VISALAW AI | Data Processing Addendum

VISALAW AI

Data Processing Addendum

Data Protection and Processing Framework

Last Updated: 03/17/2026

Visalaw Ventures, INC

VISALAW AI | Data Processing Addendum

1. Important Terms

"This Visalaw AI Data Processing Addendum (the "DPA") governs Visalaw Ventures, INC's

("Visalaw") processing of DPA Data that is required to provide the Service under the Terms

between You and Visalaw. This DPA is incorporated by reference into the Agreement and Terms.

You and Visalaw each agree to comply with their respective obligations under Data Protection

Law."

Data Processing Roles

As between You and Visalaw, You are the Data Controller, and Visalaw is the Data Processor,

processing DPA Data on Your behalf.

Data Processing Purposes

Visalaw will process DPA Data as Your Data Processor for the purpose of providing or maintaining

the Service and in accordance with the Instructions. Visalaw will not process DPA Data for any

other purpose unless required by applicable law.

No Training Commitment

Visalaw will not train any AI models using Your Content or Customer Data. Visalaw’s third-party

model providers (Subprocessors) will not train any AI models using Your Content or Customer

Data. This commitment is contractually enforced through Visalaw’s subprocessor agreements.

Categories of Personal Data

Personal Data contained within Customer Data and Content. Examples include name, contact

information, immigration case details, employment history, nationality, passport numbers, visa

status, and other information relevant to immigration legal services.

Categories of Data Subjects

Individuals identified in Customer Data and Content. Examples include users of Visalaw’s

applications, users’ clients, and beneficiaries of immigration legal services.

Duration of Processing

Subject to the Terms and Section 14 of this DPA, DPA Data will be processed for the term of the

Agreement.

VISALAW AI | Data Processing Addendum

2. Definitions

The definitions in Section 16 (Defined Terms) apply to this DPA. All terms in quotation marks in the

body of this DPA are also defined terms.

3. Processing Requirements

As a Data Processor, Visalaw will:

• process DPA Data on Your behalf, according to the Instructions, and only in a manner necessary for the performance of the Service;
• promptly notify You in writing if it cannot comply with the requirements of this DPA;
• promptly inform You if, in Visalaw’s opinion, an instruction from You infringes applicable Data Protection Law; and
• ensure that all persons authorized by Visalaw to process DPA Data are subject to a duty of confidentiality.

VISALAW AI | Data Processing Addendum

4. Subprocessors

Visalaw will:

• engage the organizations or persons listed in the Subprocessor List (available in the Trust Portal and by request) (the “Subprocessor List”) as necessary to perform the Service. Visalaw will provide at least 60 days’ notice before adding a new Subprocessor or materially changing an existing Subprocessor’s scope, consistent with Visalaw’s internal Change Management Policy; You may, within fifteen (15) days of receiving the notice of the change, reasonably object to Visalaw’s use of a Subprocessor on reasonable grounds relating to the protection of DPA Data by sending Visalaw written notice (“Objection Notice”). If You object, the parties will discuss the concern in good faith. Following such discussion:
• Visalaw will offer an alternative to provide its Service without such Subprocessor;
• Visalaw will take the corrective steps requested by You in the Objection Notice and proceed to use the Subprocessor;
• Visalaw may cease to provide, or You may agree not to use, whether temporarily or permanently, the particular aspect or feature of the Service that involves the use of the Subprocessor;
• You may cease providing DPA Data to Visalaw for processing. If none of the above options are commercially feasible, in Visalaw’s reasonable judgment, and the Objection has not been resolved to the satisfaction of both parties within thirty (30) days of Visalaw’s receipt of the Objection Notice, either party may terminate the affected Service.
• enter into contractual arrangements with each Subprocessor binding them to provide the same level of data protection and information security as required under this DPA, including data residency restrictions and geographic limits on where data can be stored or transmitted, consistent with Visalaw’s Vendor Management Policy.

5. Notice to Customer

Visalaw will inform You, to the extent legally permitted, if Visalaw receives:

• any legally binding request for disclosure of DPA Data by a law enforcement authority. If Visalaw is legally prohibited from notifying You, Visalaw will use commercially reasonable efforts to obtain a waiver of that prohibition;
• any notice, inquiry, or investigation by a Supervisory Authority with respect to DPA Data; or
• any complaint or request from a Data Subject (including “verifiable consumer requests” as defined by CCPA) exercising their right under Data Protection Law with respect to DPA Data.

VISALAW AI | Data Processing Addendum

6. Personal Data Breach

If Visalaw experiences a breach of security leading to any accidental or unlawful destruction, loss,

alteration, unauthorized disclosure of, or access to, DPA Data (“Personal Data Breach”), Visalaw will

notify You without undue delay and in any event within 24 hours after becoming aware of the

breach. Notification will include, to the extent known at the time:

• The nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned;
• The name and contact details of Visalaw’s data protection point of contact;
• The likely consequences of the Personal Data Breach;
• The measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects;
• Any other information required by applicable Data Protection Law.

VISALAW AI | Data Processing Addendum

7. Assistance to Customer and Audits

Upon Your written request, Visalaw will provide reasonable assistance to You regarding:

• Your obligations to respond to Data Subject Requests relating to Visalaw’s Processing of DPA Data;
• Your preparation of data protection impact assessments with respect to the processing of DPA Data by Visalaw and, where necessary, carrying out prior consultations with any Supervisory Authority;
• information, assessments, or audits, to the extent required by Data Protection Law, and as necessary to confirm that Visalaw is processing Personal Data in accordance with this DPA and the Instructions.

8. Required Processing

If Visalaw is required by applicable law to Process DPA Data outside of Your Instructions, Visalaw

will inform you of this requirement in advance of such Processing, unless legally prohibited from

doing so.

9. Security

Visalaw will:

• implement and maintain a written information security program with the data security measures set out in the Security Addendum to protect against the destruction, loss, unauthorized disclosure of, and access to DPA Data; and
• take appropriate steps to confirm that all Visalaw personnel and persons or entities authorized to Process DPA Data on Visalaw’s behalf are subject to a duty of confidentiality.

10. US Specific Data Protection Obligations

To the extent applicable under US State Privacy Law, Visalaw certifies that it understands and will

comply with its obligations under US State Privacy Law and agrees to:

• only process DPA Data for the purposes set out in this DPA, the Agreement, or the Terms, unless otherwise permitted by law;
• not “sell” or “share” (as defined by CCPA) DPA Data;
• not retain, use or disclose DPA Data outside of the direct business relationship between Visalaw and Customer unless otherwise required or permitted by law;
• Process DPA Data in a manner that provides no less than the level of privacy protection required by US State Privacy Law;

VISALAW AI | Data Processing Addendum

• not combine any DPA Data with Personal Data that Visalaw receives from or on behalf of a third party other than You or collects from Visalaw’s own interaction with an individual;
• not attempt to reidentify any deidentified data You provide to Visalaw, except for the sole purpose of determining whether the deidentification processes are compliant; and
• grant You the right to take reasonable and appropriate steps to (i) ensure that Visalaw uses DPA Data in a manner consistent with Data Protection Law and (ii) stop and remediate unauthorized use of DPA Data.

VISALAW AI | Data Processing Addendum

11. De-Identification Standards

To the extent Visalaw de-identifies any DPA Data or generates De-Identified Data (as defined in the

Agreement):

Scope and Primary Safeguard

Visalaw’s primary data protection mechanism is tenant isolation, not de-identification. Customer

Data and Content—including all matter-level content—remains within the Customer’s dedicated

tenant environment and is not pooled, commingled, or aggregated with any other customer’s data.

De-identification applies only to the limited category of operational metadata (e.g., system

performance metrics, feature usage patterns, error rates, and query behavior patterns) that Visalaw

may aggregate for product improvement purposes. De-identification does not apply to matter-level

content, which is never extracted from the Customer’s tenant environment for any analytics or

product improvement purpose.

Standard

Visalaw will apply a zero-tolerance de-identification standard: a data set that contains any amount

or type of personal information in any form will not be considered de-identified. This standard

exceeds the CCPA definition of “deidentified” information and is consistent with the NIST Special

Publication 800-188 guidelines.

Process

For operational metadata subject to cross-tenant aggregation, de-identification will include removal

of all direct identifiers (name, email, phone, address, government-issued ID numbers, including

immigration-specific identifiers such as A-numbers and case receipt numbers). Visalaw

acknowledges that in the immigration context, unique combinations of secondary details (such as

work history, educational background, publications, visa type, employer, and filing dates) may

enable re-identification even in the absence of direct identifiers. Visalaw’s architecture addresses

this risk through tenant isolation: matter-level content containing such details is not extracted,

aggregated, or made available outside the Customer’s tenant environment. If Visalaw introduces

any analytics beyond operational metadata in the future, Visalaw will implement additional

safeguards appropriate to the data involved, including quasi-identifier generalization and statistical

validation techniques, and will notify Customer in advance of any such change.

No Re-Identification

Visalaw will not attempt to re-identify any de-identified data and will contractually prohibit any

downstream recipients from doing so.

No Pooling

De-identified data derived from Your DPA Data will not be pooled or commingled with de-identified

data derived from any other customer’s data in a manner that could enable re-identification of

VISALAW AI | Data Processing Addendum

individual customer sources or data subjects. Matter-level content will not be pooled across

customers under any circumstances.

Audit

Upon reasonable request, Visalaw will provide documentation describing its de-identification

methodology and will cooperate with Your reasonable efforts to verify the adequacy of the de-

identification process.

12. Obligations of Customer

• You represent, warrant and covenant that You have and shall maintain throughout the term all necessary rights, consents and authorizations to provide DPA Data to Visalaw for processing.
• You shall reasonably cooperate with Visalaw to assist Visalaw in performing any of its obligations under Data Protection Law in relation to DPA Data.
• You acknowledge and agree that You, rather than Visalaw, are responsible for certain configurations and design decisions for the Service and that Visalaw’s ability to comply with Data Protection Law may depend upon Your actions.
• You shall not provide DPA Data to Visalaw except through agreed mechanisms. For example, You shall not include DPA Data in technical support requests unless using a secure channel agreed upon with Visalaw.

13. Cross-Border Data Transfers

You acknowledge that, unless You and Visalaw have agreed, in your currently operative order form

or otherwise in writing, to process and store DPA Data in a specific geographic region, Visalaw may

process and store DPA Data in the United States. By default, Customer Data is hosted on AWS US

East 1 and MongoDB US East 1 regions, with data replicated across multiple regions within the

United States for redundancy and disaster recovery. All replicated regions are within the United

States. If applicable Data Protection Law requires the use of a Data Transfer Mechanism for cross-

border transfers, the parties will execute the appropriate mechanism.

VISALAW AI | Data Processing Addendum

14. Future AI Regulations

In the event that new legislation and regulations are implemented that specifically govern the use

of artificial intelligence solutions, both parties shall cooperate in good faith to amend this DPA as

necessary to ensure compliance with such regulations.

If substantial modifications are required to render this DPA compliant with any regulations

implemented following its Effective Date, both parties shall negotiate such amendments in good

faith within a reasonable period.

Should new regulations render the continued provision of services under this contract infeasible or

unlawful, either party may initiate termination of this DPA in accordance with the Agreement’s

termination provisions.

The termination of this DPA due to the aforementioned regulations shall not relieve either party

from any outstanding obligations or liabilities accrued prior to the date of termination.

15. Retention Period

This DPA shall remain in effect until (i) the Service is terminated and (ii) Visalaw no longer

processes DPA Data on Your behalf. Within 30 days of termination, Visalaw will, at Your election,

return or delete DPA Data and certify such deletion in writing, in accordance with Visalaw’s Data

Protection Policy deletion methods (including software-based erasure, API-based deletion, and

automated retention policies).

16. Defined Terms

“Data Controller” means the person or entity that determines the purposes and means of

Processing DPA Data, which may include, as applicable, equivalent designations under US State

Privacy Law (e.g., “business” under CCPA).

“Data Processor” means the person or entity that Processes DPA Data on behalf of the Data

Controller, which may include, as applicable, equivalent designations under US State Privacy Law

(e.g., “service provider” under CCPA).

“Data Protection Law” means privacy and data protection law applicable in connection with your

use of the Service. Data Protection Law may include, as applicable, EU GDPR, UK GDPR, US State

Privacy Laws (including CCPA/CPRA), and other applicable privacy and data protection laws.

“Data Subject” means an identified or identifiable natural person to which DPA Data relates, to the

extent their Personal Data is protected under Data Protection Law.

“Data Transfer Mechanism” means a transfer mechanism that enables the lawful cross-border

transfer of DPA Data under Data Protection Law. This may include EU Standard Contractual Clauses

or an equivalent mechanism.

VISALAW AI | Data Processing Addendum

“DPA Data” means Customer Data or Your Content that is provided through the Service and that is

Personal Data.

“Instructions” means any (i) documented communication from You which includes actions taken

or input provided through the Service; or (ii) a direction from You to Visalaw to Process DPA Data.

“Personal Data” means any information relating to an identifiable natural person which is

protected under Data Protection Law and Processed by Visalaw on Your behalf.

“Processing” means any operation or set of operations which is performed on Your behalf on DPA

Data, whether or not by automated means, such as collection, recording, organization, structuring,

storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,

dissemination or otherwise making available, alignment or combination, restriction, erasure or

destruction.

“Security Addendum” means the Security Addendum provided as part of the enterprise agreement

suite.

“Subprocessor” means an entity Visalaw engages to Process DPA Data on Visalaw’s behalf, to carry

out specific processing activities on Your behalf.

“Supervisory Authority” means an independent public authority which is (i) established by a

member state pursuant to Article 51 of the GDPR; (ii) a comparable authority in the UK or

Switzerland; or (iii) a comparable authority under US State Privacy Law.

“US State Privacy Law” means all state laws relating to the protection and processing of Personal

Data in effect in the United States of America, including CCPA/CPRA, Virginia CDPA, Colorado

Privacy Act, Connecticut Data Privacy Act, and Utah Consumer Privacy Act.

“You” means the organization contracting for the use of the Service.