Anonymised snapshots of real client work. Client identities, sector specifics, and commercially sensitive terms have been generalised.
The Problem
Client was using a generic SaaS template that left IP ownership of AI-generated outputs unresolved and had no meaningful liability cap. A prospective enterprise client flagged the agreement as unacceptable before sign-off.
What I Did
Full redraft of the agreement: IP ownership clause restructured to distinguish between client inputs, platform outputs, and model weights. Tiered liability cap introduced linked to subscription value. Suspension and termination mechanics tightened. Data processing schedule added to address DPDPA obligations.
Why It Mattered
The enterprise deal closed within two weeks of the new agreement being sent. Client now has a template that holds up against sophisticated counterparties without renegotiation from scratch each time.
Enterprise deal closed. Agreement now used as standard template across all B2B engagements.
The Problem
A health-tech startup was processing patient data across multiple third-party vendors without formal data processing agreements, no documented consent mechanism, and no breach response protocol. A Series A investor flagged legal risk during diligence.
What I Did
End-to-end data flow mapping across all processing activities. DPIA drafted for high-risk processing categories. Consent architecture designed for the app's onboarding flow. DPAs executed with all third-party processors. Breach response SOP drafted with regulatory timeline triggers mapped to DPDPA requirements.
Why It Mattered
Client received a clean legal opinion on data practices prior to closing the round. The compliance documentation also served as internal governance infrastructure that the team could maintain without external counsel for routine operations.
Investor diligence cleared. Series A closed. Ongoing retainer for data protection advisory.
The Problem
Employees were using generative AI tools for client deliverables without any internal guardrails. A client contract prohibited the use of AI without disclosure, which the firm was unknowingly breaching. Legal and reputational exposure was immediate.
What I Did
Audited existing client contracts for AI-restriction clauses. Drafted a tiered internal AI use policy: permitted tools, permitted use cases, disclosure obligations, client data handling restrictions, and an escalation protocol. Produced a one-page employee summary and a manager-level FAQ alongside the policy.
Why It Mattered
The firm identified two active engagements where disclosure was owed and corrected the position before it became a dispute. The policy now forms part of employee onboarding and all new client agreements include an AI disclosure clause drafted to the firm's standard.
Policy adopted firm-wide. Contractual breach remediated. AI disclosure clause now standard in all new client agreements.
The Problem
Client (software development firm) had completed a project under a verbal scope extension. The counterparty disputed the additional fees and proposed a settlement far below what was owed, accompanied by a draft agreement that would have waived all future claims in ambiguous terms.
What I Did
Reviewed the proposed settlement draft and identified three clauses that would have extinguished claims the client was unaware of. Redlined the agreement: tightened the settlement scope, introduced mutual release language limited to the specific dispute, removed the indemnity carve-out that favoured the counterparty, and restructured payment mechanics to reduce default risk.
Why It Mattered
Client avoided signing an agreement that would have released valid claims worth significantly more than the settlement amount. The negotiated version preserved the client's position on parallel matters while closing out the immediate dispute cleanly.
Settlement restructured in client's favour. Parallel claims preserved. Counterparty accepted revised terms.
The Problem
An Indian SaaS company was transferring EU user data to servers in India for processing without Standard Contractual Clauses in place, no Article 30 record, and no adequate supplementary measures. A GDPR compliance review by an EU partner flagged the transfers as unlawful.
What I Did
Mapped all data flows between the EU and India processing environments. Implemented SCCs (Module 2: controller-to-processor) with supplementary technical and organisational measures documented in an annex. Updated the Article 30 record. Revised the client-facing privacy notice to accurately reflect the transfer mechanism and adequacy position.
Why It Mattered
The EU partner's legal review cleared the transfers and the commercial relationship proceeded. The client now has a replicable framework for structuring future cross-border transfers without rebuilding the compliance position from scratch each time.
Transfers brought into GDPR compliance. EU partnership formalised. Transfer framework reused for two subsequent vendor relationships.
All matters described above are anonymised. Client names, sectors, financial figures, and identifying details have been generalised or altered. Nothing on this page constitutes legal advice or a representation of specific outcomes. Past results do not guarantee future outcomes.