Data Processing Agreement (DPA)
Last updated: March 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between CaseFill, Inc. (“CaseFill”, “Processor”) and the law firm or legal entity using the CaseFill platform (“Controller”, “you”). This DPA is provided as a template and does not constitute legal advice. Controllers should review this agreement with their own legal counsel.
1. Definitions
The following terms have the meanings set forth below when used in this DPA:
- Controller: The law firm or legal entity that determines the purposes and means of processing Personal Data through the CaseFill platform.
- Processor: CaseFill, Inc., which processes Personal Data on behalf of the Controller in accordance with this DPA and the Controller’s instructions.
- Data Subject: An identified or identifiable natural person whose Personal Data is processed. In the context of CaseFill, this typically includes immigration applicants, petitioners, beneficiaries, and their dependents.
- Personal Data: Any information relating to a Data Subject that can be used to directly or indirectly identify them, including names, identification numbers, passport data, contact information, and immigration case details.
- Processing: Any operation performed on Personal Data, whether automated or manual, including collection, recording, storage, retrieval, consultation, use, disclosure, erasure, or destruction.
- Sub-Processor: A third-party entity engaged by CaseFill to process Personal Data on behalf of the Controller in connection with the services.
2. Roles and Responsibilities
Controller (Law Firm)
The Controller:
- Determines the purposes and means of processing Personal Data of its clients and case participants
- Is responsible for ensuring a lawful basis for processing (e.g., consent, legitimate interest, contractual necessity, legal obligation)
- Must inform Data Subjects about the processing of their data, including the use of CaseFill as a Processor
- Retains full ownership and control of all data uploaded to or generated within the platform
Processor (CaseFill)
CaseFill, as the Processor:
- Processes Personal Data only on documented instructions from the Controller, unless required by applicable law
- Implements appropriate technical and organizational measures to ensure the security of Personal Data
- Assists the Controller in fulfilling its obligations to respond to Data Subject rights requests
- Notifies the Controller without undue delay upon becoming aware of a Personal Data breach
- Does not sell, share, or use Personal Data for any purpose other than providing the CaseFill services
3. Processing Details
CaseFill processes Personal Data as necessary to provide the immigration case management platform and related services, including:
- Storing and organizing case files, client profiles, and immigration documents
- AI-assisted analysis and extraction of information from uploaded documents. Document images are processed by AI vision models to extract structured data. After extraction, PII field values are redacted before any subsequent AI processing (e.g., form auto-fill, case research).
- Auto-filling USCIS forms based on extracted and attorney-reviewed data
- Generating PDF documents for filing
- Sending transactional emails (case updates, client invitations, notifications)
- Processing payments and managing subscriptions
- Maintaining audit logs for compliance and attorney record-keeping
CaseFill does not make independent decisions about the purpose or manner of data processing. All processing activities are performed in accordance with the Controller’s use of the platform features.
4. Data Categories and Purposes
The following categories of Personal Data may be processed through the CaseFill platform:
| Category | Examples | Purpose |
|---|---|---|
| Identifiers | Names, dates of birth, passport numbers, A-numbers, SSNs, visa numbers | Case management, form filling, identity verification |
| Documents | Passports, I-94s, birth certificates, employment letters, financial records | Document analysis, evidence organization, form auto-fill |
| Contact Information | Email addresses, phone numbers, mailing addresses | Client communication, form filling, notifications |
| Financial Data | Payment card details (via Stripe), billing addresses, subscription records | Payment processing, subscription management |
| Audit Data | User actions, login timestamps, document access logs, case status changes | Compliance, attorney record-keeping, security monitoring |
Sensitive identifiers (SSNs, passport numbers, A-numbers, etc.) receive application-level AES-256-GCM encryption at rest and are redacted before any AI processing. See our Security Policy for details.
5. Sub-Processors
CaseFill engages the following Sub-Processors to provide its services. Sub-Processors are engaged under their API terms of service with zero-training and minimal-retention guarantees. CaseFill is in the process of executing formal Data Processing Agreements with each sub-processor; current status is available on request. The Controller consents to the use of the Sub-Processors listed below:
| Sub-Processor | Purpose | Location | Compliance |
|---|---|---|---|
| Supabase | Database, authentication, file storage | United States | SOC 2 Type II |
| Anthropic | AI document analysis and form auto-fill (Claude) | United States | SOC 2 Type II |
| OpenAI | AI embeddings and supplementary analysis | United States | SOC 2 Type II |
| Stripe | Payment processing and subscription billing | United States | PCI DSS Level 1, SOC 2 |
| Resend | Transactional email delivery | United States | SOC 2 |
| Vercel | Application hosting and edge delivery | United States | SOC 2 Type II |
| Railway | Background job processing, PDF generation, Redis | United States | US-hosted |
| Upstash | Rate limiting and caching | United States | SOC 2 |
| Sentry | Error monitoring (configured to exclude PII) | United States | SOC 2 |
CaseFill will notify the Controller of any intended changes to Sub-Processors at least 30 days in advance. The Controller may object to such changes by contacting CaseFill at dpa@casefill.ai.
6. Data Subject Rights
CaseFill assists the Controller in responding to Data Subject rights requests under GDPR Articles 15–22 and other applicable data protection laws. The following rights are supported:
- Right of Access (Article 15): Data Subjects may request a copy of their Personal Data. Controllers can export all case data, client profiles, and associated documents through the platform’s data export functionality.
- Right to Rectification (Article 16): Data Subjects may request correction of inaccurate Personal Data. Controllers can update client records and case data directly within the platform.
- Right to Erasure (Article 17): Data Subjects may request deletion of their Personal Data, subject to legal retention obligations. Controllers can initiate deletion through account settings. CaseFill will delete or anonymize data within 30 days, except where retention is required by law.
- Right to Data Portability (Article 20): Data Subjects may request their data in a structured, commonly used, machine-readable format. CaseFill supports data export in standard formats.
- Right to Object (Article 21): Data Subjects may object to processing of their Personal Data. Controllers can disable specific processing features (e.g., AI analysis) on a per-case or account-wide basis.
- Right to Restriction of Processing (Article 18): Data Subjects may request restriction of processing under certain circumstances. Controllers can archive cases or disable AI features to restrict processing scope.
CaseFill will respond to Controller requests regarding Data Subject rights without undue delay and within 30 days. Requests should be directed to dpa@casefill.ai.
7. Security Measures
CaseFill implements the following technical and organizational measures to protect Personal Data, in accordance with Article 32 of the GDPR:
Encryption
- AES-256-GCM application-level encryption for sensitive PII fields (SSNs, passport numbers, A-numbers, dates of birth, financial data) with unique initialization vectors per field
- TLS 1.3 encryption for all data in transit (browser-to-server, server-to-database, server-to-AI-provider, inter-service communication)
- Database-level encryption at rest via Supabase (AES-256)
- Encrypted file storage for uploaded documents
Access Controls
- PostgreSQL row-level security (RLS) policies enforced at the database layer, ensuring firm-level data isolation
- Role-based access control (RBAC) with attorney, client, and admin roles
- Multi-factor authentication (MFA) via TOTP with 128-bit backup codes
- Bcrypt password hashing with rate-limited authentication endpoints
AI-Specific Safeguards
- PII redaction for AI form processing: after initial document analysis, sensitive field values (SSNs, passport numbers, A-numbers, dates of birth, phone numbers, emails) are replaced with redacted placeholders before any subsequent AI calls such as form auto-fill and case research. Initial document image analysis requires the AI to see the document to extract data; zero-training guarantees ensure this data is not retained or used for model training.
- Zero AI training guarantee: API providers do not train on API inputs/outputs
- Granular AI consent: AI features require explicit opt-in and can be disabled per-account
Monitoring and Audit
- Comprehensive audit logging of user actions, document access, and case status changes
- Error monitoring via Sentry (configured to exclude PII from reports)
- Rate limiting on all API endpoints to prevent abuse
For a detailed description of security measures, see our Security & AI Data Policy.
8. International Data Transfers
All CaseFill infrastructure and Sub-Processors are based in the United States. Personal Data is stored and processed within the United States.
For Controllers located in the European Economic Area (EEA), United Kingdom, or Switzerland, CaseFill relies on the following transfer mechanisms for cross-border data transfers:
- Standard Contractual Clauses (SCCs): For Controllers requiring SCC back-to-back coverage, contact dpa@casefill.ai. CaseFill can execute the European Commission’s Standard Contractual Clauses (Module 2: Controller-to-Processor, Commission Implementing Decision (EU) 2021/914) on a Controller-to-Processor basis where required by applicable law.
- EU-U.S. Data Privacy Framework: Where applicable, Sub-Processors that are certified under the EU-U.S. Data Privacy Framework provide an additional transfer mechanism
- Supplementary measures: Encryption in transit and at rest, access controls, and contractual obligations on all Sub-Processors
9. Data Retention and Deletion
CaseFill retains Personal Data only as long as necessary to provide the services and comply with legal obligations. The following retention periods apply:
| Data Type | Retention Period | Basis |
|---|---|---|
| Account Data | Active account + 30 days after deletion request | Recovery window, then permanent deletion |
| Case Data | 7 years after case closure | Attorney record-keeping obligations |
| Billing Records | 7 years | Tax and accounting requirements |
| Audit Logs | 7 years | Regulatory compliance, attorney record-keeping |
| AI Processing Logs | Extracted suggestions only; no full conversation history retained | Service functionality |
Upon account deletion, Personal Data is anonymized (e.g., email addresses changed to @deleted.casefill.ai) and personal identifiers are removed. Data subject to legal retention periods is retained in anonymized form only.
10. Breach Notification
In the event of a Personal Data breach, CaseFill will:
- Detection: Identify and contain the breach within 24 hours of becoming aware of it
- Notification: Notify the Controller without undue delay and in any event within 72 hours of confirming the breach, in accordance with GDPR Article 33
- Information provided: The nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, measures taken or proposed to address the breach
- Cooperation: Assist the Controller in notifying affected Data Subjects and relevant supervisory authorities as required under applicable law
- Documentation: Maintain a record of all data breaches, including facts, effects, and remedial actions taken
11. Term and Termination
This DPA is effective for the duration of the Controller’s use of the CaseFill platform and terminates when the Controller ceases to use the services.
Upon Termination
- Data export window: The Controller will have 30 days from the date of termination to export all data through the platform’s data export functionality or by contacting CaseFill support
- Deletion schedule: After the 30-day export window, CaseFill will delete or anonymize all Personal Data within 30 additional days, except where retention is required by law (see Section 9)
- Confirmation: CaseFill will provide written confirmation of data deletion upon the Controller’s request
Obligations under this DPA that by their nature should survive termination (including confidentiality, breach notification, and data retention obligations) will survive the termination of this DPA.
12. Contact and Dispute Resolution
For questions, requests, or concerns regarding this DPA or data processing practices, please contact:
- Email: dpa@casefill.ai
- Entity: CaseFill, Inc.
Dispute Resolution
Any disputes arising under this DPA will be resolved as follows:
- Negotiation: The parties will first attempt to resolve any dispute through good-faith negotiation
- Governing law: This DPA is governed by the laws of the State of Delaware, United States, without regard to conflict-of-law principles
- Jurisdiction: Any legal proceedings will be brought in the state or federal courts located in Delaware
- Supervisory authority: Nothing in this DPA prevents a Data Subject from lodging a complaint with a supervisory authority in the EU Member State of their habitual residence or place of work