Data Protection Addendum
1. INTRODUCTION
1.1 This Data Protection Addendum ("DPA") is incorporated into the Terms of Service or other related agreement(s) (the "Agreement") in place between HLTech Legal Technology & Consulting BV ("ELTEMATE" or "Processor") and the Customer ("Customer" or "Controller") (each a "Party" and collectively the "Parties") and sets out obligations of both Parties with respect to the Processing of Customer Personal Data in connection with the Agreement.
1.2 In the event of any conflict between the terms of this DPA and any other Agreement(s) between ELTEMATE and the Customer, the terms of this DPA shall prevail unless specifically stated otherwise. If the Parties have executed a separate Data Processing Agreement, the terms of that Data Processing Agreement shall prevail over this DPA.
2. DEFINITIONS
The following terms shall have the meanings ascribed below. Capitalized terms not defined herein shall have the same meaning set forth in the Agreement or in Applicable Data Protection Laws. "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Processing" and "Data Protection Authority" shall have the meaning set out under Applicable Data Protection Laws, or where not specifically defined, the same meaning as analogous terms in Applicable Data Protection Laws.
2.1 "Affiliate" of a Party shall mean any entity that is controlled by, in control of or under common control with such Party. Affiliates of ELTEMATE include any entity that directly or indirectly controls, is controlled by or in under common control with ELTEMATE, and, additionally includes Hogan Lovells International LLP, Hogan Lovells US LLP and any legal entity controlling, controlled by or under common control with Hogan Lovells US LLP or Hogan Lovells International LLP, as well as any entity, which provides legal services or other related services under a name or brand including the words or letters "Hogan Lovells" or "HL" or "Eltemate". For purposes of this definition, the term "control" (including the terms "controlling", "controlled by" and "under common control with") means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a Party, whether through ownership of voting securities or otherwise.
2.2 "Agreement" means the Terms of Service found here or other agreement(s) between ELTEMATE and the Customer, to which this DPA may be an addendum.
2.3 "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of ELTEMATE Personal Data under this DPA, including, without limitation, the laws and regulations of the United States, Singapore, Brazil, the European Union/European Economic Area (EU/EEA) and its member states, the United Kingdom, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018, including the Data (Use and Access) Act 2025 ("DUAA"), California Consumer Privacy Act ("CCPA") as amended by California Privacy Rights Act of 2020, Cal. Civ Code § 1798.100 et seq. ("CPRA"), Colorado Privacy Act, Col. Rev. Stat. § 6-1-1301 et seq., Virginia Consumer Data Protection Act, Va. Code, 59.1-571 et seq., Singapore Personal Data Protection Act of 2012 (as amended) ("PDPA") and Brazil’s Lei Geral de Proteção de Dados Pessoais (Lei 13709/2018) ("LGPD").
2.4 "Customer" means a legal entity which has directly entered into the Agreement for Services with ELTEMATE or its Affiliates.
2.5 "Customer Personal Data" means the Personal Data that the Customer or its Affiliates provide under the Agreement for ELTEMATE to Process on behalf of the Customer in connection with the Services. It excludes Personal Data that has been anonymised, information that does not relate to an identified or identifiable natural person, or any Personal Data that the Applicable Data Protection Laws expressly state that does not constitute Personal Data.
2.6 "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
2.7 "DPO" means the Data Protection Officer of ELTEMATE.
2.8 "Data Transfer" means the international transfer of Customer Personal Data from the jurisdiction of origin to another jurisdiction.
2.9 "ELTEMATE" means HLTech Legal Technology & Consulting B.V., and its present and future subsidiaries, including HLTech (Singapore) PTE. LTD, HLTech Legal Technology & Consulting Ltda., and HLTech Technology & Consulting LLC.
2.10 "Personnel" means individually and collectively, all directors, employees, secondees, trainees, contractors, business and secretarial services and all temporary staff of ELTEMATE.
2.11 "Services" means the services provided or received by the Parties pursuant to the Agreement.
2.12 "Sub-processor" means any Processor engaged by ELTEMATE, or by any other Processor engaged by ELTEMATE, to Process Customer Personal Data on ELTEMATE’s behalf in connection with the provision of the Services.
2.13 "Standard Contractual Clauses" means those model contractual clauses approved pursuant to Applicable Data Protection Laws that allows for the transfer of Customer Personal Data to other jurisdictions that may not have an equivalent level of protection, including but not limited to the EU Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Addendum or the UK International Data Transfer Agreement approved by the UK Information Commissioner ("ICO"), Standard Contractual Clauses approved by the Brazilian Data Protection Authority ("ANPD"), the EU Standard Contractual Clauses adapted by the Swiss Federal Data Protection and Information Commissioner ("FDPIC"), and the ASEAN Model Contractual Clauses ("MCCs") approved by the Singaporean Personal Data Protection Commission ("PDPC").
3. GENERAL TERMS
3.1 Purpose and Scope. This DPA governs the Processing of Customer Personal Data by ELTEMATE, on behalf of the Customer, in connection with the Services under the Agreement, establishing the respective obligations of ELTEMATE and the Customer regarding such Processing, and ensuring the Processing is in accordance with the Applicable Data Protection Laws.
3.2 Parties' Obligations. With respect to the Processing of Customer Personal Data in connection with the Services, the Parties agree that
(a) Customer is the Controller of Customer Personal Data and, consequently, ELTEMATE is a Processor thereof, whereby the Parties agree that the Customer Personal Data is being disclosed to and Processed by ELTEMATE only for such limited and specified purposes set forth in this DPA and Agreement, including any relevant order forms;
(b) each Party will inform the other if, in its reasonable opinion, an instruction infringes on its own obligations under Applicable Data Protection Laws, or if it determines that it can no longer comply with Applicable Data Protection Laws, and upon reasonable request, provide assistance to ensure compliance with any requirements under Applicable Data Protection Laws, such as support with respect to data protection impact assessments or cooperation with the relevant Data Protection Authority.
3.3 Lawful Basis. Where required by Applicable Data Protection Laws, the lawful basis on which ELTEMATE primarily relies to Process Customer Personal Data is ELTEMATE's legitimate interests in performing such processing as may be necessary to provide the Services, as well as the support and related Services referred to below in Section 4.2 provided by ELTEMATE's Sub-Processors.
3.4 Processing of Customer Personal Data. ELTEMATE may Process Customer Personal Data that it receives from the Customer for the following purposes:
(a) Providing ELTEMATE's Services to the Customer;
(b) Sending newsletters, marketing communications, and other information or materials to the Customer that may interest the Customer;
(c) Maintaining ELTEMATE's lists of contacts;
(d) Submitting invoices;
(e) Detecting, preventing, and responding to actual or potential fraud, illegal activities, or intellectual property infringement;
(f) Complying with ELTEMATE's legal obligations;
(g) Responding to legal process or requests for information issued by governmental authorities or other third parties; or
(h) Protecting Customer's, ELTEMATE's, or others’ rights.
3.5 Receipt of Customer Personal Data. ELTEMATE may receive Personal Data relating to the Customer's organization and/or Customer's Personnel either directly from the Customer or from third parties, in connection with the Agreement with the Customer and for the purposes of ELTEMATE performing the agreed Services. This may occur during the normal course of providing the Services, or prior to ELTEMATE's acceptance of instructions, when ELTEMATE is carrying out due diligence procedures.
3.6 Limitations on Processing. ELTEMATE Processes Customer Personal Data, only to the extent necessary for the purposes of providing ELTEMATE's Services under the Agreement with the Customer, and only in accordance with the Customer’s written instructions, including those contained in the Agreement. ELTEMATE will inform the Customer in advance of any additional legal requirements that require ELTEMATE to process Customer Personal Data in ways that contravene Customer's instructions, unless such requirements prohibit ELTEMATE from doing so on important grounds of public interest.
3.7 Disclosure of Customer Personal Data. ELTEMATE may disclose Customer Personal Data to third-party service providers (considered as Sub-Processors) that perform Services on ELTEMATE's behalf, such as web-hosting companies, mailing vendors, analytics providers, event hosting services, and information technology providers; to law enforcement bodies, other government authorities, or third parties (within or outside the jurisdiction in which the Customer resides) as may be permitted or required by the laws of any jurisdiction that may apply to ELTEMATE; as provided for under the Agreement; or as ELTEMATE deems reasonably necessary to provide the Services. In these circumstances, ELTEMATE take reasonable efforts to notify the Customer before disclosing Customer Personal Data that may reasonably identify the Customer, unless prior notice is prohibited by applicable law or is not possible or reasonable in the circumstances. ELTEMATE may also need to disclose Customer Personal Data to service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a transaction in which ELTEMATE acquired by or merged with another company or in which ELTEMATE sell, liquidate, or transfer all or a portion of our assets.
3.8 Personnel Training. ELTEMATE takes reasonable steps to ensure the reliability of any of its Personnel who will have access to Customer Personal Data, ensuring that any such Personnel are
(a) adequately trained in their duties; and,
(b) obliged to maintain the confidentiality of Customer Personal Data (either by the terms of their employment agreement with ELTEMATE or under the terms of any statutory obligation of confidentiality).
3.9 Data Subject Rights. Data Subjects, i.e., individuals have certain rights regarding the Personal Data that ELTEMATE Processes about them. ELTEMATE may hold Personal Data in the capacity of a Data Controller, or in the capacity of a Data Processor on behalf of the Customer. Where ELTEMATE holds Personal Data in the capacity of a Data Controller, Data Subjects can request ELTEMATE to access Personal Data ELTEMATE Processes about them, to correct any Personal Data that is inaccurate, and in some cases to erase Personal Data or object to ELTEMATE’s use of it, in addition to any other rights conferred on Data Subjects by Applicable Data Protection Laws. Data Subjects may also have the right to complain to their local Data Protection Authority. ELTEMATE will provide the Customer with reasonable and timely assistance and notify the Customer without undue delay if ELTEMATE receives a request from a Data Subject to exercise any of his/her rights under Applicable Data Protection Laws that pertain to the Customer Personal Data.
3.10 Audits. ELTEMATE shall make available to the Customer documentation and evidence reasonably required to demonstrate ELTEMATE’s compliance with this DPA and Applicable Data Protection Laws. Where feasible and where mutually agreed between ELTEMATE and the Customer, and where such materials are insufficient to prove compliance with this DPA and Applicable Data Protection Laws, the Customer may, upon reasonable written notice and no more than once per year, conduct a proportionate inspection through its representative (or an auditor appointed by the Customer). The Customer shall bear its own costs, and ELTEMATE may charge a reasonable fee for facilitating any audit. The Parties acknowledge that Applicable Data Protection Laws may afford the Customer the right to take measures to stop or prevent any unauthorized processing of Customer Personal Data.
3.11 CCPA Derogations. To the extent the CCPA applies to the Processing of Personal Data under this DPA, ELTEMATE shall not
(a) “sell” Customer Personal Data, as “sell” (or any derivative thereof) is defined under the CCPA;
(b) “share” Customer Personal Data, as “share” (or any derivative thereof) is defined under the CCPA;
(c) Process Customer Personal Data for any purpose outside the direct business relationship between the Parties; or
(d) combine Customer Personal Data with Personal Data received from or on behalf of any other third party or obtained through ELTEMATE’s own interactions with Data Subjects, except where such combining is conducted for a specific business purpose at the Customer’s direction or as otherwise permitted under the CCPA and other applicable law.
4. SUB-PROCESSORS
4.1 Use of Sub-Processors. The Customer agrees that ELTEMATE may use the following Sub-Processors. ELTEMATE will inform the Customer if ELTEMATE wishes to add or change any of the Sub-Processors listed below by updating this Section 4.2.
4.2 List of Sub-Processors.
| Sub-Processor |
Service(s) |
Description |
Sub-Processor Country |
| |
|
|
|
| Epiq eDiscovery Solutions |
eDiscovery services, including Relativity |
Provision of data processing and hosting infrastructure and services. |
US, UK & Germany |
|
|
|
|
| Lineal Worldwide Holdings, LLC |
eDiscovery services, including Relativity |
Provision of data processing and hosting infrastructure and services. |
US, UK & Germany |
| |
|
|
|
| Thomson Reuters (Professional) UK Limited |
HighQ Collaborate |
Online database and project management solution. |
Germany & US |
| |
|
|
|
| Microsoft Inc.* |
Azure |
Cloud service for data hosting. |
Germany |
| |
|
|
|
| Workshare Limited trading as Litera |
KIRA & Transact |
Automated contract analysis and transaction management. |
Ireland & Germany |
| |
|
|
|
| Okta, Inc. |
Auth0 |
Identity management. |
Germany |
| |
|
|
|
| Twilio, Inc. |
Twilio & Sendgrid |
Messaging services (Email and SMS). |
Germany & Ireland |
|
|
|
|
| Grafana Labs Ltd. |
Grafana |
Analytics and usage monitoring. |
UK |
|
|
|
|
| Functional Software Inc. |
Sentry |
Error logs monitoring. |
US |
|
|
|
|
| Atlassian Corporation Plc. |
Confluence, Jira & BitBucket |
Integrated platform for coding, tracking work, and documentation. |
Germany |
|
|
|
|
| Opus 2 International Inc. |
Opus2 |
Online database for litigation management |
US, UK & Germany |
|
|
|
|
*Currently relying on the license of Hogan Lovells to Process Personal Data through this Sub-Processor.
5. DATA TRANSFERS
5.1 Data Transfers. Where ELTEMATE processes Customer Personal Data in a particular jurisdiction such as the EU/EEA, UK, Brazil and Singapore, and carries out Data Transfers, ELTEMATE will only do so in accordance with this DPA; and only if such Data transfers are necessary to provide the Services
to the Customer or if the Customer consents to such Data Transfers. Where the Customer executes the Agreement, the Customer consents to such Data Transfers.
5.2 International Data Transfers Mechanisms. Where applicable, and where ELTEMATE carries out Data Transfers of Customer Personal Data from the EU/EEA, UK, Switzerland, Singapore and Brazil, ELTEMATE normally does so by relying on Standard Contractual Clauses available in the hyperlinks provided in this Section 4.2. ELTEMATE may also rely on other appropriate Data Transfer mechanisms available under Applicable Data Protection Laws.
6. SECURITY OF CUSTOMER PERSONAL DATA
6.1 Appropriate Safeguards. ELTEMATE provides a level of protection of Customer Personal Data that is consistent with the requirements of Applicable Data Protection Laws. ELTEMATE implements administrative, technical, and physical safeguards designed to comply with Applicable Data Protection Laws and to safeguard Customer Personal Data that ELTEMATE Processes. Where required, appropriate, and feasible, ELTEMATE also obtains written assurances from third parties that may access Customer Personal Data confirming that they will protect the Customer Personal Data with safeguards designed to provide a level of protection equivalent to that adopted by ELTEMATE.
6.2 Technical and Organizational Measures. ELTEMATE implements at least the below measures to ensure a level of security appropriate to the risk presented by the Processing; taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed, and the varying likelihood and severity for the rights and freedoms of Data Subjects, which shall include (where appropriate in each case)
(a) encryption of Customer Personal Data;
(b) measures designed to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(c) measures to restore the availability of, and access to, Customer Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
6.3 Limitations. No information system can be completely secure, and therefore ELTEMATE cannot assure or warrant the absolute security of Customer Personal Data in ELTEMATE's possession. Moreover, ELTEMATE is not responsible for the security of information Customers transmit to ELTEMATE over networks that ELTEMATE does not control, including the internet and/or wireless networks.
6.4 Data Breach Notification and Assistance. ELTEMATE will inform the Customer without undue delay if ELTEMATE becomes aware of any accidental or unlawful destruction or loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, and provide the Customer with all reasonable assistance in investigating and mitigating the impact of any such Data Breach. ELTEMATE will also provide all reasonable assistance to the Customer to fulfil the necessary obligations, including to provide adequate notifications to the relevant Data Protection Authorities and affected Data Subjects.
7. DATA RETENTION AND DELETION
7.1 Data Retention. ELTEMATE retains Customer Personal Data it Processes if is reasonably necessary to fulfil the purposes for which ELTEMATE collects the Customer Personal Data, such as to provide the Services to the Customer, and to comply with ELTEMATE's legal obligations. ELTEMATE shall not retain Customer Personal Data for longer than is necessary to fulfil its obligations under the Terms of Service and any other agreement with the Customer, or as required by applicable law or Applicable Data Protection Laws.
7.2 Return or Deletion of Customer Personal Data. Upon termination or expiry of the Agreement or the DPA, ELTEMATE shall return to the Customer all Customer Personal Data (and all copies). At the Customer’s written instruction, ELTEMATE shall take reasonable steps to securely destroy all remaining copies. If ELTEMATE is prevented by applicable law from returning or destroying any Customer Personal Data, ELTEMATE shall keep such data confidential and shall not actively Process it for any purpose other than to the extent, and for the period, required by applicable law.
8. CONTACT
For further assistance or inquiries regarding this DPA or how ELTEMATE Processes Personal Data, please contact the DPO at dpo@eltemate.com.
Last Date of Update: 16 March 2026