1. Definitions
- Controller: The entity that determines the purposes and means of processing Personal Data
- Processor: CaseForge, acting on behalf of the Controller
- Data Subject: An identified or identifiable natural person whose Personal Data is processed
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on Personal Data
- Sub-processor: Any third party engaged by CaseForge to process Personal Data
2. Scope and Application
This Data Processing Agreement ("DPA") applies to all processing of Personal Data by CaseForge on behalf of the Controller in connection with the provision of the Service. This DPA supplements and forms part of the Terms of Service.
3. Processor Obligations
CaseForge shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorised to process the Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Respect the conditions for engaging sub-processors
- Delete or return all Personal Data to the Controller upon termination of services
4. Security Measures
Technical Measures
- Encryption of Personal Data in transit (TLS 1.3+) and at rest (AES-256)
- Firewalls and intrusion detection systems
- Regular security patches and updates
- Access controls and authentication mechanisms
- Regular data backups
Organisational Measures
- Regular employee security training
- Least-privilege access principles
- Confidentiality agreements with all staff
- Regular security audits and assessments
- Documented incident response procedures
5. Sub-processors
CaseForge currently uses the following sub-processors to deliver the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure and hosting | EU / UK |
| SendGrid | Email services | EU |
6. Data Subject Rights
CaseForge will assist the Controller in fulfilling its obligations to respond to Data Subject requests for:
- Access to their Personal Data
- Rectification of inaccurate data
- Erasure of Personal Data
- Restriction of processing
- Data portability
- Objection to processing
7. Data Breach Notification
In the event of a Personal Data breach, CaseForge will:
- Notify the Controller without undue delay after becoming aware of the breach
- Provide sufficient information to allow the Controller to meet its notification obligations
- Cooperate with the Controller's investigation of the breach
- Document all breaches, including those not requiring notification
8. International Transfers
CaseForge will not transfer Personal Data outside the EEA without the Controller's prior written consent. Where transfers are necessary, CaseForge will implement appropriate safeguards, including Standard Contractual Clauses, or rely on adequacy decisions recognised under UK GDPR.
9. Audits and Inspections
CaseForge will make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to reasonable advance notice and confidentiality obligations. CaseForge may satisfy audit requirements by providing relevant certifications and security reports.
10. Term and Termination
This DPA remains in effect for the duration of the Service agreement. Upon termination, CaseForge will, at the Controller's choice, delete or return all Personal Data and delete existing copies unless applicable law requires storage. CaseForge will certify such deletion in writing upon request.
11. Liability and Indemnification
The liability of each party under this DPA is subject to the limitations set out in the Terms of Service. Each party shall indemnify the other for damages caused by a breach of this DPA attributable to that party.
12. Governing Law
This DPA is governed by the laws of the United Kingdom and subject to the exclusive jurisdiction of the UK courts.
13. Contact Us
For questions about this DPA or to exercise rights under it, please contact our Data Protection Officer:
By using CaseForge Services, the Controller agrees to be bound by this Data Processing Agreement. This DPA is effective upon the Controller's acceptance of the Terms of Service.
Effective Date: Upon acceptance of Terms of Service