GDPR Compliance

Last updated: January 6, 2026

1. Our Commitment to GDPR

Adam Legal Systems is committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This page outlines how we comply with GDPR requirements and your rights as a data subject.

2. Data Controller and Processor Roles

Adam Legal Systems acts in two capacities under GDPR:

As Data Controller

For personal data we collect directly from you (account information, billing details, usage data), Adam Legal Systems is the data controller.

As Data Processor

For personal data you upload to the platform (client information, case data, documents), you are the data controller and Adam Legal Systems acts as your data processor.

Data Protection Officer:
Email: dpo@adamlegalsystems.com

3. Legal Basis for Processing

We process personal data under the following legal bases as defined in GDPR Article 6:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide our services to you
  • Legitimate Interests (Art. 6(1)(f)): Processing for our legitimate business interests, such as improving our services, security, and fraud prevention
  • Legal Obligation (Art. 6(1)(c)): Processing required to comply with legal requirements
  • Consent (Art. 6(1)(a)): Where you have given explicit consent for specific processing activities, including certain AI features

4. AI Processing and GDPR

Adam Legal Systems uses artificial intelligence to provide certain features. Under GDPR, we ensure:

  • Transparency: We inform you when AI is being used to process your data
  • No Automated Decision-Making: We do not make solely automated decisions with legal or significant effects without human oversight (GDPR Article 22)
  • Data Minimization: AI processing uses only necessary data
  • Right to Opt-Out: You can disable AI processing in your account settings
  • Human Review: All AI outputs affecting legal matters require human review

For complete details on our AI practices, please see our AI Policy.

5. Your Rights Under GDPR

As a data subject, you have the following rights:

Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and access to that data, including: the purposes of processing, categories of data, recipients, retention periods, and information about your rights.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data without undue delay. You can update most information directly in your account settings.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data when: it is no longer necessary, you withdraw consent, you object to processing, it was unlawfully processed, or deletion is required for legal compliance.

Right to Restrict Processing (Article 18)

You have the right to request restriction of processing when: you contest data accuracy, processing is unlawful but you oppose erasure, we no longer need the data but you need it for legal claims, or you've objected to processing.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests, including profiling, and to processing for direct marketing purposes at any time.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or significant effects. Our AI features are designed to assist human decision-making, not replace it.

6. Data Processing Agreement

For customers who use Adam Legal Systems to process personal data of their clients (data subjects), we offer a Data Processing Agreement (DPA) that complies with GDPR Article 28 requirements. The DPA includes:

  • Subject matter, duration, nature, and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Sub-processor requirements and list
  • Technical and organizational security measures
  • Data breach notification procedures
  • Data deletion and return upon termination

To request a DPA, contact us at dpo@adamlegalsystems.com.

7. International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU Commission-approved clauses for transfers to third countries
  • Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate protection
  • Binding Corporate Rules: Where applicable for intra-group transfers
  • Supplementary Measures: Additional technical and organizational measures as needed following EDPB recommendations

Our primary infrastructure is located in the United States. We use Standard Contractual Clauses as our primary transfer mechanism and conduct Transfer Impact Assessments as required.

8. Data Security Measures

In accordance with GDPR Article 32, we implement appropriate technical and organizational measures:

  • AES-256 encryption of data at rest
  • TLS 1.3 encryption for data in transit
  • Pseudonymization and anonymization where appropriate
  • Regular security testing and vulnerability assessments
  • Access controls based on the principle of least privilege
  • Multi-factor authentication
  • Comprehensive audit logging
  • Employee security training
  • Incident response procedures
  • Business continuity and disaster recovery plans

9. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours where feasible (Article 33)
  • Document all breaches, including facts, effects, and remedial actions
  • Notify affected data subjects without undue delay if the breach is likely to result in high risk to their rights and freedoms (Article 34)
  • Notify you (as a data controller) immediately if a breach affects data you've entrusted to us

10. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) in accordance with GDPR Article 35 for processing activities that are likely to result in high risk to individuals' rights and freedoms, including:

  • Systematic evaluation of personal aspects (profiling)
  • Large-scale processing of special categories of data
  • Systematic monitoring of publicly accessible areas
  • New technologies that may affect data subjects' rights
  • AI and machine learning implementations

11. Sub-Processors

We use carefully selected sub-processors to help deliver our services. Each sub-processor is bound by data processing agreements requiring GDPR compliance. We maintain an up-to-date list of sub-processors, which is available upon request.

We will provide notice of new sub-processors, and you have the right to object to new sub-processors as specified in your DPA.

12. Exercising Your Rights

To exercise any of your rights under GDPR, please contact our Data Protection Officer:

Data Protection Officer

Email: dpo@adamlegalsystems.com

You can also exercise many rights directly through your account settings, including data export (portability) and account deletion (erasure).

We will respond to your request within 30 days. If we need more time (up to an additional 60 days for complex requests), we will inform you of the reason and extension period within the initial 30 days.

13. Right to Lodge a Complaint

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU member state of your residence, place of work, or where the alleged infringement occurred.

We encourage you to contact us first so we can address your concerns. Our DPO is committed to resolving any issues promptly and fairly.

14. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

  • Account Data: Retained while your account is active, deleted within 90 days of account closure
  • Customer Data: Retained according to your instructions or DPA terms
  • Billing Records: Retained for 7 years for legal and tax compliance
  • Audit Logs: Retained for 7 years for security and compliance
  • Backup Data: Purged within 30 days of primary data deletion

15. Updates to This Policy

We may update this GDPR compliance page to reflect changes in our practices, technology, legal requirements, or regulatory guidance. We will notify you of material changes and encourage you to review this page periodically.

ADAM Legal provides AI-assisted analysis for informational purposes only and does not provide legal advice. Attorney review required.