EOR Confidentiality Notice

This Confidentiality Notice governs the collection, use, storage, and protection of all sensitive information exchanged between Courtpals, LLC and its Clients, Employees, and Virtual Assistants (VAs) in connection with Employer of Record (EOR) services.

It applies to all parties involved in the EOR relationship — including law firms, individual attorneys, recruited employees, VAs, and any affiliated service providers — and covers all information shared during sourcing, onboarding, payroll processing, HR management, and offboarding.

In the course of providing EOR services, Courtpals, LLC may collect, process, or have access to the following categories of confidential information:

• Client Information: Law firm and attorney names, contact details, billing information, case strategy, client rosters, and any internal operational details shared during the engagement.
• Employee and VA Information: Full legal name, government-issued identification, tax identification numbers, payroll data, employment history, educational credentials, reference check results, banking details for salary disbursement, and health or benefits enrollment data.
• Client End-User Information: To the extent that a law firm's clients (e.g., immigration applicants) are referenced in work assignments, any personally identifiable information — including Alien Registration Numbers (A-Numbers), case numbers, or declarations — is treated as strictly confidential.
• Operational Information: Internal processes, fee structures, Exhibit agreements, communication logs, and service workflows shared between the Client and Courtpals.

Courtpals, LLC takes the security and confidentiality of all information seriously. Protective measures include:

• Access to sensitive data is restricted on a strict need-to-know basis. Only the personnel directly involved in delivering the relevant service will have access to confidential records.
• All employees and VAs are required to sign a Non-Disclosure Agreement (NDA) prior to beginning any work assignment. This obligation survives the termination of their engagement with Courtpals, LLC.
• Electronic records are stored in secured systems with role-based access controls. Physical documents, when applicable, are stored securely and disposed of in compliance with applicable data protection regulations.
• Internal communications involving confidential client or employee information are conducted exclusively through secured and approved channels.

All Courtpals employees and VAs assigned to a Client are bound by the following confidentiality obligations:

• They must not disclose, share, copy, or reproduce any confidential information belonging to the Client or the Client's end-users to any third party, including other Courtpals staff not directly involved in the engagement.
• They must not use confidential information for any purpose outside the scope of their assigned work duties.
• Upon conclusion of the engagement — whether through completion, resignation, or termination — all confidential materials must be returned or securely destroyed.
• These obligations remain in effect for a period of three (3) years following the end of the working relationship, or indefinitely where trade secrets or attorney-client privileged information is involved.

The Client also bears responsibility for protecting the confidentiality of information shared within the EOR relationship:

• Clients must not share Courtpals' internal processes, fee structures, or proprietary service methodologies with third parties or competing service providers.
• Clients must limit the confidential information shared with Courtpals VAs to what is strictly necessary for the completion of assigned tasks.
• Clients are responsible for ensuring their own legal malpractice insurance covers any work performed by Courtpals VAs on behalf of the Client's legal matters, as outlined in the EOR Service Agreement.
• Clients must promptly notify Courtpals if they become aware of any unauthorized disclosure or suspected breach of confidential information involving a VA or Courtpals representative.

Courtpals, LLC retains personal and operational data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:

• Payroll and employment records are retained in accordance with local labor and tax regulations, typically for a minimum of five (5) years following the end of the employment relationship.
• Client end-user data (e.g., immigration case details, A-Numbers) that is not required for regulatory compliance is permanently deleted upon conclusion of the relevant service.
• Recruitment and screening records (resumes, interview notes, reference checks) are retained for a maximum of one (1) year after the completion of a hiring process, then securely destroyed.
• Clients may request confirmation of data deletion for their records by contacting their assigned Courtpals Account Manager.

Courtpals, LLC will not disclose any confidential Client, Employee, or VA information to third parties except under the following circumstances:

• Legal Requirement: Disclosure is compelled by a valid court order, subpoena, or applicable law. In such cases, Courtpals will notify the Client promptly and to the extent permitted by law before complying.
• Affiliated Service Providers: Where portions of the service are fulfilled by affiliated companies or subcontractors of Courtpals, LLC, those parties are bound by equivalent confidentiality obligations and are not considered unauthorized third parties.
• Explicit Written Consent: The Client or Employee provides prior written authorization for a specific disclosure.

Under no circumstances will Courtpals sell, rent, or commercially exploit any confidential information belonging to its Clients, Employees, or their end-users.

In the event of a confirmed or reasonably suspected breach of confidential information involving Courtpals systems or personnel, Courtpals, LLC will:

• Notify the affected Client(s) in writing within 72 hours of confirming the breach.
• Provide a summary of the nature of the breach, the information involved, and the steps being taken to contain and remediate the incident.
• Cooperate fully with any reasonable investigation or remediation effort required by the Client or applicable regulatory authorities.

Clients are equally expected to notify Courtpals promptly if they identify or suspect any unauthorized use or disclosure of information attributable to the EOR engagement.

Courtpals, LLC is committed to handling all personal and confidential information in compliance with applicable data protection and privacy laws, including but not limited to:

• The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), which govern the rights of California-based clients and employees.
• Local labor and data protection laws in the jurisdictions where Courtpals employees and VAs are based.
• U.S. federal employment and tax regulations applicable to Employer of Record arrangements.

Where conflicts arise between applicable laws, Courtpals will apply the standard most protective of individual rights and privacy.