Steno Data Processing Addendum
Effective as of March 3, 2025
This Data Privacy Addendum (“Addendum”) between Steno (“Steno”, “we”, “us”, or “our”) and the entity using the Steno Services (“Customer”, “you”, or “your”), amends the current version of the agreement or terms and conditions between you and us (the “Agreement”). Steno and Customer are together referred to herein as the “Parties.” If any terms of this Addendum conflict with any terms of the Agreement, the terms of this Addendum govern.
1. Scope. In connection with the services we provide you under the Agreement (“Services”), you may provide to us Personal Information of End Users that you authorize to use the Services through your account (e.g., paralegals, legal assistants), clients, and other individuals. This Addendum governs how we Process such Personal Information and our security requirements with respect to such Personal Information.
2. Definitions.
- “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Information, including without limitation, to the extent applicable, the EU General Data Protection Directive as well as the equivalent implementations in EU member states, the UK, and Switzerland (“GDPR”); the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); and similar privacy laws in effect in any other U.S. states. If our Processing activities involving Personal Information are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Addendum. For example, if a Data Privacy Law applies to only residents of a certain state, our obligations under this Addendum that relate to such Data Privacy Law will only apply to Data Subjects who are residents of that state.
- “Data Subject” means an identified or identifiable natural person about whom Personal Information relates.
- “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth in Section 10 below.
- “Personal Information” includes “personal information,” “personal data,” and “personally identifiable information” that you provide to us about Data Subjects pursuant to the Agreement and such terms will have the same meaning as defined by applicable Data Privacy Laws.
- “Process” and “Processing” mean any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information of one or more Data Subjects.
- “Subprocessor” means a party other than Customer or Steno, who assists Steno in providing the Services.
- “Third Party” means an entity that is not Steno or Customer.
- “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).
3. Scope and Purposes of Processing. We will Process any Data Subject’s Personal Information: (a) to fulfill our obligations to you under the Agreement, including this Addendum; (b) on your behalf and per any written instructions you provide us; and (c) in compliance with applicable Data Privacy Laws.
4. Personal Information Processing. Steno will:
- Ensure that the persons we authorize to Process Personal Information are bound to confidentiality obligations and comply with all applicable provisions of Data Privacy Laws;
- Upon your written request, provide you reasonable assistance in fulfilling your obligation to respond to bona fide requests from Data Subjects to exercise their rights under Data Privacy Laws (e.g., access or deletion requests);
- Promptly notify you of any bona fide requests for access to or information about our Processing of any Data Subject’s Personal Information on your behalf, unless prohibited by Data Privacy Laws;
- Provide you reasonable assistance in connection with fulfilling your obligations required by applicable Data Privacy Laws to the extent they involve our Processing of Personal Information;
- Not “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable Data Privacy Laws) any Personal Information;
- Not retain, use, or disclose Personal Information outside of the direct business relationship between you and us;
- Not attempt to (i) re-identify any de-identified, anonymized, or aggregate Personal Information, or (ii) link or otherwise create a relationship between Personal Information and non-Personal Information or any other information, without your express written permission;
- Comply with any applicable restrictions under applicable Data Privacy Laws on combining Personal Information with personal information that we receive from, or on behalf of, another person or persons, or that we collect from any interaction between us and any individual; and
- Promptly notify you if we determine that (i) we can no longer meet our obligations under this Addendum or applicable Data Privacy Laws; or (ii) in our opinion, an instruction from you infringes applicable Data Privacy Laws.
- You shall provide Personal Information for the purposes of the Addendum in compliance with Data Privacy Laws.
- You shall notify Steno promptly of any known or suspected unauthorized access to the Services. You will assist Steno in any efforts by Steno to investigate and respond to any unauthorized access.
6. Data Security. We will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Information consistent with industry standards. For example: (a) reasonable technical and organizational measures to protect against unauthorized or unlawful processing of such Personal Information and accidental loss of or damage to such Personal Information; (b) physical access controls; (c) data access and data transfer controls; (d) internal and external vulnerability scans; and (e) incident response procedures. You have the right to take reasonable and appropriate steps to stop and remediate unauthorized Processing of Personal Information.
7. Security Breach. We will notify you promptly following our confirmation of any Security Breach. We will comply with the Security Breach-related obligations directly applicable to us under Data Privacy Laws and will assist you in your compliance with your Security Breach-related obligations, including (a) taking reasonable steps to mitigate the adverse effects of the Security Breach, and (b) providing you information, to the extent known, about the nature of the Security Breach, the likely consequences of the Security Breach, and the measures we have taken to address the Security Breach.
8. Subprocessors. You acknowledge and agree that we may use affiliates and Subprocessors to Process Personal Information in accordance with the provisions within this Addendum and Data Privacy Laws, provided we are responsible for their compliance with the relevant obligations of this Agreement (including this Addendum). If we engage any Subprocessors to Process Personal Information, we will:
- Take reasonable steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures;
- Enter into a written contract requiring each Subprocessor to comply with obligations that are no less restrictive than those imposed on us under this Addendum; and
- Maintain an up-to-date list of Subprocessors available upon request. Where required by applicable Data Privacy Laws, we will provide you with reasonable notice of any new Subprocessors added to the list prior to transferring or making available Personal Information to such new Subprocessors. In the event you object to a new Subprocessor, we will cooperate in good faith to resolve the objection.
9. Audits. We will make available to you all information necessary to demonstrate compliance with this Addendum and will allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, and that is not reasonably objected to by us; provided that such audit shall occur not more than once every twelve (12) calendar months, upon reasonable prior written notice, and to the extent our personnel are required to cooperate therewith, only during our normal business hours.
10. Data Transfers.
- We will not engage in any cross-border Processing of Personal Information, or transmit, directly or indirectly, any Personal Information to any country outside of the country from which such Personal Information was collected, without complying with applicable Data Privacy Laws. Where we engage in an onward transfer of Personal Information, we will ensure that a lawful data transfer mechanism is in place prior to transferring Personal Information from one country to another.
- To the extent legally required, by signing this Addendum, the Parties are deemed to have signed the EU SCCs, which form part of this Addendum and (except as described in Section 10(c) and (d) below) will be deemed completed as follows: Module 2 of the EU SCCs applies to transfers of Personal Information from you (as a controller) to us (as a processor); Clause 7 (the optional docking clause) is included; Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization); Under Clause 11 (Redress), the optional language regarding an independent dispute resolution body shall not be deemed to be included; Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights) and the Parties select the laws of Ireland; Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland; Annex I(A) and I(B) (List of Parties) is as provided in the Agreement; Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission; and Annex II (Technical and organizational measures) is as provided in Section 6 above.
- With respect to Personal Information transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the UK SCCs form part of this Addendum and take precedence over the rest of this Addendum as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows: (i) the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer; (ii) the Key Contacts shall be the contacts provided in the Agreement; (iii) the Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties; (iv) Annex 1A, 1B, II, and III shall be as set forth in the Agreement and this Addendum; (v) either Party may end this Addendum as set out in Section 19 of the UK SCCs; and (vi) by entering into this Addendum, the Parties are deemed to be signing the UK SCCs and agree that the Addendum will be governed by the laws of England and Wales and enforced by the courts and relevant supervisory authorities in England and Wales.
- For transfers of Personal Information that are subject to the FADP, the EU SCCs form part of this Addendum as set forth in Section 10(b) of this Addendum, but with the following differences to the extent required by the FADP: (i) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (ii) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (iii) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
11. Term; Survival; Return or Destruction of Personal Information. The effective date of this Addendum is the date of the Agreement. The provisions of this Addendum survive the termination or expiration of the Agreement for so long as we or our Subprocessors Process any Data Subject’s Personal Information. Upon your written request at termination of the Agreement, we will (a) return and/or securely destroy all Personal Information in our possession, except to the extent required otherwise by Data Privacy Laws, and (b) certify our compliance with this Section.