Silkworm Data Processing Agreement

Effective date: 26/01/2026
Version: 1.0

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Silkworm Systems Ltd (“Processor”) and the user of the Silkworm platform (“Controller”).

This DPA applies where the Processor processes personal data on behalf of the Controller in the course of providing the Service.

1. Definitions

Terms used but not defined in this DPA have the meanings given in:

• the UK GDPR, and
• the Terms of Service.

“Personal Data”, “Processing”, “Controller”, and “Processor” have the meanings given in UK GDPR.

2. Scope and Roles

2.1 The Controller determines:

• the purposes for which Personal Data is processed, and
• the content of documents uploaded to the Service.

2.2

The Processor processes Personal Data solely on the documented instructions of the Controller, as necessary to provide the Service.

2.3 The parties acknowledge that:

• the Controller is the data controller
• the Processor is the data processor

3. Nature and Purpose of Processing

3.1 Nature of processing

Processing activities may include:

• ingestion, parsing, and analysis of uploaded documents
• extraction and structuring of information
• temporary storage and retrieval
• generation of analytical outputs

3.2 Purpose of processing

Processing is limited to:

• providing the Silkworm Service
• maintaining, securing, and improving the Service (excluding model training on customer data)

4. Categories of Data and Data Subjects

4.1 Data subjects

May include:

• defendants
• complainants
• witnesses
• victims
• legal professionals
• third parties referenced in case materials

4.2 Categories of personal data

May include:

• identity data
• case-related factual information
• procedural information
• communications content

4.3 Special category and criminal offence data

Processing may include:

• data relating to criminal offences and proceedings
• data falling under Article 10 UK GDPR

The Controller confirms it has a lawful basis to process and disclose such data.

5. Processor Obligations

The Processor shall:

5.1 Process Personal Data only on documented instructions from the Controller, unless required by law.

5.2 Ensure that persons authorised to process Personal Data:

• are bound by confidentiality obligations
• receive appropriate data protection training

5.3 Implement appropriate technical and organisational measures to protect Personal Data against:

• unauthorised or unlawful processing
• accidental loss, destruction, or damage

5.4 Not use Personal Data to train general-purpose or cross-customer models.

5.5 Not access Personal Data except:

• to provide the Service
• for security, support, or legal compliance purposes

6. Sub-processors

6.1 The Controller authorises the Processor to engage sub-processors as necessary to provide the Service, including:

• cloud infrastructure providers
• AI model providers
• security and monitoring services

6.2 The Processor shall:

• ensure sub-processors are subject to equivalent data protection obligations
• remain responsible for sub-processor performance

6.3 A current list of sub-processors shall be made available upon request.

7. Data Location and Transfers

7.1 Personal Data is hosted and processed on servers located in the European Economic Area.

7.2 Where international transfers are required:

• appropriate safeguards will be applied
• transfers will comply with UK GDPR requirements

8. Security Measures

The Processor implements measures including, as appropriate:

• access controls and authentication
• encryption in transit and at rest
• logical separation of customer data
• monitoring and incident detection

Further details may be provided upon reasonable request.

9. Personal Data Breaches

9.1 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach.

9.2 The notification shall include, where available:

• the nature of the breach
• likely consequences
• measures taken or proposed

10. Data Subject Rights

The Processor shall:

• assist the Controller in responding to data subject requests
• not respond directly to data subjects unless instructed

Assistance will be provided insofar as reasonably possible given the nature of the Service.

11. Deletion or Return of Data

11.1 Upon termination of the Service, the Processor shall:

• delete or return Personal Data, at the Controller’s option
• unless retention is required by law

11.2 Backup data will be deleted in accordance with normal retention cycles.

12. Audits

12.1 The Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.

12.2 On-site audits are limited to:

• reasonable scope
• reasonable notice
• no more than once per year
• subject to confidentiality obligations

13. Liability

Liability under this DPA is subject to the limitations set out in the Terms of Service.

14. Precedence

In the event of conflict:

• this DPA prevails with respect to data protection matters
• the Terms of Service govern all other matters

15. Governing Law

This DPA is governed by the laws of England and Wales.