Subprocessors
Last updated: 2026-05-12
CasePlus AI engages the third-party service providers below ("subprocessors") to deliver its product. Each subprocessor processes customer or visitor data only on instructions from CasePlus AI and is bound by a Data Processing Agreement (DPA) where applicable.
We may add, remove, or replace subprocessors as our infrastructure evolves. Material changes will be reflected on this page; customers under enterprise agreements will receive advance notice of new subprocessors per their contract terms.
Active subprocessors
| Provider and data processed | Role | Region | Certifications | Legal |
|---|---|---|---|---|
| Vercel Inc.: Application logs, build artifacts, request metadata, encrypted document files (PDFs, images uploaded by visitors during intake) | Application hosting + private blob storage for uploaded documents | United States (multi-region) | SOC 2 Type II, ISO 27001, PCI DSS, HIPAA-eligible | Privacy, DPA |
| Neon Inc.: All structured customer + visitor data including firm configuration, user accounts, intake conversations, lead records (visitor PII fields encrypted at the application layer with AES-256-GCM) | Managed Postgres database (primary data store) | United States (us-east-2) | SOC 2 Type II, ISO 27001, GDPR, CCPA. HIPAA BAA available on enterprise tier. | Privacy, DPA |
| Clerk Inc.: Authorized firm-user identifiers, email addresses, password hashes, login session metadata, MFA factors. Visitor data is NOT shared with Clerk. | Authentication + user identity management for the dashboard | United States | SOC 2 Type II, GDPR, CCPA | Privacy, DPA |
| Stripe Inc.: Firm billing contact email, subscription plan + add-on selections, invoice history, payment method tokens. CasePlus does not store credit card numbers. | Payment processing for firm subscriptions + add-ons | United States (Stripe processes globally; CasePlus accounts in US region) | PCI DSS Level 1, SOC 1, SOC 2 Type II, ISO 27001 | Privacy, DPA |
| Anthropic, PBC: Intake conversation contents, document contents (text + images) submitted for analysis, system prompts. Per Anthropic policy, API inputs/outputs are NOT used to train models. | Large language model (Claude Haiku 4.5 + Sonnet 4.6) for intake conversations, qualification, summaries, document analysis | United States | SOC 2 Type II, ISO 27001, GDPR-aligned | Privacy, DPA |
| OpenAI Inc.: Same as Anthropic, only during failover events. Per OpenAI API policy, API inputs are not used for training. | Fallback LLM (GPT-4o-mini / GPT-4o) used only when Anthropic API is unavailable | United States | SOC 2 Type II, ISO 27001, GDPR-aligned | Privacy, DPA |
| ElevenLabs Inc.: Phone-call audio (visitor voice), AI-generated voice output, call transcripts | Text-to-speech voice synthesis for the AI Phone Intake add-on; conversational AI agent backend for inbound calls | United States | SOC 2 Type II, GDPR-aligned | Privacy, DPA |
| Twilio Inc.: Phone numbers (visitor + firm), SMS message contents, call routing metadata | Inbound + outbound SMS messaging; phone number provisioning for AI Phone Intake | United States | SOC 2 Type II, ISO 27001, HIPAA-eligible (separate BAA) | Privacy, DPA |
| Resend Inc.: Recipient email addresses, email content (which may include lead summaries / case details), delivery + open metadata | Transactional email delivery (lead notifications, follow-ups, demand-letter delivery, account emails) | United States | SOC 2 Type II | Privacy, DPA |
| Inngest Inc.: Event payloads passed between jobs (lead IDs, session IDs, scoring results — typically references rather than full PII) | Background job orchestration (qualification pipeline, follow-up sequences, scheduled reports) | United States | SOC 2 Type II | Privacy, DPA |
What CasePlus does NOT share
- Visitor PII (names, phone numbers, email addresses on lead records) is encrypted with AES-256-GCM at the application layer before reaching the database. Even Neon's operators see only ciphertext for these fields.
- OAuth tokens for customer-enabled integrations (e.g. Clio) are encrypted with the same scheme before storage.
- Customer payment card numbers are never seen or stored by CasePlus — Stripe handles these directly.
- We do not sell, rent, or license any customer or visitor data to third parties for advertising or any other purpose.
Customer-enabled integrations
When a firm chooses to enable an integration (e.g. Clio, generic webhook, Slack), qualified-lead data flows to the receiving system at the firm's direction. Those receivers are not CasePlus subprocessors — they are controllers of the data the firm chooses to send them. See Terms of Service §11A and the Privacy Policy for details.
Questions or DPA requests
For Data Processing Agreement requests, security questionnaires, or any subprocessor-related questions, email support@caseplus.ai.