Data processing
Data Processing Addendum
Effective 12 May 2026
This Data Processing Addendum ("DPA") forms part of the agreement between the firm using Themis Legal (the "Controller") and Arkon Technology Ltd. (the "Processor") when personal data is processed in connection with the Themis service. It is designed to satisfy Article 28 GDPR and equivalent provisions under the UK GDPR and Türkiye's KVKK.
1. Roles
- Controller: the law firm whose employees, clients, and matter parties are the data subjects whose personal data is processed inside the chambers vault.
- Processor: Arkon Technology Ltd., a company registered in England and Wales, operating Themis Legal.
- Data subjects: partners, junior counsel, staff, clients, contacts, parties, witnesses, and any other natural persons whose details are stored.
2. Subject-matter, nature, and purpose
The Processor processes personal data on behalf of the Controller for the purpose of providing the Themis service — authentication, storage, retrieval, billing, and the operational telemetry necessary to operate it. The vault content itself is encrypted on the Controller's devices before it reaches the Processor; the Processor stores ciphertext only and cannot read the underlying records.
3. Categories of personal data
- Names, work emails, locale, and authentication identifiers of firm members.
- Client and party details entered by the firm — names, contacts, correspondence, and case-related personal data. These are stored as ciphertext where the schema permits and as cleartext where the schema requires (for example, client.name is used for sort/search inside the firm scope).
- Operational metadata: IP addresses, user-agent strings, and audit-log entries describing actions taken on the firm's data.
4. Processor obligations
The Processor will:
- process personal data only on documented instructions from the Controller — using the service constitutes such instructions;
- ensure that persons authorised to process personal data are bound by confidentiality;
- implement appropriate technical and organisational measures (see §6);
- engage sub-processors only on the terms set out in §5;
- assist the Controller in responding to data-subject requests, including by providing the Settings → Your data export tooling;
- notify the Controller without undue delay on becoming aware of a personal-data breach;
- on termination, delete or return personal data per the Privacy Policy retention windows.
5. Sub-processors
The Controller authorises the Processor to engage the following sub-processors:
- Supabase, Inc. — managed Postgres and object storage, EU region. Processes both account data and ciphertext.
- Vercel, Inc. — application hosting and edge network. Processes account data and request metadata.
- Clerk, Inc. — authentication. Processes email, name, and authentication tokens.
- LemonSqueezy Inc. / Stripe, Inc. — billing. Processes firm contact details and the metadata needed to invoice.
- Functional Software, Inc. (Sentry) — error monitoring. Processes server and client error metadata. Vault content is never sent.
The Processor will give the Controller at least 30 days' advance notice via the in-app announcement channel of any intended change to this list. The Controller may object on reasonable grounds within that window.
6. Security measures
- Encryption in transit: TLS 1.2+ between client and server and between server and every sub-processor.
- End-to-end encryption at rest for vault content: XChaCha20-Poly1305 with keys derived from the user's vault password via Argon2id; keys never leave the user's devices.
- Row-level security: default-deny RLS on every table; access scoped to the user's firmId by policy.
- Append-only audit log: triggered against UPDATE / DELETE / TRUNCATE at the database layer, with a cryptographic hash chain to detect SUPERUSER-level tampering.
- Daily chain anchor: the current chain tip is published per firm to a public-readable bucket so an external auditor can verify the chain offline.
- Secret rotation: service-role keys and third-party API tokens rotated on documented cadence.
- Access control: production database access is limited to a named on-call rotation and logged.
7. International transfers
Where personal data is transferred outside the European Economic Area or the United Kingdom, the Processor will rely on transfer mechanisms recognised under applicable law, including the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, with supplementary measures where required.
8. Audit rights
The Controller may, on 30 days' written notice and no more than once per calendar year, request reasonable information sufficient to verify the Processor's compliance with this DPA. The Processor will respond in good faith. On-site audits will be considered where third-party certifications and written responses are not sufficient.
9. Liability
The liability provisions in the Terms of Service apply to this DPA. Nothing in this DPA limits a party's liability for breaches of applicable data-protection law to the extent that law prohibits limitation.
Questions about this policy?
Write to support@themis-legal.co and a human will reply. For DPA questions, sub-processor objections, or audit requests, write to support@themis-legal.co with the firm name in the subject line.