Legal & Compliance

Data Processing Addendum

Last updated: 10 May 2026 · Effective date: 10 May 2026

1. Background and scope

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Agreement”) between Big Berri Limited (company number 16562429), trading as Writford (“Writford”, “we”, “us”), and the customer that accepts the Agreement (“Customer”, “you”).

This DPA applies to the processing of Customer Personal Data by Writford as a processor acting on behalf of the Customer. To the extent of any inconsistency between this DPA and the Agreement, this DPA prevails for the subject matter of processing of personal data.

This DPA is incorporated into and forms part of the Terms of Service. By accepting the Terms of Service, the Customer also accepts this DPA. No separate signature is required; acceptance of the Terms of Service constitutes acceptance of this DPA in accordance with UK GDPR Article 28(9), which permits contracts to be concluded “in another electronic form.”

2. Definitions

The following terms have the meanings given to them in the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018:

  • “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” and “Special Categories of Personal Data” have the meanings given in the UK GDPR.
  • “Customer Personal Data” means personal data that the Customer (or its end users) submits to or which is generated through the Customer's use of Writford.
  • “Sub-processor” means any third party engaged by Writford to process Customer Personal Data on Writford's behalf.
  • “Applicable Data Protection Laws” means UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), and any binding regulator guidance issued by the Information Commissioner's Office (“ICO”).

3. Roles of the parties

For Customer Personal Data submitted by or through the Customer (including chat messages, matter facts, uploaded documents and the AI responses returned about that content), the Customer is the Controller and Writford is the Processor.

Writford is itself a Controller of personal data that it determines the purposes and means for, such as account registration data, billing and contact data, security and audit logs, and aggregated platform metrics. The processing of that data is governed by the Privacy Policy rather than this DPA.

4. Subject matter, duration, nature and purpose of processing

Subject matter. Provision of the Writford services: AI-assisted UK legal research, drafting, document analysis and matter management features described in the Agreement.

Duration. The term of the Agreement, plus any subsequent return or deletion period set out in clause 11 below.

Nature and purpose. Hosting, storing, retrieving, transmitting, searching, displaying and AI-processing Customer Personal Data so the Customer can deliver legal services to its own clients. Writford does not use Customer Personal Data for its own product development, marketing or AI model training.

Categories of Data Subjects. Customer's personnel; the Customer's own clients and counterparties to the extent the Customer chooses to submit such information; witnesses, judges, opposing solicitors and other persons named in matter documents.

Categories of Personal Data. Identifiers (names, email addresses), contact details, matter narratives, drafts and uploaded documents, AI conversation history, and other personal data which the Customer chooses to submit. Customers are encouraged to minimise the personal data they submit; see clause 6.4.

Special category data. Customer is responsible for ensuring it has a lawful basis under UK GDPR Article 9 for any special-category personal data it chooses to submit (for example health, criminal-offence or trade-union data in matter facts). Writford does not require special-category data to deliver the service.

Special category data that may foreseeably appear in matter documents submitted by solicitors includes: health data (in personal injury, clinical negligence or mental-health tribunal matters); criminal conviction or offence data (in criminal proceedings or DBS-related matters); and trade union membership data (in employment proceedings). If a Customer anticipates systematic or large-scale processing of Article 9 data through the Service, they should notify Writford at info@writford.co.uk so that appropriate supplementary measures can be agreed.

5. Customer's instructions and obligations

Customer instructs Writford to process Customer Personal Data only:

  1. to provide and maintain the Writford services in accordance with the Agreement and the Customer's configured account settings;
  2. as documented in any written and reasonable instruction given by the Customer (including via support requests);
  3. as required to comply with Applicable Data Protection Laws or other binding UK law.

Customer warrants that it has a valid lawful basis under UK GDPR Article 6 (and, where relevant, Article 9) for the processing it directs Writford to perform; that it has provided any required notices to its end users and clients; and that it will not submit personal data which it has no lawful basis to disclose.

6. Writford's processor obligations

Writford will:

  1. Documented instructions. Process Customer Personal Data only on the documented instructions of the Customer, except where required by UK law (in which case Writford will, where legally permitted, inform the Customer of that legal requirement before processing).
  2. Confidentiality. Ensure that personnel authorised to process Customer Personal Data are bound by appropriate contractual or statutory confidentiality obligations.
  3. Security. Implement appropriate technical and organisational measures as described in clause 8 and in the Security page.
  4. Sub-processors. Engage Sub-processors only on terms which comply with this DPA, as described in clause 9.
  5. Assistance with data-subject requests. Provide reasonable assistance to the Customer in responding to UK GDPR data-subject rights requests (access, rectification, erasure, restriction, portability and objection), taking into account the nature of the processing.
  6. Assistance with DPIAs and prior consultation. Provide reasonable assistance to the Customer with data protection impact assessments and prior consultation with the ICO where required under UK GDPR Articles 35 and 36.
  7. Personal data breach. Notify the Customer without undue delay (and in any event within seventy-two (72) hours of becoming aware) of any personal data breach affecting Customer Personal Data, with the information required by UK GDPR Article 33(3) to the extent then known.
  8. Deletion or return. At the Customer's choice, return or delete Customer Personal Data at the end of the provision of services, in accordance with clause 11.
  9. Audit and information. Make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, as described in clause 10.

7. Confidentiality and solicitor privilege

Writford recognises that Customer Personal Data may include information which is subject to legal professional privilege and the confidentiality duty in paragraph 6.3 of the SRA Code of Conduct. Writford's personnel are bound by written confidentiality obligations that survive termination of their engagement with Writford and that expressly extend to such material.

8. Security measures

Writford implements appropriate technical and organisational measures designed to provide a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing. These measures include (without limitation):

  • encryption of Customer Personal Data in transit using TLS 1.2+ and at rest using provider-managed encryption keys (AWS S3, MongoDB Atlas);
  • access control on a need-to-know basis, role-based authorisation, and multi-factor authentication for production administrative access;
  • structured audit logging of access to production systems;
  • secrets management via the hosting provider's key store rather than source-code or shared media;
  • regular updates of operating-system, library and dependency components;
  • backup and disaster-recovery procedures consistent with the hosting provider's standard offering;
  • a documented incident-response procedure (see clause 6.7).

Detailed and current security commitments are maintained on the Security page; that page is incorporated by reference into this DPA.

9. Sub-processors

The Customer provides a general written authorisation to Writford to engage Sub-processors to perform processing activities on Customer Personal Data, subject to the conditions in this clause.

Writford maintains a current list of Sub-processors at /sub-processors, including identity, purpose, data categories and processing location. Writford will give the Customer notice (by updating that page and, for account administrators on a paid plan, by email) at least thirty (30) days before adding or replacing a Sub-processor.

For each Sub-processor, Writford will impose data-protection obligations in writing that are no less protective than those in this DPA. Writford remains fully liable to the Customer for the performance of its Sub-processors under this DPA.

If the Customer reasonably objects to a new Sub-processor on data-protection grounds, the Customer and Writford will discuss the objection in good faith. If the parties cannot reach a resolution, the Customer's sole remedy is to terminate the affected service within thirty (30) days of the objection notice in accordance with the Agreement, without prejudice to the Customer's rights under Applicable Data Protection Laws.

10. Audit rights

Writford will make available to the Customer, on written request, information reasonably necessary to demonstrate compliance with this DPA. This typically comprises Writford's policy and security documentation, the public Security page, and the most recent third-party certifications (where any) or self-assessment summaries from Writford's hosting and AI providers.

Where the Customer is required to perform an on-site audit under Article 28(3)(h) UK GDPR, the parties will discuss in good faith the scope, timing and confidentiality of such audit. Audits will be at the Customer's expense, subject to reasonable advance notice (no less than thirty (30) days), conducted during normal business hours, and conducted in a manner that does not interfere with Writford's normal business operations or with the data of other customers.

11. Return or deletion of Customer Personal Data

At the Customer's written request made within thirty (30) days after termination or expiry of the Agreement, Writford will either (i) make Customer Personal Data available to the Customer for export in a structured, commonly-used and machine-readable format, or (ii) delete Customer Personal Data from Writford-controlled production systems.

If no request is received within that thirty (30) day window, Writford will delete Customer Personal Data from production systems within a further ninety (90) days, save for personal data that Writford is required to retain to comply with Applicable Data Protection Laws or other binding UK law (in which case it will be retained only as long as required and subject to continuing security obligations). Backups containing Customer Personal Data are overwritten in line with the hosting provider's rolling backup cycle.

12. International transfers

Writford is established in the United Kingdom. All production hosting, AI processing, and database services operate within the AWS London region or EU region. Customer Personal Data does not leave the UK or EEA during normal processing.

Where the Customer's use of Writford triggers a restricted transfer of Customer Personal Data outside the United Kingdom (for example, when a Sub-processor operates from outside the United Kingdom), Writford relies on one or more of the following safeguards: (a) the recipient country is the subject of UK adequacy regulations; (b) the parties enter into the International Data Transfer Agreement issued by the ICO, or the EU Standard Contractual Clauses as supplemented by the UK Addendum; or (c) another transfer mechanism permitted under UK GDPR.

The current location of each Sub-processor is recorded in the Sub-Processor List.

13. Liability and indemnity

Each party's liability arising from or in connection with this DPA, whether in contract, tort (including negligence), or otherwise, is subject to the limitations and exclusions of liability set out in the Agreement.

14. Term and termination

This DPA takes effect on the effective date of the Agreement and continues until the Agreement is terminated or expires. Termination of the Agreement automatically terminates this DPA, save for any obligations which by their nature should survive termination (including clauses 7, 8, 11, 12 and 13).

15. Governing law and jurisdiction

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, subject to the right of either party to seek interim or injunctive relief in any court of competent jurisdiction.

16. Contact

Questions about this DPA, requests for the executable form, or notifications under clause 6.7 should be sent to info@writford.co.uk.


This DPA forms part of the Terms of Service and takes effect on the date you accept those Terms. Where the Customer requires a separately signed version, or an International Data Transfer Agreement or UK Addendum to the EU SCCs, please contact info@writford.co.uk.