Data Processing Addendum

What this is. This Data Processing Addendum (the "DPA") supplements the Terms of Service between CourtFlow AI, Corp. ("CourtFlow") and the law firm or organization that subscribes to the CourtFlow AI service ("Customer", "you"). It governs how CourtFlow processes Customer Personal Data on Customer's behalf in the course of providing the Service. By accepting the Terms of Service or by using the Service, Customer accepts this DPA.

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service.

• "Customer Personal Data" means any information that identifies or relates to an identifiable natural person and that CourtFlow processes on behalf of Customer in connection with the Service. It includes the personal data of Customer's users (e.g., name, email, bar number), the personal data contained in court documents and emails Customer routes through the Service, and intake answers and uploads submitted to Customer's public probate intake portal by prospective clients.
• "Processing" means any operation performed on Customer Personal Data, including collection, storage, transmission, analysis, and deletion.
• "Controller" means the entity that determines the purposes and means of Processing.
• "Processor" means an entity that Processes data on behalf of a Controller.
• "Subprocessor" means any third party engaged by CourtFlow to Process Customer Personal Data, as listed at courtflow.ai/subprocessors.
• "Security Incident" means a confirmed breach of CourtFlow's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data. It does not include unsuccessful login attempts, port scans, denial-of-service attempts, or other events that do not result in unauthorized access to Customer Personal Data.

2. Roles & Scope

For Customer Personal Data Processed in connection with the Service, Customer is the Controller and CourtFlow is the Processor. CourtFlow Processes Customer Personal Data only:

• To deliver the Service as described in the Terms of Service and our Privacy Policy;
• In accordance with Customer's documented instructions, which are deemed to include the configuration choices Customer makes in the application (email provider, storage provider, AI aggressiveness, deadline rules, jurisdictional defaults, feature flags, etc.);
• As required by applicable law, in which case CourtFlow will, where legally permitted, inform Customer of the legal requirement before Processing.

CourtFlow acts as an independent Controller for a narrow, separate category of data: account-level billing information, support correspondence with Customer's administrators, sales-cycle communications (including data captured by the public sales chat widget), website-analytics data captured before Customer signs up, and CourtFlow's own audit logs of system activity. The Privacy Policy describes how that data is handled.

3. Subject Matter, Duration, Nature & Categories

• Subject matter: Provision of the CourtFlow AI service.
• Duration: The term of the Customer's subscription, plus the post-termination retention windows described in §10 of this DPA and §6 of the Privacy Policy.
• Nature & purpose of Processing: Court email ingestion, document analysis, deadline extraction, case management, calendar & task synchronization, AI-generated work product (briefs, drafts, trial preparation, probate documents), audit logging, billing, and notifications.
• Categories of data subjects: Customer's users (attorneys, paralegals, staff); Customer's clients and adverse parties identified in court filings and emails; opposing counsel, judges, and court staff named in those filings; prospective clients who submit a public probate intake.
• Categories of personal data: Identification (name, bar number, firm), contact (email, phone, address), professional (role, signature block, court of admission), case and matter content (filings, deadlines, parties, summaries), authentication (OAuth tokens — encrypted), audit logs, billing identifiers.
• Special categories: Court filings frequently contain information that may include health, financial, or other sensitive data. Customer is responsible for ensuring it has a lawful basis to route such data through the Service.

4. CourtFlow Obligations

CourtFlow will:

• Process Customer Personal Data only on documented instructions from Customer;
• Ensure that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and are trained on security and privacy expectations;
• Implement and maintain the technical and organizational measures described in §6;
• Assist Customer in responding to requests from data subjects, as described in §7;
• Notify Customer of Security Incidents as described in §8;
• Make available the information necessary to demonstrate compliance with this DPA, as described in §9; and
• Return or delete Customer Personal Data at the end of the Service as described in §10.

5. Subprocessors

Customer authorizes CourtFlow to engage the Subprocessors listed at courtflow.ai/subprocessors and any further Subprocessors added in accordance with this section. CourtFlow remains responsible for the acts and omissions of its Subprocessors with respect to Customer Personal Data to the same extent as if CourtFlow were performing the services directly.

CourtFlow will impose data-protection obligations on each Subprocessor by written contract that are no less protective than those in this DPA.

Notice of new Subprocessors. CourtFlow will update the Subprocessor page and post a changelog entry before engaging a new Subprocessor that will Process Customer Personal Data, with at least 30 days' notice except where a faster engagement is required to maintain Service availability or address a security risk. Customer may subscribe to proactive change notifications by emailing privacy@courtflow.ai.

Right to object. Customer may object in writing to a new Subprocessor within 30 days of notice, on a documented, reasonable basis (e.g., a regulatory restriction or legal-ethics constraint applicable to Customer). The parties will work in good faith to find a workable resolution. If none can be reached, Customer may terminate the affected portion of the Service for cause and receive a pro-rata refund of any prepaid fees covering the period after termination, as Customer's sole and exclusive remedy.

6. Security Measures

CourtFlow implements and maintains the technical and organizational measures described on our Security page, which include at minimum:

• Zero-document-storage architecture for court PDFs (filed directly to Customer's own Google Drive or OneDrive; not retained on CourtFlow infrastructure);
• Encryption in transit (TLS 1.2+, HSTS with one-year policy and subdomain coverage);
• Encryption at rest (AES-256 at the database storage layer, plus AES-256-GCM application-layer encryption for OAuth refresh tokens, with the encryption key held outside the database);
• Tenant isolation via mandatory tenantId scoping on every database read and write, and parameterized SQL throughout;
• Authentication and access control via OAuth 2.0 (Google, Microsoft), JWT-signed sessions with 7-day maximum lifetime and 1-hour sliding refresh, and a four-tier role-based access control matrix (Admin, Attorney, Paralegal, Read-Only);
• Input validation including magic-byte signature checks on uploads from unauthenticated public surfaces (filing analyzer, public probate intake) and LIKE-pattern escaping in SQL lookup endpoints;
• Rate limiting on all critical endpoints to mitigate abuse;
• Logging and monitoring with PII-scrubbed error reporting (Sentry); and
• Secret management via encrypted environment variables; secrets are not committed to source control and are redacted from outbound error reports.

CourtFlow may update its security measures from time to time, provided that the updated measures do not materially decrease the overall security of Customer Personal Data.

7. Data Subject Requests

Customer is responsible for responding to requests from data subjects to exercise their rights (including access, correction, deletion, and portability). The Service exposes self-service tools that let Customer fulfill these requests directly:

• Settings → Privacy & Data → Download Export produces a JSON bundle of a user's profile, firm settings, cases, document metadata, deadlines, case notes, time entries, and recent activity log.
• Settings → Privacy & Data → Delete Account revokes OAuth access immediately and schedules permanent deletion within 30 days; a 30-day grace window allows recovery.
• Public probate intake submitters do not have CourtFlow accounts; they may exercise rights by contacting the inviting Customer firm or by emailing privacy@courtflow.ai, which will route the request to the firm.

Where a data subject contacts CourtFlow directly with a request relating to Customer Personal Data, CourtFlow will, unless legally prohibited, refer the request to Customer without responding substantively.

To the extent the self-service tools are insufficient for a particular request, CourtFlow will provide commercially reasonable assistance to Customer at no additional charge for routine requests, and at hourly time-and-materials rates for requests that require substantial engineering effort.

8. Security Incident Notification

CourtFlow will notify Customer of a Security Incident affecting Customer Personal Data without undue delay, and in any case within seventy-two (72) hours of confirmed discovery. Notification will be sent to the administrator email addresses on file for the affected Customer's tenant.

The notification will include, to the extent then known: the nature of the incident; the categories and approximate volume of data subjects and records affected; the likely consequences; and the measures CourtFlow has taken or proposes to take to address the incident and mitigate its effects. CourtFlow will provide updates as additional information becomes available and will produce a written post-mortem for severity-1 and severity-2 incidents.

CourtFlow's notification of, or response to, a Security Incident is not an acknowledgement by CourtFlow of any fault or liability with respect to the incident.

9. Audits & Assurance

CourtFlow will make available to Customer the information necessary to demonstrate compliance with this DPA. Specifically, CourtFlow will, upon written request and no more than once per twelve-month period:

• Provide the most recent SOC 2 (or equivalent) reports of the infrastructure Subprocessors that hold such reports (e.g., Supabase, Vercel);
• Respond in good faith to a reasonable, scoped security questionnaire from Customer; and
• Permit Customer or a mutually agreed independent auditor (subject to written confidentiality obligations) to conduct an audit of CourtFlow's controls relevant to the Processing of Customer Personal Data, on at least 30 days' prior written notice, during normal business hours, in a manner that does not interfere with CourtFlow's operations or the security of other customers' data, and at Customer's expense — except where the audit reveals a material breach of this DPA, in which case CourtFlow will reimburse Customer's reasonable audit costs.

The audit right above is in addition to any audit rights that may be required by applicable law.

10. Return & Deletion of Customer Personal Data

Upon termination or expiration of the Service:

• Customer may export its data via the self-service export tool at any time during the subscription, and for at least 90 days following termination;
• After the 90-day post-termination window, CourtFlow will permanently delete Customer Personal Data from production systems within an additional 30 days, except for: (a) account-level billing records retained as required by tax or accounting law; (b) audit logs retained for 12 months for security and incident-response purposes; and (c) backups, which are overwritten on the standard backup-rotation schedule (typically within 30 days);
• Court documents that were filed to Customer's own Google Drive or OneDrive remain in Customer's storage account; CourtFlow has no copies to return or delete; and
• Public probate intake submissions remain in the inviting Customer's account and follow the same retention rules as other Customer Personal Data.

CourtFlow will, on Customer's written request, provide written confirmation of completed deletion.

11. International Transfers

The Service is operated from and intended for use within the United States. CourtFlow does not knowingly accept registrations from, or actively market the Service to, residents of the European Economic Area, the United Kingdom, or Switzerland, and accordingly does not enter into Standard Contractual Clauses, the EU-U.S. Data Privacy Framework, or analogous transfer mechanisms. If Customer's use of the Service involves the transfer of personal data of EEA, UK, or Swiss data subjects, Customer is solely responsible for ensuring it has a lawful basis for that transfer and may not rely on this DPA as such a basis.

12. Liability & Order of Precedence

Each party's liability under or in connection with this DPA is subject to the exclusions and limitations of liability in the Terms of Service. In the event of a conflict between this DPA and the Terms of Service with respect to the Processing of Customer Personal Data, this DPA controls.

13. Term & Changes

This DPA is effective as of the date Customer accepts the Terms of Service or first uses the Service, whichever is earlier, and continues for the duration of the Service plus any post-termination retention period described in §10.

CourtFlow may update this DPA from time to time. We will post the updated DPA at this URL, bump the "Last updated" date, and post a changelog entry. If a change materially reduces the protections this DPA provides to Customer Personal Data, CourtFlow will give Customer at least 30 days' notice via the administrator email addresses on file before the change takes effect; Customer's sole remedy if it does not accept the change is to terminate the affected Service for cause within that notice period and receive a pro-rata refund of any prepaid fees covering the period after termination.

Privacy & data-protection contact

For DPA questions, audit requests, Subprocessor change subscriptions, or breach-notification routing, contact privacy@courtflow.ai.