Last updated: June 2, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller," "you," or "your") and SuitsIndex ("Processor," "we," "us," or "our") and applies where we process personal data on your behalf in connection with your use of the SuitsIndex law firm management platform.
This DPA is incorporated into and forms part of our Terms of Service. By creating an account, subscribing to, or using SuitsIndex to store client or case data, you enter into this DPA on behalf of your organization.
1. Definitions
In this DPA:
"Applicable Data Protection Law" means the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and any other applicable data protection or privacy laws.
"Personal Data," "Processing," "Data Subject," "Controller," "Processor," "Sub-processor," and "Supervisory Authority" have the meanings given in Applicable Data Protection Law.
"Services" means the SuitsIndex website, web application, cloud hosting, support, and related services described in our Terms of Service.
"Customer Data" means personal data processed by us on your behalf through the Services, including client names, contact information, case details, court records, documents, correspondence, and other matter data you upload or enter into SuitsIndex.
2. Roles of the Parties
You are the Controller of Customer Data. You determine the purposes and means of processing Customer Data and are responsible for ensuring a valid lawful basis exists before storing any personal data in SuitsIndex.
We are the Processor of Customer Data. We process Customer Data only on your documented instructions, as described in this DPA, our Terms of Service, and the functionality of the Services.
3. Details of Processing
Subject matter: Provision of law firm management software and related cloud services.
Duration: For the term of your subscription or use of the Services, and as set out in Section 11 (Return and Deletion of Data).
Nature and purpose of processing: Storage, organization, retrieval, backup, security, and technical support of Customer Data to enable case management, document management, billing, reporting, and related legal practice functions.
Categories of data subjects: Your clients, opposing parties, witnesses, court officials, employees, contractors, and other individuals whose personal data you choose to store in the Services.
Types of personal data: Names, contact details, identification information, case and court information, billing records, correspondence, documents, notes, and other personal data you upload or generate through the Services.
4. Controller Obligations
You agree to:
a. Process Customer Data in compliance with Applicable Data Protection Law;
b. Have a valid lawful basis before storing or processing any personal data in SuitsIndex, including client names, contact information, and case details;
c. Provide all required privacy notices to data subjects;
d. Ensure your instructions to us comply with Applicable Data Protection Law;
e. Respond to data subject rights requests in your role as Controller, and notify us promptly if you require our assistance;
f. Not instruct us to process Customer Data in a manner that violates Applicable Data Protection Law.
5. Processor Obligations
We will:
a. Process Customer Data only on your documented instructions, unless required by law. If we are required by law to process Customer Data, we will inform you unless prohibited from doing so;
b. Ensure that persons authorized to process Customer Data are bound by confidentiality obligations;
c. Implement appropriate technical and organizational measures to protect Customer Data, as described in Section 7;
d. Not engage another processor (Sub-processor) without your general written authorization as set out in Section 8;
e. Assist you, taking into account the nature of processing, in responding to data subject requests to exercise their rights under Applicable Data Protection Law;
f. Assist you with security obligations, data protection impact assessments, and prior consultation with Supervisory Authorities where required, taking into account the nature of processing and information available to us;
g. Notify you without undue delay after becoming aware of a personal data breach affecting Customer Data;
h. Delete or return Customer Data as set out in Section 11, unless Applicable Data Protection Law requires retention;
i. Make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits as set out in Section 12.
6. Lawful Basis and Instructions
You instruct us to process Customer Data solely to provide the Services in accordance with this DPA and our Terms of Service. You acknowledge that personal data must not be stored in SuitsIndex without a valid legal reason under Applicable Data Protection Law.
Your use of the Services (including uploading, editing, exporting, or deleting Customer Data through the application) constitutes documented instructions to us for those processing activities.
7. Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
a. Hosting on Microsoft Azure with industry-standard infrastructure security;
b. Access controls and authentication for user accounts;
c. Encryption of data in transit using TLS/SSL;
d. Regular backups and disaster recovery procedures;
e. Monitoring and logging for security and operational purposes;
f. Restricted access to Customer Data on a need-to-know basis by authorized personnel.
We may update security measures from time to time, provided such updates do not materially reduce the overall security of the Services.
8. Sub-processors
You provide general written authorization for us to engage Sub-processors to support the Services. We will ensure each Sub-processor is bound by data protection obligations no less protective than those in this DPA.
Our current Sub-processors include:
Microsoft Corporation (Microsoft Azure) – cloud hosting and infrastructure
What they process: All application data including account, client/case, and document data
Location: Data may be processed in regions selected for Azure deployment
Purpose: Hosting, storage, backups, and operation of the SuitsIndex application
Meta Platforms / WhatsApp (WhatsApp Business Platform) – client messaging
What they process: Client phone numbers and message content when the WhatsApp case-update feature is enabled
Location: Data may be processed in countries where Meta/WhatsApp operates
Purpose: Delivering WhatsApp notifications to law firm clients about case progress
We will inform you of any intended changes concerning the addition or replacement of Sub-processors by updating this page or notifying you by email. You may object to a new Sub-processor on reasonable grounds relating to data protection by contacting us within thirty (30) days of notification. If we cannot reasonably accommodate your objection, you may terminate the affected Services.
9. International Data Transfers
Customer Data may be processed in Jordan and in other countries where we or our Sub-processors operate. Where Customer Data is transferred outside the EEA or UK, we will ensure appropriate safeguards are in place as required by Applicable Data Protection Law, such as Standard Contractual Clauses approved by the European Commission or UK authorities.
Upon request, we will provide information about applicable transfer mechanisms.
10. Data Subject Rights
We will assist you in fulfilling your obligation to respond to data subject requests under Applicable Data Protection Law, including requests for access, rectification, erasure, restriction, portability, and objection, by providing appropriate technical means within the Services and reasonable support upon your written request.
If we receive a data subject request relating to Customer Data directly, we will promptly notify you and will not respond except on your instructions or as required by law.
11. Return and Deletion of Data
Upon termination or expiry of the Services, you may export Customer Data using the functionality available in the application. Upon your written request, we will delete Customer Data from our active systems within ninety (90) days, unless Applicable Data Protection Law requires retention, an unresolved dispute or legal claim requires continued retention, or backup copies are retained for a limited period (up to ninety (90) days) for disaster recovery, security, or legal compliance purposes as described in our Privacy Policy.
You remain responsible for deleting Customer Data when you no longer have a lawful basis to retain it, regardless of your subscription status.
12. Audits and Compliance
We will make available information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable written notice and subject to confidentiality obligations, you may request information about our processing activities or conduct an audit no more than once per year, unless required by a Supervisory Authority or following a confirmed personal data breach.
Audits will be conducted during normal business hours, in a manner that does not unreasonably disrupt our operations, and may be satisfied by review of our security documentation, certifications, or third-party audit reports where available.
13. Personal Data Breach
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Data. Our notification will include, to the extent known, a description of the nature of the breach, likely consequences, and measures taken or proposed to address the breach.
We will cooperate with you and take reasonable steps to assist in your investigation, mitigation, and notification obligations to Supervisory Authorities and data subjects, as required by Applicable Data Protection Law.
14. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in our Terms of Service, except where liability cannot be limited under Applicable Data Protection Law.
15. Order of Precedence
If there is a conflict between this DPA and the Terms of Service regarding the processing of Customer Data, this DPA will prevail. If there is a conflict between this DPA and a separately executed written agreement specifically addressing data processing, that written agreement will prevail.
16. Changes to This DPA
We may update this DPA from time to time to reflect changes in law, our Services, or Sub-processors. Material changes will be posted on this page with an updated "Last updated" date. Where required by Applicable Data Protection Law, we will provide additional notice.
17. Contact
For questions about this DPA, Sub-processors, security, or data protection matters, contact:
SuitsIndex (operated by Zarafah Technologies)
Email: info@suitsindex.com
Address: Zahran Street, Amman, 11183, Jordan
Phone: +962 79 690 690 1
Related documents: Terms of Service | Privacy Policy