Data Processing Addendum
Effective June 9, 2026
This Data Processing Addendum (the "DPA") forms part of, and is incorporated by reference into, the Impact Witness SaaS Subscription Agreement between Law Box LLC ("Company") and the law firm that uses the Service ("Customer"). It describes how Company processes Customer Data on Customer's behalf.
1. Roles
Customer (the law firm) is the controller / business and determines the purposes and means of processing its clients' personal information. Company (Law Box LLC) is the processor / service provider, processing Customer Data only on Customer's documented instructions to provide the Service.
Company will not "sell" or "share" Customer Data, and will not use it for its own purposes, including training general AI models. AI processing is configured with store: false and organization-level API logging disabled, and is never used to train any model.
2. Scope of processing
Subject matter: provision of the Service. Duration: the term plus the post-termination export/deletion window. Nature/purpose: hosting, categorizing, and generating narrative/prep work product from Customer Data. Categories of data subjects: Customer's clients and Customer's authorized users. Categories of data: client-submitted impact moments and recovery updates, contact data, and account data — which may include information about a person's physical condition.
3. Security measures
Company maintains: encryption in transit (TLS 1.3) and at rest (AES-256); per-firm Postgres row-level security isolation; least-privilege access controls and secrets management; OpenAI calls configured with store: false and organization-level logging disabled (never used for model training); and encrypted per-firm backups. Company reviews these measures periodically.
4. Subprocessors
Customer authorizes Company to use the subprocessors below to provide the Service. Company remains responsible for their performance and binds them to confidentiality and data-protection obligations. Company will give notice of new subprocessors and a chance to object.
| Subprocessor | Function | Location |
|---|---|---|
| Supabase | Database, auth, storage | USA |
| Cloudflare | Hosting / edge / CDN | USA |
| OpenAI | AI text generation (store: false; no model training) | USA |
| Resend | Transactional email | USA |
| Twilio | Inbound/outbound client text messages | USA |
| Stripe | Payments (billing data only) | USA |
5. Assistance & data-subject rights
Taking into account the nature of processing, Company will reasonably assist Customer in responding to data-subject/consumer requests (access, deletion, correction) and in meeting Customer's security, breach-notification, and assessment obligations.
6. Breach notification
Company will notify Customer without undue delay, and in any case within 72 hours, after becoming aware of a personal-data breach affecting Customer Data, with the information Customer reasonably needs to meet its own notification duties.
7. Return & deletion
On termination, Company will, at Customer's choice, return or delete Customer Data within 30 days, except as retention is required by law. Backups are deleted on their normal cycle.
8. Audit
Company will make available information reasonably necessary to demonstrate compliance and will respond to reasonable Customer security questionnaires no more than once per year absent a breach or legal requirement.
Contact
Questions about this DPA? Email admin@impactwitness.com. See also the Subscription Agreement, Privacy Policy, and Terms.
Not legal advice. Impact Witness is operated by Law Box LLC, a Texas limited liability company.