Data Processing Agreement

Scope and roles

This Data Processing Agreement (the “DPA”) forms part of the agreement between Chamberly and each subscribing firm (the “Firm”). For personal data the Firm stores in its workspace — including data about its clients, opposing parties, and other contacts — the Firm is the data controller and Chamberly is the data processor.

Chamberly processes such personal data only to provide, secure, and support the service, and only on the Firm's documented instructions, which are given through the Firm's configuration and use of the service and through this DPA.

Ghana Data Protection Act alignment

This DPA is aligned with the Ghana Data Protection Act, 2012 (Act 843). Chamberly applies the Act's data-protection principles to its processing, assists the Firm in meeting its controller obligations under the Act, and maintains the technical and organisational safeguards described below.

Acceptance and re-acceptance

The service requires users to accept the current version of this DPA, together with the Terms of Service and Privacy Policy, before performing sensitive actions. Material updates to this DPA trigger a re-acceptance prompt in the product, and each acceptance is recorded with its document version, user, and timestamp.

Confidentiality

Chamberly ensures that personnel authorised to process Firm personal data are bound by appropriate confidentiality obligations and access Firm data only where strictly necessary to operate or support the service, with all such access logged.

Security measures

Chamberly maintains, as a minimum: strict per-tenant data isolation, with no cross-firm access through the service; encryption of personal data in transit and at rest, with document storage segregated per firm; role- and attribute-based access control protected by multi-factor authentication; append-only audit logs covering security-relevant actions; and operational hardening including secrets management, structured logging, rate limiting, and disaster-recovery procedures.

Subprocessors

The Firm authorises Chamberly to engage the subprocessors listed on the Subprocessors page, each bound by data-protection obligations no less protective than this DPA. Chamberly maintains the subprocessor register, gives the Firm advance notice of intended additions or replacements, and gives the Firm the opportunity to object on reasonable data-protection grounds.

Assistance with data-subject rights

Taking into account the nature of the processing, Chamberly assists the Firm with appropriate technical and organisational measures — including permission-filtered search, export tooling, and audit records — so the Firm can respond to data-subject requests for access, correction, or deletion under the Ghana Data Protection Act.

Personal-data breach notification

Chamberly will notify the Firm's designated administrators without undue delay after becoming aware of a personal-data breach affecting the Firm's personal data, and will provide information reasonably required for the Firm to meet its own notification obligations, including the nature of the breach, the categories of data concerned, and the remediation measures taken or proposed.

Retention, return, and deletion

Upon termination of the agreement, the Firm may export its personal data during a defined wind-down period. After that period, Chamberly deletes the Firm's personal data from production systems in accordance with its retention schedule, except where retention is required by law or an active legal hold, in which case the data remains protected under this DPA until deletion.

Audit and information

Chamberly makes available information reasonably necessary to demonstrate compliance with this DPA, including descriptions of its security measures and subprocessor register, and will reasonably cooperate with audits required of the Firm under the Ghana Data Protection Act, in a manner that does not compromise the isolation or security of other firms' data.