Data Processing Agreement (DPA)
Last revised: 2026-05-02
These are the key clauses of the standard personal data processing entrustment contract that the Company (MeshLaw) and the Member (law firm / legal team) enter into under the applicable data protection law. The official contract is sent as a PDF for legal review upon inquiry, and the form may be partially modified after review by the Member’s legal team.
The purpose is to set out the matters required under the applicable data protection law and its enforcement decree regarding the processing of personal data that the Company (the entruster) entrusts to the Member (the processor).
All processing tasks for providing the MeshLaw service, including storage, indexing, AI analysis, and e-litigation integration support of the Member’s case materials (matters).
Case materials, client information, attorney verification information, service usage logs, and the like, entered or uploaded by the Member. As for the retention period, data is permanently deleted within 90 days after the Member withdraws or the entrustment contract ends.
The Company does not sub-entrust the entrusted work to a third party without the Member’s prior written consent. However, infrastructure providers disclosed in advance at the time this contract is entered into (such as AWS Korea, Microsoft Azure Korea, and external AI model providers) are exceptions.
TLS 1.3 encryption in transit, AES-256 encryption at rest, separate encryption of sensitive fields such as resident registration numbers, per-entity data isolation (Row-Level Security), access control and audit logs, daily backups, and 7-day PITR guarantee.
External model calls for AI inference are made only under a ZDR addendum; after inference, user data is not retained in the provider’s systems and is not used to train models.
The Company notifies the Member within 24 hours of becoming aware of a personal data breach and reports it to the Personal Information Protection Commission and KISA in accordance with the applicable data protection law. It provides a report including the cause, scale of harm, and recovery measures.
The Member may request an inspection of the performance of this contract at least once a year, and the Company cooperates with the inspection. The Company’s KISA ISMS-P certification materials (once obtained) may substitute for the inspection.
Upon contract termination, the Member may request a data export (PDF, CSV, JSON) within 30 days. All copies (including backups) are permanently deleted within 90 days after termination, and a deletion certificate is issued.
The Company bears liability for damages under applicable laws for personal data breaches caused by the Company’s intent or gross negligence. The Company is not liable for incidents attributable to the Member or caused by force majeure such as natural disasters.
Addenda such as the ZDR addendum are included in the official form. This page is a preview; a legally binding contract is formed upon execution of the official PDF form.
A PDF form for legal-team review. Upon inquiry, our sales team sends it within one business day.
Request →A detailed document on encryption, access control, audit logs, and incident response procedures.
Security page →