GDPR Commitment

Capel is committed to GDPR principles. This page explains how we approach our obligations under the General Data Protection Regulation and how we help your firm meet yours.

Our Role Under GDPR

When you use Capel, we act as a data processor for the client data you upload. Your law firm remains the data controller, responsible for determining the purposes and means of processing.

For your account information and usage data, we act as a data controller. Full details are in our Privacy Policy.

Data Processing Agreement

We can provide a Data Processing Agreement (DPA) to customers upon request. Our DPA covers:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data processed
  • Categories of data subjects
  • Obligations and rights of the controller
  • Sub-processor arrangements
  • Data breach notification procedures

Contact us at finn@usecapel.com to request a copy of our DPA.

Technical and Organisational Measures

We implement security measures aligned with Article 32 requirements:

Encryption

  • TLS 1.3 for data in transit
  • AES-256 encryption for data at rest
  • Encrypted backups

Access Control

  • Role-based access control
  • Multi-factor authentication
  • Regular access reviews
  • Principle of least privilege

Monitoring and Testing

  • Audit logging
  • Regular security testing
  • Vulnerability scanning

Data Subject Rights

We help you fulfil data subject requests. When you receive a request from a data subject (access, rectification, erasure, portability, etc.), you can:

  • Export all data related to a matter or client directly from the platform
  • Delete specific records through the admin interface
  • Contact our support team for assistance with complex requests

We will notify you promptly if we receive a data subject request directly, as required by our DPA.

Data Breach Procedures

In the event of a personal data breach, we will:

  • Notify you within 24 hours of becoming aware of the breach
  • Provide details of the nature of the breach, categories of data affected, and approximate number of records
  • Describe likely consequences and measures taken or proposed
  • Cooperate with your notification obligations to the Data Protection Commission (DPC) and data subjects

Sub-Processors

We use a limited number of sub-processors to provide the Service. All sub-processors are bound by data processing agreements and must meet our security standards. Current sub-processors include:

  • Amazon Web Services (Ireland) – Cloud infrastructure
  • Stripe – Payment processing

We will notify you of any intended changes to sub-processors, giving you the opportunity to object.

Data Location

All customer data is processed and stored exclusively within the European Union, specifically in AWS's Dublin (eu-west-1) region. We do not transfer data outside the EEA.

Records of Processing

We maintain records of processing activities. These records are available for inspection by supervisory authorities upon request.

Data Protection Contact

For data protection queries, contact us at:

Email: finn@usecapel.com
Address: Capel Legal Technology Ltd, Dublin, Ireland

Helping Your Firm Comply

Beyond our own compliance, Capel helps your firm meet GDPR obligations:

  • Audit trails: Comprehensive logs of who accessed what data and when
  • Data minimisation: Only collect and process what's necessary
  • Retention controls: Automated data retention and deletion policies
  • Export tools: Easy data export for subject access requests
  • Consent management: Track and manage client consents

Questions about data protection?

We're happy to discuss our data protection practices in detail or provide documentation for your records.
