Draft: This document is a working draft pending review by Caseflow's outside counsel. It is not legally binding in its current state. The final version will be signed off and posted before the public launch.

Business Associate Agreement

For firms whose work touches Protected Health Information.

Effective On request · Last updated June 1, 2026

Most criminal defense work does not involve Protected Health Information (PHI) under HIPAA. For matters where it does (DUI cases involving toxicology reports, competency hearings, mental health records subpoenas) Caseflow will sign a Business Associate Agreement (BAA) on request.

How to request a BAA

Email legal@caseflow.me with your firm name and a contact for signature. We return a countersigned BAA within 5 business days.

What our BAA covers

Caseflow's standard BAA is built from the HHS template and addresses: permitted uses and disclosures, safeguards, sub-BAA flow-down to our sub-processors, breach notification within 60 days, individual rights cooperation, return or destruction of PHI on termination, and indemnification for HIPAA violations attributable to Caseflow.

Technical posture relevant to PHI

See Security. Highlights: TLS 1.3 in transit, AES-256 at rest with per-firm KMS keys, RBAC with audit logging, US-only residency, no cross-tenant model training.

What it does not cover

Caseflow is not a HIPAA-covered entity. We do not provide health services. The BAA covers our processing of PHI you upload incidentally to legal review; it does not create a clinical relationship.

Questions about this document? Contact us.