Data Processing Agreement
Last updated: April 16, 2026
1. Overview
Vaquill AI offers a standard DPA to customers whose firms require one. The DPA is pre-executed by Vaquill AI and available to attach to any paid subscription (Professional, Power, or Enterprise). It governs how Vaquill AI, the service operated by Aralsura Solutions LLP (an India-registered limited liability partnership), processes personal information on behalf of your organization when you use the Service.
The DPA is intentionally tailored for US solo lawyers and firms of 1 to 15 lawyers, straightforward, readable, and not overloaded with AmLaw-enterprise boilerplate. It aligns with the California Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Texas Data Privacy and Security Act (TDPSA), the Utah Consumer Privacy Act (UCPA), the GDPR and UK GDPR (where applicable to EEA or UK data subjects), and incorporates the new EU Standard Contractual Clauses for any cross-border transfers.
2. Key DPA Terms
The DPA is the controlling legal document, this page is a plain-English summary. If the summary and the DPA conflict, the DPA governs.
2.1 Roles of the Parties
Your firm is the “Business” and “Controller” of the personal information processed through the Service. Vaquill AI acts as the “Service Provider” under the CCPA/CPRA and as the “Processor” under the GDPR and US state-law equivalents.
2.2 Purpose of Processing
Vaquill AI processes personal information solely to provide, secure, and support the subscribed Service. We do not use personal information for our own commercial purposes, and we do not combine it with data from other customers or third parties except as strictly necessary to operate the Service.
2.3 Zero-Data-Retention
Vaquill AI and its LLM sub-processors do not retain Customer Content beyond what is needed to deliver a response or to maintain the Service. Our LLM sub-processors (OpenAI and Anthropic) operate under zero-data-retention (ZDR) agreements, meaning prompts and outputs are not persisted on their systems after the response is returned.
2.4 No Training on Customer Data
The DPA contractually commits Vaquill AI and its sub-processors not to use Customer Data or Outputs to train, fine-tune, or improve any AI or machine-learning model.
2.5 US Data Residency
All primary Customer Data is stored and processed in Amazon Web Services (AWS) United States regions. The DPA documents this residency commitment and requires written notice before any change.
2.6 Sub-processors
A current list of authorized sub-processors is available to customers and their counsel on request at contact@vaquill.ai. Vaquill AI will give customers at least 30 days’ advance notice before adding a new sub-processor. Customers who object to a new sub-processor may terminate their subscription as described in the DPA.
2.7 Security Measures
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Logical tenant isolation so one firm’s data cannot be accessed by another firm
- Role-based access controls, MFA for Vaquill AI personnel, and least-privilege permissions
- Administrative and system audit logs
- A documented incident-response program and routine vulnerability management
2.8 Incident Notification
Vaquill AI will notify affected customers without undue delay and, in any event, within 72 hoursof becoming aware of a personal-data breach that affects their Customer Data. Notices are sent to the firm administrator on file and will include the nature of the incident, the categories of data affected, and the remediation steps being taken.
2.9 Consumer & Data-Subject Rights
Vaquill AI will assist Customer in responding to verified requests from consumers and data subjects to access, delete, correct, or port their personal information, as required by CCPA/CPRA, VCDPA, CPA, CTDPA, TDPSA, UCPA, GDPR, and UK GDPR. Assistance is provided at no additional charge within reasonable limits.
2.10 Deletion on Termination
On termination of the subscription, customers have a 30-day window to export Customer Data. After the export window, Customer Data is deleted from production systems and anonymized in backups according to our standard backup-rotation schedule.
2.11 Auditing
Vaquill AI will provide annual third-party audit summaries on request (SOC 2 Type II once available). In the meantime, customers may request a written security-questionnaire response or a summary of our internal security reviews.
2.12 Liability
Liability under the DPA is governed by the Master Subscription Agreement and Terms of Service. The aggregate cap is the greater of (a) the fees paid by the customer in the twelve (12) months immediately preceding the event giving rise to the claim, or (b) one hundred US dollars ($100).
2.13 Governing Law
The DPA is governed by the laws of the State of Delaware, consistent with the Terms of Service.
3. How to Get the DPA
Paid subscribers (Professional, Power, or Enterprise) can request a pre-signed DPA by emailing contact@vaquill.ai. Please include:
- Your firm’s legal entity name (as you want it to appear on the signature block)
- Your firm’s registered business address
- The primary lawyer contact name, title, and email
- The Vaquill AI account email the subscription is associated with
We typically return an executed DPA within 2 business days. There is no additional cost for the standard DPA.
4. Custom Terms
For firms that require bespoke DPA terms, for example, to match a client’s outside-counsel guidelines or a specific industry standard, contact contact@vaquill.ai to discuss. We can accommodate reasonable modifications for annual subscribers, subject to review.
5. Related Documents
The DPA incorporates by reference Vaquill AI’s Privacy Policy and Terms of Service. Please review each document alongside the DPA.
Questions?
Email contact@vaquill.ai and we will route your question to the right person.