Data Processing Agreement
Last updated: March 27, 2026 | This DPA is incorporated into and forms part of the FirmEdge Terms of Service
This Data Processing Agreement ("DPA") governs how FirmEdge processes personal data on behalf of law firm clients. It is designed to satisfy requirements under CCPA, GDPR (where applicable), and ABA Model Rule 1.6 confidentiality obligations for attorney-client data.
1. Definitions
- "Controller" — the law firm (Client) that determines the purposes and means of processing personal data
- "Processor" — FirmEdge, which processes personal data on behalf of the Controller
- "Personal Data" — any information relating to an identified or identifiable natural person
- "Client Data" — personal data of the law firm's clients and prospective clients
- "Processing" — any operation performed on personal data (collection, storage, use, transmission, deletion)
- "Sub-processor" — third-party service providers used by FirmEdge to process data
2. Roles & Responsibilities
2.1 Controller (Law Firm)
The law firm acts as Controller and is responsible for:
- Ensuring it has a lawful basis for sharing client data with FirmEdge
- Obtaining any required consents from its clients for AI-assisted services
- Complying with applicable bar rules regarding use of technology vendors
- Ensuring accuracy of client data provided to FirmEdge
- Notifying FirmEdge of any data subject requests received
2.2 Processor (FirmEdge)
FirmEdge acts as Processor and commits to:
- Processing personal data only on documented instructions from the Controller
- Ensuring all personnel with access to personal data are bound by confidentiality
- Implementing appropriate technical and organizational security measures
- Not engaging sub-processors without prior authorization
- Assisting the Controller in responding to data subject rights requests
- Deleting or returning all personal data upon termination of services
- Providing all information necessary to demonstrate compliance with this DPA
3. Nature & Purpose of Processing
FirmEdge processes Client Data for the following purposes only:
- Operating AI receptionist services (call answering, message taking, appointment booking)
- Sending automated follow-up communications (document requests, billing reminders, satisfaction surveys)
- Lead recovery and client reactivation communications
- Generating reports and analytics for the law firm
- Providing customer support to the law firm
Processing is performed only to the extent necessary to provide these services. FirmEdge shall not process Client Data for any other purpose without explicit written consent.
4. Types of Personal Data
Categories of personal data processed may include:
- Contact information (names, email addresses, phone numbers)
- Case/matter information (type of legal matter, case status, document status)
- Financial information (invoice amounts, payment status — not payment card data)
- Communication records (call transcripts, email correspondence)
- Appointment and scheduling information
Sensitive Data: FirmEdge recognizes that legal matter information may be sensitive. We apply heightened protection to all Client Data and treat it as confidential by default.
5. Confidentiality & Attorney-Client Privilege
FirmEdge acknowledges that Client Data may include information subject to attorney-client privilege and work product protection. FirmEdge commits to:
- Treating all Client Data as attorney-client privileged information
- Not disclosing Client Data to any third party without written authorization from the law firm
- Cooperating with the law firm to maintain privilege protections
- Promptly notifying the law firm of any legal demand for Client Data (e.g., subpoena) to allow the firm to seek a protective order
- Limiting internal access to Client Data to personnel who require it to provide services
5a. Call Recording Compliance
With respect to call recordings made by the AI receptionist service:
- FirmEdge obligation: FirmEdge configures the AI receptionist to announce at the beginning of each call that the call may be recorded. FirmEdge provides this disclosure as a technical measure.
- Controller obligation: The law firm (Controller) remains solely responsible for determining whether its jurisdiction requires all-party consent, obtaining any additional consents required, and ensuring its use of the recording feature complies with applicable federal and state wiretapping laws (including but not limited to laws in California, Florida, Illinois, and other two-party consent states).
- Retention: FirmEdge retains call recordings for no more than 90 days from the date of recording, after which they are securely and permanently deleted.
- Indemnification: The Controller agrees to indemnify FirmEdge against any claims arising from the Controller's failure to comply with applicable call recording consent laws.
6. Security Measures
FirmEdge implements the following technical and organizational measures:
Technical Measures
- TLS encryption for all data in transit
- Encrypted storage for sensitive data at rest
- Authentication and access control systems
- Automated daily encrypted backups with offsite storage
- Continuous security monitoring and logging
- Secure deletion of data upon termination
Organizational Measures
- Confidentiality agreements for all personnel with data access
- Principle of least privilege for data access
- Documented data handling procedures
- Incident response procedures
7. Sub-processors
FirmEdge uses the following authorized sub-processors. By entering this DPA, the Controller grants general authorization to use these sub-processors:
- Vapi AI — AI voice call processing (USA)
- Anthropic — AI text generation (USA)
- Twilio/SendGrid — SMS and email delivery (USA)
- Stripe — Payment processing (USA)
FirmEdge ensures each sub-processor is bound by data protection obligations equivalent to those in this DPA. FirmEdge will notify the Controller of any intended changes to sub-processors, providing the Controller 14 days to object.
8. Data Subject Rights
When FirmEdge receives a data subject request (access, deletion, portability, correction) related to Client Data, FirmEdge will:
- Forward the request to the Controller within 5 business days
- Assist the Controller in fulfilling the request using available technical measures
- Not fulfill data subject requests independently without Controller authorization
9. Data Breach Notification
In the event of a personal data breach affecting Client Data, FirmEdge will:
- Notify the Controller, by email to the registered account address, within 72 hours of becoming aware of the breach
- Provide a written incident report including: nature of the breach, categories and approximate number of individuals affected, categories and approximate volume of records affected, likely consequences of the breach, and measures taken or proposed to address the breach
- Cooperate fully with the Controller's breach response, including providing information needed for regulatory notifications
- Take immediate steps to contain, investigate, and remediate the breach
- Not make any public statements about the breach without prior written approval from the Controller
10. Data Return & Deletion
Upon termination of services, FirmEdge will:
- Make Client Data available for export for 30 days
- Securely delete all Client Data within 60 days of termination (or upon written request)
- Provide written confirmation of deletion upon request
- Retain only data required by applicable law (e.g., payment records)
11. Audits & Compliance
FirmEdge will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable notice, FirmEdge will cooperate with audits or inspections conducted by the Controller or its designated auditor, subject to reasonable confidentiality protections.
12. Term
This DPA is effective upon the Controller's acceptance of the FirmEdge Terms of Service and remains in effect for the duration of the service relationship. Confidentiality obligations survive termination indefinitely.
13. Contact for Data Matters
For all data protection matters: hello@firmedge.io
FirmEdge | firmedge.io