Counsel
Terms of ServicePrivacy PolicyCookie PolicyDPAAviso LegalAccessibility

Data Processing Agreement

Last updated: 25 April 2026  ·  Based on EU Standard Contractual Clauses (Commission Decision 2021/914)

1. The DPA Is Legally Required

Under GDPR Article 28, when a company (the “controller”) engages a service provider (the “processor”) to process personal data on its behalf, a Data Processing Agreement is legally required — it is not optional. If your organisation is subject to GDPR and you use Counsel to process personal data of your employees, customers, or other individuals (even incidentally), you are required by law to have a DPA in place.

Paid tier customers (Starter, Growth, Scale) automatically enter into this Data Processing Agreement upon accepting the Terms of Service at account creation. No additional steps are required to establish a valid DPA. A countersigned PDF version remains available on request for enterprise procurement requirements (see Section 10).

Free tier users who process personal data of third parties in Counsel should contact us at legal@mycounsels.com to establish a DPA.

2. Our Roles

When you use Counsel, the roles under GDPR Article 28 are as follows:

  • You are the data controller. You determine the purposes and means of processing the personal data you enter into Counsel (company context, uploaded documents, consultation questions). You are responsible for having a lawful basis for that processing and for respecting the rights of the individuals whose data you provide.
  • Counsel is the data processor. We process personal data only on your instructions (by operating the Service as you direct) and not for our own purposes.

Note: Counsel is an independent controller for the personal data of your workspace members (email addresses, names) used to manage your account and subscription. For this processing, Counsel’s Privacy Policy applies.

3. What We Process on Your Behalf

As your data processor, Counsel may process the following personal data:

  • Personal data of individuals mentioned in your company context (e.g., references to employees, customers, or partners by role or name).
  • Personal data contained in documents you upload to the Service.
  • Personal data included in consultation questions or follow-up context you provide.

Data minimisation recommendation: We recommend that you avoid uploading documents containing unnecessary personal data. Use anonymised or pseudonymised data where possible. The AI agents do not need to know the names of individuals to provide strategic advice — they reason about roles and situations, not named individuals.

4. How We Process It

We process personal data solely for the purpose of providing the Service to you, which includes:

  • Storing data in our Convex database (EU, Frankfurt).
  • Transmitting relevant context to Anthropic’s API for AI inference during consultations.
  • Returning AI-generated recommendations to you.
  • Maintaining consultation history in your Decisions Log.

We do not process personal data for any purpose other than providing the Service. We do not sell personal data. We do not use personal data to train AI models.

5. Sub-Processors

Counsel uses the sub-processors listed in our Privacy Policy (Section 4). We ensure that each sub-processor provides sufficient guarantees under GDPR Article 28(4), through:

  • Signed DPAs with all sub-processors before processing begins.
  • EU Standard Contractual Clauses or Data Privacy Framework certification for transfers to US-based sub-processors.
  • Annual review of sub-processor DPA status.

We will notify you of any intended addition or replacement of sub-processors at least 30 days before the change takes effect, giving you the opportunity to object to the change within that period. If you object and we cannot accommodate your objection without material change to the Service, you may terminate the agreement without penalty. Notification will be sent to the email address associated with your account.

6. Security Measures

We implement the following technical and organisational measures to protect personal data we process on your behalf:

  • Encryption in transit (TLS 1.2+) for all data transmissions.
  • Encryption at rest (AES-256 via Convex’s infrastructure) for stored data.
  • Multi-tenancy isolation: all data is scoped to your workspace and cannot be accessed by other customers.
  • Role-based access controls: only authorised workspace members can access your data.
  • Audit logging of all sensitive data access and modification events.
  • Multi-factor authentication available to all users (configurable in account settings).

7. Right of Audit

In accordance with GDPR Article 28(3)(h), you have the right to audit Counsel’s data processing activities, or commission a third-party auditor approved by us in advance, to verify compliance with the obligations under this DPA. You must provide at least 30 days’ written notice before conducting any audit.

Audits must be conducted during normal business hours, in a manner that minimises disruption to Counsel’s operations. Auditors are subject to reasonable confidentiality obligations. Counsel may decline to provide access to information that would compromise the security of other customers or violate applicable law.

In lieu of a direct audit, Counsel may satisfy this requirement by providing relevant third-party audit reports, certifications, or security questionnaire responses, where these reasonably address your audit objectives.

8. Data Subject Rights Assistance

We will assist you in responding to requests from individuals exercising their GDPR rights (access, erasure, restriction, portability, rectification) to the extent that the request concerns data we process on your behalf. We will respond to such requests within 5 business days of receiving them from you.

The tools for data export and deletion are available directly in the application (Settings → Data & Privacy), which you can use to fulfil data subject requests without needing to contact us.

9. Breach Notification

In the event of a personal data breach affecting data we process on your behalf, we will notify you without undue delay (and within 72 hours where feasible) with sufficient information for you to notify the relevant supervisory authority and affected individuals as required by GDPR Articles 33 and 34.

10. Duration and Termination

This DPA applies for as long as we process personal data on your behalf under the Terms of Service. On termination of the Service:

  • We will delete all personal data we hold on your behalf within 30 days, unless retention is required by law.
  • At your request, we will provide a data export (JSON format) before deletion.

11. How to Request a Countersigned DPA

To receive a signed copy of our DPA (based on the EU Standard Contractual Clauses, Commission Decision 2021/914):

  1. Email legal@mycounsels.com with the subject line “DPA Request”.
  2. Include your company name, registered address, and the email address associated with your Counsel account.
  3. We will send you the DPA document for your review and countersignature.
  4. We aim to respond within 5 business days.

12. Contact

Data protection queries: legal@mycounsels.com

Counsel  ·  Barcelona, Spain