections that by their nature should survive termination (including Sections 4, 8, 9, 10, and 11) will survive.

13. Governing Law

This DPA is governed by the laws of the State of California for Customers based in California or any state west of the Mississippi River, and by the laws of the State of Florida for Customers based in Florida or any state east of the Mississippi River, in each case consistent with the governing-law provisions of the Terms of Service. Disputes arising under California law shall be resolved exclusively in the state or federal courts located in San Diego County, California; disputes arising under Florida law shall be resolved exclusively in the state or federal courts located in Pinellas County, Florida. Where Applicable Data Protection Law provides for mandatory data-subject protections in addition to those described here, those mandatory protections apply.

14. Order of Precedence

In the event of any conflict between this DPA and the Terms of Service relating to the processing of Personal Data, this DPA controls. In the event of any conflict between this DPA and an executed MSA relating to the processing of Personal Data, the MSA controls for the parties to that MSA. The Privacy Policy informs but does not modify this DPA.

Annex A — Security Measures

Suture maintains the following technical and organizational measures. These measures may evolve over time, but Suture will not materially reduce the overall level of protection without Customer’s consent.

A.1 Encryption

  • OAuth refresh tokens for Gmail, MyCase, and similar integrations are encrypted at rest using AWS KMS-wrapped Data Encryption Keys (DEKs). Each row carries a unique DEK; the encryption context binds the DEK to {firmId, connectionId} so a DEK cannot be used to decrypt another row.
  • Platform-administrator OAuth tokens are stored in a separate PlatformOAuthConnection table with its own encryption context ({platformAdminUserId, connectionId}) that cannot cross-decrypt with firm-side tokens.
  • Cipher: AES-256-GCM with 12-byte IVs and 16-byte authentication tags.
  • All API calls and webhook deliveries use TLS 1.2 or higher.
  • Database encryption at rest is provided by Supabase.

A.2 Access Control

  • Per-firm row-level isolation enforced at the Prisma query layer; every query requires a resolved firmId.
  • An ESLint rule blocks prisma.*.findMany(...) calls without a where: { firmId } clause in firm-scoped code paths, with explicit allowlist comments for the rare exceptions.
  • Platform-administrator role is conferred only via Clerk publicMetadata.role='platform_admin' set manually by Suture founders.
  • Administrative routes return 404 (not 403) to non-administrators to prevent route enumeration.
  • Platform-administrator impersonation requires an explicit cookie set through a server action; every impersonated request re-verifies the role and writes an audit row.

A.3 Audit Logging

  • Append-only AuditEvent table records platform-administrator actions including firm CRUD, tool enablement, contract send / sign, subscription changes, expense changes, vendor changes, KB edits, and support ticket transitions.
  • Audit metadata is allowlisted per action type; no req.body literals, no prompt or AI response text, no client document content.

A.4 Webhook Integrity

  • Stripe HMAC signature verification on the raw req.text().
  • Clerk Svix signature verification on inbound user/session events.
  • AssemblyAI per-job shared secret verified against the job’s persisted secret.
  • AWS SNS message signature verification for Textract job-completion notifications.
  • Two-phase webhook deduplication (INSERT processedAt = null → process → UPDATE processedAt = NOW()) so handler failures stay re-attemptable on retry.

A.5 AI Provider Configuration

  • AWS Bedrock: zero-data-retention is the default; prompts and responses are not retained.
  • Google Vertex AI: configured under data-processing terms that exclude customer data from model training.
  • AssemblyAI: HIPAA-eligible tier; audio files deleted post-processing per the AssemblyAI contract. A Business Associate Agreement is on file with AssemblyAI, signed May 1, 2026.
  • Suture itself does not train or fine-tune models on Customer content.

A.6 Breach Response & Continuity

  • 24-hour Personal Data Breach notification to affected Customers (Section 8 above).
  • Cloud-native infrastructure (Vercel + Supabase + AWS) with provider-native backups and regional redundancy.
  • Annual third-party security review (initial review pending; cadence to formalize as Suture scales).

Annex B — Subprocessors

The current list of Subprocessors that may process Personal Data on Customer’s behalf is maintained at /legal/subprocessors and is part of this DPA by reference. The list is updated as Suture’s vendor stack changes, with the thirty-day prior-notice mechanism described in Section 6 above.

Contact: Nick Karhan nkarhan0403@sdsu.edu · Enzo Weiss eweiss5244@sdsu.edu
© Suture AI LLC, San Diego, California