DraftThis document is a working draft pending review by Caseflow's outside counsel. It is not legally binding in its current state. The final version will be signed off and posted before the public launch.

Legal · June 1, 2026

Data Processing Agreement

The framework under which Caseflow processes customer personal data.

Effective June 1, 2026 · Last updated June 1, 2026

This DPA forms part of the agreement between Caseflow, Inc. (the "Processor") and the customer (the "Controller"). It governs Caseflow's processing of personal data on behalf of the customer in the course of providing the Caseflow service.

1. Scope and roles

Caseflow acts as a Processor with respect to customer data. The customer is the Controller. This DPA applies to all personal data the customer uploads, including evidence files, member profiles, and case metadata.

2. Subject matter and duration

Caseflow processes personal data solely to provide the contracted services for the duration of the customer's subscription. On termination, data is deleted per the Privacy Policy or the customer's explicit instructions.

3. Sub-processors

Caseflow may engage sub-processors listed at /subprocessors. Caseflow provides 30 days' advance notice of any new sub-processor; the customer may terminate without penalty if they object.

4. Security

Caseflow maintains technical and organizational measures as described on the Security page, including encryption in transit and at rest, access controls, and audit logging.

5. Personnel

Caseflow personnel with access to customer data are bound by confidentiality obligations and have completed security training. Access is granted on a need-to-know basis and logged.

6. Sub-processor flow-down

Caseflow imposes equivalent contractual obligations on every sub-processor it engages to process customer data.

7. Data subject requests

Caseflow will assist the customer in responding to data subject rights requests within 7 business days of receipt.

8. Breach notification

Caseflow will notify the customer of any confirmed personal data breach affecting their data within 72 hours of discovery.

9. Audit

The customer may, no more than once per year, audit Caseflow's compliance with this DPA via a reasonable mutual process. Caseflow will respond to a written security questionnaire within 15 business days in lieu of an on-site audit.

10. International transfers

Caseflow does not transfer customer personal data outside the US. If this changes, Standard Contractual Clauses will be incorporated.

11. Liability

Each party's liability under this DPA is subject to the limitations in the main agreement.

Questions about this document? Contact us.

Security overview →