Data Processing Agreement
Effective Date: December 10, 2025
Last Updated: December 10, 2025
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between CaseMark AI, Inc. ("case.dev," "Processor," "we," "us," or "our") and the entity agreeing to these terms ("Customer," "Controller," "you," or "your").
This DPA reflects the parties' agreement regarding the processing of Personal Data in connection with Customer's use of the case.dev platform and services.
By using our Services, you agree to this DPA. If you are accepting on behalf of an organization, you represent that you have authority to bind that organization.
1. Definitions
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data, including but not limited to:
- The General Data Protection Regulation (EU) 2016/679 ("GDPR")
- The UK General Data Protection Regulation ("UK GDPR")
- The California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA")
- Other applicable state, federal, or international data protection laws
"Controller" means the entity that determines the purposes and means of processing Personal Data. Under this DPA, Customer is the Controller.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Personal Data" means any information relating to an identified or identifiable natural person, including information defined as "personal data," "personal information," or similar terms under Applicable Data Protection Law.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
"Processor" means an entity that processes Personal Data on behalf of a Controller. Under this DPA, case.dev is the Processor.
"Services" means the case.dev platform and all related services, including the API Platform, Console, Thurgood, Orbit Compute, and Payments Platform.
"Sub-processor" means any third party engaged by case.dev to process Personal Data on behalf of Customer.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission.
"Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection law.
2. Scope and Roles
2.1 Scope of Processing
This DPA applies to the processing of Personal Data by case.dev on behalf of Customer in connection with the Services.
2.2 Roles of the Parties
- Customer as Controller: Customer determines the purposes and means of processing Personal Data and is responsible for compliance with Applicable Data Protection Law regarding the collection and use of Personal Data.
- case.dev as Processor: case.dev processes Personal Data only on behalf of and under the instructions of Customer, as described in this DPA and the Agreement.
2.3 Customer Responsibilities
Customer represents and warrants that:
- Customer has the legal authority to provide Personal Data to case.dev for processing
- Customer has provided all necessary notices and obtained all necessary consents, authorizations, or legal bases required under Applicable Data Protection Law
- Customer's instructions to case.dev comply with Applicable Data Protection Law
- Customer will not upload or process Personal Data in violation of any confidentiality, privilege, or legal obligations
3. Details of Processing
3.1 Subject Matter and Purpose
case.dev processes Personal Data to provide the Services as described in the Agreement, including:
| Service | Processing Purpose |
|---|---|
| Vault API | Storage, encryption, indexing, and semantic search of documents |
| OCR/Vision API | Text extraction from documents and images |
| Voice API | Transcription of audio/video recordings, speaker identification, PII redaction |
| LLM API | AI-powered analysis, summarization, and generation |
| Workflows API | Automated document processing pipelines |
| Email API | Sending transactional emails on Customer's behalf |
| Thurgood | AI-assisted code generation and execution |
| Orbit Compute | Application hosting and deployment |
| Payments Platform | Trust accounting and payment processing |
3.2 Duration of Processing
Processing continues for the duration of Customer's use of the Services, plus any retention period required by law or specified in the Agreement.
3.3 Categories of Data Subjects
Personal Data processed may relate to the following categories of Data Subjects:
- Customer's clients (individuals represented by or doing business with Customer)
- Opposing parties and witnesses in legal matters
- Customer's employees and contractors
- Third parties whose information appears in documents processed through the Services
- End users of applications deployed through Orbit
3.4 Types of Personal Data
Depending on Customer's use of the Services, Personal Data processed may include:
Identity Data:
- Names, aliases, titles
- Date of birth, age
- Government identifiers (Social Security numbers, driver's license numbers, passport numbers)
- Photographs and images
Contact Data:
- Email addresses
- Phone numbers
- Physical addresses
Financial Data:
- Bank account information
- Credit card numbers
- Transaction records
- Trust account information (Payments Platform)
Legal Matter Data:
- Case information and docket numbers
- Court filings and legal documents
- Deposition and hearing transcripts
- Contracts and agreements
- Correspondence and communications
Health Data:
- Medical records
- Health insurance information
- Treatment information
Employment Data:
- Employment history
- Compensation information
- Performance records
Audio/Visual Data:
- Voice recordings (depositions, hearings, interviews)
- Video recordings
- Images and photographs
Technical Data:
- IP addresses
- Device identifiers
- Usage logs
3.5 Special Categories of Data
Customer acknowledges that documents uploaded to the Services may contain special categories of Personal Data (sensitive data) as defined under GDPR Article 9, including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or data concerning sex life or sexual orientation.
Customer is responsible for ensuring a valid legal basis exists for processing such data and for implementing appropriate safeguards.
4. Processor Obligations
4.1 Processing Instructions
case.dev will:
- Process Personal Data only on documented instructions from Customer, unless required by law
- Inform Customer if, in our opinion, an instruction infringes Applicable Data Protection Law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Not process Personal Data for any purpose other than providing the Services
Documented Instructions: Customer's instructions are documented in:
- This DPA
- The Agreement (Terms of Service)
- The Privacy Policy
- API requests and Console configurations made by Customer
- Written instructions provided to support@case.dev
4.2 Confidentiality
case.dev will:
- Treat all Personal Data as confidential
- Ensure that personnel processing Personal Data are subject to confidentiality obligations
- Limit access to Personal Data to personnel who need access to perform the Services
4.3 Security Measures
case.dev implements appropriate technical and organizational measures to protect Personal Data, including:
Encryption:
- Encryption at rest using AWS KMS (AES-256)
- Encryption in transit using TLS 1.3
- Encrypted database connections
- Encrypted backup storage
Access Controls:
- Role-based access control (RBAC)
- Multi-factor authentication for internal systems
- API key authentication with hashed storage
- Organization-level data isolation
- Principle of least privilege
Infrastructure Security:
- Multi-tenant architecture with logical separation
- Network segmentation and firewalls
- Regular security patching
- DDoS protection
- Intrusion detection systems
Operational Security:
- Employee background checks
- Security awareness training
- Incident response procedures
- Business continuity planning
- Regular security assessments
Monitoring and Logging:
- Comprehensive audit logging
- Real-time monitoring and alerting
- Log retention for security analysis
- Anomaly detection
Physical Security:
- AWS data centers with SOC 2 certification
- Physical access controls
- Environmental controls
A detailed description of security measures is available in Annex II.
4.4 Sub-processing
case.dev may engage Sub-processors to assist in providing the Services, subject to the requirements in Section 6.
4.5 Assistance with Data Subject Rights
case.dev will assist Customer in responding to Data Subject requests to exercise their rights under Applicable Data Protection Law, including rights of:
- Access
- Rectification
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability
- Objection
case.dev will:
- Promptly notify Customer of any Data Subject request received directly
- Not respond to Data Subject requests without Customer's authorization, unless required by law
- Provide reasonable assistance to enable Customer to respond within required timeframes
4.6 Assistance with Compliance
case.dev will provide reasonable assistance to Customer with:
- Data protection impact assessments (DPIAs)
- Prior consultations with Supervisory Authorities
- Compliance with security obligations under Applicable Data Protection Law
4.7 Personal Data Breach Notification
In the event of a Personal Data Breach affecting Customer's data, case.dev will:
- Notify Customer without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide information necessary for Customer to fulfill breach notification obligations, including:
- Nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Cooperate with Customer's investigation of the breach
- Take reasonable steps to mitigate the effects of the breach
Notification will be sent to the email address associated with Customer's account and/or security contact on file.
4.8 Deletion and Return of Data
Upon termination of the Agreement or upon Customer's written request:
- case.dev will delete or return all Personal Data within 30 days
- Customer may export data using our APIs prior to termination
- case.dev may retain Personal Data as required by law or for legitimate business purposes (such as resolving disputes), subject to continued confidentiality obligations
- Backup copies will be deleted in accordance with our backup retention schedule (maximum 90 days)
5. Customer Obligations
5.1 Lawful Basis
Customer is responsible for:
- Determining and documenting the lawful basis for processing Personal Data
- Providing appropriate notices to Data Subjects
- Obtaining necessary consents where required
- Responding to Data Subject requests
5.2 Instructions
Customer will provide clear, lawful instructions regarding the processing of Personal Data. Customer acknowledges that case.dev is not required to evaluate the legality of Customer's instructions but may refuse to follow instructions that appear to violate Applicable Data Protection Law.
5.3 Security
Customer is responsible for:
- Implementing appropriate security measures for data under Customer's control
- Protecting API Keys and account credentials
- Configuring Services appropriately for Customer's compliance needs
- Managing user access within Customer's Organization
6. Sub-processors
6.1 Authorized Sub-processors
Customer provides general authorization for case.dev to engage Sub-processors to process Personal Data, subject to the requirements of this Section 6.
6.2 Current Sub-processors
case.dev currently uses the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, storage, compute | United States |
| Stripe, Inc. | Payment processing | United States |
| Clerk, Inc. | Authentication and user management | United States |
| OpenAI, Inc. | AI language model processing | United States |
| Anthropic, PBC | AI language model processing | United States |
| Google LLC | AI language model processing | United States |
| Modal Labs, Inc. | Sandbox execution (Thurgood) | United States |
| GitHub, Inc. | Repository integration | United States |
| Vercel, Inc. | Application hosting | United States |
| AssemblyAI, Inc. | Audio transcription | United States |
| ElevenLabs, Inc. | Text-to-speech | United States |
An up-to-date list of Sub-processors is available at https://case.dev/legal/sub-processors.
6.3 Sub-processor Agreements
case.dev will:
- Enter into written agreements with Sub-processors imposing data protection obligations no less protective than those in this DPA
- Remain liable to Customer for the acts and omissions of Sub-processors
6.4 Changes to Sub-processors
case.dev will:
- Provide at least 30 days' notice before engaging a new Sub-processor or replacing an existing Sub-processor
- Notify Customer via email and/or by updating the Sub-processor list
- Provide Customer the opportunity to object to the new Sub-processor
6.5 Objection to Sub-processors
If Customer has a reasonable, documented objection to a new Sub-processor based on data protection concerns:
- Customer will notify case.dev in writing within 14 days of receiving notice
- The parties will work in good faith to address Customer's concerns
- If the parties cannot resolve the objection, Customer may terminate the affected Services without penalty
- Termination is Customer's sole remedy for objections to Sub-processors
7. International Data Transfers
7.1 Transfer Mechanisms
Personal Data may be transferred to and processed in the United States and other countries where case.dev or its Sub-processors operate.
For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries without an adequate level of data protection, case.dev relies on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement or Addendum (for UK transfers)
- Swiss Standard Contractual Clauses (for Swiss transfers)
- Other valid transfer mechanisms under Applicable Data Protection Law
7.2 Standard Contractual Clauses
The parties agree that the Standard Contractual Clauses set forth in Annex I are incorporated into this DPA by reference.
For transfers subject to GDPR:
- Module Two (Controller to Processor) applies
- Customer is the "data exporter"
- case.dev is the "data importer"
7.3 Additional Safeguards
case.dev implements supplementary measures to protect transferred data, including:
- Encryption of data in transit and at rest
- Access controls and authentication
- Security assessments of Sub-processors
- Contractual commitments from Sub-processors
- Transparency reporting where permitted
7.4 Government Access Requests
case.dev will:
- Not voluntarily disclose Personal Data to government authorities except as required by law
- Challenge overbroad or unlawful government requests where legally permitted
- Notify Customer of government requests unless prohibited by law
- Provide only the minimum data legally required
8. Audits and Assessments
8.1 Audit Rights
Customer may audit case.dev's compliance with this DPA, subject to the following:
- Customer will provide at least 30 days' written notice of an audit
- Audits will be conducted during normal business hours
- Audits will not unreasonably interfere with case.dev's operations
- Customer will bear the costs of the audit
- Auditors must execute confidentiality agreements
- Audits are limited to once per 12-month period (unless a Personal Data Breach has occurred)
8.2 Third-Party Certifications
In lieu of an audit, Customer may review:
- case.dev's SOC 2 Type II report (available upon request under NDA)
- Security questionnaire responses
- Penetration test summaries
- Other relevant certifications and assessments
8.3 Supervisory Authority Audits
case.dev will cooperate with audits by Supervisory Authorities to the extent required by Applicable Data Protection Law.
9. Liability
9.1 Liability Cap
Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.
9.2 Allocation
Each party is liable for damages caused by its violation of Applicable Data Protection Law or this DPA. Where both parties are responsible for damage:
- Each party is liable to Data Subjects for the entire damage
- The party that paid compensation may claim back from the other party the portion corresponding to their responsibility
10. Term and Termination
10.1 Term
This DPA takes effect on the date Customer accepts the Agreement and continues until the Agreement terminates.
10.2 Survival
Sections 4.8 (Deletion and Return), 8 (Audits), 9 (Liability), and any provisions that by their nature should survive, will survive termination of this DPA.
11. General Provisions
11.1 Conflicts
In the event of a conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data.
11.2 Amendments
This DPA may be amended by case.dev to reflect changes in Applicable Data Protection Law or our processing activities. Material changes will be notified to Customer with at least 30 days' notice.
11.3 Severability
If any provision of this DPA is found unenforceable, the remaining provisions will continue in effect.
11.4 Governing Law
This DPA is governed by the laws specified in the Agreement, except that the Standard Contractual Clauses are governed as specified therein.
12. Contact Information
For questions about this DPA or to exercise rights under this DPA:
Email: hello@casemark.com
Mail:
CaseMark AI, Inc.
Attn: Data Protection
500 SW 116th Ave Suite 107
Portland, OR 97225
Data Protection Inquiries: hello@casemark.com
Annex I: Standard Contractual Clauses
For transfers of Personal Data from the EEA to case.dev in the United States, the parties agree to the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914, which are incorporated by reference.
Module Two: Controller to Processor
Clause 7 (Docking Clause): Not used.
Clause 9 (Use of Sub-processors): Option 2 (General Written Authorization) applies. The time period for notice is 30 days.
Clause 11 (Redress): The optional language is not used.
Clause 17 (Governing Law): The laws of Ireland govern the SCCs.
Clause 18 (Choice of Forum): The courts of Ireland have jurisdiction.
Annex I.A (List of Parties):
Data Exporter:
- Name: Customer (as identified in the Agreement)
- Address: As provided in Customer's account
- Contact: As provided in Customer's account
- Role: Controller
Data Importer:
- Name: CaseMark AI, Inc.
- Address: 500 SW 116th Ave Suite 107, Portland, OR 97225
- Contact: hello@casemark.com
- Role: Processor
Annex I.B (Description of Transfer): As described in Section 3 of this DPA.
Annex I.C (Competent Supervisory Authority): The supervisory authority of the EEA member state where the data exporter is established, or where the data exporter is not established in the EEA, the supervisory authority of the member state where the data exporter's EU representative is established.
Annex II (Technical and Organizational Measures): As described in Section 4.3 and Annex II of this DPA.
Annex III (Sub-processors): As described in Section 6.2 of this DPA.
Annex II: Technical and Organizational Security Measures
case.dev implements the following technical and organizational measures to protect Personal Data:
1. Encryption
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 encryption via AWS KMS for all stored data |
| Encryption in transit | TLS 1.3 for all API communications |
| Key management | AWS Key Management Service with automatic rotation |
| Database encryption | Encrypted database connections and storage |
| Backup encryption | All backups encrypted at rest |
2. Access Control
| Measure | Implementation |
|---|---|
| Authentication | API key authentication with secure hashing |
| Multi-factor authentication | Required for internal systems and Console access |
| Role-based access | Organization-level RBAC with Owner, Admin, Member, Viewer roles |
| Least privilege | Access limited to necessary personnel and systems |
| Session management | Secure session tokens with expiration |
| API key rotation | Support for key rotation and revocation |
(Additional security measures for Network Security, Data Isolation, Monitoring and Logging, Incident Response, Business Continuity, Vendor Management, Personnel Security, and Physical Security are described in similar detail in the full DPA documentation.)
Annex III: Sub-processor List
Current as of December 10, 2025
| Sub-processor | Processing Activity | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure, storage, compute | All Customer data | United States |
| Stripe, Inc. | Payment processing | Payment and billing data | United States |
| Clerk, Inc. | Authentication | Account credentials, session data | United States |
| OpenAI, Inc. | AI language model processing | Prompts and content submitted to LLM API | United States |
| Anthropic, PBC | AI language model processing | Prompts and content submitted to LLM API | United States |
| Google LLC | AI language model processing | Prompts and content submitted to LLM API | United States |
| xAI Corp. | AI language model processing | Prompts and content submitted to LLM API | United States |
| DeepSeek | AI language model processing | Prompts and content submitted to LLM API | China |
| Modal Labs, Inc. | Sandbox execution | Code and execution data (Thurgood) | United States |
| GitHub, Inc. | Repository integration | Repository data, OAuth tokens | United States |
| Vercel, Inc. | Application hosting | Deployment artifacts (Orbit) | United States |
| AssemblyAI, Inc. | Audio transcription | Audio files submitted to Voice API | United States |
| ElevenLabs, Inc. | Text-to-speech | Text submitted to TTS API | United States |
| Voyage AI, Inc. | Embedding generation | Text submitted for embeddings | United States |
Updates: This list is updated at https://case.dev/legal/sub-processors. Subscribe to notifications by emailing hello@casemark.com.
By using case.dev Services, Customer acknowledges and agrees to this Data Processing Agreement.
Effective Date: December 10, 2025