Enterprise Legal

Data Processing Agreement

We process zero data. There is nothing to agree about. But here's the DPA anyway, because your procurement team needs a PDF to put in the folder.

Last updated: February 1, 2026

The Shortest DPA in Legal Tech

Most DPAs are 20+ pages of legal language governing how a vendor handles your data on their servers, what sub-processors they use, how they protect data in transit, and what happens during a breach.

FrameCounsel processes zero data on our servers. All processing occurs entirely on your local device. There are no sub-processors, no cloud storage, no data transfers, no cross-border data flows, and no server-side processing of any kind. This makes the entire DPA almost absurdly simple: we don't touch your data, so there's very little to regulate.

The Honest Version

If we could write a DPA that just said “We don't process your data. Full stop. Signed, FrameCounsel,” we would. But procurement teams need a real document with real sections and real legal language. So here it is — a proper DPA that happens to say “not applicable” to most of the things DPAs normally cover. We consider this a feature, not a bug.

1. Definitions

1.1 “Agreement” means the underlying service agreement, license agreement, or terms of service between FrameCounsel and the Customer governing Customer's use of the Software.

1.2 “Customer” (also referred to as “Controller”) means the entity that has entered into the Agreement with FrameCounsel.

1.3 “Customer Data” means any personal data, case files, video evidence, transcriptions, analysis results, or other data processed by the Software on the Customer's local device.

1.4 “Data Protection Laws” means all applicable data protection and privacy legislation, including but not limited to the EU General Data Protection Regulation (GDPR) (Regulation 2016/679), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and any other applicable state, federal, or international data protection laws.

1.5 “FrameCounsel” (also referred to as “Processor”) means FrameCounsel and its affiliated entities.

1.6 “Personal Data” has the meaning given to it under applicable Data Protection Laws.

1.7 “Processing” has the meaning given to it under applicable Data Protection Laws and includes any operation performed on Personal Data.

1.8 “Software” means the FrameCounsel desktop application, including all AI models, analysis engines, and related components installed on the Customer's local device.

1.9 “Sub-processor” means any third party engaged by FrameCounsel to process Customer Data on behalf of the Customer.

2. Scope of Processing

The Key Fact

FrameCounsel does not process Customer Data on any server, cloud infrastructure, or system outside the Customer's local device. We have zero access to your data. We have zero ability to access your data. This is not a policy — it is an architectural constraint.

2.1 FrameCounsel does not process Customer Data on any server, cloud infrastructure, or system outside the Customer's local device. All data processing occurs entirely on hardware owned and controlled by the Customer.

2.2 The Software performs the following processing activities exclusively on the Customer's local device:

Video file analysis (frame-by-frame object detection, motion analysis)
Audio transcription using on-device MLX Whisper models
Face recognition using on-device ArcFace models
Natural language processing for contradiction detection
Report generation and export
Encrypted local storage of project files (AES-256)

2.3 FrameCounsel has no access to or knowledge of any data subjects whose data may be processed locally by the Customer.

2.4 All Personal Data remains exclusively on the Customer's local device at all times.

3. Controller and Processor Obligations

3.1 Customer Obligations (as Controller)

The Customer, as the data controller, is solely responsible for:

Ensuring a lawful basis for processing Personal Data using the Software
Complying with all applicable Data Protection Laws in its jurisdiction
Implementing appropriate access controls on the device running the Software
Maintaining backups and managing data retention in accordance with organizational policies
Fulfilling data subject rights requests, as FrameCounsel has no access to Customer Data

3.2 FrameCounsel Obligations (as Processor)

FrameCounsel commits to:

Maintaining the on-device architecture such that no Customer Data is transmitted to FrameCounsel servers or any third party
Not accessing, collecting, or processing Customer Data for any purpose
Providing Software that implements AES-256 encryption for all locally stored project files
Ensuring the Software contains no telemetry, analytics, or data transmission capabilities
Providing reasonable assistance to the Customer in responding to data subject requests and regulatory inquiries, to the extent applicable

4. Sub-processors

Zero Sub-processors

FrameCounsel engages ZERO sub-processors. None. Not one. All data processing occurs exclusively on the Customer's local device using AI models bundled with the Software. There is no third party in the picture. This is the section of the DPA that usually runs for pages. For us, it's one word: none.

4.1 FrameCounsel does not engage any sub-processors for the processing of Customer Data. No Customer Data is transmitted to, processed by, or stored on any third-party infrastructure.

4.2 FrameCounsel does not use cloud AI services (including but not limited to OpenAI, Google, Anthropic, or Amazon Web Services) for any processing of Customer Data.

4.3 In the event FrameCounsel intends to engage any sub-processor in the future, FrameCounsel will provide the Customer with at least 30 days' prior written notice. The Customer will have the right to object.

5. Data Subject Rights

5.1 Because FrameCounsel has no access to Customer Data, the Customer is solely responsible for responding to data subject requests.

5.2 FrameCounsel will provide reasonable technical documentation and support to assist the Customer in fulfilling data subject requests, to the extent such requests relate to the functionality of the Software.

5.3 The Software provides built-in capabilities for data management, including project deletion, selective file removal, and export functionality.

6. Security Measures

6.1 FrameCounsel implements the following technical measures within the Software:

Encryption at rest: AES-256 encryption for all project files stored on the local device
Air-gapped operation: Zero network connectivity required or used during data processing
Chain of custody: SHA-256 cryptographic hashing for evidence integrity verification
Audit logging: Tamper-evident logging of all operations with cryptographic signatures
Code signing: Apple Developer ID code signing and notarization
Sandboxed execution: Hardened Runtime environment on macOS
Memory safety: Core engine written in Swift with memory-safe patterns; sensitive data zeroed after use

6.2 The Customer is responsible for implementing physical security, device access controls, and network security on the hardware running the Software.

7. Breach Notification

7.1 Because FrameCounsel does not process or store Customer Data on its systems, the risk of a data breach originating from FrameCounsel's infrastructure is effectively zero. However, in the unlikely event of a security incident affecting the Software itself (such as a vulnerability in the application code), FrameCounsel commits to:

72-hour notification: FrameCounsel will notify affected Customers within 72 hours of becoming aware of any security incident
Incident details: Notification will include the nature of the incident, affected components, potential impact, and remediation steps
Remediation: FrameCounsel will provide a security patch as soon as reasonably practicable
Cooperation: FrameCounsel will cooperate with the Customer and relevant regulatory authorities

7.2 The Customer is responsible for detecting, reporting, and responding to any data breaches affecting their local device or network infrastructure.

8. Data Deletion and Return

8.1 All Customer Data resides exclusively on the Customer's local device. Data deletion and return are entirely within the Customer's control. There is nothing for FrameCounsel to delete or return, because we never had it.

8.2 The Software provides complete project deletion with secure file removal, selective deletion, and data export in standard formats.

8.3 Uninstalling the Software does not delete project data stored on the Customer's device.

8.4 FrameCounsel has no data to delete or return upon termination, as it never possesses Customer Data.

9. Audit Rights

9.1 The Customer has the right to audit FrameCounsel's compliance with this DPA.

9.2 The simplest audit method: run the built-in network activity monitor and verify zero data transmission during operation. If you want to go further, use any external packet sniffer.

9.3 Additional audit methods include review of security documentation, third-party penetration test results, and on-site or remote audit with reasonable advance notice.

9.4 Audits shall be conducted at the Customer's expense, with minimum 30 days notice, no more than once per twelve-month period unless required by a regulatory authority.

10. International Data Transfers

No International Transfers

Your data is on your machine. It doesn't cross any border. This section exists because DPAs are supposed to have it. For FrameCounsel, it's not applicable.

10.1 FrameCounsel does not transfer Customer Data internationally or to any jurisdiction outside of the Customer's local device. There are no cross-border data flows.

10.2 Standard Contractual Clauses and similar transfer mechanisms are not applicable, as no data transfer occurs.

11. Liability

11.1 Each party's liability under this DPA shall be subject to the limitations set forth in the Agreement.

11.2 FrameCounsel's liability is limited to ensuring the Software functions as described: local-only processing, no data transmission, encryption at rest.

11.3 The Customer bears sole responsibility for the security of their local device, network environment, physical access controls, and compliance with applicable Data Protection Laws.

12. Term and Termination

12.1 This DPA remains in effect for the duration of the Agreement and terminates automatically upon termination of the Agreement.

12.2 Provisions that by their nature should survive termination (including Sections 8, 9, and 11) shall survive.

12.3 Either party may terminate this DPA immediately upon written notice if the other party materially breaches and fails to cure within 30 days.

13. Governing Law

13.1 This DPA shall be governed by the laws specified in the Agreement.

13.2 Where the Agreement does not specify governing law, this DPA shall be governed by the laws of the State of California.

13.3 To the extent this DPA conflicts with the Agreement, this DPA shall prevail with respect to data protection and privacy matters.

Request a Signed DPA

Need a signed copy for your procurement folder? Our legal team will execute a signed DPA within two business days. It will be the shortest DPA your procurement team has ever read.

Request Signed DPA Security Architecture

Contact

For questions about this Data Processing Agreement, contact:

FrameCounsel Legal & Data Protection

Email: legal@framecounsel.com

DPA Requests: dpa@framecounsel.com