Data processing agreement
How we process data on behalf of institutional subscribers.
Last updated: March 2026
Overview
This Data Processing Agreement (“DPA”) applies where Caribbean JURIST processes personal data on behalf of a Subscriber (the “Data Controller”) in the course of providing the JURIST platform. This DPA supplements the Terms of Use and ensures compliance with the Jamaica Data Protection Act 2020 and applicable data protection legislation.
1. Scope of processing
Caribbean JURIST processes personal data only to the extent necessary to provide Platform services. This includes processing queries containing personal data, delivering AI-generated research outputs, account management, and security and fraud prevention.
2. Controller obligations
The Controller warrants that:
- It has all necessary legal bases and consents for processing personal data through the Platform;
- Personal data submitted has been collected lawfully; and
- It has provided all required notices to data subjects whose data will be processed.
3. Processor obligations
Caribbean JURIST shall:
- Process personal data only on the documented instructions of the Controller;
- Ensure persons authorised to process data are subject to confidentiality obligations;
- Implement appropriate technical and organisational security measures;
- Assist the Controller in responding to data subject requests;
- Delete or return all personal data upon termination of the subscription; and
- Make available information necessary to demonstrate compliance.
4. Sub-processors
The Controller provides general authorisation for Caribbean JURIST to engage sub-processors. Current sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA |
| Anthropic | AI model inference | USA |
| Voyage AI | Text embedding | USA |
| Resend | Transactional email | USA |
Caribbean JURIST will notify the Controller of any intended changes to sub-processors at least thirty (30) days in advance and provide an opportunity to object on reasonable data protection grounds.
5. Security measures
Caribbean JURIST implements appropriate measures including: encryption (TLS 1.2+ in transit, encryption at rest), role-based access control, Row-Level Security for tenant isolation, MFA for administrative access, security event logging, and documented incident response procedures.
6. Data breach notification
Caribbean JURIST will notify the Controller of any personal data breach within forty-eight (48) hours of becoming aware, and cooperate in investigating, remediating, and fulfilling notification obligations.
7. Data subject rights
Caribbean JURIST will assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection). Direct requests from data subjects will be forwarded to the Controller.
8. Audit rights
The Controller may conduct an audit of Caribbean JURIST's data processing activities upon thirty (30) days' written notice, during business hours, subject to reasonable confidentiality obligations.
9. Termination
Upon termination of the subscription, Caribbean JURIST will delete or return all personal data within thirty (30) days at the Controller's election. Data may be retained only where required by applicable law.
10. International transfers
Where personal data is transferred outside Jamaica, appropriate safeguards are implemented, including contractual clauses requiring adequate data protection standards.
11. Request a copy
For a signed copy of this Data Processing Agreement, or for questions, contact us at admin@juristpro.ai.