Legal
Data Processing Addendum
Draft last edited July 6, 2026.
This Data Processing Addendum ("DPA") would form part of the Master Services Agreement between Plaintiff Ops LLC ("Intake QA") and the subscribing Firm, and describes how we process data on the Firm's behalf.
1. Roles
For the intake-call recordings, transcripts, scores, and reports processed through the service, the Firm is the controller and Intake QA is the processor. We process this data only to provide the service and only on the Firm's documented instructions, which include this DPA and the MSA.
2. Encryption
Data is encrypted in transit (TLS to the application and to every provider) and at rest (AES-256 across our storage and models). We do not use Firm recordings, transcripts, or results to train our models, and we do not sell or share them.
3. Subprocessors
We use the following subprocessors to deliver the service. Some (SMS, e-sign) are not active until the corresponding feature is enabled for the Firm.
| Subprocessor | Purpose |
|---|---|
| AssemblyAI | Transcription of intake-call audio |
| Anthropic | Scoring transcripts against the fixed rubric |
| Supabase | Database, authentication, and file storage |
| Vercel | Application hosting and delivery |
| Twilio | SMS re-engagement (dark until A2P 10DLC approval) |
| Dropbox Sign | E-signature handoff (test mode until go-live) |
| Resend | Transactional and report email |
| Stripe | Subscription billing and payments |
4. Retention and deletion (what we actually do)
We state our real behavior, not an aspiration:
- Call audio is deleted the moment it is transcribed. We do not retain the underlying recording after transcription.
- Transcripts and reports are purged within 72 hours of your readout, or immediately on written request. A Leak Audit's data is purged automatically 72 hours after the readout if the Firm does not continue. Demo data and expired audit sessions are purged automatically on a daily scheduled job.
- For ongoing subscriptions, derived data (transcripts, scores, reports) is retained only as long as needed to provide the service and is purged on the same retention window unless the Firm asks us to keep a specific statement.
What we do not yet offer: we have not yet built one-click, immediate full-tenant deletion (a single action that removes every stored object, every database row, and issues a delete call to our transcription provider, with a deletion receipt). Until that ships, a full-tenant deletion request is handled manually by us on written request, and we will not claim otherwise. Invoices and billing records are retained as required for tax and accounting and are never used for the analysis service.
5. Confidentiality and PII
Recordings and transcripts are confidential (consistent with Cal. Rule 1.18). Transcription redacts sensitive identifiers server-side by default (Social Security, payment-card and banking, driver's-license and passport numbers). We do not place claimant PII in URLs, analytics events, or third-party tools without a processing basis. Spanish-language intake data receives the same protection.
6. Security posture (no overclaiming)
Intake QA is not itself SOC 2 certified or HIPAA compliant, and we do not claim to be. We state what our infrastructure providers attest to and mark anything unconfirmed as such. Our security posture is described on the security page.
7. Governing law
This draft is governed by the laws of the State of California.
Questions on this draft? Email ali@plaintiffops.com. Nothing here is in force until a final, attorney-reviewed version is signed.