Drafty AI - AI-powered legal drafting for immigration attorneys

Data Processing Agreement

Last updated: July 2, 2026

This Data Processing Agreement ("DPA") forms part of, and is subject to, the Terms of Service between you and Drafty AI (the "Agreement") governing your use of the AI-powered legal drafting services provided by DraftyAI, Inc., a Delaware corporation with its principal place of business at 1 Alhambra Plaza, Suite PH, Coral Gables, FL 33134, USA ("Drafty AI", "we", "us", or "Processor"). It applies where, in using the Service, you (the "Customer", "you", or "Controller") provide us with personal data relating to your clients or other individuals so that we may process it on your behalf. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to its subject matter.

Acceptance

This DPA is incorporated by reference into the Agreement. By accepting the Terms of Service when you create or use an account, you also accept this DPA. No separate signature is required for it to take effect. Customers who require a countersigned copy (for example, enterprise customers) may request one by contacting us; the signature block at the end of this DPA is provided for that purpose.

1. Definitions

Capitalized terms not defined here have the meanings given in the Agreement. “Data Protection Laws” means all laws and regulations applicable to the processing of personal data under the Agreement, including, as applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, and U.S. state privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”). “Personal Data,” “Controller,” “Processor,” “Data Subject,” “Processing,” and “Supervisory Authority” have the meanings given in the GDPR; “Personal Data” also includes “personal information” as defined under the CCPA. “Customer Personal Data” means personal data that Drafty AI processes on your behalf in providing the Service, as further described in Schedule 1. “Sub-processor” means any third party engaged by Drafty AI to process Customer Personal Data. “Standard Contractual Clauses” (“SCCs”) means the standard contractual clauses approved by the European Commission in Decision (EU) 2021/914 and, where applicable, the UK International Data Transfer Addendum.

2. Roles of the Parties and Scope

With respect to Customer Personal Data, you are the Controller, Drafty AI is the Processor, and Drafty AI may engage Sub-processors as permitted under Section 6. You, as Controller, are responsible for the lawfulness of the Customer Personal Data and of your instructions, including having an appropriate legal basis to process and transfer such data to Drafty AI. Given the nature of the Service (legal drafting for immigration matters), Customer Personal Data may include data relating to immigration status, national origin, family relationships, and other categories that may be treated as sensitive or special-category data; you are responsible for ensuring you have a valid legal basis to process such data. This DPA applies for the duration of the Agreement.

3. Processing of Customer Personal Data

Instructions. Drafty AI shall process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law (in which case Drafty AI shall, where legally permitted, inform you before processing). The Agreement, this DPA, and your configuration and use of the Service constitute your complete and final documented instructions.

Purpose limitation. Drafty AI shall process Customer Personal Data solely to provide and support the Service as described in Schedule 1 and shall not retain, use, sell, share, or disclose Customer Personal Data for any other purpose. Drafty AI shall not use Customer Personal Data to train, fine-tune, or improve any artificial-intelligence or machine-learning model, and shall ensure by contract that none of its Sub-processors use Customer Personal Data to train, fine-tune, or improve their own models.

Compliance. Drafty AI shall comply with the Data Protection Laws applicable to it as a Processor and shall inform you if, in its opinion, an instruction infringes Data Protection Laws.

4. Confidentiality

Drafty AI shall ensure that any person authorized to process Customer Personal Data is subject to a duty of confidentiality (whether contractual or statutory) and processes the data only on Drafty AI's instructions, unless required to disclose by applicable law.

5. Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects, Drafty AI shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in Schedule 2. You are responsible for your own secure use of the Service, including safeguarding account credentials and appropriately configuring available security features such as access controls.

6. Sub-processors

You provide general authorization for Drafty AI to engage Sub-processors to process Customer Personal Data, subject to this Section. The categories of Sub-processors we engage are described in Schedule 3, and a current list of Sub-processors — including their names, processing activities, and locations — is available on request by emailing admin@draftyai.com. Drafty AI shall impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA — including confidentiality, appropriate security measures, and a prohibition on using Customer Personal Data to train, fine-tune, or improve any artificial-intelligence or machine-learning model — and shall remain liable to you for each Sub-processor's performance. Drafty AI shall give you reasonable prior notice of any addition or replacement of a Sub-processor (by email or via the Service). You may reasonably object on data-protection grounds within that period; the parties shall work in good faith to resolve the objection, and failing resolution, you may terminate the affected Service as your sole remedy.

7. Data Subject Rights

Taking into account the nature of the processing, Drafty AI shall provide reasonable assistance, by appropriate technical and organizational measures and insofar as possible, to enable you to respond to requests from Data Subjects exercising their rights under Data Protection Laws. If Drafty AI receives a request from a Data Subject relating to Customer Personal Data, it shall, unless legally prohibited, promptly forward the request to you and shall not respond directly except on your instructions or as legally required.

8. Personal Data Breach Notification

Drafty AI shall notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice shall include the information reasonably available to Drafty AI to enable you to meet your breach-notification obligations under Data Protection Laws. Drafty AI shall take reasonable steps to mitigate the effects of, and to minimize any damage resulting from, the Personal Data Breach.

9. Data Protection Impact Assessments

Drafty AI shall provide reasonable assistance to you with any data protection impact assessments and prior consultations with Supervisory Authorities that you reasonably consider required under Data Protection Laws, in each case solely in relation to the processing of Customer Personal Data and taking into account the information available to Drafty AI.

10. Return and Deletion of Customer Personal Data

Customer Personal Data is retained for as long as your account remains open, so that you can access it and we can assist you. Upon closure or termination of your account, or at your earlier request, Drafty AI shall, at your election, delete or return all Customer Personal Data and delete existing copies, unless applicable law requires continued storage; such deletion is completed within a reasonable period. Certain Sub-processors apply their own limited retention windows: inputs sent to our AI providers are retained by them for a limited period for abuse-monitoring purposes in accordance with their retention practices and then deleted, and are not used for model training; analytics session recordings are retained in accordance with our analytics provider's retention settings.

11. Government and Law Enforcement Access Requests

If Drafty AI receives a legally binding demand from a government body, court, or law enforcement authority for access to Customer Personal Data (a “Government Request”), Drafty AI shall, unless legally prohibited, notify you promptly and before any disclosure so that you may seek a protective order or other appropriate remedy. Where Drafty AI is legally prohibited from notifying you, it shall use reasonable efforts to obtain a waiver of that prohibition in order to share as much information as it is permitted to, as soon as it is able. Drafty AI shall not disclose Customer Personal Data in response to a Government Request unless legally compelled to do so; where it is compelled, it shall disclose only the minimum amount of Customer Personal Data reasonably necessary to respond, and shall, where lawful, challenge any request that it considers overbroad, unlawful, or inconsistent with Data Protection Laws. Recognizing the sensitivity of immigration matters, Drafty AI does not grant any government or immigration authority direct, unfettered, or blanket access to Customer Personal Data.

12. Audits and Records

Drafty AI shall make available to you information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. To the extent permitted by Data Protection Laws, Drafty AI may satisfy audit requests by providing relevant third-party certifications, audit reports, or written responses to a reasonable security questionnaire. On-site audits shall occur no more frequently than is reasonable (absent a Personal Data Breach or regulatory requirement), on reasonable prior notice and during business hours, subject to confidentiality obligations.

13. International Data Transfers

Customer Personal Data is processed and stored in the United States and may be processed in other jurisdictions where Drafty AI or its Sub-processors operate; the categories of our Sub-processors are described in Schedule 3. Where Drafty AI processes Customer Personal Data subject to the GDPR or UK GDPR and transfers it to a country that has not received an adequacy decision, the SCCs (and, for UK data, the UK International Data Transfer Addendum) are incorporated into this DPA by reference and apply to that transfer, with Drafty AI as “data importer” and you as “data exporter.” Schedules 1 and 2 populate the corresponding annexes of the SCCs.

14. U.S. State Privacy Laws (Service Provider Terms)

To the extent the CCPA applies, the parties acknowledge that you disclose Customer Personal Data to Drafty AI solely for the limited and specified business purpose of providing the Service, and that Drafty AI acts as a “service provider.” Drafty AI shall not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement and this DPA, or as otherwise permitted by the CCPA; (c) retain, use, or disclose it outside the direct business relationship between the parties; or (d) combine it with personal information received from other sources, except as permitted by the CCPA. Drafty AI certifies that it understands and will comply with these restrictions.

15. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement, and any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together.

16. Term and Governing Law

This DPA is effective from your acceptance of the Agreement and continues until Drafty AI has ceased all processing of Customer Personal Data and deleted or returned it in accordance with Section 10. Except as amended by this DPA, the Agreement remains in full force and effect. This DPA is governed by the laws of the State of Delaware, United States, without regard to conflict-of-laws principles, except to the extent the SCCs or Data Protection Laws require otherwise.

Schedule 1 — Details of Processing

Subject matter: Provision of Drafty AI's AI-assisted legal drafting platform for immigration matters.

Duration: The term of the Agreement, plus any period until deletion or return of Customer Personal Data under Section 10.

Nature and purpose: Hosting, storage, processing, and AI-assisted generation, review, and management of legal drafts and related case materials, in order to provide and support the Service.

Categories of Data Subjects: Your personnel and authorized users; and your clients and their family members or beneficiaries who are the subject of immigration matters.

Categories of Personal Data: Identification and contact details; immigration and citizenship status; national origin and nationality; biographical, family, employment, and educational information; and the contents of documents, forms, and communications that you upload to or generate within the Service.

Special-category / sensitive data: May include data revealing racial or ethnic origin and other sensitive information present in immigration case files. Such data is processed only as necessary to provide the Service and on your instruction.

Frequency: Continuous, for the duration of the Agreement.

Retention: Retained for as long as your account is open; on account closure, termination, or your request, deleted or returned in accordance with Section 10 within a reasonable period. Inputs sent to AI providers are retained by them for a limited period in accordance with their retention practices and then deleted; analytics session recordings are retained in accordance with our analytics provider's retention settings.

Schedule 2 — Technical and Organizational Security Measures

Drafty AI implements and maintains the following measures:

• Encryption of Customer Personal Data in transit (TLS) and at rest using industry-standard encryption.
• Role-based access controls and the principle of least privilege for personnel access to Customer Personal Data.
• Multi-factor authentication for administrative and production system access.
• Confidentiality obligations and security-awareness training for personnel with access to Customer Personal Data.
• Regular vulnerability scanning and periodic penetration testing.
• Regular backups and a documented disaster-recovery process designed to restore availability and access to Customer Personal Data in a timely manner.
• Logging and monitoring of access to production systems.
• Assessment of Sub-processors' security measures before engagement and throughout the term.

Schedule 3 — Authorized Sub-processors

Drafty AI engages a limited number of Sub-processors to help provide the Service. To protect commercially sensitive information, we do not publish the specific identities of our Sub-processors in this document. A current and complete list of Sub-processors — including their names, processing activities, and locations — is available on request by emailing admin@draftyai.com. Our Sub-processors fall within the following categories:

• Cloud hosting, storage, and infrastructure.
• Artificial-intelligence processing for drafting and document generation.
• Subscription billing and payment collection.
• Application monitoring and logging.
• Product analytics.
• Customer support and communications.

All Sub-processors are located in the United States and are engaged under written terms no less protective than this DPA, including obligations of confidentiality, appropriate security measures, and a prohibition on using Customer Personal Data to train, fine-tune, or otherwise improve their own artificial-intelligence or machine-learning models. Sub-processors process Customer Personal Data only to provide their services to Drafty AI and for no independent purpose.