Privacy Policy and Data Protection Concept
LEXA — Law Firm Management Platform by SDN IT-Services GmbH
Version 1.0 — As of: February 28, 2026
1. Data Controller and Contact
The data controller within the meaning of the GDPR is:
SDN IT-Services GmbH
Monetweg 8
D-60438 Frankfurt am Main
Germany
Phone: +49 69 90750132
Email: info@lexatech.de
Managing Director: Dragisa Dragisic
Commercial Register: Amtsgericht Frankfurt am Main, HRB 85609
2. Data Protection Officer
Our Data Protection Officer can be reached at:
Email: datenschutz@lexatech.de
Phone: +49 69 90750132
Address: SDN IT-Services GmbH, Monetweg 8, D-60438 Frankfurt am Main
3. Scope
This privacy policy applies to:
• The LEXA website (landing page, information pages)
• The LEXA application (law firm management software as a cloud-based SaaS)
• The client intake form through which prospective clients can submit inquiries
• All API interfaces related to the platform
This policy is addressed to:
• Law firm staff (attorneys, secretariat, firm administrators) who use LEXA
• Clients and prospects whose data is processed within firm management
• Website visitors who seek information about the service
4. Definitions
• Client (Law Firm): A law firm or attorney using LEXA as software, referred to as a "Tenant" in the platform.
• User: A natural person working with LEXA on behalf of a client (law firm) — attorneys, secretarial staff, or administrators.
• Data Subject / End Client: A natural or legal person whose data is managed by a law firm via LEXA — firm clients, opposing parties, participants.
• Data Controller: SDN IT-Services GmbH as the platform provider — for processing related to platform operations. The using law firm is itself the controller for the substantive processing of client data.
• Data Processor: SDN IT-Services GmbH acts as processor vis-à-vis the using law firm regarding client-related data pursuant to Art. 28 GDPR.
5. Data We Collect and Process
5.1 Law Firm Account Data (Client/Tenant)
• Firm name and legal form
• Contact data: email addresses, phone numbers, fax numbers, mobile numbers, website
• Addresses: firm address, mailing address, billing address, registration address
• Banking details: IBAN, BIC, account holder, bank name (for billing purposes)
• Tax information: tax number, VAT ID, responsible tax office, tax rate
• Subscription data: selected plan, billing period, status
• Payment data: payment method (only reference tokens stored — no full card data)
5.2 User Data (Firm Staff)
• Name (first name, last name, title, salutation)
• Email address (also used as login credential)
• Role in the firm (administrator, attorney, secretariat)
• Optional profile data: phone, mobile number, bar association, practice areas
• Language setting and timezone
• Authentication data: passwords are never stored in plaintext, only in hashed form; SDN IT-Services GmbH has no access to plaintext passwords
• Usage log: login times, session counts, actions (anonymized and aggregated)
5.3 Client Data / Case Data (on behalf of the law firm)
Processed by SDN IT-Services GmbH as data processor on behalf of the firm:
• Inquiries/Leads: name, email, description, legal area, source, consent flags, risk assessments, uploaded files
• Cases: file numbers, case description, legal area, status, assigned attorney, procedural data, deadlines, data classification
• Parties: natural persons (name, date of birth), organizations (company name, registration number), contact data, role in proceedings
• Documents: uploaded and generated documents, file metadata, SHA-256 checksums, versioning
• Tasks, appointments, deadlines: with descriptions, status, priority, participants, reminders
5.4 Log and Usage Data
• Audit log: every data-relevant action with timestamp, tenant ID, user ID, and action type
• Usage metrics: anonymized and aggregated for billing and optimization
• Technical log data: IP address, access time, HTTP method and status code
5.5 Website Data (Landing Page)
• IP address (potentially truncated), date and time, requested URL, browser type, referrer
5.6 Consent Records
• User ID, document version accepted, timestamp, channel, hashed IP address and user agent
6. Purposes of Data Processing
We process personal data exclusively for:
• Platform provision: operation of LEXA including user management, authentication, roles
• Firm management: cases, inquiries, parties, documents, tasks on behalf of the firm
• Document processing: creation, storage, versioning, collaborative editing
• Intake management: receiving and processing prospective client inquiries
• Communication: notifications about status changes, deadline reminders
• Billing and usage measurement: tracking usage per selected plan
• Security and abuse prevention: protecting against unauthorized access
• Audit and compliance: traceability of all operations
• Platform improvement: anonymized and aggregated usage analysis
7. Legal Bases for Processing
Art. 6(1)(b) GDPR — Contract Performance:
• Platform provision per the service agreement
• User account and firm access management
• Billing
Art. 6(1)(f) GDPR — Legitimate Interest:
• IT security and platform availability
• Abuse detection and prevention
• Anonymized usage analytics
• Technical logging
Art. 6(1)(a) GDPR — Consent:
• Data submitted via the intake form
• Non-essential cookies
• Voluntary extended profile data
Consent may be withdrawn at any time (see Section 14).
Art. 6(1)(c) GDPR — Legal Obligation:
• Retention of tax-relevant data
• Fulfillment of documentation obligations
Art. 28 GDPR — Data Processing Agreement:
Where SDN IT-Services GmbH processes client-related data on behalf of a law firm, this is governed by a DPA pursuant to Art. 28 GDPR.
8. Client Data Processing in the Law Firm Context
Dual Responsibility:
1. SDN IT-Services GmbH as Controller — for account and user data for platform operation, authentication, and billing.
2. The Law Firm as Controller — for all client-related data (cases, parties, documents, correspondence) managed via LEXA. SDN IT-Services GmbH acts as processor.
Tenant Separation:
The platform ensures strict logical separation of data between law firms. Every data request is automatically scoped to the respective firm's data. Cross-firm data access is technically impossible.
Role-Based Access Control:
• Firm Administrator: full access to all data and settings of their own firm
• Attorney: access to cases, inquiries, parties, documents, and tasks
• Secretariat: restricted access as defined by the firm
SDN IT-Services GmbH platform administrators may access firm data for support purposes only, subject to strict logging and access restrictions.
9. Technical and Organizational Measures (TOMs)
SDN IT-Services GmbH has implemented comprehensive measures pursuant to Art. 32 GDPR:
Confidentiality:
• All communication via TLS-encrypted connections (HTTPS) only
• All data encrypted at rest in both database and document storage
• Authentication via a specialized identity service with hashed passwords
• Role-based access permissions
• Automatic tenant data scoping on all database queries
Integrity:
• Immutable audit log of all data-relevant actions
• SHA-256 cryptographic checksums on uploaded documents
• Document versioning for change traceability
• Server-side input validation
Availability and Resilience:
• Redundant infrastructure across multiple availability zones in EU data centers
• Automatic scaling
• Regular automated backups with point-in-time recovery
• Document storage with 99.999999999% durability
Recoverability:
• Documented disaster recovery procedures
• Automated database snapshots
Regular Review:
• Periodic security audits and access reviews
• Automated monitoring and alerting
• Logging of all administrative access
10. Data Storage and Location
All data is stored exclusively in EU data centers, specifically in Frankfurt am Main, Germany (region eu-central-1). This applies to:
• The database with all firm, user, and case data
• The document storage with all uploaded and generated files
• The authentication service
• All log and usage data
No personal data is transferred to third countries outside the EU/EEA unless adequate safeguards are in place (see Section 13).
All data is encrypted both in transit (TLS/HTTPS) and at rest, with dedicated key management and automatic key rotation.
11. Retention and Deletion
Personal data is retained only as long as necessary for its purpose or as required by law.
Retention Periods:
• Firm account data: duration of contract + 10 years (§ 257 HGB, § 147 AO)
• User data: duration of account + 30 days after deletion
• Client-related data: per the firm's requirements; minimum 6 years after mandate end (§ 50 BRAO)
• Inquiries (Leads): per configured retention date or on firm's instruction
• Audit logs: 10 years (§ 257 HGB, Art. 5(2) GDPR)
• Usage metrics: 3 years (aggregated)
• Billing data: 10 years (§ 257 HGB, § 147 AO)
• Technical log data: 90 days
• Consent records: duration of processing + 3 years after withdrawal
Deletion Procedures:
• Soft Delete: archival first, permanent deletion after configurable period
• Permanent Deletion: archived records and associated documents are fully removed
• Account Deletion: all firm data deleted after retention periods expire, with prior data export option
• Right to Erasure: data subjects may request deletion per Art. 17 GDPR
12. Disclosure to Third Parties and Processors
SDN IT-Services GmbH does not disclose personal data to third parties for advertising or marketing purposes.
A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is concluded with each law firm, governing:
• Subject matter and duration of processing
• Nature and purpose of processing
• Types of personal data and categories of data subjects
• Controller's (firm's) obligations and rights
• Technical and organizational measures
• Use of sub-processors
• Deletion and return of data upon contract termination
Access to client data by SDN IT-Services GmbH staff is strictly limited to troubleshooting and maintenance, with all access logged.
13. Sub-Processors
SDN IT-Services GmbH uses the following sub-processors:
• Amazon Web Services EMEA SARL — Cloud infrastructure (compute, storage, database, authentication, key management) — Frankfurt am Main, Germany (EU) — Basis: DPA, EU SCCs
• Hetzner Online GmbH — Frontend hosting — Nuremberg/Falkenstein, Germany (EU) — Basis: DPA
• Resend Inc. — Transactional emails (notifications, password reset) — EU — Basis: DPA, EU SCCs
• Anthropic PBC — AI language model for document analysis and text generation — Processing via European API endpoints — Basis: DPA, EU SCCs
• OpenAI, L.L.C. — AI language model for document analysis and text generation — Processing via European API endpoints — Basis: DPA, EU SCCs
Changes to sub-processors are communicated to law firms with at least 30 days' notice. Firms may object to new sub-processors.
A current list can be requested at datenschutz@lexatech.de.
14. Rights of Data Subjects
Every data subject has the following rights under the GDPR:
• Art. 15 — Right of access
• Art. 16 — Right to rectification
• Art. 17 — Right to erasure
• Art. 18 — Right to restriction of processing
• Art. 20 — Right to data portability
• Art. 21 — Right to object
• Art. 7(3) — Right to withdraw consent
To exercise your rights, contact:
Email: datenschutz@lexatech.de
Post: SDN IT-Services GmbH, Attn: Data Protection, Monetweg 8, D-60438 Frankfurt am Main
We will respond within one month (Art. 12(3) GDPR).
Note for end clients: If your data is managed by a law firm via LEXA, the firm is the data controller. Please contact your firm first.
15. Data Breach Response
SDN IT-Services GmbH maintains a documented data breach response procedure:
1. Detection: automated monitoring and audit logs
2. Internal escalation: immediate notification of the data protection and security team
3. Risk assessment: within 24 hours
4. Supervisory authority notification: within 72 hours (Art. 33 GDPR)
5. Data subject notification: without undue delay if high risk (Art. 34 GDPR)
6. Law firm notification: immediate communication of nature, scope, and countermeasures
7. Documentation: complete incident documentation
Competent Supervisory Authority:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1
65189 Wiesbaden
https://datenschutz.hessen.de
Email: poststelle@datenschutz.hessen.de
16. Use of Artificial Intelligence
LEXA may optionally offer AI-powered features:
• Document analysis: automatic extraction of relevant information
• Summaries: generation of inquiry summaries
• Categorization: suggestions for legal area classification
Transparency:
• AI features are optional and can be enabled/disabled by the firm
• Results are always suggestions and do not replace professional legal review
• AI processing takes place in European data centers
• No client data is used for training AI models
• The firm controls which data is accessible to the AI component
No automated individual decision-making within the meaning of Art. 22 GDPR takes place. All AI-generated results serve exclusively as support and suggestions for the attorney, who always makes the final decision.
The legal basis for the use of AI features is Art. 6(1)(b) GDPR (performance of contract) in conjunction with the DPA pursuant to Art. 28 GDPR.
18. Legal Profession Specifics
LEXA is specifically designed for use in German law firms and addresses the particular requirements of legal professional regulations:
Attorney-Client Privilege (§ 43a(2) BRAO, § 2 BORA):
• Strict tenant separation ensures confidentiality
• Client data access restricted to the authorized firm
• TOMs ensure SDN IT-Services GmbH only accesses data within contractual boundaries
Retention Obligations (§ 50 BRAO):
• Case files must be retained for at least six years after mandate end
• LEXA supports this through configurable retention dates and deletion scheduling
• Legal hold feature allows suspending automatic deletion
Conflict of Interest Check:
• Comprehensive party tracking supports checks per § 43a(4) BRAO
Data Classification:
• Cases can be classified as "sensitive" for enhanced protection (e.g., criminal matters)
Special Categories of Personal Data (Art. 9, 10 GDPR):
Law firm case files may contain special categories of personal data (e.g., health data, criminal conviction data). Processing is based on Art. 9(2)(f) GDPR (establishment, exercise, or defense of legal claims). LEXA ensures that such data is particularly protected through client separation, encryption, and restrictive access controls.
19. Changes to This Privacy Policy
SDN IT-Services GmbH reserves the right to update this privacy policy as needed.
• Material changes will be communicated at least 30 days before taking effect via email or in-app notification.
• The current version is always available at https://www.lexatech.de/datenschutz.
• Previous versions are available upon request.
20. Contact and Right to Complain
For data protection inquiries or to exercise your rights:
SDN IT-Services GmbH
Data Protection
Monetweg 8
D-60438 Frankfurt am Main
Email: datenschutz@lexatech.de
Phone: +49 69 90750132
Right to lodge a complaint:
You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
The competent authority for SDN IT-Services GmbH is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1
65189 Wiesbaden
https://datenschutz.hessen.de
Email: poststelle@datenschutz.hessen.de
This privacy policy was created on February 28, 2026.
SDN IT-Services GmbH — LEXA Law Firm Management Platform