Last updated: April 5, 2026
This DPA supplements the Terms of Service and applies when CounselAudit Inc. processes personal data on behalf of the Customer. For a summary of our security controls and sub-processor certifications, see our Trust & Security page. Enterprise customers may request a signed version at privacy@counselaudit.ai.
“Controller” means the Customer (you). “Processor” means CounselAudit Inc. “Personal Data” means any information relating to an identified or identifiable natural person that is processed through the Service. “Processing” means any operation performed on Personal Data, including collection, storage, use, and deletion.
This DPA applies to the processing of Personal Data contained in legal invoices, billing records, and related documents uploaded to the Service. Personal Data processed may include: timekeeper names, billing rates, email addresses, matter descriptions, organization names, subscription plan details, and payment transaction references. Processing is performed solely to provide the invoice review, guideline enforcement, subscription management, and reporting features described in the Terms of Service.
CounselAudit Inc. shall: (a) process Personal Data only on documented instructions from the Controller; (b) ensure that persons authorized to process Personal Data are bound by confidentiality obligations; (c) implement appropriate technical and organizational security measures; (d) not engage sub-processors without prior written consent; (e) assist the Controller in responding to data subject requests; (f) delete or return Personal Data upon termination of the agreement; (g) make available all information necessary to demonstrate compliance.
We implement the following security measures: encryption at rest (AES-256) and in transit (TLS 1.3); access controls with role-based permissions; audit logging of all data access and modifications; regular security assessments; incident response procedures; employee background checks and training. Payment card data is processed exclusively by Stripe, a PCI DSS Level 1 certified service provider. CounselAudit does not store, process, or transmit cardholder data on its own infrastructure.
The following sub-processors are authorized to process Personal Data:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database hosting, file storage | US-East-1 |
| Vercel | Application hosting, CDN | US/Global Edge |
| Clerk | Authentication, user management | US |
| Anthropic | AI invoice parsing, guideline generation | US |
| Resend (AWS SES) | Transactional email delivery | US-East-1 |
| Stripe | Payment processing | US |
We will notify you before adding or replacing sub-processors, providing you an opportunity to object.
We will assist you in fulfilling data subject requests, including: right of access, right to rectification, right to erasure, right to data portability, and right to restrict processing. Data subjects may request account deletion through the Settings page or by contacting support@counselaudit.ai.
Personal Data is retained for the duration of the service agreement plus 30 days. Upon account termination or request, Personal Data will be permanently deleted within 30 days. Backup copies are purged within 90 days. The Controller may configure data retention policies through the Settings page.
In the event of a Personal Data breach, we will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include: the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken to address the breach.
Personal Data is primarily stored and processed in the United States (US-East-1 region). For transfers from the EEA, UK, or Canada, we rely on Standard Contractual Clauses (SCCs) and/or adequacy decisions as applicable. Canadian data is processed in compliance with PIPEDA.
Invoice data is processed by Anthropic's Claude AI for parsing, guideline generation, and flag analysis. Data sent to Anthropic is transmitted over TLS 1.3 and is not used to train AI models. Per Anthropic's commercial terms, API inputs and outputs may be retained for up to 30 days for Trust & Safety and abuse monitoring purposes, after which they are deleted from Anthropic's systems. Anthropic's data processing terms apply to AI processing. Enterprise customers with heightened confidentiality requirements may request Zero Data Retention (ZDR) — contact privacy@counselaudit.ai to initiate the ZDR request with Anthropic.
Each party's aggregate liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is limited to the total fees paid by the Customer to CounselAudit Inc. during the twelve (12) months immediately preceding the event giving rise to the claim. This limitation does not apply to: (a) breaches of confidentiality obligations, (b) violations of applicable data protection law caused by a party's gross negligence or willful misconduct, or (c) a party's indemnification obligations. Nothing in this DPA excludes liability that cannot be excluded under applicable law.
The Customer has the right, at its own expense and no more than once per calendar year, to audit CounselAudit Inc.'s compliance with this DPA. Audits require thirty (30) days' prior written notice and must be conducted during normal business hours in a manner that does not unreasonably disrupt operations. CounselAudit Inc. may satisfy audit requests by providing: (a) its most recent third-party security assessment or SOC 2 report (when available), (b) responses to a reasonable security questionnaire, or (c) access to relevant policies, procedures, and records. In the event of a confirmed Personal Data breach, the Customer may request an audit without the annual limitation and with fourteen (14) days' notice.
Upon termination of the service agreement or at any time upon written request, CounselAudit Inc. will, at the Customer's election, either return or permanently delete all Personal Data. Returned data will be provided in structured, machine-readable formats (CSV or JSON) within thirty (30) days of request, covering: invoices, line items, timekeepers, matters, law firms, guidelines, flags, approvals, and audit log entries. Original uploaded files (PDF/LEDES) will be made available via signed URLs where retained. Following return, data will be deleted from production systems within thirty (30) days and purged from encrypted backups within ninety (90) days, consistent with Section 7. CounselAudit Inc. will provide written certification of deletion upon request.
This DPA forms part of and is governed by the Terms of Service between the parties. In the event of any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA controls.
For DPA inquiries, data subject requests, or to request a signed copy: privacy@counselaudit.ai