Data Processing Agreement
1. When Do You Need a DPA?
Under GDPR Article 28, when a company (the “controller”) engages a service provider (the “processor”) to process personal data on its behalf, a Data Processing Agreement must be in place. If your organisation is subject to GDPR and you use Counsel to process personal data of your employees, customers, or other individuals, you need a DPA with us.
A signed DPA is available on request for all paid tiers (Starter, Growth, Scale). Free-tier users can also request a DPA.
2. Our Roles
When you use Counsel, the roles under GDPR Article 28 are as follows:
- You are the data controller. You determine the purposes and means of processing the personal data you enter into Counsel (company context, uploaded documents, consultation questions). You are responsible for having a lawful basis for that processing and for respecting the rights of the individuals whose data you provide.
- Counsel is the data processor. We process personal data only on your instructions (by operating the Service as you direct) and not for our own purposes.
Note: Counsel is an independent controller for the personal data of your workspace members (email addresses, names) used to manage your account and subscription. For this processing, Counsel’s Privacy Policy applies.
3. What We Process on Your Behalf
As your data processor, Counsel may process the following personal data:
- Personal data of individuals mentioned in your company context (e.g., references to employees, customers, or partners by role or name).
- Personal data contained in documents you upload to the Service.
- Personal data included in consultation questions or follow-up context you provide.
Data minimisation recommendation: We recommend that you avoid uploading documents containing unnecessary personal data. Use anonymised or pseudonymised data where possible. The AI agents do not need to know the names of individuals to provide strategic advice — they reason about roles and situations, not named individuals.
4. How We Process It
We process personal data solely for the purpose of providing the Service to you, which includes:
- Storing data in our Convex database (EU, Frankfurt).
- Transmitting relevant context to Anthropic’s API for AI inference during consultations.
- Returning AI-generated recommendations to you.
- Maintaining consultation history in your Decisions Log.
We do not process personal data for any purpose other than providing the Service. We do not sell personal data. We do not use personal data to train AI models.
5. Sub-Processors
Counsel uses the sub-processors listed in our Privacy Policy (Section 4). We ensure that each sub-processor provides sufficient guarantees under GDPR Article 28(4), through:
- Signed DPAs with all sub-processors before processing begins.
- EU Standard Contractual Clauses or Data Privacy Framework certification for transfers to US-based sub-processors.
- Annual review of sub-processor DPA status.
We will notify you of any intended changes to our sub-processor list that may affect the protection of your data, giving you the opportunity to object.
6. Security Measures
We implement the following technical and organisational measures to protect personal data we process on your behalf:
- Encryption in transit (TLS 1.2+) for all data transmissions.
- Encryption at rest (AES-256 via Convex’s infrastructure) for stored data.
- Multi-tenancy isolation: all data is scoped to your workspace and cannot be accessed by other customers.
- Role-based access controls: only authorised workspace members can access your data.
- Audit logging of all sensitive data access and modification events.
- Multi-factor authentication available to all users (configurable in account settings).
7. Data Subject Rights Assistance
We will assist you in responding to requests from individuals exercising their GDPR rights (access, erasure, restriction, portability, rectification) to the extent that the request concerns data we process on your behalf. We will respond to such requests within 5 business days of receiving them from you.
The tools for data export and deletion are available directly in the application (Settings → Data & Privacy), which you can use to fulfil data subject requests without needing to contact us.
8. Breach Notification
In the event of a personal data breach affecting data we process on your behalf, we will notify you without undue delay (and within 72 hours where feasible) with sufficient information for you to notify the relevant supervisory authority and affected individuals as required by GDPR Articles 33 and 34.
9. Duration and Termination
This DPA applies for as long as we process personal data on your behalf under the Terms of Service. On termination of the Service:
- We will delete all personal data we hold on your behalf within 30 days, unless retention is required by law.
- At your request, we will provide a data export (JSON format) before deletion.
10. How to Request a Signed DPA
To receive a signed copy of our DPA (based on the EU Standard Contractual Clauses, Commission Decision 2021/914):
- Email legal@mycounsels.com with the subject line “DPA Request”.
- Include your company name, registered address, and the email address associated with your Counsel account.
- We will send you the DPA document for your review and countersignature.
- We aim to respond within 5 business days.
11. Contact
Data protection queries: legal@mycounsels.com
Counsel · Barcelona, Spain