These documents are provided as the current policies of StartManaging-Legal, LLC. They are not legal advice for the firms or individuals reading them. Your firm should still have outside counsel review before relying on any clause.

Data Processing Agreement

Effective: May 13, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between StartManaging-Legal, LLC (the “Processor”) and the subscribing law firm (the “Controller”). It describes how the Processor handles personal data on the Controller’s behalf and complements the firm’s own privacy and client-confidentiality obligations.

1. Roles

The Controller (the firm) determines the purposes and means of processing Customer Content. The Processor (StartManaging-Legal) processes Customer Content only as necessary to provide the Service or as instructed by the Controller. Each Firm User’s account credentials are held by the Processor in its own right as a service-account operator.

2. Subject-matter and duration

The Processor processes Customer Content for the duration of the Controller’s subscription, plus the 30-day export window described in the Terms of Service and the cold-backup aging period described in the Privacy Policy.

3. Categories of data subject

  • The Controller’s own attorneys and staff.
  • The Controller’s clients, opposing parties, witnesses, experts, and other matter participants — to the extent the Controller stores such information in the Service.
  • Visitors to the Controller’s marketing packets.

4. Types of data

  • Identification (name, email, phone).
  • Matter content (case descriptions, time entries, documents, engagement letters, billing records, ledger transactions).
  • Limited financial data (trust-ledger balances, invoice amounts, bank-routing fragments). Full bank-account numbers are stored masked.
  • Authentication metadata (password hash, TOTP secret, last-login IP).

5. Processor obligations

  • Documented instructions. The Processor processes Customer Content only on the Controller’s documented instructions — including those expressed by actions the Controller takes inside the Service.
  • Confidentiality. Personnel authorized to access Customer Content are bound by appropriate confidentiality obligations.
  • Security. The Processor implements the technical and organizational measures described in the Security Practices page.
  • Sub-processors. The current list of sub-processors is published in Section 9 below. The Processor notifies the Controller of any new sub-processor at least 30 days before that sub-processor begins processing. The Controller may object on reasonable grounds.
  • Data-subject requests. The Processor will assist the Controller in responding to access, rectification, erasure, and portability requests within the Controller’s regulatory deadlines.
  • Breach notification. The Processor notifies the Controller without unreasonable delay, and in any event within 60 days, of any unauthorized acquisition of Customer Content, per Texas Business & Commerce Code §521.053.
  • Return or deletion. At the Controller’s choice on termination, the Processor returns the Customer Content (via the JSON export) or deletes it within the retention schedule in the Privacy Policy.
  • Audit. The Processor makes available the information necessary to demonstrate compliance with this DPA and contributes to audits conducted by the Controller or an auditor mandated by the Controller, no more than once per year unless required by regulators.

6. Controller obligations

  • Provide accurate documented instructions and ensure each Firm User’s access reflects the principle of least privilege.
  • Maintain its own lawful basis for the personal data it stores in the Service.
  • Notify the Processor if it intends to store special categories of data (health, biometrics, etc.) at unusual scale, so additional safeguards can be agreed.

7. International transfers

Production data is stored in the United States. The Processor does not transfer Customer Content outside the United States without the Controller’s prior written agreement and an appropriate legal mechanism (standard contractual clauses, adequacy decision, etc.).

8. Liability

The limitation-of-liability provisions of the Terms of Service apply to claims under this DPA.

9. Current sub-processors

As of the effective date the Processor relies on the following sub-processors:

  • Neon (USA) — application database hosting (Postgres).
  • Vercel (USA) — application hosting and edge delivery.
  • Resend (USA) — transactional email delivery.
  • Sentry (USA) — error tracking. PII is scrubbed before payloads leave the application server.
  • Cloudflare (USA) — DNS, CDN, and immutable backup-bucket storage.

10. Contact

Privacy: privacy@startmanaging-legal.com
Security: security@startmanaging-legal.com

© 2026 StartManaging-Legal, LLC. A Shoal Valley Systems company. All rights reserved.