
GDPR Compliance

Last updated: January 1, 2025

Casemeister is fully GDPR compliant

As a software provider for lawyers, we understand the importance of data protection. We have implemented extensive measures to comply with the General Data Protection Regulation (GDPR).

1. What is the GDPR?

The General Data Protection Regulation (GDPR) is European privacy legislation that has been in effect since May 25, 2018. The GDPR gives citizens more control over their personal data and places strict requirements on organizations that process personal data.

2. Our role under the GDPR

Under the GDPR, Casemeister can fulfill two roles:

2.1 Data Controller

For the data of our customers (account holders), we act as data controller. This concerns:

  • Account and login data
  • Billing data
  • Communication with our support

2.2 Data Processor

For the data that our customers enter in cases (their clients' data), we act as processor. The customer (the law firm) remains the data controller for this data.

3. Technical security measures

We have implemented the following technical measures:

  • Encryption: 256-bit SSL/TLS for data traffic and AES-256 encryption for stored data
  • 2FA: Two-factor authentication available for additional account security
  • Audit logging: Comprehensive logging of all access and changes
  • Access control: Role-based access control (RBAC) for user management

4. Data location

All data is stored in data centers within the European Union:

Primary location: Frankfurt, Germany

Certification: ISO 27001, SOC 2 Type II

Backup location: Amsterdam, Netherlands

Because we use European data centers, your data is not subject to legislation such as the US CLOUD Act. This is essential for law firms working with confidential client data.

5. Data Processing Agreement

In accordance with Article 28 GDPR, we conclude a data processing agreement with our customers. This agreement regulates:

  • The subject and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subjects
  • The obligations and rights of the data controller
  • Security measures
  • Engagement of sub-processors
  • Assistance with data subject rights
  • Data breach notification requirements

A data processing agreement is available upon request. Contact privacy@casemeister.nl.

6. Sub-processors

We use the following sub-processors, all within the EU or with adequate safeguards:

Sub-processor | Service | Location
Hetzner Online GmbH | Hosting & infrastructure | Germany
Postmark (ActiveCampaign) | Transactional email | EU (SCCs)
Mollie B.V. | Payment processing | Netherlands
Voys | VoIP telephony | Netherlands

Changes in sub-processors are communicated to customers in advance.

7. Data subject rights

The GDPR grants data subjects (persons whose data is processed) various rights. We support you in facilitating these rights:

7.1 Functionality in the application

  • Right of access: Export function for case data
  • Right to rectification: Data can be directly modified
  • Right to erasure: Delete function for cases and contacts
  • Right to data portability: Export in common formats (JSON, CSV)

7.2 Support with requests

Received a GDPR request from a data subject? We will help you within 48 hours with:

  • Identification of relevant data
  • Export of data
  • Deletion of data

8. Data breaches

We have a procedure for handling data breaches:

  1. Detection: Monitoring and alerting for suspicious activities
  2. Notification: In case of a data breach, we notify affected customers within 24 hours
  3. Documentation: All incidents are documented
  4. Support: We support you with any notification to the Data Protection Authority

The notification obligation to the Data Protection Authority (within 72 hours) rests with the data controller (your firm). We provide you with all necessary information.

9. Data Protection Impact Assessment (DPIA)

A DPIA may be required for high-risk processing. We can provide support with:

  • Identification of processing that requires a DPIA
  • Technical information about our security measures
  • Risk assessment of processing via Casemeister

10. Retention periods

We apply the following standard retention periods:

Data type | Retention period | Explanation
Case data | Until deleted by customer | Customer determines retention period
Account data | 2 years after termination | For potential questions/claims
Billing data | 7 years | Legal retention requirement
Log files | 12 months | Security & troubleshooting
Backups | 30 days rolling | Disaster recovery

11. Data Protection Officer

For questions about data protection, please contact our privacy officer:

Email: privacy@casemeister.nl

Response time: Within 5 business days

12. Compliance documentation

The following documentation is available upon request for customers:

  • Data Processing Agreement (DPA)
  • Technical and Organizational Measures (TOM)
  • List of sub-processors
  • Data center certificates
  • Penetration test report (summary)

Contact privacy@casemeister.nl to request these documents.

13. Frequently asked questions

Do I need to conclude a data processing agreement with Casemeister as a law firm?

Yes, if you process personal data of clients via Casemeister, you are required to conclude a data processing agreement. We provide this free of charge.

Where is my data stored?

All data is stored in ISO 27001 certified data centers in Frankfurt (Germany) with backups in Amsterdam (Netherlands). No transfer takes place to countries outside the EU.

How do I handle an access request from a client?

You can export all data of a specific client via the export function in Casemeister. We are happy to help with any questions.

What happens to my data if I cancel my account?

After cancellation, you have 30 days to export your data. After that, all data is permanently deleted, except for billing data (7-year retention requirement).

14. Updates

This page is updated when there are changes in our GDPR compliance or security measures. Important changes are communicated via email to all customers.

Questions about GDPR compliance?

Our team is ready to answer your questions and provide you with the necessary documentation.


© 2025-2026 Casemeister. All rights reserved.