This Data Processing Agreement ("Agreement" or "DPA") forms part of the Terms of Use between you ("Client" or "Controller") and VBD Global Services, LLC, operating the CaseMate Suite ("Processor", "we", "us", or "our"), collectively referred to as the "Parties".

This DPA governs how we process Personal Data on your behalf in the course of providing our self-hosted, subscription-based services through legalcasesuite.com (the "Service").

1. Definitions

"Controller" means the entity which determines the purposes and means of the processing of Personal Data.

"Processor" means the entity which processes Personal Data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means.

"Applicable Data Protection Law" means all data privacy laws and regulations applicable to the Processing under this Agreement, including but not limited to the General Data Protection Regulation (EU) 2016/679 (GDPR), California Consumer Privacy Act (CCPA), and California Privacy Rights Act (CPRA), to the extent applicable.

2. Roles and Scope

The Client is the Controller of the Personal Data submitted to the Service. VBD Global Services, LLC is the Processor and shall process Personal Data only on documented instructions from the Controller and solely for the purposes of providing the Service.

3. Categories of Data Processed

The following categories of Personal Data may be processed on behalf of the Client:

• Name
• Email address
• Professional affiliation or license
• Last four digits of financial account references (if voluntarily submitted by the Client)
• Login and session data (IP address, timestamps, device type)

No special categories of personal data (e.g., health, biometric, criminal) are intended to be processed.

4. Purpose and Nature of Processing

We process Personal Data solely for the following purposes:

• To provide, maintain, and support the CaseMate Suite services
• To enable secure login and access control
• To support user account and subscription features
• To perform internal analytics for platform security and improvement
• To meet legal, contractual, or regulatory obligations

We do not use Personal Data for marketing, profiling, or resale. Data is never shared with third parties.

5. Duration of Processing

We will process Personal Data for the duration of your subscription and for up to 60 days following its termination or expiration, unless a shorter retention period is applicable. After that period, data is automatically and irreversibly purged.

6. Confidentiality and Access Control

All employees, contractors, or agents authorized to process Personal Data are subject to confidentiality obligations and receive regular security training. Access to Personal Data is restricted on a need-to-know basis using role-based access control (RBAC) and authentication safeguards.

7. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• TLS encryption for all data in transit
• AES-256 encryption for data at rest
• Encrypted database tables and backups
• Firewalled, self-hosted infrastructure with physical access control
• Session timeout enforcement and MFA options

We routinely review and update our security posture and incident response plans.

8. Subprocessors

We do not use any third-party subprocessors. All infrastructure, servers, and services are hosted, maintained, and operated internally at our U.S.-based private datacenter. Should this change, we will notify Controllers in advance and provide an updated DPA listing approved subprocessors with a right to object.

9. Data Subject Rights

To the extent applicable, we assist the Controller in responding to data subject requests under GDPR, CCPA, or similar laws, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to data portability
• Right to object or restrict processing

Requests submitted directly to us will be redirected to the Controller unless we are legally required to respond independently.

10. International Transfers

All Personal Data is stored and processed within the United States. We do not transfer Personal Data outside of the U.S. at this time. If such transfers become necessary in the future, we will ensure appropriate safeguards under GDPR Chapter V, including Standard Contractual Clauses (SCCs).

11. Audit and Compliance

Upon reasonable notice and no more than once annually, the Controller may audit the Processor's technical and organizational measures by:

• Reviewing documentation we provide
• Requesting written summaries of internal security audits
• Scheduling a remote or on-site audit, subject to confidentiality and logistical constraints

We will cooperate fully with any audits necessary to comply with data protection obligations.

12. Breach Notification

In the event of a personal data breach, we will notify the Controller without undue delay and provide:

• A description of the nature of the breach
• The categories and approximate number of data subjects affected
• The likely consequences of the breach
• The measures taken or proposed to address the breach

We will also assist the Controller in fulfilling any regulatory or legal obligations related to the breach.

13. Termination and Deletion of Data

Upon termination of the Service, and following a 60-day retention period, all Personal Data will be deleted from our systems unless legally required to retain it. The Controller may also request early deletion in writing.

14. Governing Law and Jurisdiction

This DPA shall be governed by the laws of the State of Texas, United States. Any dispute arising in connection with this DPA shall be subject to the exclusive jurisdiction of the courts located in Dallas County, Texas.

15. Contact

For any data protection-related inquiries or requests under this DPA, please contact:

VBD Global Services, LLC
LegalCaseSuite – Data Protection Officer
30 North Gould Street, Suite R
Sheridan, Wyoming 82801
Email: privacy@legalcasesuite.com