Security and Data Protection

# Assist Mi Legal Privacy Policy Version 1.0 Effective Date: ___________ ## 1. Introduction Assist Mi Legal ("Assist Mi Legal," "Company," "we," "our," or "us") respects your privacy and is committed to protecting information entrusted to us. This Privacy Policy describes how we collect, use, disclose, process, retain, and protect information when you access or use our websites, applications, services, integrations, communications, and related offerings (collectively, the "Services"). Please read this Privacy Policy carefully. ## 2. Scope This Privacy Policy applies to: Website visitors Trial users Subscribers Tenant administrators Attorneys Staff users Connected application users This Privacy Policy does not govern third-party services that may be connected to the platform. ## 3. Information We Collect Account Information We may collect: Name Email address Organization name Job title User role Authentication information Subscription Information We may collect: Subscription details Billing information Payment status Licensing information Payment card information may be processed by third-party payment providers. Assist Mi Legal does not store full payment card information unless explicitly stated. User Content Users may provide: Matter information Documents Notes Communications Emails Contacts Calendar information Tasks Billing entries Uploaded files This information is collectively referred to as "User Content." Connected Application Data When authorized by users, we may receive information from Connected Services, including: Email metadata Calendar events Contacts Documents Matter information Accounting information The information received depends upon permissions granted by the user. Technical Information We may collect: IP address Browser information Device information Operating system information Application logs Diagnostic information Usage Information We may collect information relating to: Features used Pages visited Workflow activity Search activity Configuration settings User interactions ## 4. How We Use Information We may use information to: Provide Services Authenticate users Process requests Operate workflows Deliver AI functionality Improve user experience Maintain security Prevent abuse Provide support Communicate with users Comply with legal obligations ## 5. AI Processing Assist Mi Legal includes AI-powered functionality. Information submitted to the platform may be processed to: Generate summaries Draft content Organize information Categorize communications Generate recommendations Support workflow automation AI-generated output may be reviewed by users and should not be treated as legal advice. Additional information regarding AI usage is described in the AI Use Policy. ## 6. Email Processing If Email Assistant functionality is enabled, information contained within emails may be processed to: Categorize communications Create matters Generate drafts Create tasks Support workflow automation Email processing is governed by applicable platform agreements. ## 7. Legal Basis for Processing Where applicable, we process information based upon: Contractual necessity Legitimate business interests User consent Compliance with legal obligations ## 8. Information Sharing We do not sell personal information. We may share information with: Service Providers Providers assisting with: Hosting Authentication Monitoring Payment processing Email delivery Infrastructure operations Customer support AI Providers Authorized AI service providers used to deliver platform functionality. Connected Services Systems connected by Customer authorization. Legal Requirements When required by law, regulation, court order, or legal process. Business Transactions In connection with mergers, acquisitions, financing events, reorganizations, or sale of assets. ## 9. Data Retention We retain information for as long as reasonably necessary to: Provide Services Comply with legal obligations Resolve disputes Enforce agreements Retention periods may vary based on: Subscription status Regulatory requirements Customer requests Operational needs ## 10. Security We implement commercially reasonable safeguards designed to protect information from unauthorized access, disclosure, alteration, and destruction. No method of transmission or storage is completely secure. Users are responsible for maintaining account security. ## 11. User Rights Subject to applicable law, users may have rights relating to: Access Correction Deletion Restriction Portability Objection to processing Requests may be submitted through available support channels. ## 12. California Privacy Rights California residents may possess additional privacy rights under applicable California law. Assist Mi Legal will respond to qualifying requests in accordance with applicable requirements. We do not sell personal information. ## 13. International Transfers Information may be processed in jurisdictions where Assist Mi Legal or its service providers operate. By using the Services, users acknowledge that information may be transferred and processed outside their state, province, or country of residence. ## 14. Cookies and Similar Technologies Our websites and applications may use: Cookies Session identifiers Authentication tokens Analytics technologies Similar technologies These technologies support functionality, security, performance, and analytics. ## 15. Children's Privacy The Services are intended for business and professional use. The Services are not directed toward children under 13 years of age. We do not knowingly collect personal information from children under 13. ## 16. Changes to this Policy We may update this Privacy Policy from time to time. Material changes will be communicated through reasonable means. Continued use of the Services after updates constitutes acknowledgment of the revised Privacy Policy. ## 17. Contact Information Questions regarding this Privacy Policy may be directed to: Privacy Officer Assist Mi Legal Email: privacy@assistmi.com Address: ___________________________ ## 18. Acknowledgment By accessing or using the Services, you acknowledge that you have reviewed this Privacy Policy and understand how information may be collected, used, disclosed, and protected.

# Assist Mi Legal Third-Party Integration Terms Version 1.0 Effective Date: ___________ ## 1. Purpose These Third-Party Integration Terms ("Integration Terms") govern the use of external services connected to Assist Mi Legal. These terms supplement the: Terms of Service User Agreement AI Use Policy Email Assistant Terms By connecting a third-party service, Customer agrees to these Integration Terms. ## 2. Connected Services Assist Mi Legal may support integration with third-party platforms including, but not limited to: Microsoft 365 Google Workspace Outlook Gmail Microsoft Teams SharePoint OneDrive Google Drive Dropbox Box QuickBooks Clio Zoom RingCentral OpenPhone DocuSign Adobe Sign and future third-party services. These services are collectively referred to as "Connected Services." ## 3. Authorization By connecting a Connected Service, Customer authorizes Assist Mi Legal to: Access authorized data Synchronize authorized records Import information Export information Update information Create records Execute approved workflows within the scope of permissions granted by Customer. ## 4. User Responsibility Customer is responsible for: Reviewing requested permissions Understanding permission scopes Managing connected accounts Managing user access Revoking access when appropriate Customer should only connect services for which it possesses appropriate authority. ## 5. Permission Scopes Connected Services may provide access to: Email Calendars Contacts Documents Matters Billing records Financial records Communication records Assist Mi Legal accesses only information authorized by Customer and supported by the integration. ## 6. Synchronization Activities Connected Services may be used to: Import documents Export documents Synchronize contacts Synchronize calendar items Synchronize matters Synchronize billing records Publish updates Execute workflows Synchronization may be manual, scheduled, or event-driven. ## 7. Third-Party Terms Customer acknowledges that Connected Services are governed by separate agreements between Customer and the third-party provider. Customer remains responsible for complying with: Microsoft terms Google terms Clio terms QuickBooks terms Other applicable provider terms Nothing in this Agreement modifies Customer's obligations to those providers. ## 8. Third-Party Availability Assist Mi Legal does not control Connected Services. Company is not responsible for: Service outages API changes Permission changes Rate limits Provider restrictions Data access limitations Service discontinuations Third-party providers may change functionality without notice. ## 9. Data Accuracy Data synchronized through Connected Services may be: Delayed Incomplete Duplicated Modified Unavailable Customer is responsible for verifying information before relying upon it. ## 10. Connected Service Security Customer is responsible for: Securing connected accounts Managing credentials Managing administrator permissions Monitoring connected applications Compromise of a Connected Service may impact platform functionality. ## 11. Revocation of Access Customer may revoke integration access at any time through: Connected application settings Third-party provider settings Administrative controls Revocation may disable associated functionality. ## 12. Workflow Automation Connected Services may participate in automated workflows. Examples include: Matter creation Calendar synchronization Email processing Document publishing Billing activities Reporting Customer remains responsible for reviewing and approving workflow configurations. ## 13. AI-Assisted Processing Connected Service data may be used by platform features, including AI-powered functionality, to: Organize information Generate summaries Draft communications Suggest actions Create workflows Such use remains subject to the AI Use Policy. ## 14. Confidential Information Customer is responsible for determining whether information synchronized through Connected Services may appropriately be processed through the platform. Nothing in these Integration Terms constitutes legal advice regarding confidentiality, privilege, privacy obligations, or regulatory compliance. ## 15. Compliance Responsibilities Customer remains responsible for: Regulatory compliance Ethical obligations Privacy obligations Data retention requirements Recordkeeping obligations Assist Mi Legal does not guarantee compliance with any particular regulatory framework. ## 16. Suspension Assist Mi Legal may suspend or disable integrations when necessary to: Protect platform security Respond to abuse Comply with provider requirements Address technical issues ## 17. Limitation of Liability Assist Mi Legal is not responsible for damages arising from: Third-party outages API failures Synchronization failures Provider policy changes Provider security incidents Provider service interruptions Customer assumes responsibility for supervising integration usage. ## 18. Acceptance By connecting a third-party service, Customer acknowledges and agrees that: 1. Assist Mi Legal may access authorized data. 2. Synchronization activities may occur. 3. Third-party services are governed by separate agreements. 4. Third-party outages may impact functionality. 5. Customer remains responsible for reviewing synchronized information. 6. Customer remains responsible for compliance obligations. I have read and agree to the Assist Mi Legal Third-Party Integration Terms.

# Assist Mi Legal Data Processing Addendum Version 1.0 Effective Date: ___________ This Data Processing Addendum ("DPA") forms part of the Assist Mi Legal Terms of Service, Enterprise Agreement, or other governing agreement between Customer and Assist Mi Legal. This DPA applies whenever Assist Mi Legal processes Personal Data on behalf of Customer. ## 1. Definitions Customer The organization subscribing to the Services. Controller The entity that determines the purposes and means of processing Personal Data. Processor The entity processing Personal Data on behalf of a Controller. Personal Data Information relating to an identified or identifiable individual. Processing Any operation performed on Personal Data, including collection, storage, organization, retrieval, disclosure, transmission, deletion, or destruction. Subprocessor A third party engaged by Assist Mi Legal to support delivery of the Services. ## 2. Roles Customer acts as Controller of Personal Data submitted to the Services. Assist Mi Legal acts as Processor of such Personal Data. Assist Mi Legal will process Personal Data only: To provide the Services To comply with documented Customer instructions To satisfy legal obligations ## 3. Processing Activities Processing may include: Storage Retrieval Search Organization Workflow automation AI-assisted processing Reporting Synchronization Security monitoring Processing is limited to activities reasonably necessary to provide the Services. ## 4. Customer Instructions Customer instructs Assist Mi Legal to process Personal Data as necessary to: Deliver Services Maintain Services Support integrations Perform authorized workflows Deliver AI-powered functionality Additional documented instructions may be provided by Customer. ## 5. Confidentiality Assist Mi Legal shall ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations. ## 6. Security Measures Assist Mi Legal shall maintain commercially reasonable administrative, technical, and organizational safeguards designed to protect Personal Data. Examples may include: Access controls Authentication controls Encryption in transit Encryption at rest where applicable Audit logging Monitoring Backup procedures Security review processes No system can guarantee absolute security. ## 7. Subprocessors Customer authorizes Assist Mi Legal to engage Subprocessors as reasonably necessary to provide Services. Subprocessors may include providers supporting: Cloud hosting Authentication Email delivery Monitoring Infrastructure AI processing Customer support Assist Mi Legal shall maintain responsibility for Subprocessor compliance consistent with this DPA. ## 8. AI Service Providers Customer acknowledges that AI-powered functionality may utilize third-party AI providers. Such providers may process Customer data solely to provide requested functionality. Use of AI functionality remains subject to: Terms of Service AI Use Policy Applicable agreements ## 9. International Transfers Customer acknowledges that Personal Data may be processed in jurisdictions where Assist Mi Legal or its service providers operate. Assist Mi Legal shall take commercially reasonable measures to support lawful transfers where required. ## 10. Security Incidents Assist Mi Legal shall notify Customer without unreasonable delay upon becoming aware of a confirmed Security Incident affecting Personal Data processed on behalf of Customer. Notification may include: Nature of incident Categories of affected information Known impact Mitigation efforts Recommended actions Notification does not constitute an admission of fault or liability. ## 11. Assistance Where reasonably feasible, Assist Mi Legal will provide information necessary to assist Customer in responding to: Access requests Deletion requests Correction requests Applicable privacy obligations ## 12. Audits Customer may request reasonable information regarding Assist Mi Legal's security practices. Assist Mi Legal may satisfy such requests through: Security documentation Compliance reports Questionnaires Certifications Customer audits shall be reasonable in scope and frequency. ## 13. Data Retention Customer controls retention of Customer data subject to platform functionality and legal obligations. Assist Mi Legal may retain information: As required by law For security purposes For backup purposes For dispute resolution ## 14. Return and Deletion Upon termination of Services and subject to applicable legal requirements: Customer may request export of Customer data. Assist Mi Legal will delete or render inaccessible Customer data within a commercially reasonable period. Certain information may be retained as required by law or operational necessity. ## 15. Liability Liability arising under this DPA shall be governed by the liability provisions contained within the governing agreement. ## 16. Order of Precedence In the event of conflict: 1. Enterprise Agreement or MSA 2. This DPA 3. Terms of Service ## 17. Acceptance Execution of the governing agreement or continued use of Enterprise Services constitutes acceptance of this DPA.

# Assist Mi Legal Security Addendum Version 1.0 Effective Date: ___________ This Security Addendum describes the administrative, technical, and organizational safeguards used by Assist Mi Legal to support the security, confidentiality, integrity, and availability of customer information. This Security Addendum supplements the Terms of Service, Data Processing Addendum, and other applicable agreements. ## 1. Purpose Assist Mi Legal is committed to maintaining a security program designed to protect customer information from unauthorized access, disclosure, alteration, destruction, or misuse. Security controls may evolve over time as threats, technologies, and business requirements change. ## 2. Shared Responsibility Model Security is a shared responsibility between Assist Mi Legal and Customer. Assist Mi Legal Responsibilities Assist Mi Legal is responsible for: Platform security Infrastructure management Application security controls Tenant isolation Authentication controls Monitoring and logging Vendor management Incident response Customer Responsibilities Customer is responsible for: User management Permission management Device security Password management User training Data governance Workflow configuration Review processes ## 3. Hosting Environment Assist Mi Legal utilizes cloud infrastructure providers to operate the Services. Infrastructure may include: Cloud-hosted compute resources Managed databases Managed storage services Networking services Monitoring services Infrastructure providers are selected based on security, reliability, and operational requirements. ## 4. Data Segregation The platform is designed to logically segregate customer information between tenants. Controls are intended to prevent unauthorized access between: Organizations Workspaces Matters Users Tenant isolation controls are regularly reviewed as part of platform development and testing. ## 5. Authentication Access to the platform may be protected through: Username and password authentication Single Sign-On (SSO) Multi-Factor Authentication (MFA) Identity provider integrations Assist Mi Legal strongly recommends MFA for all users. Enterprise customers may require MFA enforcement. ## 6. Authorization and Access Control The platform utilizes role-based access controls designed to restrict access based on business need. Examples include: Administrator roles Attorney roles Staff roles Read-only roles Matter-specific permissions Access should be granted according to the principle of least privilege. ## 7. Matter-Level Security Assist Mi Legal supports controls intended to limit access to information based on matter assignment and authorization. Organizations are responsible for configuring permissions appropriate to their operational requirements. ## 8. Encryption Information may be protected using industry-standard encryption technologies. Data in Transit Communications between users and the platform are protected using encrypted transport protocols. Data at Rest Stored information may be protected through encryption technologies provided by infrastructure providers and platform services. ## 9. Audit Logging Assist Mi Legal maintains audit records relating to platform activity. Examples may include: Authentication events User actions Administrative actions Workflow execution Integration activity Assistant activity Audit records support: Security monitoring Compliance investigations Troubleshooting Operational review ## 10. Monitoring and Detection Assist Mi Legal maintains monitoring capabilities designed to identify: Service disruptions Operational issues Security anomalies Unauthorized access attempts Infrastructure concerns Monitoring technologies may evolve over time. ## 11. Vulnerability Management Assist Mi Legal employs practices intended to identify and address security weaknesses. Examples may include: Security reviews Dependency monitoring Patch management Vulnerability remediation Code review processes Remediation priorities may vary based on risk and operational considerations. ## 12. Application Security Security considerations are incorporated throughout the software development lifecycle. Practices may include: Code review Automated testing Dependency analysis Security-focused development practices Release validation procedures ## 13. Backups and Recovery Assist Mi Legal maintains backup and recovery procedures designed to support service restoration. Backup frequency, retention, and recovery procedures may vary based on operational requirements. No backup system guarantees prevention of all data loss scenarios. ## 14. Business Continuity Assist Mi Legal maintains operational procedures intended to support service continuity during adverse events. Business continuity plans may be updated periodically. ## 15. Incident Response Assist Mi Legal maintains procedures for responding to security incidents. Response activities may include: Investigation Containment Remediation Recovery Customer notification when appropriate ## 16. Security Incident Notification When Assist Mi Legal becomes aware of a confirmed security incident affecting customer information, notification will be provided without unreasonable delay and in accordance with applicable agreements and legal obligations. Notifications may include: Description of the incident Known impact Mitigation efforts Recommended actions ## 17. Personnel Security Personnel with access to customer information are granted access based on business need. Assist Mi Legal may utilize: Confidentiality obligations Security awareness training Access management procedures to support security objectives. ## 18. Vendor Management Assist Mi Legal may utilize third-party providers supporting: Hosting Authentication Email delivery Monitoring Artificial intelligence functionality Infrastructure operations Providers are selected and managed according to operational and security considerations. ## 19. AI Provider Governance Assist Mi Legal may utilize third-party AI providers to deliver AIpowered functionality. Assist Mi Legal seeks to: Limit data sharing to what is necessary Evaluate provider capabilities Monitor provider changes Review provider security practices AI-generated output remains subject to human review requirements. ## 20. Connected Applications The platform may integrate with external services. Customers remain responsible for: Reviewing permissions Managing connected accounts Configuring access appropriately Security of third-party platforms remains the responsibility of those providers. ## 21. Security Requests Enterprise customers may request reasonable security information. Assist Mi Legal may satisfy such requests through: Security documentation Questionnaires Compliance materials Architecture reviews Vendor assessments ## 22. Security Program Evolution Security controls may be modified as technology, threats, regulations, and platform capabilities evolve. Assist Mi Legal reserves the right to improve or replace controls while maintaining appropriate security objectives. ## 23. Contact Information Security inquiries may be directed to: security@assistmi.com or other designated security contact channels. ## 24. Acknowledgment This Security Addendum describes Assist Mi Legal's security practices and forms part of the applicable customer agreement where incorporated by reference.