How we process personal data on behalf of your firm as your data processor under the UK GDPR.
Last updated: 15 July 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Legal Case Manager (“Processor”) and the firm using the platform (“Controller”). It governs our processing of personal data on your behalf and reflects the requirements of Article 28 of the UK GDPR.
For personal data your firm and its clients enter into the platform, your firm is the Controller and we are the Processor. We process that data only on your documented instructions, which include your configuration and use of the platform.
We process personal data for the purpose of providing the client-onboarding and matter-intake service for the duration of your subscription and any agreed data-retention period thereafter.
Processing includes collection, storage, organisation, access control, transmission and deletion of client and matter data to deliver onboarding, document handling, compliance checks and case management.
Data subjects include your firm’s clients and their related parties, and your staff. Categories may include identity and contact details, identity-verification data, matter details and uploaded documents — including special-category data where your matters require it.
We implement appropriate technical and organisational measures, including UK data residency (AWS eu-west-2), encryption in transit and at rest, matter-level role-based access control, ethical walls, multi-factor authentication and an immutable audit trail.
You authorise us to engage vetted sub-processors (for example, cloud hosting, email delivery, payments and electronic identity verification) under written terms that impose equivalent data-protection obligations. We remain responsible for their performance and will inform you of intended changes.
We store and process personal data in the United Kingdom. Where any transfer outside the UK is necessary, we will ensure an appropriate safeguard (such as the IDTA or an adequacy decision) is in place.
We will assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification and impact-assessment obligations. We will notify you without undue delay after becoming aware of a personal-data breach affecting your data.
On termination, and at your choice, we will return or delete the personal data we process on your behalf, subject to any retention required by law, and delete existing copies within a reasonable period.
We will make available information necessary to demonstrate compliance with this DPA and allow for reasonable audits, including through third-party reports and security documentation available on request.
This page is provided for general information about how Legal Case Manager operates and does not constitute legal advice. For questions, contact [email protected].