BatesFlow

Data Processing Agreement

How we process and protect your data

Last updated: April 16, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between SKL LLC (“Processor,” “we”) and the law firm or legal professional using BatesFlow (“Controller,” “you”). This DPA governs the processing of personal data that you submit to BatesFlow in connection with your use of the Service.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person that you upload to or process through BatesFlow.
  • “Processing” means any operation performed on Personal Data, including collection, storage, classification, stamping, indexing, retrieval, and deletion.
  • “Sub-processor” means any third party engaged by us to process Personal Data on your behalf.

2. Scope of Processing

Data Categories

BatesFlow processes the following categories of data on your behalf:

  • Case Documents: PDFs, scanned images, and other files uploaded for Bates stamping and production.
  • Demand Letters: Discovery demand documents uploaded for AI parsing.
  • Classification Metadata: Document type, institution, date range, and description generated during AI classification.
  • Production Outputs: Bates-stamped PDFs, Rider documents, Document Inventories, and Bates Indices generated by the Service.

Processing Purposes

We process your data solely for the following purposes:

  • Parsing discovery demands to extract numbered request items.
  • Applying OCR to scanned documents to extract text content.
  • Classifying documents by type, institution, and relevance to demand items.
  • Applying sequential Bates stamps to document pages.
  • Generating production output files (Rider, Inventory, Index).
  • Storing documents and outputs for your retrieval during your subscription period.

3. Our Obligations

  • Process Personal Data only on your documented instructions and solely for the purposes described above.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures as described on our Security page.
  • Not engage additional Sub-processors without prior notice and the opportunity for you to object.
  • Assist you in responding to data subject access requests, to the extent technically feasible.
  • Notify you of any Personal Data breach within 72 hours of becoming aware of it.
  • Delete or return all Personal Data upon termination of the agreement, at your election, within 30 days.

4. Your Obligations

  • Ensure you have a lawful basis for processing the Personal Data you submit to BatesFlow.
  • Ensure you have obtained any necessary consents or authorizations from data subjects.
  • Provide us with documented instructions regarding the processing of Personal Data.
  • Notify us promptly of any data subject requests you receive that relate to data processed through BatesFlow.

5. Sub-processors

We use the following categories of Sub-processors to deliver the Service:

  • Cloud Infrastructure Provider: Hosting, compute, and managed database services. Data stored in the United States.
  • Object Storage Provider: Encrypted document storage. Data stored in the United States.
  • AI Processing Provider: Document classification and OCR. Data is processed in real time and not retained by the provider.
  • Payment Processor: Billing and subscription management. Processes payment data only — no access to case documents.

We will notify you at least 30 days in advance of engaging any new Sub-processor. You may object to a new Sub-processor by contacting us within that period.

6. Data Security

We implement the security measures described on our Security page, including but not limited to:

  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Three-layer tenant isolation preventing cross-firm data access.
  • Role-based access control within each firm’s environment.
  • Platform operator exclusion from case data.
  • Comprehensive audit logging retained for a minimum of 12 months.

7. Data Retention & Deletion

  • Your data is retained for the duration of your active subscription.
  • Upon termination, you may export your data for 30 days.
  • After the 30-day export period, all Personal Data is permanently deleted from our systems, including backups, within 90 days.
  • You may request deletion of specific cases or documents at any time during your subscription.

8. Data Residency

All Personal Data processed through BatesFlow is stored and processed exclusively in the United States. We do not transfer Personal Data outside the United States unless you explicitly request it and appropriate safeguards are in place.

9. Audit Rights

You may request, no more than once per year and with at least 30 days’ written notice, reasonable information about our data processing practices and security measures to verify compliance with this DPA. We will cooperate with such requests in a manner that does not compromise the security of other customers’ data.

10. Term & Termination

This DPA remains in effect for the duration of your use of BatesFlow. Obligations relating to data deletion, confidentiality, and security survive termination.

11. Governing Law

This DPA is governed by the laws of the State of New York. In the event of any conflict between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to data processing matters.

Contact

For questions about this DPA or to exercise your rights, contact:
SKL LLC
Email: privacy@batesflow.com