How Clerk processes your data, in plain language

This page summarises, in plain language, how Clerk processes personal data on your behalf. It is provided for clarity only. It does not modify, replace or override the executed DPA, and it is not itself a binding agreement.

The executed DPA is provided on request and during onboarding, and forms part of your terms of service. Where this summary and the signed DPA differ, the signed DPA prevails.

The DPA is designed to reflect the requirements for a processor relationship under Article 28 of the GDPR. Nothing here is legal advice.

As the law firm, you decide why and how personal data in your matters is processed. Under the GDPR you act as the data controller.

Clerk processes that personal data only on your documented instructions, in order to provide the workspace. In that role Clerk acts as your data processor within the meaning of Article 28 of the GDPR.

Each party is responsible for its own obligations under applicable data protection law. The DPA sets out the processor commitments Clerk makes to you, including confidentiality, security and assistance.

Clerk processes personal data for one purpose: to deliver the agentic legal workspace you have subscribed to, and to act on your instructions within it.

That includes searching Luxembourg jurisprudence, ingesting and analysing case documents, computing procedural deadlines and indemnités, drafting and exporting documents, and supporting collaboration across your firm and matters.

Processing is limited to what is necessary for these services and to your documented instructions as controller. The nature, duration and subject-matter of processing are set out in the DPA.

The categories of personal data processed are determined by the content you bring into the workspace — chiefly the case files, judgments, contracts and correspondence you upload, together with the matters and conversations you create.

Data subjects may include your clients, opposing parties, witnesses and other individuals named in your files, as well as the firm members who use the workspace.

Personal data is anonymised before any AI processing: identifying details are replaced with placeholders, and a person reviews every replacement before processing continues.

The DPA records the technical and organisational measures Clerk applies to personal data.

These include EU data residency for storage and processing; anonymisation of personal data before any AI processing, with human review of every replacement; access enforced at the database row level rather than only hidden in the interface; firm roles and per-matter roles so people see only what they should, with confidential matters hidden even from admins; and an organisation audit log.

Your content is never used to train third-party models. The architecture is built to be GDPR-compliant by design and aligned with the EU AI Act.

Matters, documents and conversations are stored and processed within EU data residency.

Clerk's design keeps processing within the European Union, so routine personal-data transfers outside the EU do not form part of the standard service.

Where any transfer were ever required, the DPA provides for it to be carried out only under a recognised transfer mechanism consistent with the GDPR.

As controller, you remain responsible for responding to data-subject requests — such as access, rectification, erasure, restriction and objection.

Under the DPA, Clerk assists you with appropriate technical and organisational measures, so far as possible, in responding to those requests.

Clerk also provides reasonable assistance with your data protection impact assessments and any prior consultations with a supervisory authority, and supports notification in the event of a personal data breach.

Clerk retains personal data for as long as needed to provide the workspace to you, and in accordance with your instructions as controller.

On termination of the service, and at your choice, Clerk deletes or returns the personal data it processes on your behalf, subject to any retention required by applicable law.

The specific arrangements for return and deletion are set out in the DPA.

For questions about this summary, to request the executed DPA, or to raise a data protection matter, get in touch and we will route your request to the responsible team.

The signed DPA names the relevant contact for data protection enquiries and sets out how requests are handled.