Legal · data processing

Data processing addendum.

Our standard DPA is incorporated into your Order Form by reference. The full executable PDF is available on request; this page captures the highlights and the live sub-processor list.

Last updated · 2026-05-20

1 · Roles

Customer is the controller of personal data submitted to the service. Cognoverge is the processor, acting only on Customer's documented instructions. For service-related operational data (billing, telemetry) Cognoverge acts as an independent controller.

2 · Scope of processing

Cognoverge processes the following categories of personal data on behalf of Customer:

Identifiers — names, work email addresses, role.
Workspace metadata — firm name, practice areas, jurisdiction.
Submissions — audit requests, draft content, citation submissions.
Usage and access logs.

3 · Standard Contractual Clauses

For transfers of EU/UK personal data outside the EEA, the EU SCCs (Module Two) and the UK International Data Transfer Addendum are incorporated by reference. EU and UK data residency options are available on Counsel and Enterprise.

4 · Security measures

The technical and organizational measures are detailed at /security. Highlights:

TLS 1.3 in transit, AES-256 at rest, customer-managed keys on Enterprise.
Single-tenant infrastructure option on Enterprise.
SOC 2 Type II and ISO 27001.
Workspace-level access controls; full audit trail.
Quarterly third-party penetration tests; annual SOC 2 audits.

5 · Sub-processors

The current sub-processor list:

Amazon Web Services — primary hosting and storage. US, EU, UK regions.
Stripe — payments and billing.
Postmark — transactional email.
Cloudflare — DDoS protection and global edge.
Sentry — error and performance telemetry (PII-scrubbed).
Linear — engineering issue tracking (operational data only).

Cognoverge maintains a sub-processor change log. We provide 30 days' advance notice of new sub-processors via email and the customer dashboard. Customer may object in writing during this period.

6 · Data subject requests

Cognoverge assists Customer in responding to requests from data subjects, including access, rectification, erasure, restriction, portability, and objection. Email dpo@cognoverge.com.

7 · Audit rights

Customer may request a copy of our latest SOC 2 Type II report under NDA. On-site audits are available for Enterprise customers subject to the MSA.

8 · Breach notification

We notify Customer of a personal-data breach affecting Customer data without undue delay, and in any case within 24 hours of confirmation.

9 · Termination

On termination, Cognoverge returns or deletes all Customer personal data within 30 days at Customer's election, subject to legal hold or backup retention (35 days).

Email dpo@cognoverge.com to request the executable DPA or to add Customer-specific terms.

loading workspace…

4 · Security measures

The technical and organizational measures are detailed at /security. Highlights:

TLS 1.3 in transit, AES-256 at rest, customer-managed keys on Enterprise.

Single-tenant infrastructure option on Enterprise.

SOC 2 Type II and ISO 27001.

Workspace-level access controls; full audit trail.

Quarterly third-party penetration tests; annual SOC 2 audits.

5 · Sub-processors

The current sub-processor list:

Amazon Web Services — primary hosting and storage. US, EU, UK regions.

Stripe — payments and billing.

Postmark — transactional email.

Cloudflare — DDoS protection and global edge.

Sentry — error and performance telemetry (PII-scrubbed).

Linear — engineering issue tracking (operational data only).

Cognoverge maintains a sub-processor change log. We provide 30 days' advance notice of new sub-processors via email and the customer dashboard. Customer may object in writing during this period.