Legal

Casewyze Data Processing Addendum

Effective Date: May 12, 2026

This Data Processing Addendum (“DPA”) forms part of and supplements the Terms of Service and any applicable agreement between CaseWyze (“CaseWyze,” “Processor,” “we,” “our,” or “us”) and the customer entity using the Services (“Customer” or “Controller”).

This DPA governs the processing of Personal Data by CaseWyze on behalf of the Customer in connection with the CaseWyze platform, software, websites, APIs, mobile applications, and related services (collectively, the “Services”).

If there is a conflict between this DPA and the Terms of Service regarding Personal Data processing, this DPA shall control to the extent of that conflict.

1. Definitions

For purposes of this DPA:

“Applicable Privacy Laws”

Means all applicable privacy, data protection, and cybersecurity laws and regulations, including where applicable:

  • General Data Protection Regulation (“GDPR”);
  • UK GDPR;
  • California Consumer Privacy Act (“CCPA”);
  • California Privacy Rights Act (“CPRA”);
  • Other applicable U.S. state privacy laws;
  • Applicable international data protection laws.

“Controller”

Means the entity determining the purposes and means of processing Personal Data.

“Processor”

Means an entity processing Personal Data on behalf of a Controller.

“Personal Data”

Means information relating to an identified or identifiable individual processed through the Services.

“Data Subject”

Means the individual to whom Personal Data relates.

“Processing”

Means any operation performed on Personal Data, including collection, storage, use, disclosure, deletion, transfer, or organization.

“Subprocessor”

Means a third party engaged by CaseWyze to process Personal Data on behalf of Customer.

2. Roles of the Parties

Customer acts as the Controller of Personal Data processed through the Services.

CaseWyze acts as a Processor of Personal Data processed on behalf of Customer.

Each party shall comply with obligations applicable to it under Applicable Privacy Laws.

3. Nature and Purpose of Processing

CaseWyze processes Personal Data solely for the purpose of:

  • Providing the Services;
  • Hosting and maintaining Customer environments;
  • Authenticating users;
  • Storing and organizing Client Data;
  • Processing uploads and records;
  • Supporting investigative workflow functionality;
  • Providing customer support;
  • Monitoring platform security and performance;
  • Enforcing agreements;
  • Complying with legal obligations.

Processing activities may include:

  • Collection;
  • Recording;
  • Storage;
  • Structuring;
  • Retrieval;
  • Transmission;
  • Deletion;
  • Analysis;
  • Backup and recovery.

4. Categories of Data

Depending on Customer usage, Personal Data processed may include:

  • Names;
  • Email addresses;
  • Telephone numbers;
  • Physical addresses;
  • Identification numbers;
  • User account credentials;
  • Communications;
  • Investigative records;
  • Insurance-related records;
  • Legal records;
  • Uploaded documents;
  • Images;
  • Audio recordings;
  • Video recordings;
  • Geolocation data;
  • Device and usage data.

Sensitive information may be processed only at Customer’s direction and responsibility.

5. Customer Responsibilities

Customer represents and warrants that:

  • It has lawful authority to collect and process Personal Data;
  • It has provided required notices and obtained required consents;
  • Its instructions to CaseWyze comply with Applicable Privacy Laws;
  • It is solely responsible for determining the legality of the Personal Data uploaded to the Services.

Customer is responsible for:

  • Configuring user permissions;
  • Managing retention schedules;
  • Responding to Data Subject requests unless otherwise agreed;
  • Ensuring lawful investigative practices;
  • Ensuring compliance with applicable licensing and confidentiality obligations.

6. Casewyze Processing Obligations

CaseWyze shall:

  • Process Personal Data only on documented instructions from Customer;
  • Not sell Personal Data;
  • Not retain, use, or disclose Personal Data outside the scope of providing the Services;
  • Maintain confidentiality obligations for personnel accessing Personal Data;
  • Implement reasonable administrative, technical, and organizational safeguards.

CaseWyze shall not be responsible for reviewing the legality, accuracy, or admissibility of Customer-provided information.

7. Security Measures

CaseWyze maintains commercially reasonable security measures intended to protect Personal Data, including where appropriate:

  • Encryption in transit;
  • Access controls;
  • Role-based permissions;
  • Authentication protections;
  • Infrastructure monitoring;
  • Audit logging;
  • Backup systems;
  • Security incident monitoring.

Customer acknowledges that:

  • No system is completely secure;
  • Internet-based services involve inherent security risks;
  • Customer remains responsible for protecting credentials and exported data.

8. Subprocessors

Customer authorizes CaseWyze to engage Subprocessors necessary to provide the Services.

CaseWyze shall:

  • Maintain contractual protections with Subprocessors;
  • Require appropriate confidentiality obligations;
  • Require reasonable security protections.

CaseWyze remains responsible for the performance of its Subprocessors to the extent required by law.

A current list of major subprocessors may be provided upon written request.

9. International Data Transfers

Customer acknowledges that Personal Data may be processed in the United States or other jurisdictions where CaseWyze or its service providers operate.

Where legally required, CaseWyze may implement:

  • Standard Contractual Clauses;
  • Data transfer agreements;
  • Other lawful transfer mechanisms.

10. Data Subject Requests

Where legally required and reasonably feasible, CaseWyze shall provide reasonable assistance to Customer in responding to verified Data Subject requests concerning:

  • Access;
  • Correction;
  • Deletion;
  • Restriction;
  • Portability;
  • Objection rights.

Customer remains primarily responsible for responding to Data Subject requests.

CaseWyze may decline requests where:

  • Disclosure is prohibited by law;
  • Requests would compromise investigations or security;
  • Requests are technically infeasible;
  • Other legal exemptions apply.

11. Security Incidents

CaseWyze shall maintain procedures designed to detect and respond to Security Incidents involving Personal Data.

In the event of a confirmed Security Incident affecting Customer Personal Data, CaseWyze shall:

  • Notify Customer without undue delay where legally required;
  • Provide reasonably available information regarding the incident;
  • Take commercially reasonable steps to mitigate the incident.

CaseWyze does not guarantee that Security Incidents will never occur.

12. Data Retention and Deletion

Customer controls retention periods for Client Data where functionality permits.

Upon termination of Services:

  • Customer is responsible for exporting its data;
  • CaseWyze may retain certain data for backup, legal, audit, compliance, or security purposes;
  • Remaining Personal Data may be deleted according to CaseWyze retention schedules unless otherwise required by law.

13. Confidentiality

CaseWyze personnel with access to Personal Data shall be subject to confidentiality obligations.

CaseWyze shall not disclose Customer Personal Data except:

  • As instructed by Customer;
  • As required by law;
  • To authorized Subprocessors;
  • To protect legal rights or platform security.

14. Audits and Information Requests

Upon reasonable written request and subject to confidentiality protections, CaseWyze may provide information reasonably necessary to demonstrate compliance with this DPA.

Customer acknowledges that:

  • Security-sensitive information may be restricted;
  • Audit requests must be reasonable in scope and frequency;
  • CaseWyze may satisfy requests through existing certifications, reports, or documentation.

15. Liability

Liability arising under this DPA shall be subject to the limitations of liability contained within the CaseWyze Terms of Service unless otherwise prohibited by law.

16. Governing Law

This DPA shall be governed by the governing law provisions contained in the applicable Terms of Service between the parties.

17. Contact Information

Questions regarding this DPA or privacy-related matters may be directed to:

CaseWyze
Privacy and Compliance Department
info@casewyze.com