Legal · Summary
When you upload case records, CitePage handles them as your processor — we process that content only to provide the service to you. This is the readable summary of how that works. A full, signed DPA (and a BAA, where you need one) is available on request.
This summary supplements our Terms of Service and Privacy Policy. It describes, in plain terms, how CitePage processes the case content you upload ("Customer Content") on your behalf. It is a readable overview — not a substitute for a signed agreement. If your engagement needs a countersigned DPA or BAA, see Signed DPA / BAA below.
We process Customer Content solely to provide and support the service, following your documented instructions (which include your use of the product's features). We do not use your Customer Content for our own purposes, we do not sell it, and it is never used to train or fine-tune any AI model. Where we're legally compelled to process it otherwise, we'll tell you unless the law prohibits it.
We use a small set of subprocessors to deliver the service, each bound to process data only to provide their function to us:
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic | AI processing (Claude API) — reads records to build the chronology; contractually barred from training on the content | United States |
| Fly.io | Application hosting and encrypted storage of Customer Content | United States |
| Cloudflare | Content delivery (CDN) and cookieless website analytics (no Customer Content) | Global CDN |
| Porkbun | Domain registration and DNS only — no Customer Content | United States |
If we add or replace a subprocessor that processes Customer Content, we'll update this list. The canonical list lives on our Trust & Security page.
We maintain technical and organizational measures appropriate to the sensitivity of the data, including:
Full detail, and an honest account of what we don't yet claim, is on the Trust & Security page.
You can delete any case and its source files at any time from your account. On request, or on termination of your account, we will delete or return Customer Content in the ordinary course, subject to limited retention required by law. We're also rolling out an option to auto-delete original records once your chronology is built, so only the cited timeline is retained.
We'll provide reasonable assistance to help you respond to requests from individuals exercising their data rights and to meet your own compliance obligations, taking into account the nature of our processing. If we become aware of a security incident affecting your Customer Content, we'll notify you without undue delay and share what we reasonably can to help you respond.
Many experts and their retaining counsel are fine with this summary. If your engagement requires a countersigned Data Processing Addendum — or a Business Associate Agreement (BAA) for HIPAA-covered arrangements — we can provide one on request. Email security@citepage.com or hello@citepage.com and we'll work through what you need.
Questions about data processing? Email security@citepage.com or hello@citepage.com.
CitePage
1738 SW 57th Ave #407
Miami, FL 33155
United States