Data Processing Addendum

Last updated: June 2026

1. Scope & Roles

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and SIA VisionBridge, a company registered in the Republic of Latvia (registration No. 40203641390), with its registered office at Avotu iela 54B, Rīga, LV-1009, Latvia, operating LegacyBridge ("LegacyBridge"), for the provision of the LegacyBridge services (the "Services"). It governs the processing of Customer Personal Data and applies to the extent such processing is subject to applicable data protection laws, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the California Consumer Privacy Act as amended ("CCPA/CPRA").

  • Customer acts as the controller (or business) of Customer Personal Data
  • LegacyBridge acts as the processor (or service provider) processing that data on Customer's behalf
  • Where Customer is itself a processor, LegacyBridge acts as a sub-processor and these terms apply accordingly
  • In case of conflict, this DPA prevails over the rest of the agreement on matters of data protection

2. Definitions

Capitalized terms not defined here have the meaning given in applicable data protection law. "Customer Personal Data" means personal data contained in documents, screens, credentials, and other data that LegacyBridge processes on Customer's behalf under the agreement. "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", and "Sub-processor" have the meanings given in the GDPR.

3. Processing Instructions

LegacyBridge will:

  • Process Customer Personal Data only on Customer's documented instructions, including as set out in the agreement, this DPA, and Customer's configuration and use of the Services
  • Process Customer Personal Data solely to provide and support the Services, and not for any independent purpose, including no sale or sharing of personal data and no use for our own marketing or model training
  • Notify Customer if, in our opinion, an instruction infringes applicable data protection law (unless legally prohibited from doing so)
  • Comply with applicable data protection law in our role as processor

CCPA/CPRA. To the extent the CCPA applies, LegacyBridge is a "service provider" and certifies that it understands and will comply with the restrictions in this Section: it will not sell or share Customer Personal Data; will not retain, use, or disclose it for any purpose other than the business purposes specified in the agreement, or as otherwise permitted by the CCPA; will not retain, use, or disclose it outside the direct business relationship with Customer; and will not combine it with personal information from other sources except as permitted by the CCPA. Customer may take reasonable steps to ensure LegacyBridge uses personal information in a manner consistent with these obligations.

4. Confidentiality

LegacyBridge ensures that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and are made aware of the confidential nature of the data. Access is limited to personnel who need it to provide the Services.

5. Security Measures

LegacyBridge implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and accidental loss, destruction, or damage, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures are summarized in Annex B and include:

  • Encryption of credentials and sensitive data at rest, and encryption of data in transit (TLS)
  • Tenant isolation and role-based access controls with least-privilege access
  • Per-organization processing isolation and scoped access tokens
  • Audit logging of access and material actions
  • Network controls, including private connectivity to customer systems and IP allow-listing
  • Regular review of access, secrets, and vulnerabilities

6. Sub-processors

Customer provides general authorization for LegacyBridge to engage sub-processors to support the Services. LegacyBridge:

  • Maintains a current list of sub-processors, available on request, which includes infrastructure, storage, and AI model providers used to deliver the Services
  • Imposes data protection obligations on each sub-processor that are no less protective than those in this DPA
  • Remains responsible for the performance of its sub-processors' obligations
  • Will give Customer notice of the addition or replacement of a sub-processor and an opportunity to object on reasonable data protection grounds

7. Data Subject Rights

Taking into account the nature of the processing, LegacyBridge will provide reasonable assistance to Customer, through appropriate technical and organizational measures, to enable Customer to respond to requests from data subjects to exercise their rights (such as access, rectification, erasure, restriction, portability, and objection). If LegacyBridge receives such a request directly, it will, where permitted, advise the data subject to submit it to Customer.

8. Personal Data Breach

LegacyBridge will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to assist Customer in meeting its breach-notification obligations. LegacyBridge will take reasonable steps to mitigate the effects of the breach.

9. Assistance with DPIAs

Taking into account the nature of processing and the information available to it, LegacyBridge will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, where required by applicable data protection law.

10. International Transfers

Where the provision of the Services involves the transfer of Customer Personal Data outside the EEA, UK, or other restricted region to a country without an adequacy decision, the parties will rely on an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated by reference and completed using the details in the Annexes. Customer may configure the processing region available in the Services where offered.

11. Return & Deletion

Upon termination or expiry of the agreement, and at Customer's choice, LegacyBridge will delete or return Customer Personal Data and delete existing copies, unless retention is required by law. Customer may also delete data through the Services during the term. Documents and operational data follow the retention periods described in the agreement and Privacy Policy; transient and log data are deleted on their stated schedules.

12. Audits

LegacyBridge will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. To minimize disruption, audits will be conducted on reasonable prior notice, no more than once per year (except where required by a supervisory authority or following a breach), and may be satisfied by LegacyBridge providing relevant certifications, reports, or summaries of controls.

13. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the agreement.

14. Annexes

Annex A — Details of Processing.

  • Subject matter: provision of AI-assisted legacy-system automation and document processing
  • Duration: the term of the agreement and any period required for return or deletion
  • Nature & purpose: extracting data from documents, entering it into customer systems via terminal automation, and related monitoring and audit
  • Types of personal data: data contained in customer documents and systems, which may include names, identifiers, contact details, account and claim references, and other categories the customer chooses to process
  • Categories of data subjects: the customer's own customers, patients, members, employees, and other individuals whose data appears in processed documents

Annex B — Security Measures. As described in Section 5 and the Security page.

Annex C — Sub-processors. Current list available on request from the contact below.

15. Contact

For questions about this DPA or to request our sub-processor list, contact us at: [email protected]