CaseCloud Software Terms of Service

Effective Date: 23 November 2025

Last Updated: 23 November 2025

Provider: AAPTERA LTD (Company No. 16869753)

Website: casecloud.co

These Terms of Service govern access to and use of the CaseCloud service.

1. Contract structure and interpretation

1.1 Agreement components

The agreement for use of CaseCloud consists of:

  • these Terms of Service;
  • any Call-Off Terms (including any order form, statement of work, framework call-off, data processing agreement, SLA pack, feature matrix, rate card, or security schedule); and
  • any policies or technical constraints presented within the Service (for example password requirements, rate limits, usage limits).

1.2 Priority

Where there is conflict, the Call-Off Terms prevail over these Terms. These Terms apply to all access and use unless expressly displaced by the Call-Off Terms.

1.3 Changes to these Terms

We may update these Terms. Changes take effect from the "Last updated" date. If a change materially reduces Customer rights or increases Customer obligations, we will provide notice via the Service or to the Customer's nominated admin contact.

1.4 Definitions

Capitalised terms have the meanings set out in Section 2.

2. Definitions

  • Service: the CaseCloud cloud-based case, workflow and reporting platform and related services, including the web UI, APIs (where enabled), integrations, notifications, audit logging, help centre content, support tooling, and administrative capabilities.
  • Customer: the organisation that has contracted to use the Service under Call-Off Terms.
  • Authorised Users: individuals who access the Service under the Customer's authority (including employees, contractors, and approved partner users).
  • End Users: individuals who provide information to the Customer through CaseCloud-enabled intake channels where configured (for example forms, portals, or email-to-case).
  • Customer Data: all data uploaded to, created in, processed by, or exported from the Service on behalf of the Customer, including configuration and audit records.
  • Customer Systems: the Customer's networks, devices, browsers, identity services, and any connected systems used to access or integrate with the Service.
  • Subscription: the plan/band and add-ons purchased by the Customer under Call-Off Terms.

3. Who may use the Service

3.1 Business-to-organisation service

CaseCloud is provided to organisations under Call-Off Terms. Individual consumer use is not offered unless expressly agreed in writing.

3.2 Authority

If you accept these Terms on behalf of a Customer, you confirm you have authority to do so.

3.3 Authorised Users only

Access is limited to Authorised Users and any other users expressly permitted by the Customer and the Call-Off Terms.

4. What CaseCloud does

4.1 Platform function

The Service supports operational case management and workflow delivery, including configurable forms, case views and search, tagging/labels, attachments and evidence handling, linking/merging, workflow steps and automation, dashboards and reporting, and collaboration controls, as enabled by the Customer's Subscription.

4.2 Configuration model

The Service is configurable using patterns, templates, and administrative tooling. The Customer is responsible for configuration choices (fields, workflows, permissions, retention rules, and organisational boundaries) unless the Call-Off Terms state we will configure these on the Customer's behalf.

4.3 Band-dependent capabilities

Limits and feature entitlements vary by Subscription band. The binding definition of entitlements is in the Call-Off Terms. Any description on casecloud.co (including /plans) is informational and does not override the Call-Off Terms.

5. Access, accounts, and administration

5.1 Customer administrators

The Customer must designate administrators who are responsible for:

  • provisioning/deprovisioning Authorised Users;
  • assigning roles and permissions;
  • setting and maintaining workspace boundaries, including partner/agency access where used; and
  • ensuring only appropriate users have access to sensitive case types.

5.2 Credential security

Authorised Users must safeguard authentication factors and must not share accounts. The Customer must promptly remove access for leavers and compromised accounts.

5.3 Customer System requirements

The Service requires a modern web browser and internet connectivity. The Customer is responsible for maintaining secure and compatible Customer Systems.

5.4 Notifications and communications

The Service may send operational notifications (for example assignment alerts, workflow notifications, scheduled reports where enabled). The Customer is responsible for configuring notification settings and recipient lists.

6. Customer responsibilities for operational use

6.1 Policy and governance

The Customer is responsible for:

  • lawful basis and transparency notices for processing personal data;
  • operational decision-making (triage, investigations, safeguarding, enforcement, service delivery);
  • evidential policies (chain of custody, disclosure, and retention) where relevant; and
  • training of Authorised Users.

6.2 Accuracy of records

The Customer is responsible for the content and accuracy of Customer Data entered or uploaded by Authorised Users and End Users.

6.3 Multi-agency and partnership use

If the Customer enables multi-organisation workspaces, the Customer must ensure appropriate agreements, governance, and access controls are in place between participating organisations.

7. Acceptable use and restrictions

7.1 No interference

You must not attempt to disrupt, overload, probe, or degrade the Service or any related systems.

7.2 No unauthorised access

You must not bypass authentication/authorisation controls, attempt privilege escalation, or access data outside your permissions.

7.3 No harmful code

You must not introduce malware, exploit code, or other harmful content.

7.4 No unlawful or abusive use

The Service must not be used to unlawfully surveil, harass, threaten, discriminate, or otherwise harm individuals.

7.5 No bulk extraction outside permitted methods

You must not scrape or harvest data except through the Service's export features and APIs as permitted by the Subscription and configuration.

7.6 Security testing

Any penetration testing or security assessment of the Service requires our prior written authorisation and coordination.

7.7 Enforcement

We may investigate suspected misuse and apply protective measures (including restrictions or suspension) consistent with Section 16.

8. End User submissions and external intake

8.1 Customer-controlled intake

Where the Customer enables End User submission channels, the Customer controls:

  • what data is collected;
  • how it is presented to End Users; and
  • how submissions are processed and acted upon.

8.2 End User conduct

End Users must not submit content that is unlawful, knowingly false, or malicious, or that infringes third-party rights.

8.3 Customer accountability

The Customer is accountable for how it uses submissions, including onward sharing with other agencies, and must provide appropriate notices and exercise appropriate discretion.

9. Customer Data, ownership, and licence

9.1 Customer Data ownership

The Customer retains all rights in Customer Data. We do not obtain ownership of Customer Data.

9.2 Licence to process

The Customer grants us a limited right to host, copy, transmit, and process Customer Data solely to provide, support, secure, and improve the Service consistent with these Terms and the Call-Off Terms.

9.3 Service intellectual property

We retain all rights in the Service, including software, documentation, templates and design elements. No rights are granted except as needed to use the Service during the term.

9.4 Feedback

We may use feedback to improve the Service without obligation, provided we do not disclose Customer confidential information.

10. Data protection and privacy

10.1 Roles

For Customer Data:

  • the Customer is Data Controller; and
  • AAPTERA is Data Processor.

10.2 Processor commitments

We will:

  • process Customer Data only on documented Customer instructions and as needed to provide and secure the Service;
  • maintain appropriate technical and organisational measures to protect Customer Data;
  • ensure personnel confidentiality;
  • use sub-processors under appropriate contractual protections; and
  • support the Customer with data subject requests and DPIAs to the extent required by law and as set out in the Call-Off Terms.

10.3 Hosting and sub-processors

Data is hosted primarily in the UK, with UK/EU hosting selectable subject to the Call-Off Terms. Sub-processor details are available on request.

10.4 Operational telemetry and logs

We process security and operational telemetry (for example uptime metrics, error logs, authentication events, audit trails where enabled) to maintain and secure the Service.

10.5 Anonymised/aggregated analytics

We may use anonymised and aggregated data derived from service operation and usage to improve performance, reliability, and capability, designed so it cannot reasonably identify individuals.

10.6 Privacy Notice

Our Privacy Notice (including cookies) is at /privacy-cookies.

11. Security and audit

11.1 Security controls

The Service includes controls such as role-based access control, encryption in transit and at rest, and audit logging features where enabled by Subscription.

11.2 Customer security posture

The Customer is responsible for secure configuration (roles, permissions, retention, integration credentials) and for protecting Customer Systems.

11.3 Incident handling

Incident management, communications, and response targets are governed by the Call-Off Terms.

12. Integrations, APIs, and data export

12.1 APIs and webhooks

Where enabled, API usage is subject to Subscription limits, authentication requirements, and technical constraints (including rate limiting).

12.2 Customer integration responsibility

The Customer is responsible for its integration code, credentials, and configuration, and for ensuring integrations do not exceed agreed limits or create security risks.

12.3 Exports

The Service supports export capabilities (for example CSV/Excel and, where enabled, API-based extraction). Export formats and availability vary by Subscription and configuration.

13. Availability, maintenance, and changes

13.1 Availability and SLAs

Availability targets and response times are governed by the Call-Off Terms.

13.2 Maintenance

We may perform maintenance and deploy updates. We will take reasonable steps to minimise disruption and provide notice where required under the Call-Off Terms.

13.3 Product evolution

We may modify, add, or retire features. If the Call-Off Terms specify protections (for example notice periods or minimum functionality commitments), those protections apply.

14. Confidentiality

14.1 Confidentiality obligations

Each party must protect the other's confidential information and use it only to perform the agreement. Confidential information may be shared with personnel and subcontractors who need to know and are bound by confidentiality obligations.

14.2 Customer Data confidentiality

Customer Data is treated as confidential in addition to data protection obligations.

15. Suspension

15.1 Protective measures

We may restrict or suspend access to protect the Service, the Customer, other customers, or data subjects where we reasonably believe:

  • there is a security compromise or imminent risk;
  • there is unlawful or materially abusive use; or
  • suspension is required by law or a regulator.

15.2 Notification

Where practicable, we will notify the Customer administrator and provide information reasonably necessary to support investigation and remediation.

16. Termination and offboarding

16.1 Termination rights

Termination rights, notice requirements, and consequences are governed by the Call-Off Terms.

16.2 Export window

Following termination or expiry, we will make Customer Data available for export for 90 days, where reasonably practicable and subject to the Call-Off Terms and applicable law.

16.3 Deletion

After the export window, we will delete Customer Data in accordance with configured retention rules and secure deletion processes, subject to legal obligations.

17. Disclaimers

17.1 Informational materials

Website pages (including /plans) describe the Service but do not create binding commitments beyond the Call-Off Terms.

17.2 No legal advice

The Service supports record-keeping and workflow; it does not provide legal advice.

18. Liability

18.1 Statutory limitations

Nothing limits or excludes liability that cannot be limited or excluded by law (including death or personal injury caused by negligence, fraud, or fraudulent misrepresentation).

18.2 Liability caps

Any liability limitations and caps are governed by the Call-Off Terms.

18.3 Exclusions

To the maximum extent permitted by law, we are not liable for:

  • indirect, consequential, or special loss, including loss of profits, business, revenue, goodwill, anticipated savings, or data;
  • loss or damage arising from Customer's configuration choices, operational decisions, or misuse of the Service;
  • loss or damage arising from Customer Systems, third-party integrations, or Customer's failure to maintain secure systems;
  • loss or damage arising from Customer Data errors, inaccuracies, or unauthorised access due to Customer's failure to maintain appropriate security controls;
  • loss or damage arising from events beyond our reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, strikes, or failures of third-party systems or networks; and
  • loss or damage arising from suspension or termination of access in accordance with these Terms.

18.4 Customer responsibility

The Customer is responsible for its operational decisions and outcomes using the Service.

19. Governing law and jurisdiction

These Terms are governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction, except where the Call-Off Terms provide otherwise.

Appendix A - Responsible Use Rules

  • A1. Use the Service only for legitimate, lawful purposes authorised by the Customer.
  • A2. Do not falsify records or fabricate evidence.
  • A3. Do not upload content you are not entitled to share or that unlawfully intrudes on privacy.
  • A4. Do not attempt to compromise the Service, extract data outside permitted interfaces, or interfere with other users.
  • A5. Report suspected misuse or security incidents to the Customer administrator or to hello@casecloud.co.