This Service Confidentiality Agreement (herein referred to as “SCA”) is made and entered into as of [Date, Month, Year] by and between ___________________________________, a law firm in the State of Texas, herein referred to as “Firm,” and ______________________, an online platform, herein referred to as “Platform” (“Firm” and “Platform,” each a “party” or “Party” and, collectively, the “parties” or “Parties”). 

I. Purpose 

1. This SCA establishes the terms and conditions under which Platform will provide services to Firm, access Firm Information, and comply with applicable legal and ethical obligations.
2. The Parties have entered or will enter into one or more agreements under which Platform provides or will provide certain specified services to Firm (collectively, the “Agreement”).
3. In providing services pursuant to the Agreement, Platform will have access to Firm Information, including Attorney-Client Confidential Information.
4. By providing the services pursuant to the Agreement, Platform will become a “Service Provider” of Firm.
5. Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of Attorney-Client Confidential Information, including, but not limited to, following the applicable American Bar Association (ABA) Model Rules of Professional Conduct and the Texas Disciplinary Rules of Professional Conduct. The Texas Disciplinary Rules of Professional Conduct will prevail if there is a conflict between the two.
6. Both Parties intend to protect the privacy and provide for the security of Firm Information, including protected Attorney-Client Confidential Information disclosed to Platform according to the terms of this SCA, the Texas Data Privacy and Securities Act, and all other applicable laws, as they may be amended from time to time.

In consideration of the mutual covenants and conditions contained herein and the continued provisions of the confidential information by Firm to Platform under the Agreement in reliance of this SCA, the Parties agree as follows: 

II. Definitions 

For this SCA, the Parties give the following meaning to each of the terms. Any capitalized terms used in this SCA but not otherwise defined have the meaning given to the term in the ABA Model Rules of Professional Conduct, the Texas Disciplinary Rules of Professional Conduct, or pertinent law. The Texas Disciplinary Rules of Professional Conduct will prevail if there is a conflict between the ABA Model Rules and the Texas Disciplinary Rules of Professional Conduct. 

1. “Affiliate” means a partner, associate, cocounsel, of counsel, or other affiliate of Firm that is or has been considered a part of Firm.
2. “Anonymized Data” means data that has been stripped of all personally identifiable information and cannot be reidentified using reasonably available tools or information.
3. “Attorney-Client Confidential Information” shall have the same definition as described in Rule 1.6 of the ABA Model Rules of Professional Conduct.
4. “Audit Rights” means that Firm has a right to inspect, review, and evaluate Platform’s compliance with this SCA, including access to processes and data Safeguards, to the extent reasonably practicable.
5. E. “Breach” means the acquisition, access, use, or disclosure of Firm Information, including Attorney-Client Confidential Information, in a manner not permitted under the ABA Model Rules of Professional Conduct that compromises the security or privacy of the Attorney-Client Confidential I
6. F. “Data Aggregation” means, with respect to Firm Information, including Attorney-Client Confidential Information created or received by Platform in its capacity as the “Service Provider” of Firm, the combining of such Firm Information, including Attorney-Client Confidential Information, by Platform with Firm Information and/or Attorney-Client Confidential Information received by Platform in its capacity as providing service(s) of one or more other “Firm(s).”
7. G. “De-identification” means Firm Information that does not identify an individual and for which there is no reasonable basis to believe that the information can be used to identify an individual or entity.
8. A determination that information is de-identified can be made only if the person or Platform with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable—
9. applies those principles and methods;
10. determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information; and
11. documents the methods and results of the analysis that justify that determination.

OR 

2. The following are true: 
3. the following identifiers of the individual or of relatives, employers, or household members of the individual, are removed: names; all geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes; all elements of dates (except year) for dates directly related to an individual, including birth date; telephone and fax numbers; electronic mail addresses; social security numbers; medical record numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators; internet protocol address numbers; biometric identifiers, including finger and voice prints, full face photographic images and comparable images; and any other unique identifying number, characteristic, or code; and
4. Platform does not have actual knowledge or could not have reasonably known that the information could be used alone or in combination with other information to identify an individual who is the subject of the information.
5. H. “Disclosure” means the release, transfer, provision of access to, divulgence in any other manner of information outside the entity or Person holding the information.
6. I. “Firm Information” means any information that Firm inputs into Platform, creates for or on Platform, or receives as a result of that input from
7. J. “Individual” means the person who is the subject of the Attorney-Client Confidential Information and/or their personal representative.
8. K. “Individually Identifiable Information” is information that is input by or on behalf of Firm, including demographic information collected from an individual, and—
9. is created or received by Firm and/or Platform;
10. relates to the past, present, or future legal matter; and
11. identifies the individual, or for whom there is a reasonable basis to believe the information could be used to identify the individual.
12. L. “Safeguards” means administrative, technical, and physical controls consistent with industry standards, such as those that might be frequently changed, i.e., ISO 27001 or SOC 2 Type II.
13. M. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system.
14. N. “Texas-Specific Compliance” means compliance with all applicable laws of the State of Texas and all applicable rules of the State Bar of Texas, including but not limited to Texas ethics opinion 680 on confidentiality and cloud computing.

III. Use and Disclosure of Firm Information 

1. Except as otherwise provided in this SCA, Platform may use Firm Information only to the extent reasonably necessary to provide the services described in this SCA to Firm after Firm’s written agreement or as required by law.
2. Except as otherwise provided or limited by this SCA or federal or state law or any information relating to Attorney-Client Confidential Information, Firm authorizes Platform to use Firm Information in its possession for the proper management and administration of Platform’s business to carry out its legal responsibilities. Platform may disclose any Firm Information for its proper management and administration, provided that the disclosure is required by law or Platform obtains, in writing, before disclosing to a third party, (1) Firm’s consent, (2) assurances from the third party that the confidential information will be held confidential as provided under this SCA and used for further disclosures only as required by law or for the purpose for which Firm gave consent, and (3) an agreement from the third party to notify Platform immediately of any breaches of the confidentiality of Firm Information, to the extent that it has knowledge of the breach.
3. Platform will not use or disclose any Firm Information in a manner other than as provided in this SCA or as required by law under a court order after a reasonable notice and option to object is provided to Firm unless notice or option to Firm is specifically excluded by court order. However, under no circumstances shall Platform disclose any Attorney-Client Confidential Information. Platform will use or disclose Firm Information only as permitted under this SCA or as required by law, to the extent practicable, as a limited data set, or limited to the minimum necessary amount of Firm Information to carry out the intended purpose of the use or disclosure of the request.
4. Upon request, Platform will make available to Firm any of the Firm’s Information, including Attorney-Client Confidential Information that Platform or any of its agents or subcontractors have in their possession.
5. Platform may not use any Firm Information to make reports of violation, unless a court order specifically requires it. However, in no case shall Firm’s Attorney-Client Confidential Information be disclosed. And, before any disclosure, Platform shall provide Firm an opportunity to object.

IV. Safeguards Against Misuse of Firm Information 

Platform will use appropriate Safeguards to prevent the use or disclosure of Firm Information other than as provided by the Agreement or this SCA, and Platform agrees to implement Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic Firm Information that it creates, receives, maintains, or transmits on behalf of Firm. Platform agrees to take reasonable steps, including providing adequate training and supervision of its employees to ensure compliance with this SCA, and that the actions or omissions of its employees or agents do not cause Platform to breach the terms of this SCA. 

V. Reporting Disclosures of Firm Information and Security Incidents 

Platform will report to Firm in writing any use or disclosure of Firm Information not provided for by this SCA of which it becomes aware, and Platform agrees to report to Firm any confirmed Security Incident affecting Firm’s electronic Firm Information of which it becomes aware. Platform agrees to report any confirmed Security Incident affecting Firm Information within 48 hours of discovery. Platform shall provide an initial notification within 48 hours of discovering a confirmed Security Incident, including available details and potential impact. Updates shall be provided every 72 hours until a breach is resolved. A final comprehensive report detailing the incident, affected data, remedial actions, and steps to prevent recurrence shall be delivered within 30 days of resolution. Platform further agrees to reimburse Firm for any costs Firm incurred in complying with any penalties imposed on Firm due to the breach committed by Platform. 

VI. Mitigation of Disclosures of Firm Information 

Platform will take reasonable steps to mitigate, to the extent practicable, any harmful effect known to Platform of any use or disclosure of Firm Information by Platform or its agents or subcontractors in violation of the requirements of this SCA. 

VII. Agreements with Agents or Subcontractors 

Platform shall maintain and provide an up-to-date list of subcontractors with access to Firm Information upon request. Platform shall ensure that subcontractors comply with the confidentiality and security obligations under this SCA. Platform shall notify Firm or upstream Platform, of all subcontractors and agreements relating to the Agreement, where the subcontractor or subcontractor’s agent receives any Firm Information. Such notifications shall occur within five (5) business days of the execution of the subcontract by placement of such notice on Platform’s primary website, another method as agreed upon by and between Platform and Firm, or using industry standard. Platform shall ensure that all subcontractors and subcontractor agreements provide the same level of privacy and security as in this SCA. 

VIII. Platform-Specific Obligations 

1. Platform agrees to implement ongoing training to its employees and subcontractors on handling Attorney-Client Confidential Information. Such training shall include but is not limited to the identification of confidential information, security protocols for data access and storage, and incident response procedures. Platform shall also adopt continuous monitoring tools to detect and mitigate potential threats to Firm Information.
2. Platform may identify Firm as a customer and reference compliance with the Texas-specific legal and ethical standards in its marketing materials, subject to Firm’s prior written consent.
3. Platform must ensure that anonymized data cannot be reidentified, directly or indirectly, by combining it with other data sets. Anonymized data shall not be used for marking or targeting Firm’s clients without prior written consent from Firm. Upon request, Platform shall provide documentation demonstrating the anonymization of Firm Information used for service improvements. Such data must comply with industry standards for de-identification and be irreversibly anonymized.

IX. Audit Reports 

1. Upon request, Platform will provide Firm, or upstream Platform, with a copy of its most recent independent National Institute of Standards and Technology Cybersecurity and Privacy Framework report or its equivalent or other mutually agreed upon independent standards-based third-party audit report. Firm agrees not to redisclose Platform’s audit report.
2. Firm may request evidence of compliance through third-party certifications, consistent with industry standards, as may be frequently changed and/or updated (e.g., SOC 2 Type II or ISO 27001). Firm may conduct an audit no more than once annually, unless triggered by a confirmed Security Incident. Said audits shall be limited to verifying compliance with this SCA and conducted with 30 days’ prior written notice to Platform.

X. Access to Firm Information by Individuals 

1. Upon request, Platform agrees to furnish Firm with copies of Firm Information maintained by Platform in a time and manner designated by Firm to enable Firm to respond to an individual’s request for access to record.
2. If any individual or personal representative requests access to the individual’s own records, Platform will forward that request to Firm to make the final decision on whether disclosure shall be allowed, unless Firm has already waived that request through other means.

XI. Amendment of Firm Information 

Upon request and instruction from Firm, Platform will amend Firm Information that is maintained by, or otherwise within the possession of, Platform as directed by Firm within 30 business days, unless a court order specifically prevents such amendments. 

XII. Accounting of Disclosures 

Platform will document any disclosure of Firm Information made by it to account for such disclosures. Platform will make available information related to such disclosure as would be required for Firm to respond to a request for an accounting of disclosure by the State Bar of Texas or as required in the ABA Model Rules of Professional Conduct. At a minimum, Platform will furnish Firm with the following with respect to any disclosure by Platform: date of disclosure; name of the entity or person who received the disclosure and, if known, the address of such entity or person; a brief description of the information disclosed; and a brief statement of purpose of the disclosure including the basis for such disclosure. 

XIII. Availability of Books and Records 

Platform will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of information, upon request, to the State Bar of Texas for the purpose of determining Platform and Firm’s compliance with this SCA. 

XIV. Firm Responsibilities 

1. Regarding the use and/or disclosure of Firm Information by Platform, Firm agrees to:
2. Notify Platform of any limitation(s) in its notice of privacy practices to the extent such limitation may affect Platform’s use or disclosure of Firm Information.
3. Notify Platform of any changes in, or revocation of, permission by Firm to use or disclose Firm Information, to the extent that such changes may affect Platform’s use or disclosure of Firm Information.
4. Notify Platform of any restriction to the use or disclosure of Firm Information in accordance with the State Bar of Texas rules and regulations to the extent that such restriction may affect Platform’s use or disclosure of Firm Information.
5. Except for data aggregation or management or administrative activities of Platform, Firm shall not request Platform to use or disclose information in any manner not permissible under the ABA Model Rules of Professional Conduct or other applicable law.

XV. Data Ownership 

Platform’s data stewardship does not confer data ownership rights on Platform with respect to any data shared with it under the Agreement, including all other forms thereof. 

XVI. Terms and Termination 

1. This SCA shall become effective on the date written above and will continue in effect until all obligations of the Parties have been met under the Agreement and under this SCA.
2. Firm may immediately terminate this SCA, the Agreement, and any other related agreement if Firm determines that Platform has breached a material term of this SCA and Platform has failed to cure that material breach to Firm’s reasonable satisfaction within 30 days after written notice from Firm.
3. If Platform determines that Firm has breached a material term of this SCA, Platform shall provide Firm written notice of the breach and shall allow Firm 30 days to cure the breach. Firm’s failure to cure the breach within 30 days may be grounds for immediate termination of the Agreement and this SCA. Platform may report the breach to the State Bar of Texas.
4. Upon termination of the Agreement or this SCA for any reason, all Firm Information maintained by Platform will be returned to Firm (delivered to Firm in a format agreed upon by both Parties, e.g., encrypted file transfer) or destroyed (permanently deleted following secure destruction industry standards) by Platform after reasonable notice to Firm to obtain all information. In no event shall such notice be less than 90 days. Platform will not retain any copies of such information. This provision will apply to Firm Information in the possession of Platform’s agents and subcontractors. Platform shall provide a written certification confirming the destruction or return of Firm Information. If return or destruction is not feasible, Platform will notify Firm of the reasons for infeasibility and retain Firm Information under the protections of this SCA and limit its use and purposes that make return or destruction infeasible.
5. If return or destruction of Firm Information is not feasible in Platform’s reasonable judgment, Platform will provide Firm written notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of Firm Information is not feasible, Platform will extend the protections of this SCA to such information for as long as Platform retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible.
6. The Parties understand and agree that these sections XVI.D and XVI.E shall survive any termination of this SCA.

XVII. Indemnification and Liability 

Platform shall indemnify and hold harmless Firm from damages arising from Platform’s negligence, misuse of Firm Information, or noncompliance with applicable federal or state laws. Platform’s total liability, including indemnification, shall not exceed 3 times the annual fees paid by Firm under the Agreement or $500,000, whichever is greater; OR the liability cap may be adjusted upon mutual agreement between the Parties, depending on the scale and nature of services provided. This cap excludes damages caused by gross negligence or intentional misconduct. Indirect damages, such as a loss of profit, are excluded unless caused by willful misconduct. 

XVIII. Governing Law and Venue 

This Agreement shall be governed and construed under the laws of the State of Texas. Any disputes arising from this Agreement shall be resolved through binding arbitration in accordance with the American Arbitration Association’s Commercial Arbitration Rules. The Parties agree that arbitration awards are final and enforceable in Texas state courts. 

XIX. Effect of SCA 

1. This SCA is a part of and subject to the terms of the Agreement; if any terms of this SCA conflict with any terms of the Agreement, the terms of this SCA shall govern.
2. Unless expressly stated in this SCA or provided by law, this SCA does not create any rights in favor of any third party.

XX. Notices 

All notices, requests, demands, or other communications to be given under this SCA to a Party will be made via first-class mail, registered or certified mail, express courier, or electronic mail to the Party’s address given below: 

If to Firm: _____________ 

If to Platform: ____________ 

XXI. Amendments and Waiver 

This SCA may not be modified, nor will any provisions be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar or waiver of, any right or remedy as to subsequent events. 

XXII. Further Compliance 

Each Party agrees to comply with the applicable laws of the State of Texas and federal laws. Both Parties acknowledge the rapid evolution of artificial intelligence (AI) and privacy regulations. The Parties agree to negotiate amendments to this SCA in good faith within 90 days of any legal or regulatory changes to ensure compliance with applicable laws. 

SIGNATURE PAGE TO FOLLOW 

Considering the mutual agreement and understanding described above, the Parties execute this SCA as of the date first written above. 

Platform 

By: ________________________ 

Name: __________________ 

Title: ______________________ 

Firm 

By: ________________________ 

Name: __________________ 

Title: ______________________