Security

Uptime

We target 99.5 percent uptime each month, which reflects general platform availability across our core systems.

This target does not apply during scheduled maintenance periods, which are performed during low traffic hours and communicated in advance. It also excludes outages caused by upstream cloud providers since these are outside our control.

Incident Response Times

If an unexpected issue occurs, we follow a clear response pattern:

• Critical issues that prevent platform access or interrupt essential data flows receive an initial response within one hour.
• High severity issues that affect major functionality receive attention within about four hours.
• Medium severity issues are acknowledged and addressed the same business day.
• Low severity issues are handled within two business days.

These timelines refer to acknowledgement and initial investigation, not guaranteed resolution times.

Data Recovery

We rely on daily, provider-managed backups. This provides a Recovery Point Objective (RPO) of about 24 hours, meaning that in a worst case scenario we can restore to a snapshot taken within the prior day.

Our Recovery Time Objective (RTO) for a full restoration ranges from 24 to 48 hours, depending on the nature of the issue and the size of the dataset.

If we confirm a security incident affecting client data, we will notify impacted clients within 72 hours.

Post-Incident Review

For any confirmed incident affecting platform stability, data integrity, or system availability, Lawgical will prepare a post-mortem analysis. This includes:

• Summary of the issue
• Root cause analysis (RCA)
• Timeline
• Remediation steps
• Long-term prevention measures

Completed post-mortems are shared with the affected clients, and turnaround may vary depending on the complexity of the investigation, but they will be delivered within a reasonable timeframe.

Exclusions

This SLA does not apply to issues caused by a user's local network, unsupported or outdated browsers, beta or experimental features, or outages originating from third-party vendors. These exclusions keep the SLA realistic while ensuring we remain accountable for the parts of the system we directly control.

Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on Personal Data, including collection, storage, access, transmission, or deletion.

"Controller" means the entity that determines the purposes and means of processing Personal Data (the Client law firm).

"Processor" means the entity that processes Personal Data on behalf of the Controller (Lawgical).

"Subprocessor" means any third party engaged by Lawgical to assist in processing Personal Data.

Purpose and Scope

Gouldian Inc. processes Personal Data solely to provide, maintain, secure, and improve our platform and related services. We do not sell, trade, or use Client data for advertising, training ML models, training LLMs, or any purpose beyond delivering contracted services.

This DPA applies to all data processed through The Company's platform, including intake records, case details, uploaded documents, audio recordings, call transcripts, case evaluations, contact information, questionnaire responses, communication metadata, and any other information provided by or collected on behalf of the Client.

Roles and Responsibilities

Controller Responsibilities

• Ensuring a lawful basis for processing Personal Data.
• Managing staff access rights.
• Verifying accuracy of data provided to Lawgical.
• Complying with obligations under relevant privacy laws.

Processor Responsibilities

• Process Personal Data only under Client instructions.
• Maintain administrative, technical, and physical safeguards as described in the Lawgical Data Security document.
• Restrict access to authorized personnel with a legitimate business need.
• Not disclose Personal Data to third parties except listed subprocessors or where legally required.

Data Processing and Usage

The Product processes Personal Data for some or all of the following purposes, depending on the specific agreement between the Client and the Company:

• Multi-channel intake and AI voice agent services
• Lead qualification and CRM routing
• Automated follow-up, reactivation workflows, and multi-channel communication
• Case evaluations, document generation, and personalized summaries
• AI-driven content generation, social media automation, and multi-language support
• Analytics, reporting, attribution, and conversion tracking
• Platform security monitoring, fraud prevention, and diagnostic troubleshooting

We do not:

• Sell Personal Data.
• Allow third parties to use Personal Data for their own purposes.
• Train external machine learning models using Client data.

Data Retention and Deletion

The Company retains Personal Data for the duration of the Client relationship.

Upon request or contract termination, The Company will:

• Delete Personal Data from production systems.
• Remove associated storage assets (PDFs, images, call recordings, transcripts).
• Permanently delete backup snapshots according to industry-standard backup expiration cycles.

If the Client requests an export before deletion, The Company will provide structured data in a commonly used format.

Subprocessors

The Company may engage subprocessors to support the delivery, maintenance, and improvement of the Product. These subprocessors may provide infrastructure, communication services, analytics, storage, or other technical functions necessary to operate the platform.

The Company will:

• Use subprocessors only for purposes consistent with this Agreement.
• Ensure each subprocessor is bound by written data protection and confidentiality obligations no less protective than those applied to The Company.
• Remain responsible for the acts and omissions of subprocessors to the extent that it doesn't take reasonable steps to ensure their compliance.
• Maintain a current and detailed record of authorized subprocessors in the Lawgical Subprocessors List.
• Provide the most recent version of the Lawgical Subprocessors List to the Client upon request.
• Notify the Client in advance of material changes to subprocessors when legally required or contractually agreed.

The Client may request additional information regarding subprocessors at any time.

Data Security Measures

The Company's security posture is described in detail in the Lawgical Data Security document. Key safeguards include:

• TLS 1.3 for all data in transit.
• AES-256 encryption for all data at rest.
• Full-disk encryption and column-level encryption.
• Multi-tenant isolation using application-level scoping and Row-Level Security (RLS).
• Role-based access control (RBAC).
• Daily automated backups with disaster recovery procedures.
• Logging, monitoring, and anomaly detection.

Breach Notification

For additional detail regarding incident response timelines and post-incident procedures, Clients may refer to the Company's Service Level Agreement (SLA), which supplements the commitments outlined below.

If The Company becomes aware of a confirmed data breach affecting Client Personal Data, we will:

• Notify the Client within 72 hours.
• Provide available details regarding scope, impact, and mitigation.
• Cooperate fully with Client-led or regulatory investigations.
• Supply a written post-incident report.

Confidentiality

The Company ensures that all personnel with access to Personal Data are bound by confidentiality obligations.

International Transfers

Data is primarily stored and processed in the United States. If an international transfer is required for operational reasons, The Company will implement standard contractual safeguards to maintain compliance.

Client Instructions

The Company will process Personal Data only according to documented Client instructions. Instructions may be provided via:

• Contractual agreements
• Actions taken within the Product's administrative settings
• Written requests to support@lawgical.app
• Instructions implied by the Client's use of the Product

Termination

Upon termination of services:

• The Company will, at the Client's discretion, return or delete all Personal Data.
• Backup data will be purged according to provider-managed retention cycles.
• Additional details on data return, retention, and deletion are outlined in the Lawgical Data Retention & Deletion Policy.

Liability

Each party's liability is governed by the underlying service agreement. This DPA does not expand or modify liability terms unless explicitly stated.

Database

Supabase

• Purpose: Managed Postgres database, Row-Level Security (RLS), object storage, and edge functions.
• Categories of Data: Intake data, firm and user metadata, case details, uploaded documents, communication logs.
• Location: AWS us-west-1 and us-east-1
• Certifications: SOC2 Type II, HIPAA
• Website: https://supabase.com/

Compute

Google Cloud Run

• Purpose: Containerized backend compute for API processing and system operations.
• Categories of Data: Server to server request data, logs, processing metadata.
• Location: us-central1 and us-east1
• Certifications: SOC2, ISO 27001, FedRAMP Moderate
• Website: https://cloud.google.com/run

Storage

Google Cloud Storage

Supabase Storage

Vercel

Communications and Telephony

ManyChat, Twilio, ElevenLabs, Resend, Meta / Facebook / Instagram, TikTok, LinkedIn, and X / Twitter are used for messaging, telephony, social intake, and communication workflows.

Monitoring and Error Tracking

Google Cloud Logging and Sentry support centralized logging, operational monitoring, troubleshooting, and alerting.

Payments

Stripe is used for billing, invoicing, and subscription management.

Internal Operations

Google Workspace, Notion, GitHub, Discord, Apple iMessage, Loom, FreeBoomShare, Namecheap, and Zapier support internal documentation, communication, engineering, and operations.

AI, Media, and Machine Learning

HeyGen, Descript, OpenAI, and Anthropic / Claude support media workflows, content generation, summarization, drafting, evaluation, and LLM-powered workflows.

Notification Policy

Lawgical provides advance notice to Clients before adding, removing, or replacing Subprocessors. Clients may request the most current version of this list at any time.

Scope and Roles

This Policy covers all Personal Data and related records processed by the Product, including:

• Intake records and questionnaires
• Case details and internal notes
• Uploaded documents (PDFs, images, forms, IDs)
• Call recordings, audio files, transcripts, and summaries
• Contact details for attorneys, staff, leads, prospects, and clients
• Communication metadata (timestamps, channels, phone numbers, email headers)
• Product usage and diagnostic logs

Under the DPA:

• The Client is the Controller and decides what data to collect, retain, or delete.
• The Company is the Processor and retains or deletes data according to Client instructions and this Policy.

General Retention Principles

• Purpose limitation: Data is retained only for as long as it is needed to provide the Product, support Client operations, or comply with legal, regulatory, or accounting requirements.
• Client control first: Where technically feasible, Clients can delete or request deletion of specific records, matters, or data categories.
• Minimum necessary retention: If no longer needed for service delivery, security, or compliance, data is deleted or irreversibly anonymized.
• Aligned with DPA and contracts: If a specific agreement sets stricter retention windows, that agreement takes priority.

Data Categories and Typical Retention

Actual retention periods may vary based on Client instructions or applicable law.

• Account & configuration data: Duration of the client relationship, plus up to 3 years for audit, billing, and dispute resolution.
• Intake and lead records: Duration of the client relationship, or until deleted by the Client.
• Case and matter data: Duration of the client relationship, or until deleted by the Client.
• Uploaded documents and files: Duration of the client relationship, or until deleted by the Client.
• Call recordings and audio: 24 months from the date of the call, unless customized by agreement.
• Transcripts and AI summaries: 36 months from the date of the interaction, or until deleted by the Client.
• Notification and messaging data: 24 months from send date.
• System logs and diagnostics: Typically 12 months.
• Aggregated and anonymized analytics: May be retained indefinitely in de-identified form.

Client-Controlled Deletion

Where supported by the Product, Clients can delete specific data directly from the interface. Examples include:

• Deleting a lead, contact, matter, or intake record.
• Deleting or replacing an uploaded document.
• Archiving or closing matters according to internal policies.

When a Client deletes an item in the Product:

• The record is removed from active application views.
• Associated files in primary storage are deleted or detached.
• Related derived artifacts are scheduled for deletion.

Deletion on Client Request

Clients may submit formal data deletion requests by contacting support@lawgical.app.

Upon receiving a verified request, the Company will:

• Confirm the scope of the request with the Client.
• Authenticate the requester.
• Schedule and execute deletion from production systems.
• Confirm completion to the Client once finished.

Operational deletion from active systems typically occurs within 30 days of a validated request, unless otherwise required.

Deletion on Contract Termination

• Export window: On request, the Company will provide a reasonable window for the Client to export their data.
• Production deletion: After the export window or on explicit Client instruction, the Company will schedule deletion from active databases and primary storage.
• Account artifacts: Limited records may be retained for up to 3 years to satisfy legal, accounting, and audit requirements.
• Backups: Client data will continue to exist in encrypted backup snapshots until those backups naturally expire.

Backups and Disaster Recovery

• The underlying managed database and storage systems perform daily, provider-managed backups.
• Backups are stored in encrypted form and are not used for analytics, testing, or any purpose other than recovery.
• Backup snapshots are kept for a limited rolling window defined by each cloud provider and then automatically expired or overwritten.

Legal Holds and Exceptions

If the Company becomes aware that specific data is subject to a legal hold or is reasonably required to comply with a court order, subpoena, regulatory request, or defend legal claims, then the Company may suspend normal deletion of that data until the legal obligation or dispute has been resolved.

Subprocessors and Third-Party Retention

Lawgical uses subprocessors to deliver infrastructure, communications, storage, and AI services, as detailed in the Lawgical Subprocessors List.

For each subprocessor handling Client Personal Data, the Company:

• Ensures retention is limited to what is needed to provide the contracted service.
• Requires that data is deleted or anonymized once it is no longer needed.
• Aligns subprocessor retention windows with this Policy to the extent permitted by each provider's platform capabilities and terms.

Client Responsibilities

• Defining and maintaining their own internal file retention policies for legal matters.
• Ensuring that their use of the Product aligns with applicable laws and bar rules.
• Communicating any stricter retention or deletion requirements to the Company.
• Using the Product's deletion and archiving features in line with their policies.