1. Introduction and Scope
This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement or Terms of Service (“Agreement”) between RUNO Legal Technology Limited (“Processor” or “RUNO”) and the entity agreeing to these terms (“Controller” or “Customer”).
This DPA applies to the processing of Personal Data by RUNO on behalf of the Customer in connection with the provision of the RUNO legal intelligence platform and related services (“Services”).
This DPA is designed to comply with the requirements of the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the Protection of Personal Information Act 2013 (“POPIA”), and other applicable data protection legislation.
2. Definitions
“Personal Data”
Any information relating to an identified or identifiable natural person processed by RUNO on behalf of the Customer in connection with the Services.
“Processing”
Any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
“Sub-Processor”
Any third-party processor engaged by RUNO to process Personal Data on behalf of the Customer.
“Data Breach”
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
“Standard Contractual Clauses” (SCCs)
The standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission.
3. Details of Processing
| Attribute | Description |
|---|---|
| Subject Matter | Provision of the RUNO legal intelligence platform, including contract management, practice management, document intelligence, employment tribunal tools, and AI-powered legal analysis. |
| Duration | For the term of the Agreement plus any data retention period specified in the Agreement or required by applicable law. |
| Nature & Purpose | Storage, organisation, retrieval, and analysis of legal documents, contracts, client records, and practice management data to provide the Services. |
| Categories of Data Subjects | Customer employees and staff; Customer's clients and their representatives; Parties to contracts and legal documents; Witnesses and tribunal participants. |
| Types of Personal Data | Names, contact details, professional information, financial data within contracts, employment records, case details, and any Personal Data contained within documents uploaded to the platform. |
Special Category Data
The Services are not designed to process special category data (Article 9 GDPR). If Customer uploads documents containing such data, Customer is responsible for ensuring an appropriate lawful basis exists.
4. Obligations of the Processor
RUNO, as Processor, shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 5)
- Not engage another processor (Sub-Processor) without prior specific or general written authorisation of the Controller
- Assist the Controller in ensuring compliance with obligations under Articles 32-36 GDPR
- At the Controller's choice, delete or return all Personal Data after the end of the provision of Services
- Make available to the Controller all information necessary to demonstrate compliance with GDPR obligations
- Immediately inform the Controller if, in its opinion, an instruction infringes GDPR or other data protection provisions
- Never use Customer Personal Data for AI model training or any purpose beyond providing the Services
5. Technical and Organisational Security Measures
Encryption
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Encrypted database backups
- Key management via AWS KMS
Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication (MFA)
- Least privilege principle
- Quarterly access reviews
Infrastructure
- Hosting on SOC 2 Type II certified infrastructure (Railway/AWS)
- Network segmentation and firewalls
- Intrusion detection systems (IDS)
- DDoS protection
Monitoring & Logging
- Immutable audit trails
- 24/7 security monitoring
- Automated vulnerability scanning
- Annual penetration testing
6. Sub-Processors
The Customer provides general authorisation for RUNO to engage Sub-Processors. RUNO shall:
- Maintain an up-to-date list of Sub-Processors at runox.ai/sub-processors
- Notify the Customer at least 30 days before adding or replacing a Sub-Processor
- Impose equivalent data protection obligations on all Sub-Processors via written contract
- Remain fully liable to the Customer for the performance of each Sub-Processor's obligations
- Provide the Customer with the opportunity to object to new Sub-Processors within the 30-day notice period
7. Data Breach Notification
In the event of a Data Breach involving Personal Data processed on behalf of the Customer, RUNO shall:
- Notify the Customer of the breach without undue delay and in any event within 24 hours of becoming aware.
- Provide full details including nature of breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
- Cooperate with the Customer to investigate, remediate, and mitigate the breach. Assist with regulatory notifications as required.
8. International Data Transfers
RUNO shall not transfer Personal Data to a country outside the European Economic Area (EEA) or the United Kingdom unless adequate safeguards are in place:
- EU-approved Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914
- UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
- Adequacy decisions by the European Commission or UK Secretary of State
- Binding Corporate Rules where applicable
- Transfer Impact Assessments conducted for each transfer mechanism
RUNO's approach: Customer data is primarily stored in the EU (AWS eu-west-1, Ireland) and UK (AWS eu-west-2, London). Transfers to Sub-Processors outside the EEA/UK are covered by SCCs supplemented by additional technical measures.
9. Assistance with Data Subject Rights
RUNO shall assist the Customer in responding to requests from data subjects exercising their rights under GDPR, including:
- Right of Access (Art. 15): Export tools to provide copies of all Personal Data
- Right to Rectification (Art. 16): Edit functionality across all modules
- Right to Erasure (Art. 17): Secure deletion with confirmation audit trail
- Right to Restriction (Art. 18): Ability to restrict processing per data subject
- Right to Portability (Art. 20): Data export in machine-readable formats (JSON, CSV)
- Right to Object (Art. 21): Mechanisms to cease processing on objection
RUNO will respond to Controller requests for assistance within 5 business days. RUNO will not respond to data subject requests directly unless authorised by the Controller.
10. Audit Rights
RUNO shall make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
- Sub-processor SOC 2 Type II audit reports are available upon request under NDA
- RUNO is actively working towards SOC 2 Type II and ISO 27001 certifications
- On-site or remote audits permitted with 30 days' prior written notice
- Audit costs borne by the Customer unless the audit reveals material non-compliance
- RUNO shall promptly remediate any non-compliance identified during an audit
11. Data Retention and Deletion
Upon termination of the Agreement or upon the Customer's written request:
- RUNO shall delete or return all Personal Data within 30 days, at the Customer's choice
- All copies of Personal Data shall be securely destroyed, including from backups within 90 days
- RUNO shall provide written certification of deletion upon request
- Data required to be retained by applicable law shall be isolated and protected until deletion is permitted
- Customer may export all data in machine-readable format before termination
12. AI-Specific Data Processing Provisions
Given that RUNO's Services include AI-powered features, the following additional provisions apply:
- Customer Personal Data is NEVER used for training, fine-tuning, or improving AI models
- AI processing is performed in isolated environments with no data persistence beyond the request lifecycle
- AI outputs are generated in real-time and not stored separately from the Customer's workspace
- Third-party AI providers (e.g., Anthropic for Claude) are bound by equivalent data protection terms
- Customers may disable AI features at any time without affecting core platform functionality
- RUNO maintains a register of AI systems in compliance with the EU AI Act
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits either party's liability for:
- Death or personal injury caused by negligence
- Fraud or fraudulent misrepresentation
- Any liability that cannot be lawfully excluded or limited
- Either party's obligations under applicable data protection law
14. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws that govern the Agreement. Where the Agreement is silent on governing law:
- For Customers in the United Kingdom: the laws of England and Wales, subject to the exclusive jurisdiction of the courts of England and Wales
- For Customers in the European Union: the laws of Ireland, subject to the exclusive jurisdiction of the courts of Ireland
- For all other Customers: the laws of England and Wales, subject to the exclusive jurisdiction of the courts of England and Wales
15. Contact Information
16. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | January 2026 | Legal / DPO | Initial release |
Next Review: July 2026
This Data Processing Agreement is provided as part of RUNO's commitment to data protection and transparency. For questions about this DPA or to request a signed copy, please contact legal@runo.legal.