Data privacy
CaseFlow includes GDPR tools and data privacy controls to help your firm comply with data protection regulations.
GDPR tools
Go to Setup > GDPR to access privacy management features.
Data export (right of access)
If a client requests a copy of their data, you can generate an export:
- Go to Setup > GDPR
- Click Data Export
- Search for the client
- Click Export
CaseFlow generates a file containing all data associated with that client: contact details, matters, invoices, payments, documents, notes, and any custom field values.
Data erasure (right to be forgotten)
If a client requests deletion of their data:
- Go to Setup > GDPR
- Click Data Removal
- Search for the client
- Review what will be deleted
- Confirm erasure
This permanently deletes the client record, contacts, and linked data. Invoices and payments may be retained for legal/tax compliance (configurable).
Be careful: erasure is irreversible.
Consent management
Track whether clients have consented to data processing. On client contact records, there are consent fields showing:
- Whether the contact agreed to data processing
- When they agreed
- What they agreed to
Data portability
The GDPR export generates data in a structured, machine-readable format (JSON or CSV) that can be provided to the client or transferred to another system.
What CaseFlow stores
For each client:
- Contact details (name, email, phone, address)
- Matter information
- Invoices and payment records
- Time entries
- Documents uploaded
- Communication history (emails sent)
- Notes
- Custom field values
- Portal login activity
For staff:
- Name, email, phone
- Login history
- Time entries
- Activity log
Data retention
CaseFlow does not automatically delete old data. Records stay until you remove them manually or use the GDPR erasure tool. This is intentional; law firms typically need to retain records for years (ethical obligations, statutes of limitation, malpractice insurance requirements).
Set your own retention policy and review old records periodically.
Firm data isolation
Your firm's data lives in a completely isolated workspace, separate from every other firm on the platform. There is no shared storage or pooled data. An administrator at another firm cannot see your data, and platform administrators can only see your firm's basic account information (firm name, subdomain, plan) without access to your client records.
What CaseFlow does not do
- CaseFlow does not sell or share your data with third parties
- CaseFlow does not use your data for training AI models
- CaseFlow does not serve ads based on your data
- CaseFlow support staff do not access your data unless you request debugging assistance
Brute force protection
CaseFlow locks accounts after multiple failed login attempts. After 5 consecutive wrong passwords, the account is locked for 15 minutes. This prevents automated password-guessing attacks.
The lockout is per-account, not per-IP. This means a targeted attack against one account triggers the lockout regardless of where the attempts come from.
Session security
Sessions are encrypted and configured with:
- HTTPS-only delivery (your session cookie is never sent over an unencrypted connection)
- Protection from in-browser scripts (no third-party script on a CaseFlow page can read your session cookie)
- Automatic timeout after inactivity
When you log out, your session is destroyed server-side. You cannot log back in with an old session token.