Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement between William Technologies, Inc. ("William," "Processor," "we," or "us") and the entity agreeing to these terms ("Customer," "Controller," or "you") for the provision of the William platform and services (the "Services").

This DPA sets forth the terms and conditions under which William will process Personal Data on behalf of Customer in connection with the Services, and reflects the parties' commitment to comply with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable privacy regulations.

2. Definitions

For purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by William on behalf of Customer in connection with the Services.
• "Processing" means any operation performed on Personal Data, including collection, storage, modification, retrieval, use, disclosure, or deletion.
• "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
• "Sub-processor" means any third party engaged by William to process Personal Data on behalf of Customer.
• "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.

3. Scope and Roles

3.1 Customer as Controller

Customer is the Controller of Personal Data and determines the purposes and means of processing Personal Data through the Services. Customer is responsible for ensuring that its collection and use of Personal Data complies with applicable data protection laws.

3.2 William as Processor

William is the Processor of Personal Data and processes Personal Data only on behalf of and in accordance with Customer's documented instructions. William shall not process Personal Data for any purpose other than providing the Services.

4. Data Processing Details

4.1 Subject Matter

The subject matter of data processing is the provision of the William AI-powered legal billing and time tracking platform.

4.2 Duration

Processing will continue for the duration of the Agreement, unless terminated earlier in accordance with the Agreement or this DPA.

4.3 Categories of Data Subjects

Data Subjects may include:

• Customer's employees and contractors
• Customer's clients and their representatives
• Opposing counsel and other third parties referenced in billing records

4.4 Types of Personal Data

Personal Data processed may include:

• Names and contact information
• Professional information (job titles, firm affiliations)
• Time and billing records
• Email metadata and calendar information
• Usage data and activity logs

5. William's Obligations

William agrees to:

• Process Personal Data only on documented instructions from Customer, unless required by applicable law
• Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist Customer in responding to Data Subject requests
• Assist Customer in ensuring compliance with security, breach notification, and data protection impact assessment obligations
• Delete or return Personal Data upon termination of the Agreement, at Customer's choice
• Make available information necessary to demonstrate compliance with this DPA
• Allow for and contribute to audits and inspections conducted by Customer or an auditor mandated by Customer

6. Sub-processors

6.1 Authorization

Customer provides general authorization for William to engage Sub-processors to process Personal Data. William maintains a list of current Sub-processors, which is available upon request.

6.2 Sub-processor Requirements

William shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA. William remains liable for the acts and omissions of its Sub-processors.

6.3 Notice of Changes

William shall provide Customer with at least 30 days' notice before engaging a new Sub-processor. Customer may object to the engagement of a new Sub-processor by providing written notice within 14 days.

7. Security Measures

William implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

• Encryption of Personal Data in transit and at rest
• Access controls and authentication mechanisms
• Regular security testing and vulnerability assessments
• Incident response and disaster recovery procedures
• Employee security training and awareness programs
• Physical security controls for data center facilities

8. Security Incidents

William shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Personal Data. The notification shall include:

• A description of the nature of the incident
• The categories and approximate number of Data Subjects affected
• The likely consequences of the incident
• Measures taken or proposed to address the incident

9. International Data Transfers

William shall not transfer Personal Data to a country outside the European Economic Area or the United Kingdom unless:

• The transfer is to a country deemed adequate by the relevant authority
• Appropriate safeguards are in place, such as Standard Contractual Clauses
• Customer has provided explicit authorization for the transfer

10. Data Subject Rights

William shall assist Customer in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection.

11. Data Retention and Deletion

Upon termination of the Agreement, William shall, at Customer's election, delete or return all Personal Data within 90 days, unless retention is required by applicable law. William shall provide certification of deletion upon request.

12. Audits

William shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for audits and inspections. Audits shall be conducted with reasonable notice, during normal business hours, and subject to confidentiality obligations.

13. Liability

Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Agreement. Nothing in this DPA shall limit either party's liability for breaches of data protection laws where such limitation is prohibited by law.

14. Contact

For questions about this DPA or our data processing practices, please contact: