LegalBridge Data Processing Addendum

Terms and Conditions

Last Updated: April 2026

This Data Processing Addendum ("DPA") forms part of the LegalBridge Terms and Conditions, or other agreement governing the use of LegalBridge's services ("Agreement"), entered into by and between you ("you," "your," "Subscriber") and Open Sphere Corporation ("LegalBridge," "we," "us," or "our"). This DPA sets out the terms that apply to the Processing of Personal Data by LegalBridge, on behalf of Subscriber, in the course of providing the Services to Subscriber under the Agreement.

All capitalized terms not defined herein will have the meanings set forth in the Agreement. By using the Services, Subscriber accepts this DPA.

1. Definitions

1.1 "Applicable Data Protection Laws" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, EU Data Protection Law, the UK GDPR, the California Consumer Privacy Act ("CCPA"), the California Privacy Rights Act ("CPRA"), the Personal Information Protection and Electronic Documents Act ("PIPEDA"), and any other applicable privacy laws.

1.2 "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, Subscriber is the Controller.

1.3 "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates, including but not limited to Subscriber's clients, visa applicants, petitioners, beneficiaries, and other individuals whose data is processed through the Services.

1.4 "EU Data Protection Law" means (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or "GDPR"); and (b) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, as may be amended, superseded, or replaced.

1.5 "Personal Data" means any information relating to an identified or identifiable natural person that is included in Customer Data and Processed by LegalBridge on behalf of Subscriber through the Services.

1.6 "Processing" (and "Process") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

1.7 "Processor" means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller. For purposes of this DPA, LegalBridge is the Processor.

1.8 "Security Breach" means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.9 "Sensitive Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation, immigration status, government-issued identification numbers (including Social Security numbers, passport numbers, Alien Registration Numbers, and visa numbers), and criminal convictions or offenses.

1.10 "Standard Contractual Clauses" means (a) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"); (b) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 (version B.1.0), as incorporated through Schedule 2 hereto ("UK Addendum"); and (c) in respect of transfers subject to the Swiss Federal Act on Data Protection, the terms set forth in Schedule 3 hereto ("Switzerland Addendum").

1.11 "Sub-Processor" means any third-party service provider engaged by LegalBridge that Processes Personal Data under the instruction or supervision of LegalBridge. The current list of Sub-Processors is available at legalbridge.ai/sub-processors.

2. Scope and Roles

2.1 Roles. The parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA, Subscriber is the Controller and LegalBridge is the Processor.

2.2 Scope. This DPA applies to LegalBridge's Processing of Personal Data as part of providing the Services pursuant to the Agreement.

2.3 CCPA Compliance. For purposes of the CCPA and CPRA, LegalBridge is a "Service Provider" and Subscriber is a "Business." LegalBridge shall not (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than providing the Services as specified in the Agreement, including for a commercial purpose other than providing the Services; or (c) retain, use, or disclose Personal Data outside of the direct business relationship between LegalBridge and Subscriber. LegalBridge certifies that it understands and will comply with these obligations.

3. Processing of Personal Data

3.1 Processing Instructions. LegalBridge shall only Process Personal Data in accordance with Subscriber's documented instructions, which include: (a) Processing to provide and ensure proper operation of the Services in accordance with the Agreement; (b) Processing initiated or instructed by Authorized Users in their use of the Services; (c) Processing to comply with other reasonable instructions provided by Subscriber where such instructions are consistent with the Agreement; (d) sharing Personal Data with, or receiving Personal Data from, third parties in accordance with Subscriber's instructions or pursuant to Subscriber's use of integrations; (e) rendering Personal Data fully and irrevocably anonymous for the purposes described in the Agreement; and (f) Processing as required under any applicable laws to which LegalBridge is subject.

3.2 Details of Processing. The subject matter, duration, nature, purpose, categories of Data Subjects, and types of Personal Data Processed under this DPA are described in Schedule 1 (Description of Processing Activities).

3.3 Subscriber Obligations. Subscriber shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Subscriber acquired Personal Data. Subscriber will provide all necessary notices to relevant Data Subjects and secure all necessary permissions, consents, or other applicable lawful grounds for Processing Personal Data pursuant to this DPA and under Applicable Data Protection Laws. Subscriber acknowledges that Personal Data processed through the Services may include Sensitive Personal Data (including immigration status, government identification numbers, and health-related information) and accepts responsibility for ensuring lawful grounds for processing such data.

4. Sub-Processing

4.1 Authorized Sub-Processors. Subscriber provides general authorization for LegalBridge to engage Sub-Processors to Process Personal Data on Subscriber's behalf. The current list of Sub-Processors is maintained at legalbridge.ai/sub-processors.

4.2 Sub-Processor Obligations. LegalBridge shall: (a) enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those set forth in this DPA; (b) remain responsible for the acts and omissions of its Sub-Processors to the same extent LegalBridge would be liable if performing the Processing directly; and (c) conduct appropriate due diligence on each Sub-Processor's security practices.

4.3 Notification of Changes. LegalBridge will notify Subscriber at least thirty (30) days before engaging any new Sub-Processor by updating the Sub-Processor list and sending notice to Subscriber's Administrator email address. If Subscriber objects to a new Sub-Processor on reasonable data protection grounds, Subscriber shall notify LegalBridge in writing within fifteen (15) days of receiving notice. The parties will work together in good faith to find a mutually acceptable resolution. If no resolution can be reached within thirty (30) days, Subscriber may terminate the affected Services without penalty by providing written notice to LegalBridge.

5. Security

5.1 Security Measures. LegalBridge shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against Security Breaches, including the measures described at legalbridge.ai/security. These measures shall include, at minimum: (a) encryption of Personal Data at rest and in transit using industry-standard protocols; (b) access controls and authentication mechanisms, including role-based access and multi-factor authentication; (c) regular security assessments, vulnerability scanning, and penetration testing; (d) employee security training and background checks; (e) network security measures including firewalls, intrusion detection, and monitoring; (f) physical security measures at data center facilities; and (g) business continuity and disaster recovery procedures.

5.2 Confidentiality. LegalBridge shall ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Attorney-Client Privilege. LegalBridge acknowledges that Personal Data and Customer Data may include attorney-client privileged information and attorney work product. LegalBridge shall not access, review, or disclose such data except as technically necessary to provide the Services, and shall implement access controls designed to minimize human access to Customer Data.

6. Security Breach Notification

6.1 Notification. LegalBridge shall notify Subscriber without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a confirmed Security Breach affecting Personal Data.

6.2 Content of Notification. Such notification shall include, to the extent reasonably available: (a) a description of the nature of the Security Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of LegalBridge's point of contact; (c) a description of the likely consequences of the Security Breach; and (d) a description of the measures taken or proposed to be taken to address the Security Breach, including measures to mitigate its possible adverse effects.

6.3 Cooperation. LegalBridge shall cooperate with Subscriber and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of any Security Breach. LegalBridge shall not inform any third party of a Security Breach involving Personal Data without first obtaining Subscriber's prior written consent, except where required by law.

7. Data Subject Rights

7.1 Assistance. Taking into account the nature of the Processing, LegalBridge shall reasonably assist Subscriber, by appropriate technical and organizational measures, in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including requests for access, rectification, erasure, data portability, restriction of processing, and objection to processing.

7.2 Notification. If LegalBridge receives a request from a Data Subject directly, LegalBridge shall promptly redirect the Data Subject to Subscriber and notify Subscriber of the request, unless otherwise prohibited by law. LegalBridge shall not respond to any Data Subject request without Subscriber's prior written authorization, unless required by applicable law.

8. Data Protection Impact Assessments

LegalBridge shall provide reasonable assistance to Subscriber with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Laws and taking into account the nature of Processing and the information available to LegalBridge.

9. International Data Transfers

9.1 Data Location. Personal Data will be stored and processed in data centers located across the globe, unless otherwise agreed in writing.

9.2 Transfer Mechanisms. To the extent that LegalBridge's Processing of Personal Data involves the transfer of Personal Data from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, the parties agree that such transfers shall be governed by the Standard Contractual Clauses as set forth in Schedule 2. Where applicable, LegalBridge shall also rely on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework.

9.3 Additional Safeguards. LegalBridge shall implement supplementary measures, where necessary, to ensure that the level of protection of Personal Data is not undermined by the transfer, taking into account guidance issued by relevant supervisory authorities.

10. Audits

10.1 On-Site Audits. If a third-party audit report is insufficient to demonstrate compliance, Subscriber may conduct, or engage a qualified and independent third-party auditor to conduct, an audit of LegalBridge's compliance with this DPA, subject to the following: (a) Subscriber shall provide at least thirty (60) days' prior written notice; (b) audits shall be conducted during regular business hours with minimal disruption; (c) the auditor shall execute a confidentiality agreement; and (d) Subscriber shall bear the costs of any such audit. LegalBridge may object to an auditor if the auditor is a competitor of LegalBridge, in which case the Subscriber shall appoint an alternative auditor.

11. Data Retention and Deletion

11.1 Duration. LegalBridge shall Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by applicable law.

11.2 Deletion. Upon termination or expiration of the Agreement, LegalBridge shall, within thirty (30) days following Subscriber's request (or within thirty (30) days following termination if no request is made), delete all Personal Data in its possession or control. This requirement shall not apply to the extent LegalBridge is required by applicable law to retain some or all of the Personal Data, in which case LegalBridge shall isolate and protect such data from further Processing except as required by law.

11.3 Certification. Upon Subscriber's written request, LegalBridge shall provide written certification that it has complied with its deletion obligations under this section.

12. General

12.1 Conflict. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.

12.2 Governing Law. This DPA shall be governed by the laws specified in the Agreement, except where Applicable Data Protection Laws require otherwise.

12.3 Liability. Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement.

12.4 Amendments. LegalBridge may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or LegalBridge's Processing practices. LegalBridge will provide Subscriber with at least thirty (30) days' advance notice of material changes.

Schedule 1: Description of Processing Activities

Subject Matter of Processing: Provision of the LegalBridge platform for immigration case management, document classification, letter drafting, form automation, and related legal technology services.

Duration of Processing: For the term of the Agreement between Subscriber and LegalBridge, plus any period required for data deletion or return.

Nature and Purpose of Processing: LegalBridge Processes Personal Data to provide the Services, including: hosting and storing Customer Data; classifying and organizing immigration documents; generating draft letters, forms, and filings using AI-powered tools; providing case management and tracking features; facilitating communication between Subscriber and its clients; and processing payments.

Categories of Data Subjects:

  • Subscriber's employees, partners, and staff (Authorized Users)

  • Subscriber's clients (visa applicants, petitioners, beneficiaries)

  • Family members and dependents of visa applicants

  • Employers and sponsors referenced in visa applications

  • Recommenders, colleagues, and other individuals referenced in supporting documentation

Types of Personal Data Processed:

  • Contact information (name, email, phone, address)

  • Professional information (employment history, job titles, compensation, employer details)

  • Educational information (degrees, institutions, transcripts, certificates)

  • Government-issued identifiers (passport numbers, A-numbers, Social Security numbers, visa numbers, I-94 records)

  • Immigration history (prior visa applications, travel history, immigration status)

  • Biographical data (date of birth, country of birth, nationality, marital status)

  • Financial information (bank statements, tax returns, pay stubs, investment records)

  • Health-related information (where required for immigration applications)

  • Criminal history (where required for immigration applications)

  • Supporting evidence (publications, awards, media coverage, recommendation letters)

  • Attorney work product and case notes

  • Communication records between Subscriber and clients

Types of Sensitive Personal Data Processed:

  • Immigration status and history

  • Government-issued identification numbers

  • Racial or ethnic origin (where provided in immigration forms)

  • Health data (where required for visa applications)

  • Criminal history (where required for immigration background checks)

Schedule 2: Standard Contractual Clauses

For transfers of Personal Data from the EEA to countries not recognized as providing adequate data protection, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and apply as follows:

  • Module Two (Controller to Processor) applies where Subscriber is the Controller and LegalBridge is the Processor.

  • Clause 7 (Docking Clause): The optional docking clause is included.

  • Clause 9(a) (Sub-Processors): Option 2 (General Written Authorization) applies, with the notification period set at thirty (30) days.

  • Clause 11 (Redress): The optional language is not included.

  • Clause 17 (Governing Law): The laws of Ireland shall govern.

  • Clause 18(b) (Forum): The courts of Ireland shall have jurisdiction.

Annex I.A (List of Parties): As identified in the Agreement.

Annex I.B (Description of Transfer): As set forth in Schedule 1 above.

Annex I.C (Competent Supervisory Authority): The Irish Data Protection Commission.

Annex II (Technical and Organizational Measures): As described at legalbridge.ai/security.

UK Addendum: For transfers from the UK, the International Data Transfer Addendum (version B.1.0) is incorporated and modifies the EU SCCs as necessary to comply with UK data protection law.

Switzerland Addendum: For transfers from Switzerland, the EU SCCs are modified as necessary to comply with the Swiss Federal Act on Data Protection, with the competent supervisory authority being the Swiss Federal Data Protection and Information Commissioner.

Contact

For questions about this DPA, contact:

Open Sphere Corporation
8 The Green, Dover, DE 19901, United States
Email: legal@opensphere.ai