Data Processing Agreement

Last Updated: September 7, 2025

Definitions

For the purposes of this Data Processing Agreement (DPA):

  • Controller: The law firm, arbitration center, or legal entity using TERES services
  • Processor: TERES Legal Technology Pte Ltd
  • Personal Data: Legal documents, transcripts, and case materials containing identifiable information
  • Processing: Transcription, storage, analysis, and management of legal data
  • DASH Platform: Our secure document management and case handling system

Scope and Application

This DPA applies to all personal data processing activities performed by TERES as a processor on behalf of Controllers, including:

  • AI-powered transcription of hearings and depositions
  • Document storage and management through DASH platform
  • Real-time hearing support and recording services
  • E-discovery and document analysis services
  • Electronic hearing bundle preparation

This DPA supplements our Master Service Agreement and applies to EU/UK GDPR and other applicable data protection laws.

Data Processor Obligations

TERES commits to:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorized to process personal data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage sub-processors without prior written authorization
  • Assist with data subject rights requests within legal timeframes
  • Maintain records of all processing activities
  • Delete or return personal data upon contract termination

Data Controller Responsibilities

The Controller shall:

  • Ensure lawful basis for processing exists
  • Provide clear and specific processing instructions
  • Ensure data subjects have been informed of processing
  • Conduct Data Protection Impact Assessments where required
  • Respond to data subject rights requests
  • Notify relevant supervisory authorities of data breaches

Security Measures

TERES implements comprehensive security measures:

Technical Safeguards

  • AES-256 encryption for data at rest and in transit
  • Multi-factor authentication for all platform access
  • Role-based access controls with least privilege principle
  • Regular security monitoring and threat detection
  • Secure API endpoints with OAuth 2.0 authentication

Organizational Measures

  • ISO 27001:2022 certified information security management
  • Regular staff training on data protection and confidentiality
  • Incident response procedures and breach notification protocols
  • Annual third-party security audits and penetration testing

Sub-processors

TERES may engage the following sub-processors for specific services:

  • Amazon Web Services (AWS): Cloud infrastructure and storage
  • Microsoft Azure: AI transcription processing
  • Twilio: Communication and notification services

All sub-processors are bound by equivalent data protection obligations and undergo regular compliance assessments.

International Data Transfers

Data processing occurs primarily in Singapore with the following transfer mechanisms:

  • EU Standard Contractual Clauses for EU/UK data
  • Adequacy decisions where applicable
  • Binding Corporate Rules for intra-group transfers

No data is transferred to countries without adequate protection or appropriate safeguards.

Data Subject Rights

TERES assists Controllers with data subject rights requests including:

  • Access to personal data and processing information
  • Rectification of inaccurate or incomplete data
  • Erasure of personal data (right to be forgotten)
  • Restriction of processing activities
  • Data portability in structured formats
  • Objection to specific processing activities

Response time: Within 10 business days of receiving Controller's instruction.

Data Breach Procedures

In the event of a personal data breach, TERES will:

  1. Notify the Controller within 24 hours of becoming aware
  2. Provide detailed breach assessment and impact analysis
  3. Implement immediate containment and remediation measures
  4. Cooperate with Controller's breach notification obligations
  5. Conduct post-incident review and preventive measures

Emergency contact: +65 6665 7125 (24/7 security hotline)

Audit and Compliance

Controllers may conduct compliance audits subject to:

  • Reasonable prior notice (minimum 30 days)
  • Confidentiality agreements protecting other clients' data
  • Coordination with existing audit schedules
  • Cost-sharing for audit expenses where reasonable

TERES provides annual SOC 2 Type II reports and ISO 27001 certificates as evidence of compliance.

Termination and Data Return

Upon contract termination or expiry:

  • All personal data will be securely deleted within 90 days
  • Data can be returned in commonly used formats upon request
  • Certified deletion certificates provided upon completion
  • Legal holds and regulatory requirements supersede deletion timelines

Contact Information

For data protection matters:

Data Protection Officer: dpo@teres.ai

Legal Team: legal@teres.ai

Emergency Hotline: +65 6665 7125

TERES Legal Technology Pte Ltd
32 Maxwell Road
Singapore 069115

This Data Processing Agreement forms an integral part of our Master Service Agreement and shall remain in effect for the duration of our processing activities.

Privacy PolicyTerms & ConditionsService Level Agreement