Data Processing Agreement

Last Updated: November 29, 2025

1. Definitions

"Controller" means you, the user who determines the purposes and means of processing personal data.

"Processor" means CourtCase (operated by Haiec), which processes personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, including collection, storage, use, and deletion.

"Sub-processor" means any third party engaged by the Processor to process personal data.

2. Scope of Processing

Subject Matter: Document organization and timeline generation services

Duration: For the duration of your use of CourtCase services

Nature and Purpose:

  • OCR processing of uploaded documents
  • AI-powered extraction of dates, events, and entities
  • Generation of chronological timelines
  • Creation of formatted PDF documents
  • Temporary storage of case files

Types of Personal Data:

  • Names and contact information in uploaded documents
  • Dates and events described in documents
  • Any personal information contained in user-uploaded files
  • User account information (email, name)

Categories of Data Subjects:

  • Users of the CourtCase service
  • Individuals mentioned in uploaded documents

3. Processor Obligations

CourtCase agrees to:

  • Process data only on documented instructions from the Controller (you)
  • Ensure confidentiality - All personnel with access to personal data are bound by confidentiality obligations
  • Implement security measures including:
    • AES-256 encryption at rest
    • TLS 1.3 encryption in transit
    • Access controls and authentication
    • Regular security assessments
    • SHA256 file integrity verification
  • Engage sub-processors only with prior authorization (see Section 4)
  • Assist with data subject requests (access, deletion, portability)
  • Notify of data breaches within 72 hours
  • Delete or return data upon termination of services
  • Make available information to demonstrate compliance

4. Authorized Sub-processors

You authorize CourtCase to engage the following sub-processors:

Anthropic (Claude AI)

Purpose: AI-powered text extraction and analysis

Location: United States

Data Processed: Document text content (not stored by Anthropic)

Privacy Policy

Stripe

Purpose: Payment processing

Location: United States

Data Processed: Payment information (PCI DSS compliant)

Privacy Policy

Vercel

Purpose: Application hosting

Location: United States (with global edge network)

Data Processed: Application data, user sessions

Privacy Policy

Modal

Purpose: Backend processing and serverless functions

Location: United States

Data Processed: Document processing, API requests

Neon (PostgreSQL)

Purpose: Database storage

Location: United States

Data Processed: User accounts, case metadata

Privacy Policy

We will notify you of any changes to sub-processors at least 30 days in advance. You may object to new sub-processors by contacting us.

5. Data Retention and Deletion

Automatic Deletion Schedule:

  • Uploaded files: Deleted after 30 days
  • Generated timelines: Deleted after 30 days
  • Generated PDFs: Deleted after 30 days
  • Processing logs: Deleted after 90 days
  • Account data: Retained until account deletion
  • Payment records: Retained for 7 years (legal requirement)

Manual Deletion:

You may delete your data at any time through:

  • Dashboard: Delete individual cases
  • Settings: Delete entire account
  • Email: Request deletion at privacy@haiec.com

Deletion Verification:

Upon deletion, data is permanently removed from all systems within 7 days. Backups are purged within 30 days.

6. Data Subject Rights

CourtCase will assist you in responding to data subject requests:

  • Right of Access: Export your data from Settings
  • Right to Rectification: Edit your profile in Settings
  • Right to Erasure: Delete cases or account
  • Right to Data Portability: Download data in JSON/PDF format
  • Right to Object: Contact privacy@haiec.com
  • Right to Restrict Processing: Contact privacy@haiec.com

Response time: Within 30 days of request

7. Security Measures

Technical Measures:

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • SHA256 file integrity checksums
  • Bcrypt password hashing (12 rounds)
  • JWT token authentication with expiration
  • Rate limiting and DDoS protection
  • Regular security updates and patching

Organizational Measures:

  • Access limited to authorized personnel only
  • Confidentiality agreements with all staff
  • Security awareness training
  • Incident response procedures
  • Regular security assessments

8. Data Breach Notification

In the event of a personal data breach, CourtCase will:

  • Notify you within 72 hours of becoming aware of the breach
  • Provide details of the nature of the breach
  • Describe the likely consequences
  • Describe measures taken to address the breach
  • Provide contact information for further inquiries
  • Assist with notifications to supervisory authorities if required

9. International Data Transfers

Your data may be transferred to and processed in the United States. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) with sub-processors
  • Encryption of all data in transit and at rest
  • Compliance with EU-US Data Privacy Framework where applicable

10. Audit Rights

You have the right to audit our compliance with this DPA. Audits may be conducted:

  • Upon reasonable notice (at least 30 days)
  • During normal business hours
  • At your expense
  • Subject to confidentiality obligations

Alternatively, we can provide audit reports, certifications, or other documentation demonstrating compliance upon request.

11. Liability

Each party is liable for damages caused by processing that violates applicable data protection laws or this DPA. Liability is subject to the limitations set forth in our Terms of Service.

12. Term and Termination

This DPA is effective as long as you use CourtCase services. Upon termination:

  • We will delete or return all personal data within 30 days
  • We will provide certification of deletion upon request
  • Certain data may be retained as required by law

13. Contact Information

For questions about this DPA or data processing:

Data Protection Contact: privacy@courtcase.app

Legal Inquiries: legal@courtcase.app

General Support: support@courtcase.app

Company: KingCaliber LLC (DBA CourtCase, DBA Haiec)

Jurisdiction: State of Texas, United States