The Justice Platform Ltd. t/a Legl (“Legl”) may engage and use certain third-party data processors in providing the Services, as described in the Legl Services Agreement (“LSA”). This Policy provides important information about the identity and role of each Sub-Processor. This Policy does not give Clients any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Legl’s engagement process for sub-processors as well as to provide the list of principal third-party sub-processors used by Legl in the delivery and support of the Services as at the date of this Policy. Terms used in this Policy but not defined have the meaning set forth in the LSA.
Legl undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors.
Legl generally requires its sub-processors to satisfy equivalent obligations as those required by Legl as set forth in the LSA, including but not limited to the requirements to:
- process Personal Data in accordance with data controller’s (i.e., Client’s) documented instructions (as communicated in writing to the relevant sub-processor by Legl);
- comply with the Privacy Laws and any other legislation that may be applicable;
- in connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
- provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
- implement and maintain appropriate technical and organisational measures;
- promptly inform Legl about any actual or potential security breach; and
- cooperate with Legl in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.
Process to Engage New Sub-processors
Legl will provide notice via email or within your Legl environment of updates to this Policy, including updates to the list of sub-processors utilised or which Legl proposes to utilise to deliver its Services. Legl undertakes to keep this list updated regularly to enable its Clients to stay informed of the scope of sub-processing associated with the Services. A Client may object in writing to the processing of its Personal Data by a newly appointed sub-processor within ten calendar days following the update of this Policy and such objection shall describe Client’s legitimate reason(s) for objection. If a Client does not object during such time period, the new sub-processor(s) shall be deemed accepted.
Legl’s sub-processors are best-in-class and have been selected based on their reliability and security. As of 14 August 2023, Legl’s principal sub-processors in respect of the Services include:
Our payment administration system is powered by Stripe Payments Europe, Ltd., which maintains best-in-class PCI Level 1 certification and is regulated by the Financial Conduct Authority (the “FCA”). Banked Ltd. provides open banking payment initiation services, and is also regulated by the FCA. Depending on the context of the processing, each of Stripe and Banked acts as either a controller or processor of Personal Data.
Updates to Our Sub-Processors
22 August 2023: Appointment of Microsoft Ireland Operations Limited (“Microsoft”) as Sub-Processor for Legl Assist
Legl has engaged Microsoft as a new sub-processor for Legl Assist. Microsoft is a generative AI provider which will be used to improve the speed and efficiency of Legl’s services.
Microsoft’s Commitment to Privacy
Microsoft holds a suite of globally recognised compliance standards including ISO 27001, ISO 27018, SOC 1, SOC 2 and SOC 3. A full list can be accessed here.
22 August 2023: Appointment of Datadog, Inc. (“Datadog”) as Sub-Processor
Legl has engaged Datadog as a new sub-processor for logging and monitoring purposes. Data will be hosted in Europe.
Datadog’s Commitment to Privacy
Datadog will maintain SSAE 18 SOC 2 certification, or comparable certification, for the term of Legl’s agreement with it.
We don’t require you to take any action relative to this update – Legl will commence offering the additional services from the effective date provided above. In accordance with this Policy and the Privacy Laws, you have the right to object to the use of sub-processors. However, you must do so within ten days of this notice. If you choose to object or have any other questions, please reach out to us at [email protected] and we will be glad to assist you with your request.