AgileCase Data Processing Agreement – Last updated, 8 May 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between AgileCase (“AgileCase”, “Processor”) and the customer identified in the applicable Agreement (“Customer”, “Controller”) governing the Customer’s use of the AgileCase services (“Services”).
This DPA is incorporated into and forms part of the Agreement.
This DPA applies to the extent AgileCase Processes Customer Personal Data on behalf of the Customer in connection with the Services.
This DPA is intended to address the parties’ obligations under Applicable Data Protection Law, including the UK GDPR, EU GDPR where applicable, and the Data Protection Act 2018.
To the extent of any conflict between this DPA and the Agreement regarding Processing of Customer Personal Data, this DPA shall prevail.
This DPA does not apply to Personal Data for which AgileCase acts as an independent Controller.
Our Terms and Conditions, Privacy Policy, GDPR Statement, and list of subprocessors provide related information and context.
1. Definitions
For the purposes of this DPA:
“Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under the Agreement.
This includes:
- the UK GDPR;
- the EU GDPR where applicable;
- the Data Protection Act 2018; and
- related regulatory guidance and binding supervisory authority requirements.
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” have the meanings given under Applicable Data Protection Law.
“Customer Data” means all data submitted to or processed through the Services by or on behalf of the Customer.
“Customer Personal Data” means Personal Data contained within Customer Data.
“Subprocessor” / “Sub-processor” means any third party engaged by AgileCase to Process Customer Personal Data on behalf of the Customer.
“Standard Contractual Clauses” or “SCCs” means approved international transfer mechanisms recognised under Applicable Data Protection Law.
“Agreement” means the applicable agreement governing use of the Services, including applicable order forms, subscription terms, and incorporated policies.
“Services” means the AgileCase platform and related hosted, support, API, workflow, communication, and operational services provided by AgileCase.
2. Roles and Scope
The Customer acts as Controller and AgileCase acts as Processor in relation to Customer Personal Data Processed through the Services.
The Customer is responsible for:
- determining the lawful basis for Processing;
- ensuring the legality and accuracy of Customer Data;
- ensuring that Customer Personal Data is collected lawfully;
- providing required notices;
- obtaining required consents where applicable;
- responding to Data Subject requests;
- ensuring its instructions comply with Applicable Data Protection Law; and
- ensuring that use of the Services is appropriate for its intended Processing activities.
AgileCase shall:
- Process Customer Personal Data only on documented instructions from the Customer unless otherwise required by law;
- Process Customer Personal Data solely for the limited purposes described in the Agreement, this DPA, and documented Customer instructions;
- implement reasonable and appropriate technical and organisational measures designed to protect Customer Personal Data;
- ensure authorised personnel are subject to confidentiality obligations;
- provide reasonable and proportionate assistance to the Customer in meeting its compliance obligations under Applicable Data Protection Law; and
- not Process Customer Personal Data for advertising, profiling, data brokerage, or unrelated commercial purposes.
AgileCase may Process Personal Data as an independent Controller where necessary for:
- security;
- fraud prevention;
- service analytics;
- billing;
- legal compliance;
- operational management;
- product improvement;
- support; or
- other legitimate business operations related to the Services.
The subject matter, nature, purpose, categories of Data Subjects, categories of Personal Data, and duration of Processing are described in Annex 1.
3. Processor Obligations
AgileCase shall:
- Process Customer Personal Data only in accordance with the Agreement, this DPA, and documented Customer instructions;
- ensure personnel with access to Customer Personal Data are appropriately trained and subject to confidentiality obligations;
- maintain reasonable technical and organisational measures in accordance with Article 32 GDPR;
- provide reasonable and proportionate assistance with Data Subject requests where required under Applicable Data Protection Law;
- provide reasonable and proportionate assistance with data protection impact assessments, transfer impact assessments, and consultations with Supervisory Authorities where required under Applicable Data Protection Law;
- notify the Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data;
- make available information reasonably necessary to demonstrate compliance with this DPA; and
- delete or return Customer Personal Data in accordance with Section 9.
Additional Customer instructions must be:
- documented in writing;
- reasonable;
- proportionate;
- technically feasible; and
- consistent with the Services and Applicable Data Protection Law.
AgileCase may refuse instructions that:
- violate Applicable Data Protection Law;
- materially alter the scope of the Services;
- create unreasonable technical or operational burdens;
- create unreasonable security risks; or
- require material changes to AgileCase systems or infrastructure.
Nothing in this DPA requires AgileCase to:
- disclose confidential information relating to other customers;
- compromise the security, confidentiality, or integrity of the Services;
- disclose proprietary information, trade secrets, or internal security documentation; or
- act in violation of applicable law or regulatory obligations.
Where requests from the Customer require material additional effort beyond AgileCase’s standard obligations under the Agreement, AgileCase may charge reasonable fees reflecting the scope and complexity of the requested assistance.
4. Confidentiality
AgileCase shall ensure that all personnel authorised to Process Customer Personal Data are subject to reasonable and appropriate confidentiality obligations.
Such obligations may be:
- contractual;
- statutory; or
- professional in nature.
Access to Customer Personal Data shall be limited to personnel who require such access for the purpose of:
- providing the Services;
- supporting the Services;
- maintaining the Services;
- securing the Services;
- investigating security incidents; or
- complying with legal or regulatory obligations.
AgileCase shall implement reasonable and appropriate internal access management controls, including:
- role-based access controls;
- least-privilege principles; and
- authentication and access restriction measures.
AgileCase shall maintain internal policies and procedures governing the handling, access, and protection of Customer Personal Data.
Confidentiality obligations shall survive termination of employment or engagement where applicable.
Where AgileCase receives a legally binding request from a governmental authority, regulator, or law enforcement body relating to Customer Personal Data, AgileCase may disclose such information to the extent required by applicable law.
Where legally permitted, AgileCase shall use commercially reasonable efforts to notify the Customer prior to such disclosure.
5. Security Measures
AgileCase shall maintain reasonable and appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful:
- destruction;
- loss;
- alteration;
- unauthorised disclosure; or
- unauthorised access.
Such measures shall be appropriate to:
- the nature of the Services;
- the scope of Processing;
- the sensitivity of Customer Personal Data;
- the risks presented by the Processing; and
- the nature, scope, context, and purposes of the Processing.
Security measures may include, where appropriate:
- role-based access controls;
- authentication and credential management controls;
- encryption of data in transit;
- encryption at rest where reasonable and appropriate;
- infrastructure and network security protections;
- system monitoring and logging;
- vulnerability management procedures;
- malware and threat protection measures;
- backup and recovery procedures;
- incident response processes;
- change management procedures; and
- restricted access to infrastructure and production systems.
AgileCase shall maintain reasonable processes designed to:
- detect security incidents;
- investigate security incidents;
- respond to security incidents; and
- remediate security incidents.
AgileCase may update or modify its security measures from time to time provided AgileCase maintains security measures appropriate to the nature of the Services.
Except where expressly agreed in writing, AgileCase is not required to implement customer-specific security measures, infrastructure segregation, data residency arrangements, retention policies, penetration testing rights, or bespoke technical controls.
The Customer acknowledges responsibility for:
- maintaining secure user credentials;
- managing authorised users;
- configuring the Services appropriately;
- implementing reasonable and appropriate endpoint and account security; and
- implementing additional safeguards appropriate to the Customer’s use of the Services.
Except as expressly set out in the Agreement or this DPA, AgileCase does not guarantee that the Services will be uninterrupted, error-free, or immune from all security threats or vulnerabilities.
6. Subprocessors
The Customer provides general authorisation for AgileCase to engage Subprocessors in connection with the Services.
AgileCase shall ensure that Subprocessors are subject to written contractual obligations providing a level of commercially reasonable data protection obligations to those set out in this DPA.
A current list of Subprocessors used in connection with the Services is available on our subprocessors page.
The Subprocessors list may include:
- provider name;
- processing purpose;
- hosting region; and
- transfer safeguards where relevant.
AgileCase may appoint new Subprocessors from time to time in connection with the operation, security, support and maintenance of the Services.
Where AgileCase appoints a new Subprocessor that materially affects Processing activities, AgileCase shall update the Subprocessors list or otherwise provide reasonable prior notice where practicable.
If the Customer reasonably objects to a new Subprocessor on documented data protection grounds, the parties shall work together in good faith to address the concern.
If no commercially reasonable resolution can be reached, the Customer may terminate the affected Services by written notice without penalty solely in relation to the affected Processing activities.
Where Subprocessors Process Customer Personal Data outside the United Kingdom or European Economic Area, AgileCase shall implement reasonable and appropriate safeguards in accordance with Applicable Data Protection Law.
AgileCase shall remain responsible for the acts and omissions of its Subprocessors to the extent required by Applicable Data Protection Law.
Nothing in this DPA restricts AgileCase from engaging affiliates or service providers that do not Process Customer Personal Data.
7. Data Subject Rights
Taking into account the nature of the Processing, AgileCase shall provide reasonable and proportionate assistance to enable the Customer to respond to requests from Data Subjects under Applicable Data Protection Law.
Such assistance shall be limited to functionality made available through the Services and information reasonably available to AgileCase.
Such requests may include requests relating to:
- access;
- rectification;
- erasure;
- restriction;
- portability; and
- objection to Processing.
If AgileCase receives a request directly relating to Customer Personal Data, AgileCase shall, where reasonably possible:
- notify the Customer; and
- refrain from responding except as required by law.
The Customer remains responsible for:
- responding to Data Subject requests;
- verifying identity where required;
- determining the legal validity of requests; and
- communicating with affected Data Subjects.
AgileCase may provide tools or functionality enabling the Customer to:
- access Customer Data;
- export Customer Data;
- correct Customer Data; or
- delete Customer Data.
8. Personal Data Breach and DPIAs
AgileCase shall notify the Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.
To the extent reasonably available at the time of notification, AgileCase shall provide information regarding:
- the nature of the breach;
- affected categories of Customer Personal Data;
- the likely consequences of the breach;
- remediation measures taken or proposed; and
- contact information for follow-up communications.
AgileCase may provide information in phases as additional information becomes available.
AgileCase shall take reasonable steps to:
- investigate the breach;
- contain the breach;
- mitigate the effects of the breach; and
- remediate the breach where reasonably practicable.
AgileCase shall provide reasonable and proportionate cooperation to support the Customer’s compliance obligations under Applicable Data Protection Law.
Such assistance is limited to information reasonably available to AgileCase and does not include preparation of Customer regulatory filings, legal assessments, or formal compliance documentation on behalf of the Customer.
AgileCase shall also provide reasonable and proportionate assistance with:
- data protection impact assessments;
- transfer impact assessments; and
- consultations with Supervisory Authorities.
Such assistance applies where required under Applicable Data Protection Law and where the relevant information is reasonably available to AgileCase.
Participation in regulatory reviews, investigations, hearings, or supervisory authority engagement beyond AgileCase’s standard compliance obligations may be subject to additional fees.
Notification of a Personal Data Breach shall not constitute an admission of fault, liability, or wrongdoing by AgileCase.
The Customer remains responsible for determining whether notification to:
- a Supervisory Authority; or
- affected Data Subjects
is required under Applicable Data Protection Law.
Where requests for assistance require material additional effort beyond AgileCase’s standard obligations under the Agreement, AgileCase may charge reasonable fees reflecting the scope and complexity of the requested assistance.
9. Data Retention, Return, and Deletion
AgileCase shall retain Customer Personal Data only for as long as reasonably necessary to:
- provide the Services;
- comply with legal obligations;
- resolve disputes;
- maintain backup and recovery systems;
- prevent fraud or abuse; or
- enforce contractual rights.
During the term of the Agreement, the Customer may access or export Customer Data using functionality made available through the Services where applicable.
Upon termination or expiry of the Agreement, the Customer may request export of Customer Data within thirty (30) days in a commonly used electronic format where technically feasible.
Custom export formats, migration assistance, restoration requests, forensic recovery efforts, or other non-standard data handling requests may be subject to additional fees.
Following the applicable retention period, AgileCase shall delete or render inaccessible Customer Personal Data unless retention is required by:
- applicable law;
- security obligations;
- backup or disaster recovery requirements;
- fraud prevention purposes; or
- legal or regulatory compliance obligations.
Customer Personal Data retained within backup or archival systems shall remain subject to the protections described in this DPA until deleted in accordance with AgileCase’s standard retention practices.
AgileCase may retain anonymised or aggregated information that does not identify the Customer or any Data Subject and does not constitute Personal Data under Applicable Data Protection Law.
Except where expressly required by Applicable Data Protection Law or the Agreement, AgileCase is not required to retain, restore, recover, or maintain Customer Personal Data following expiration of the applicable retention period.
10. Audits and Compliance Information
AgileCase shall make available standard compliance information reasonably necessary to demonstrate compliance with this DPA.
Such information may include, where appropriate:
- security documentation;
- audit summaries;
- compliance certifications;
- responses to reasonable security questionnaires; or
- other comparable compliance documentation.
Where required by Applicable Data Protection Law, the Customer may request an audit of AgileCase’s compliance with this DPA no more than once in any twelve (12) month period unless:
- required by law; or
- reasonably required under Applicable Data Protection Law following a confirmed Personal Data Breach.
Any Customer-requested onsite assessment, penetration testing review, bespoke compliance review, or expanded audit procedure shall be subject to separate written agreement regarding scope, timing, security controls, and applicable fees.
AgileCase may satisfy audit obligations through the provision of:
- third-party audit reports;
- independent certifications;
- compliance attestations; or
- comparable compliance documentation.
Any audit conducted under this section shall:
- be conducted on reasonable prior written notice;
- occur during normal business hours;
- avoid unreasonable disruption to AgileCase operations;
- remain subject to reasonable and appropriate confidentiality obligations; and
- not compromise the security, confidentiality, or integrity of AgileCase systems or other customer data.
The Customer shall not exercise audit rights in a manner that:
- requires disclosure of proprietary information, trade secrets, or internal security architecture;
- compromises security controls;
- interferes with AgileCase operations; or
- circumvents AgileCase security or access procedures.
Each party shall bear its own costs associated with audits unless otherwise required by Applicable Data Protection Law.
Where requests for questionnaires, assessments, reviews, meetings, or audit-related assistance require material additional effort beyond AgileCase’s standard compliance obligations, AgileCase may charge reasonable fees reflecting the scope and complexity of the requested assistance.
11. International Transfers
Customer Personal Data may be Processed outside the United Kingdom or European Economic Area where reasonably necessary to provide, maintain, support or secure the Services.
Where international transfers of Customer Personal Data occur, AgileCase shall implement reasonable and appropriate safeguards in accordance with Applicable Data Protection Law.
Such safeguards may include, where appropriate:
- adequacy decisions;
- Standard Contractual Clauses;
- the UK International Data Transfer Addendum;
- the UK International Data Transfer Agreement; or
- other recognised transfer mechanisms permitted under Applicable Data Protection Law.
The Customer instructs AgileCase to carry out such international transfers where reasonably necessary in connection with the provision of the Services.
Where required under Applicable Data Protection Law, the applicable transfer mechanism shall be deemed incorporated into this DPA by reference.
AgileCase may implement supplementary technical, contractual, or organisational safeguards where reasonably appropriate to address international transfer risks.
Nothing in this DPA shall require AgileCase to adopt transfer mechanisms beyond those required under Applicable Data Protection Law.
12. Liability
Liability arising under or in connection with this DPA shall be subject to the exclusions, limitations, and liability caps set out in the Agreement unless prohibited by Applicable Data Protection Law.
Nothing in this DPA:
- increases either party’s liability beyond the limitations set out in the Agreement;
- creates separate or additional causes of action beyond those available under Applicable Data Protection Law or the Agreement; or
- permits duplicate recovery.
Each party remains responsible for its own compliance with Applicable Data Protection Law.
The Customer acknowledges that AgileCase relies on the Customer for instructions regarding the lawful Processing of Customer Personal Data and shall not be responsible for claims arising from:
- unlawful Customer instructions;
- the Customer’s failure to obtain required consents or permissions;
- the Customer’s misuse of the Services; or
- Processing activities initiated by the Customer or its authorised users in violation of Applicable Data Protection Law.
Nothing in this DPA excludes or limits liability that cannot lawfully be excluded or limited under applicable law.
Except where expressly required under Applicable Data Protection Law or the Agreement, AgileCase shall not be liable for:
- indirect losses;
- consequential losses;
- loss of profits;
- loss of revenue;
- loss of goodwill;
- loss of anticipated savings; or
- loss of business opportunity.
13. Term and Termination
This DPA remains in effect for the duration of the Agreement and for so long as AgileCase Processes Customer Personal Data on behalf of the Customer.
Upon termination or expiry of the Agreement, AgileCase shall cease Processing Customer Personal Data except where retention is permitted or required under:
- this DPA;
- the Agreement; or
- Applicable Data Protection Law.
AgileCase may retain Customer Personal Data where reasonably necessary for:
- legal or regulatory compliance;
- dispute resolution;
- enforcement of contractual rights;
- fraud prevention;
- security purposes; or
- backup and disaster recovery processes.
Provisions relating to:
- confidentiality;
- security;
- international transfers;
- deletion obligations; and
- liability limitations
shall survive termination for so long as applicable.
Termination of this DPA shall not affect:
- rights or obligations accrued prior to termination; or
- obligations that expressly or implicitly survive termination.
Nothing in this DPA limits AgileCase’s right to suspend access to the Services in accordance with the Agreement where reasonably necessary to:
- protect the security or integrity of the Services;
- prevent unlawful activity;
- respond to security incidents; or
- comply with applicable law or regulatory requirements.
14. Order of Precedence
In the event of any conflict or inconsistency between this DPA and the Agreement regarding the Processing of Customer Personal Data, this DPA shall prevail to the extent of the conflict or inconsistency.
Where applicable transfer mechanisms, including Standard Contractual Clauses or the UK International Data Transfer Addendum, impose stricter obligations than this DPA, the applicable transfer mechanism shall prevail to the extent required under Applicable Data Protection Law.
If any provision of this DPA is found to be invalid, unenforceable, or contrary to Applicable Data Protection Law, the remaining provisions shall remain in full force and effect.
AgileCase may update this DPA where reasonably necessary to:
- comply with changes in Applicable Data Protection Law;
- implement updated transfer mechanisms;
- reflect regulatory guidance;
- support changes to the Services; or
- maintain consistency with the Agreement and related compliance documentation.
Where changes materially reduce Customer protections under this DPA, AgileCase shall provide reasonable prior notice where practicable through the Services, website, or other reasonable and appropriate communication method.
Except where expressly stated otherwise in the Agreement or this DPA, where the Customer requests assistance, information, measures, assessments, audits, reviews, reports, meetings, questionnaires, technical modifications, exports, or support beyond AgileCase’s standard obligations or standard Service offering, AgileCase may charge reasonable fees reflecting the scope, complexity, urgency, and resources required.
Except where expressly stated otherwise, this DPA constitutes the complete agreement between the parties regarding the Processing of Customer Personal Data in connection with the Services.
Annex 1 – Details of Processing
A. Subject Matter of the Processing
Provision of the AgileCase platform and related services, including case management, workflow automation, document handling, communication, support, and associated cloud-based functionality.
B. Nature and Purpose of the Processing
Processing activities may include:
- hosting and storage of Customer Data;
- case and workflow management;
- document processing and retrieval;
- user authentication and account management;
- communication and collaboration functionality;
- customer support;
- security monitoring;
- backup and disaster recovery; and
- maintenance and operation of the Services.
Processing is carried out solely for the purpose of providing, maintaining, securing, and supporting the Services in accordance with the Agreement and documented Customer instructions.
C. Categories of Data Subjects
Depending on the Customer’s use of the Services, Data Subjects may include:
- Customer personnel and authorised users;
- end customers or clients of the Customer;
- employees, contractors, or representatives;
- counterparties or third parties referenced in case records;
- communication participants; and
- other individuals whose Personal Data is submitted to the Services by or on behalf of the Customer.
D. Categories of Personal Data
Depending on the Customer’s use of the Services, Personal Data may include:
- names and contact details;
- email addresses;
- telephone numbers;
- account credentials and user identifiers;
- case-related information and correspondence;
- uploaded files and documents;
- billing and transaction information;
- technical and usage data;
- audit logs and activity records; and
- other Personal Data submitted by the Customer through the Services.
The Customer acknowledges that use of the Services may involve Processing of special category data or criminal offence data where submitted by the Customer.
E. Frequency and Duration of Processing
Processing occurs on a continuous basis for the duration of the Agreement and any applicable retention or deletion period described in the DPA.
F. Processing Operations
Processing operations may include:
- collection;
- recording;
- organisation;
- structuring;
- storage;
- retrieval;
- consultation;
- use;
- disclosure by transmission;
- alignment or combination;
- restriction;
- deletion; and
- destruction.
Annex 2 – Technical and Organisational Security Measures
AgileCase implements and maintains technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.
Security measures may include, where reasonable and appropriate:
1. Access Controls
- role-based access restrictions;
- least-privilege access principles;
- authentication controls for administrative access;
- controlled provisioning and deprovisioning procedures; and
- periodic access review processes.
2. Data Protection Measures
- encryption of data in transit using industry-standard protocols;
- encryption of data at rest where reasonable and appropriate;
- secure handling of credentials and secrets;
- logical segregation of customer environments where applicable; and
- data minimisation practices.
3. Infrastructure and Network Security
- secured hosting environments;
- firewall and network protection measures;
- infrastructure monitoring and logging;
- vulnerability management processes;
- malware and threat protection measures; and
- change management procedures.
4. Monitoring and Incident Management
- security event monitoring;
- incident response procedures;
- investigation and remediation processes;
- logging of relevant system activity; and
- procedures for responding to suspected Personal Data Breaches.
5. Business Continuity and Availability
- backup and recovery processes;
- resilience and availability measures;
- disaster recovery procedures; and
- operational continuity safeguards.
6. Personnel Security and Confidentiality
- confidentiality obligations for personnel;
- security and privacy awareness measures;
- restricted access to Customer Personal Data; and
- internal policies governing handling of sensitive information.
7. Vendor and Subprocessor Management
- due diligence processes for Subprocessors;
- contractual data protection obligations;
- review of security commitments where reasonable and appropriate; and
- oversight measures relating to Processing activities delegated to Subprocessors.
8. Security Updates
AgileCase may update or modify its security measures from time to time provided AgileCase maintains security measures appropriate to the nature of the Services.
Related policies
Our Terms and Conditions and Privacy Policy set out the legal framework governing our relationship with customers and users. Our GDPR Statement summarises how we approach data protection roles and transfers. The current list of subprocessors is published on our website.