Esqase

Data Processing Agreement

Effective date: July 7, 2026
Last updated: July 7, 2026

This Data Processing Agreement ("DPA") is entered into between Esqase, Inc. ("Esqase," "Processor") and the law firm or organization that has accepted the Esqase Terms of Service ("Firm," "Controller"). This DPA forms part of the Terms of Service and governs the processing of personal data by Esqase on behalf of the Firm in connection with the Esqase platform and services (the "Service").


1. Definitions

In this DPA:

  • "Applicable Data Protection Law" means all privacy and data protection laws applicable to the processing of Personal Data under this DPA, including where applicable: the EU General Data Protection Regulation (GDPR) (EU 2016/679); the UK GDPR and Data Protection Act 2018; the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA); the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations; and other applicable national or state laws.
  • "Controller" means the Firm, who determines the purposes and means of processing Personal Data.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Personal Data" means any information relating to a Data Subject that is processed through the Service on behalf of the Firm.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, or deletion.
  • "Processor" means Esqase, acting on the Controller's instructions.
  • "Security Incident" means any confirmed unauthorized access to, disclosure of, alteration of, or destruction of Personal Data processed under this DPA.
  • "Subprocessor" means a third party engaged by Esqase to process Personal Data on behalf of the Firm.

2. Scope and Roles

2.1 Controller and Processor

The Firm is the Controller of Personal Data uploaded to or generated within the Service. Esqase is the Processor and processes Personal Data only on the Firm's instructions and for the purposes of providing the Service.

2.2 Categories of Personal Data

The Firm may submit Personal Data to the Service, which may include:

  • Contact information (name, email, phone, address)
  • Matter and case details
  • Billing and financial records
  • Documents and communications
  • Calendar events and scheduling information
  • Electronic signature data (including signer identity, IP address, timestamp, and device information)
  • User account information for Authorized Users

2.3 Categories of Data Subjects

Data Subjects may include the Firm's clients, prospective clients, contacts, opposing parties, Authorized Users, and other individuals whose data the Firm inputs into the Service.

2.4 Purpose of Processing

Esqase processes Personal Data solely to provide, operate, maintain, and improve the Service as directed by the Firm, and as further described in this DPA and the Privacy Policy.


3. Processing Instructions

3.1 Compliance with Instructions

Esqase will process Personal Data only in accordance with the Firm's documented instructions, including those set forth in the Terms of Service and this DPA, unless required to do otherwise by applicable law. If Esqase is required by law to process Personal Data other than as instructed, it will notify the Firm to the extent permitted by law.

3.2 Unauthorized Instructions

If Esqase reasonably believes that an instruction from the Firm violates Applicable Data Protection Law, it will notify the Firm promptly. Esqase is not required to follow instructions that it believes would cause it to violate applicable law.


4. Confidentiality

Esqase will ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations and are trained on data protection requirements. Access to Personal Data is restricted to Esqase personnel who need it to provide the Service.


5. Security

5.1 Technical and Organizational Measures

Esqase will implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:

| Measure | Description |
|---|---|
| Encryption in transit | All data transmitted between clients and servers uses TLS. |
| Encryption at rest | Sensitive data fields are encrypted using AES-256-GCM. |
| Access control | Role-based access control enforced at the database layer; tenant isolation preventing cross-firm data access. |
| Authentication | Multi-factor authentication available; session-managed access. |
| Audit logging | All significant data access and modifications are logged with timestamps, user identity, and action type. |
| Vulnerability management | Regular dependency updates and security monitoring. |
| Personnel training | Security awareness training for Esqase personnel. |
| Incident response | Documented procedures for detecting, responding to, and notifying of Security Incidents. |

5.2 Updates to Measures

Esqase may update its security measures from time to time to reflect evolving risks, provided that updates will not materially reduce the overall level of protection.


6. Subprocessors

6.1 Authorization

The Firm hereby grants Esqase a general authorization to engage Subprocessors to process Personal Data, subject to the requirements of this Section 6.

6.2 Current Subprocessors

Esqase's current Subprocessors include:

| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Cloud infrastructure (compute, storage, database) | United States |
| Google Firebase | Authentication, database, cloud functions, file storage, push notifications (Firebase Cloud Messaging) | United States |
| Cloudflare, Inc. | DNS, content delivery network, and network security | United States (global network) |
| Stripe, Inc. | Payment processing and subscription billing | United States |
| Resend, Inc. | Transactional (system) email delivery | United States |
| Google LLC (Gmail, Calendar, Meet APIs) | Email, calendar, and meeting integration (when enabled by a user) | United States |
| Microsoft Corporation (Outlook, Teams APIs) | Email, calendar, and meeting integration (when enabled by a user) | United States |
| Zoom Video Communications, Inc. | Meeting link integration (when enabled by a user) | United States |

6.3 Changes to Subprocessors

Esqase will provide at least 14 days' prior written notice (by email or in-app notice) before adding or replacing a Subprocessor that will process Personal Data. If the Firm has reasonable objections to a new Subprocessor, it must notify Esqase within 14 days of receipt of the notice. The parties will work in good faith to resolve the objection; if unresolved, the Firm may terminate the affected portion of the Service.

6.4 Subprocessor Obligations

Esqase will enter into written agreements with each Subprocessor imposing data protection obligations at least as protective as those in this DPA. Esqase remains liable to the Firm for the acts and omissions of its Subprocessors to the extent that Esqase would itself be liable under this DPA.


7. Data Subject Rights

7.1 Assistance

Esqase will provide the Firm with reasonable technical and organizational assistance to help the Firm fulfill its obligations to respond to Data Subjects' requests to exercise their rights under Applicable Data Protection Law (including rights of access, correction, deletion, restriction, portability, and objection).

7.2 Requests Received by Esqase

If Esqase receives a Data Subject request directly, it will promptly inform the Firm and will not respond to the request on the Firm's behalf without the Firm's instruction, unless required by law.


8. Security Incident Notification

8.1 Notification

Esqase will notify the Firm without undue delay, and in any event within 72 hours of becoming aware of a confirmed Security Incident affecting Personal Data processed under this DPA.

8.2 Notice Content

The notification will include, to the extent known: the nature of the Security Incident; the categories and approximate number of Data Subjects affected; the categories and approximate volume of Personal Data affected; likely consequences; and measures taken or proposed to address the incident.

8.3 Cooperation

Esqase will cooperate with the Firm and take reasonable steps to mitigate the impact of any Security Incident.


9. Data Protection Impact Assessments

Upon the Firm's reasonable request, Esqase will provide reasonable assistance to the Firm in conducting data protection impact assessments (DPIAs) and prior consultation with supervisory authorities, to the extent that such assistance is required and relates to Esqase's processing activities.


10. International Data Transfers

Where Personal Data originating from the EEA, UK, or other jurisdictions with data transfer restrictions is transferred to or processed in countries that do not provide an adequate level of data protection, Esqase will rely on approved transfer mechanisms, such as EU Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs), or other lawful basis. The Firm may request copies of applicable transfer mechanisms by contacting legal@esqase.com.


11. Audit Rights

11.1 Information and Audit

Esqase will make available to the Firm, on reasonable request and no more than once per year (unless a Security Incident has occurred), all information reasonably necessary to demonstrate compliance with this DPA.

11.2 Audit Process

Any audit by the Firm will be conducted with at least 30 days' prior written notice, during normal business hours, at the Firm's expense, and in a manner that minimizes disruption to Esqase's operations. Esqase may require the Firm and its auditors to execute a reasonable confidentiality agreement before disclosing audit-relevant information.


12. Return and Deletion of Data

Upon termination of the Firm's Subscription or upon the Firm's request:

  • Esqase will provide the Firm with a copy of its Personal Data in a machine-readable format.
  • Esqase will delete or anonymize Personal Data from active systems within 30 days of account termination.
  • Backup copies may be retained for up to 90 days before being purged.
  • Esqase may retain data as required by applicable law and will notify the Firm of any such retention obligation.

13. Limitation of Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service, to the extent permitted by Applicable Data Protection Law.


14. Precedence

In the event of a conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA will prevail. In all other respects, the Terms of Service govern.


15. Governing Law

This DPA is governed by the same law as the Terms of Service. For EU/EEA/UK parties, where required by Applicable Data Protection Law, the applicable EU/UK governing law applies to data protection matters.


16. Term

This DPA remains in effect for as long as Esqase processes Personal Data on behalf of the Firm. Sections 4, 5, 8, 12, and 13 survive termination.


17. Contact

For data protection inquiries, contact:

Esqase, Inc.
Data Protection Team
legal@esqase.com