How do I upload documents to the platform securely?

To upload documents securely, you navigate to your case and click on the 'Upload' button on your dashboard. The platform automatically encrypts all documents uploaded to protect against unauthorized individuals accessing them.

Does WakiliCRM have advocate-client matching?

Yes. Advocate or lawyer client matching is a key feature on WakiliCRM. Clients can search for lawyers based on their specialization and location, to find the best fit for their legal needs.

What types of documents can I upload to the system?

You can upload a range of document types, including PDFs, Word documents, and text files. Ensure the documents are well-formatted and free from harmful content like viruses or malware.

How do I communicate with my clients and colleagues on the platform?

The platform provides a secure messaging system for communication, where all messages are encrypted to guarantee privacy and security. Access to the messages is restricted to authorized users only.

Can I use AI on the platform?

The AI tools on the platform are meant only for lawyers and may be used to assist with legal research, case management, and document analysis to improve workflow and productivity.

How are messages encrypted to ensure confidentiality?

Messages on the platform are encrypted using AES-256 encryption, ensuring that unauthorized access to communications is prevented and keeping your conversations secure.

What happens if a document is accidentally uploaded with sensitive information?

If you accidentally upload a document with sensitive information, contact the support team. The platform respects sensitive data, and the support team will assist in resolving the issue with care.

Can I modify the case description once it's uploaded to the system?

Yes, you can modify the case description after it has been uploaded. You can update the case details, and all changes will be recorded to ensure transparency and traceability.

How do I ensure the documents I upload are only accessible by authorized personnel?

Wakili CRM uses role-based access control, allowing you to set permissions on who can view or edit documents. This ensures that only authorized users or groups can access sensitive information.

Is the platform compliant with legal data protection regulations?

Yes, the platform complies with legal data protection regulations like the Kenya Data Protection Act, GDPR, and CCPA, ensuring your data is handled with the highest standards of privacy and security.

Can clients upload documents or is that restricted to lawyers only?

Both clients and lawyers can upload documents relevant to a case. As long as the document pertains to a case, either party can upload it.

What is the most suitable CRM for my case?

We ensure that your case documents, messages, and case details are encrypted and securely stored. The platform gives you complete control over who can access your confidential files.

Is Wakili CRM suitable for my large firm?

Yes, Wakili CRM is suitable for large firms. We prioritize the security and confidentiality of your legal practices, providing you full control over document and message access.

Privacy Policy for Legal Practice Management System

Last Updated: July 21, 2025

1. Introduction and Overview

This Privacy Policy governs the collection, use, processing, and disclosure of personal data by [Your Company Name] ("we," "us," or "our") through our legal practice management platform ("Platform" or "Service"). We are committed to protecting the privacy and confidentiality of all personal data processed through our Platform, with particular attention to the sensitive nature of legal data and attorney-client privileged communications.

This Policy applies to:

Legal Practitioners: Attorneys, advocates, solicitors, and other legal professionals
Law Firm Personnel: Employees, partners, associates, paralegals, and administrative staff
Clients: Individuals and entities receiving legal services through firms using our Platform
Third Parties: Vendors, experts, and other parties involved in legal matters

2. Legal Framework and Compliance

Our privacy practices comply with:

Kenya Data Protection Act, 2019 and regulations thereunder
General Data Protection Regulation (GDPR) for EU data subjects
California Consumer Privacy Act (CCPA) where applicable
Professional conduct rules and legal ethics requirements in jurisdictions where our users practice
Industry standards including ISO 27001 and SOC 2 Type II compliance frameworks

3. Data Controller and Contact Information

Data Controller: [Your Company Name]
Address: [Your Physical Address]
Email: privacy@[yourdomain].com
Phone: [Your Phone Number]
Data Protection Officer: dpo@[yourdomain].com

4. Types of Personal Data We Collect

4.1 Client Data

We process highly sensitive personal data on behalf of law firms, including but not limited to:

Identity Information: Full names, addresses, phone numbers, email addresses, identification numbers, dates of birth
Financial Information: Banking details, financial records, income statements, asset information
Legal Matter Data: Case details, legal documents, correspondence, court filings, evidence
Special Categories: Health data, criminal records, biometric data, political opinions, religious beliefs (where relevant to legal matters)
Family Data: Marital status, family relationships, custody arrangements
Communication Records: All communications between attorneys and clients, internal law firm communications

4.2 Legal Practitioner and Law Firm Staff Data

Professional Information: Bar admission details, practice areas, professional certifications
Account Data: Login credentials, user preferences, access logs
Employment Data: Job titles, employment history, performance records
Financial Data: Billing information, time records, expense reports

4.3 Technical Data

Device Information: IP addresses, device identifiers, browser types, operating systems
Usage Analytics: Platform usage patterns, feature utilization, session durations
Security Logs: Login attempts, access patterns, security incidents

5. Legal Bases for Processing

We process personal data based on the following legal grounds:

5.1 Contractual Necessity

Processing necessary for the performance of contracts with law firms and legal practitioners to provide our Platform services.

5.2 Legal Obligations

Processing required to comply with legal obligations, including:

Anti-money laundering (AML) and know your customer (KYC) requirements
Court orders and legal process
Professional regulatory requirements
Tax and accounting obligations

5.3 Legitimate Interests

Processing necessary for our legitimate interests in:

Providing and improving our Platform services
Ensuring platform security and preventing fraud
Business analytics and service optimization

5.4 Consent

Where explicitly obtained for specific processing activities, particularly for marketing communications and optional features.

5.5 Vital Interests

In rare circumstances, processing may be necessary to protect the vital interests of data subjects or other persons.

6. How We Use Personal Data

6.1 Core Platform Services

Case Management: Organizing and managing legal cases, matters, and client information
Document Management: Storing, organizing, and providing access to legal documents and evidence
Communication Tools: Facilitating secure communications between attorneys and clients
Calendar and Scheduling: Managing appointments, court dates, and deadlines
Billing and Time Tracking: Recording billable hours and generating invoices
Reporting and Analytics: Providing insights into practice management and case progress

6.2 Security and Compliance

Monitoring for unauthorized access and security threats
Maintaining audit trails for compliance purposes
Implementing data loss prevention measures
Conducting regular security assessments

6.3 Service Improvement

Analyzing usage patterns to enhance Platform functionality
Developing new features and services
Conducting user experience research
Providing technical support and customer service

7. Data Sharing and Disclosure

We implement strict controls on data sharing while recognizing the collaborative nature of legal practice:

7.1 Within Law Firms

Data is shared among authorized personnel within law firms based on:

Role-based access controls
Need-to-know principles
Matter-specific permissions
Client-specific authorization levels

7.2 Third-Party Service Providers

We may share data with carefully vetted service providers for:

Cloud Infrastructure: Secure data hosting and storage
Security Services: Threat monitoring and incident response
Payment Processing: Billing and payment collection
Integration Partners: Court filing systems, document review platforms

All third parties are bound by strict data processing agreements and security requirements.

7.3 Legal Disclosures

We may disclose data when required by law, including:

Court orders and subpoenas
Regulatory investigations
Law enforcement requests (with proper legal authority)
Professional conduct investigations

7.4 Client Authorization

Data may be shared with third parties specifically authorized by clients, such as:

Expert witnesses and consultants
Co-counsel and referring attorneys
Client-designated representatives

8. International Data Transfers

When personal data is transferred outside Kenya or the European Economic Area, we ensure adequate protection through:

Adequacy Decisions: Transfers to countries with adequate data protection laws
Standard Contractual Clauses: EU-approved contractual protections
Binding Corporate Rules: Internal data transfer agreements
Certification Schemes: Privacy Shield successors and similar frameworks

9. Data Security Measures

9.1 Technical Safeguards

Encryption: End-to-end encryption for data in transit and at rest using AES-256
Access Controls: Multi-factor authentication, role-based permissions, and zero-trust architecture
Network Security: Firewalls, intrusion detection, and regular penetration testing
Data Backup: Automated, encrypted backups with geographic redundancy

9.2 Organizational Measures

Security Training: Regular training for all personnel on data protection
Background Checks: Comprehensive screening for personnel with data access
Incident Response: 24/7 security monitoring and rapid response procedures
Regular Audits: Internal and third-party security assessments

9.3 Compliance Certifications

ISO 27001 Information Security Management
SOC 2 Type II for security, availability, and confidentiality
Regular penetration testing and vulnerability assessments

10. Data Retention and Deletion

10.1 Retention Periods

Active Client Data: Retained for the duration of the attorney-client relationship plus applicable limitation periods
Closed Matter Data: Retained for minimum periods required by legal professional conduct rules (typically 7-10 years)
Financial Records: Retained for tax and accounting periods as required by law (minimum 7 years)
Security Logs: Retained for 2 years for security monitoring purposes
System Backups: Retained for 90 days with encrypted offsite storage

10.2 Secure Deletion

When retention periods expire, data is securely deleted using:

Cryptographic erasure for encrypted data
Multi-pass overwriting for unencrypted data
Physical destruction of storage media when necessary
Certificate of destruction for physical media

11. Individual Rights

11.1 Access Rights

Data subjects have the right to:

Obtain confirmation of data processing
Access copies of their personal data
Receive information about processing purposes and legal bases
Know about data sharing and retention periods

11.2 Rectification and Erasure

Right to Rectification: Correct inaccurate or incomplete data
Right to Erasure: Request deletion of data (subject to legal and professional obligations)
Right to Restriction: Limit processing in certain circumstances

11.3 Data Portability

Clients and practitioners can request their data in structured, commonly used formats for transfer to other service providers.

11.4 Objection and Consent Withdrawal

Object to processing based on legitimate interests
Withdraw consent for processing based on consent
Opt-out of marketing communications at any time

11.5 Exercising Rights

To exercise these rights, contact us at privacy@[yourdomain].com. We will respond within 30 days and may require identity verification.

12. Cookies and Tracking Technologies

12.1 Cookie Categories

Essential Cookies: Required for platform functionality and security
Performance Cookies: Analytics and usage monitoring (anonymized where possible)
Functional Cookies: User preferences and customization
Marketing Cookies: Used only with explicit consent for promotional content

12.2 Cookie Management

Users can manage cookie preferences through their account settings or browser controls. Note that disabling essential cookies may affect platform functionality.

13. Data Breach Notification

In the event of a data breach, we will:

Internal Response: Activate incident response procedures within 1 hour of detection
Regulatory Notification: Notify relevant authorities within 72 hours where required
Individual Notification: Inform affected individuals when legally required or when the breach poses high risk
Law Firm Notification: Immediately notify affected law firms with details of the breach and remediation steps
Professional Obligations: Assist law firms in meeting their professional duty to notify clients when required

14. Children's Privacy

Our Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. However, we recognize that legal matters may involve minors, and in such cases:

Data about minors is processed only as necessary for legal representation
Special protections are applied to minor's data
Parental/guardian consent requirements are followed where legally required
Enhanced security measures protect minor's information

15. Special Considerations for Legal Data

15.1 Attorney-Client Privilege

We recognize and protect attorney-client privileged communications through:

Technical measures to maintain privilege integrity
Strict access controls limiting access to authorized legal personnel
Audit trails to track all access to privileged information
Training on privilege protection for all personnel

15.2 Professional Conduct Compliance

Our Platform is designed to help law firms comply with professional conduct rules, including:

Client confidentiality requirements
Conflict of interest screening
Trust account management (where applicable)
Client communication obligations

15.3 Court-Ordered Disclosures

When legally compelled to disclose information:

We will notify affected law firms unless legally prohibited
We will challenge overbroad or inappropriate requests where possible
We will seek protective orders to limit disclosure scope
We will provide only the minimum information required

16. Business Transfers

In the event of a merger, acquisition, or sale of business assets:

We will provide 30 days advance notice to users
The acquiring entity must commit to honoring this Privacy Policy
Users will have the right to object and request data deletion
Professional conduct obligations will be transferred to the new entity

17. Updates to This Privacy Policy

We may update this Privacy Policy to reflect:

Changes in legal requirements
New Platform features or services
Enhanced security measures
User feedback and requests

Material changes will be communicated through:

Email notifications to all users
Prominent notices on the Platform
30-day advance notice for significant changes
Option to review and accept updated terms

18. Supervisory Authority and Complaints

You have the right to lodge complaints with:

Kenya: Office of the Data Protection Commissioner
EU/EEA: Your local data protection authority
Other Jurisdictions: Relevant privacy regulatory bodies

We encourage you to contact us first at privacy@[yourdomain].com to resolve any concerns.

19. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our data practices:

Privacy Team:
Email: privacy@[yourdomain].com
Phone: [Phone Number]
Address: [Physical Address]

Data Protection Officer:
Email: dpo@[yourdomain].com
Direct Phone: [DPO Phone Number]

Legal Department:
Email: legal@[yourdomain].com
For law firm-specific inquiries and professional conduct matters

20. Acknowledgment and Consent

By using our Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy. For law firms, you represent that you have the authority to bind your firm to these terms and that you will ensure all firm personnel are aware of and comply with these privacy practices.

Law firms using our Platform acknowledge their continuing obligation to:

Obtain appropriate client consent for data processing
Maintain client confidentiality and privilege
Comply with applicable professional conduct rules
Notify clients of data processing activities where required
Implement additional security measures as professionally required

Last Updated: July 21, 2025
Effective Date: [Effective Date]
Version: 1.0

Privacy Policy