CaseLens Inc.
Data Protection Policy
Version: 3.0
Effective Date: September 2024
Last Reviewed: September 2025
Owner: CaseLens Inc., a Delaware C Corp (EIN 61-2265071)
1. Introduction
1.1. CaseLens Inc. (“CaseLens”) provides AI-powered products and services for professional teams working with complex data.
1.2. This policy sets out how CaseLens protects all data entrusted to it by its clients, in accordance with applicable law, contractual obligations, and industry best practices.
1.3. CaseLens processes client data solely for the purpose of delivering the agreed products and services.
2. Scope
2.1. This policy applies to:
2.1.1. All data received, processed, stored, or generated by CaseLens in the course of delivering its products and services.
2.1.2. All CaseLens personnel, contractors, and authorised representatives.
2.1.3. All infrastructure, systems, and third-party services used by CaseLens.
3. Data Processing Principles
3.1. CaseLens processes data in accordance with the following principles:
3.1.1. Purpose limitation — Data is used solely for delivering the agreed products and services. Any other use, including model training or secondary use of identifiable client data, is prohibited. CaseLens may use aggregated and de-identified technical metrics for the purposes of system optimization, internal benchmarking, and reporting on general service performance.
3.1.2. Data minimisation — CaseLens processes data provided by the client in connection with the agreed products and services. CaseLens does not seek or retain data beyond what is provided.
3.1.3. Confidentiality — All data is treated as confidential, regardless of whether it is marked as such.
3.1.4. Client ownership — All data provided to CaseLens and final outputs generated for the client (such as summaries and data tables) that contain Confidential Information remain the sole property of the client. CaseLens claims no ownership over the client's proprietary data.
3.1.5. CaseLens Intellectual Property — CaseLens retains all rights, title, and interest in and to its underlying software, algorithms, extraction methodologies, and any improvements or modifications made to its general service offerings during the course of the engagement, provided such improvements do not incorporate the Disclosing Party’s Confidential Information.
4. Data Storage
4.1. Location
4.1.1. All data is stored in encrypted cloud infrastructure.
4.1.2. The hosting region may be agreed with the client and can be configured to meet data residency requirements (e.g. EU-only).
4.2. Isolation
4.2.1. Each client engagement is logically isolated. Data from one engagement cannot be accessed from another.
4.3. What Is Stored
4.3.1. Documents and data provided by the client.
4.3.2. Outputs generated by CaseLens products and services.
4.3.3. Processing metadata.
4.3.4. User access preferences.
5. Encryption
5.1. In Transit
5.1.1. All data transmitted between CaseLens systems, sub-processors, and external services is encrypted using TLS 1.2 or higher.
5.2. At Rest
5.2.1. All data at rest is encrypted using AES-256 with provider-managed encryption keys. This includes:
5.2.1.1. Document storage.
5.2.1.2. Processed data and metadata.
5.2.1.3. Backups.
5.2.1.4. Secrets and credentials (encrypted via KMS).
6. Access Control
6.1. User Access
6.1.1. Access controls are managed centrally and enforced at the individual user level.
6.1.2. Users can only access data explicitly granted to them.
6.1.3. Users cannot view, search, or interact with any data outside their assigned scope.
6.2. CaseLens Personnel Access
6.2.1. Access to client data is restricted to authorised CaseLens engineers on a need-to-access basis, approved by the CTO or CEO.
6.2.2. Access is permitted solely for delivering products and services, support, and troubleshooting.
6.2.3. CaseLens does not access client data for any purpose beyond delivering the agreed products and services.
6.2.4. All access is logged and auditable.
6.3. Representative Obligations
6.3.1. All CaseLens personnel and representatives — including employees, contractors, and professional advisers — with access to client data are bound by confidentiality obligations at least as stringent as those set out in this policy and, where applicable, the relevant NDA.
7. Authentication
7.1. SSO is available via OAuth 2.0 / OIDC, with support for major enterprise identity providers.
7.2. Multi-factor authentication is enforced for all users.
7.3. Access to production infrastructure requires MFA and is restricted to authorised engineers.
8. Data Retention and Deletion
8.1. Retention
8.1.1. Data is retained only for as long as necessary to accomplish the agreed purpose.
8.1.2. CaseLens does not retain client data beyond the engagement period.
8.2. Deletion
8.2.1. Upon completion, termination, or written request from the client, the following applies:
8.2.1.1. All client data, including copies, derivatives, cached outputs, and backups, is securely deleted within 10 business days.
8.2.1.2. A written deletion confirmation is provided upon completion.
8.2.1.3. Residual copies in routine system backups that are not reasonably accessible are encrypted, access-restricted, and not restored or used except for disaster recovery purposes. These are purged in accordance with automated lifecycle policies.
8.3. Data Export
8.3.1. Upon request, CaseLens provides a mechanism for the client to export their data in a standard, usable format prior to termination.
8.3.2. The client is responsible for completing any export prior to the deletion window.
8.3.3. After the deletion window, CaseLens has no obligation to recover deleted data.
9. Backups
9.1. Versioning and point-in-time recovery are in place for operational resilience.
9.2. Backups are encrypted using the same standards as primary data (AES-256).
9.3. Backups are subject to the same retention and deletion obligations as primary data.
10. Monitoring and Logging
10.1. Application Logging
10.1.1. Application-level logging is in place across all key operations, including data processing, AI operations, and data access events.
10.1.2. Logs are timestamped and categorised.
10.2. Audit Logging
10.2.1. API-level audit logging captures data access events.
10.2.2. All access to client data by CaseLens personnel is logged.
10.3. Access to Logs
10.3.1. Access to logs is restricted to authorised personnel via role-based access.
10.4. Retention
10.4.1. Logs are retained for 12 months in line with this policy.
10.4.2. Clients may request access to relevant logs.
11. Incident Response
11.1. Notification
11.1.1. In the event of any security incident involving client data, CaseLens notifies the affected client without undue delay and in any event within 24 hours of becoming aware.
11.2. Response Process
11.2.1. The incident response process follows these stages:
11.2.1.1. Detection and alerting — identification of the incident.
11.2.1.2. Triage and classification — severity assessment.
11.2.1.3. Containment — immediate measures to limit impact.
11.2.1.4. Notification — affected clients are notified with all available details.
11.2.1.5. Investigation and reporting — root cause analysis and written incident report.
11.2.1.6. Remediation — corrective actions implemented and tracked to resolution.
11.2.1.7. Post-incident review — documented lessons learned and preventive measures.
11.3. Cooperation
11.3.1. CaseLens cooperates fully with the client and any relevant authorities in investigating and remediating incidents.
12. Sub-Processors
12.1. CaseLens engages third-party sub-processors for infrastructure, AI processing, and identity management. All sub-processors are vetted for compliance with applicable security and data protection standards.
12.2. A current list of sub-processors is available upon request.
12.3. Sub-processor terms prohibit the use of client data for any purpose other than performing the contracted service. No client data is retained by sub-processors beyond the duration of processing.
13. Security Training and Vetting
13.1. CaseLens maintains a security awareness programme for all personnel, covering secure development practices, social engineering, and data handling.
13.2. Pre-employment screening is conducted for all personnel.
13.3. Training records are maintained.
14. Physical Security
14.1. CaseLens runs entirely on cloud infrastructure with no on-premises servers or physical data storage.
14.2. Physical security of data centres is managed by the cloud provider under their compliance certifications, including SOC 1/2/3 and ISO 27001.
15. Vulnerability and Patch Management
15.1. CaseLens performs automated vulnerability scanning of application dependencies and container images during every build cycle as part of the CI/CD pipeline.
15.2. CaseLens aims to apply patches for verified critical vulnerabilities within 24 hours of a stable release being available, and within 7 days for high-risk vulnerabilities.
15.3. Container images are rebuilt and deployed from updated base images on a regular release schedule to ensure underlying libraries remain current, with automatic rollback capabilities in place for deployment failures.
16. Regulatory Compliance
16.1. Where required by applicable data protection legislation, including the EU GDPR, Swiss Federal Act on Data Protection (FADP), and UK GDPR, CaseLens enters into a Data Processing Agreement (DPA) with the client.
16.2. The DPA addresses international data transfers, data subject rights, breach notification obligations, data protection impact assessments, records of processing activities, and any other regulatory requirements arising from applicable law.
17. Governing Law
17.1. This policy and all related data processing activities are governed by the laws of the State of Delaware.
17.2. Where a Data Processing Agreement is in effect, the terms of the DPA prevail to the extent of any conflict with this policy.
18. Contact
18.1. For questions regarding this policy or to exercise any data-related rights:
CaseLens Inc.
1111B S Governors Ave STE 34874, Dover, DE 19904
Email: info@caselens.tech
This policy is reviewed at least annually and updated as necessary to reflect changes in law, technology, or business practices.
Team

Aram Aghababyan
Co-Founder / CEO
Aram is a lawyer turned legal tech builder with 5 years in arbitration and litigation. At 4 legal tech startups, he built AI tools lawyers actually use. He now leads the development of AI systems that speed up dispute-resolution prep, drawing on 10+ years in product, marketing, and sales.

Aren Ter-Balyan
Co-Founder / CTO
Aren is a US-educated legal engineer with 5 years of legal practice and experience at 3 legal tech companies building contract management solutions. With an LLM in cybersecurity and data privacy, he has developed AI-powered contract analysis solutions for tech giants & governments.
