The Subscriber agrees that they are a Data Controller and that LEAP is a Data Processor for the purposes of processing Personal Data. The Subscriber shall at all times comply with the GDPR in connection with the processing of Personal Data. The Subscriber shall ensure all instructions given by it to LEAP in respect of Personal Data shall at all times be in accordance with the GDPR.
2.1 LEAP, acting as the Data Processor, shall process Personal Data in compliance with the obligations placed on it under the GDPR. LEAP shall:
(a) act only on instructions from the Subscriber or the Regulator in respect of any Personal Data processed by LEAP;
(b) have technical and organisational measures in place, having regard to the state of technological development and the cost of implementing any measures, against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by it, appropriate to the harm that might result from such unauthorised or unlawful processing or loss, destruction or damage to Personal Data and the nature of the Personal Data;
(c) take reasonable steps, having regard to the state of technological development and the cost of implementing any measures, to ensure the reliability of any of its staff who have access to Personal Data processed in connection with the Terms and Conditions; and
(d) not transfer the Personal Data provided by the Subscriber to a country or territory outside the EEA without ensuring the Personal Data is afforded adequate protection within the meaning of the GDPR.
2.2 The Subscriber acknowledges that, with certain exceptions, LEAP does not have access to Personal Data and will require permission from a User if asked to provide services related to the LEAP Software. The Subscriber shall provide access to LEAP personnel only on an as-needed basis and shall terminate such access promptly after the need for such access has expired. In the performance of Helpdesk support where file-sharing is used, it is the responsibility of Users to ensure that all sharing sessions are terminated.
3.1 The data contained within LEAP remains the property of the Subscriber.
3.2 If a Subscriber ends their agreement, LEAP will retain the Subscriber's data for a period of seven (7) years before having it destroyed.
3.3 During the seven (7) years following termination, a subscription can be reactivated to gain access to the data held.
3.4 The Subscriber can request that their data be deleted upon their termination, or at any time before the seven (7) year expiration date.
3.5 LEAP will enable the Subscriber to delete Personal Data.
3.6 LEAP will enable the Subscriber to extract Personal Data on request.
4.1 The Subscriber's data, including Personal Data, is housed in a highly available, active-active scalable solution situated in the ISO 27001 certified AWS datacentres in Dublin.
4.2 Personal Data may be shared with Trusted Third Party applications to provide their services.
4.3 No Personal Data is shared with other applications or integrations without the written consent of the Subscriber, excluding those provided as part of the Service.
5.1 Each LEAP application is accessed via HTTPS using Transport Layer Security (TLS). TLS is a cryptographic protocol designed to protect information transmitted over the internet against eavesdropping, tampering, and message forgery.
5.2 All stored data is encrypted at rest, using AES-256, military grade encryption. This is done to protect data in the event a LEAP server is compromised by an unauthorised party.
Taking into account the state of technical development and the nature of processing, LEAP shall implement and maintain the technical and organisational measures set out in Appendix 3 to protect the data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.
LEAP shall, in accordance with GDPR, make available to the Subscriber such information that is in its possession or control as is necessary to demonstrate LEAP's compliance with the obligations on each party imposed by Article 28 of the GDPR, and allow for and contribute to audits by LEAP’s Third Party Auditor (subject to a maximum of one audit request in any 36 month period).
LEAP has a dedicated team of Information Security Specialists who continually monitor the AWS infrastructure and LEAP Services. Each team member with direct access to the infrastructure must go through an extensive vetting process, including police background checks.
LEAP servers are backed up multiple times daily, weekly and monthly, and are monitored 24 hours a day, 7 days a week, 365 days a year.
LEAP shall notify the Subscriber without undue delay and in writing on becoming aware of any Data Breach in respect of any Personal Data.
If a vulnerability is identified or data is available publicly outside of the LEAP Software, please contact LEAP immediately via secure@leap.com.au.
Unless otherwise defined in this policy, all terms in bold will have the meanings given to them below:
AWS means Amazon Web Services based in the Dublin Region
Data Breach has the meaning defined in the GDPR
Data Controller has the meaning defined in the GDPR
Data means all data entered into the Services
Data Processor has the meaning defined in the GDPR
EEA means the European Economic Area
GDPR means the General Data Protection Regulation (EU) 2016/679
ISO 27001 certification means an ISO/IEC 27001:2013 certification or a comparable certification for the Audited Services.
LEAP means LEAP Legal Software Ltd and its associated entities of 10 John Street, London, WC1N 2EB
LEAP Services means the LEAP Desktop, iOS, Android, Web and LawConnect applications and all other future applications or services provided by LEAP
LEAP’s Third Party Auditor means a LEAP-appointed, qualified and independent third party auditor, whose then-current identity LEAP will disclose to Subscriber
Personal Data has the meaning defined in the GDPR
Regulator means the Solicitors Regulatory Authority, The Law Society of Scotland, The Law Society of Northern Scotland or The Law Society of Scotland
Subscriber means a person or organisation who pays monthly for access to the LEAP Software and Services
Term means the period from the installation date until the end of LEAP’s provision of the Services, including, if applicable, any period during which provision of the LEAP Services may be suspended and any post-termination period during which LEAP may continue providing the Services for transitional purposes
Trusted Third Parties means Infotrack, Perfect Portal and Advocate
Subject Matter
LEAP’s provision of the Services to the Subscriber.
Duration of the Processing
The Term plus the period from the expiry of the Term until deletion of all Data by LEAP in accordance with the Security Policy.
Nature and Purpose of the Processing
LEAP will process Personal Data for the purposes of providing the Services to the Subscriber in accordance with the Security Policy.
Categories of Data
Data relating to individuals provided to LEAP via the Services, by (or at the direction of) the Subscriber or by the Subscriber’s customer.
Data Subjects
Data subjects include the individuals about whom data is provided to LEAP via the Services by (or at the direction of) the Subscriber or by the Subscriber’s customer.
LEAP utilises multiple layers of security controls (software, physical and process based) to protect data. This includes, but is not limited to: