Caseware Legal

The Caseware Legal page provides centralized access to Caseware’s legal policies, agreements, and compliance resources. Explore important information related to privacy, security, AI, accessibility, and product usage in one place.

CASEWARE CLOUD SERVICE LEVEL AGREEMENT

Version: 4.0 Last Updated: January 9, 2024

This Caseware cloud service level agreement (the “SLA”) describes the levels and availability of the Support Services Customer will receive from Caseware when using the Services pursuant to an applicable product and/or services agreement entered into by Customer and Caseware (the “MPSA”).

  1. Definitions

Capitalized terms used herein but not otherwise defined shall have the meanings assigned to them in the MPSA.

In this SLA, the following terms shall have the following meanings:

  1. Business Day” means any weekday of the year (Monday through Friday) except for the following: New Year’s Day (January 1st), and Christmas Day (December 25th).
  2. Caseware” means the Caseware entity set out in the MPSA, and for the purposes of this SLA, shall include Affiliates and third-party service providers who act on behalf of Caseware.
  3. Defect” means any error, problem, or malfunction of Services such that the Services do not conform to the Documentation.
  4. Distributor” means the authorized Caseware distributor or reseller for a specific region, as set out at www.Caseware.com/distributors.
  5. Documentation” means the operating instructions for the Services made available by Caseware, as may be updated from time to time.
  6. "Downtime" means any period where Services is not available to Permitted Users, excluding Exempt Downtime.
  7. Exempt Downtime” means any period where Services is not available to Permitted Users for the following reasons: (i) scheduled maintenance necessary to implement required updates, upgrades or other modifications to the Services or the performance of routine, emergency or an ad hoc maintenance activity for which Caseware has provided Customer with reasonable advance notice; or (ii) is caused by failure of equipment or services not provided by Caseware, including but not limited to Customer or public infrastructure/facilities accessed by Customer to connect the Services.
  8. “Fee” has the meaning set forth in the MPSA.
  9. “MPSA” has the meaning set forth in the recitals above.
  10. Notification” has the meaning set forth in Section 4.
  11. Permitted User” has the meaning set forth in the MPSA.
  12. Response” means an acknowledgment by Caseware or a Distributor, as applicable, of a Notification and assignment of a support representative to investigate the related Defect.
  13. Service Level Credit” has the meaning set forth in Section 6.
  14. Services” has the meaning set forth in the MPSA.
  15. “SLA” has the meaning set forth in the recitals above.
  16. Software” has the meaning set forth in the MPSA.
  17. Support Services” has the meaning set forth in Section 2.
  18. “Term” has the meaning set forth in the MPSA.

2. Support Services

a) During the Term of Customer’s applicable subscription of the Services, Caseware will provide Customer the following support services (collectively the “Support Services”):

(i) technical support via telephone, email, or web to answer queries concerning the use, operation or business functionality of Services;

(ii) error analysis and correction;

(iii) access to in-line releases, including minor and major new versions of the Services as they become commercially available; and

(iv) online access to resources and information regarding the Services and its use.

b.) Customer acknowledges and agrees that the Support Services will be provided by Caseware and/or service providers authorized by Caseware to support the Services. In the event Caseware utilizes a service provider to provide the Support Services, Caseware shall be solely responsible for the acts, omissions, performance, negligence, or fault of said third party.

c.) Caseware warrants that Support Services will be performed in a professional manner using qualified and adequately trained personnel and will be provided in accordance with the standards of care and diligence normally practiced by software companies performing services of a similar nature.

d.) The following shall relieve Caseware of its obligations under this SLA to the extent related to, affected by, prevented by any of the following:

(i) any event deemed a “force majeure” as set out in the MPSA;
(ii) Customer’s use or misuse of the Services in a manner inconsistent with the Documentation;
(iii) Customer’s breach of the MPSA, including non-payment; and/or
(iv) maintenance, modifications, or other interference made to the Services approved, recommended or provided by Caseware.

3. Out-of-Scope Services

a) The following, among other things, are outside of the services provided under this SLA:

(i) errors arising from third-party hardware or software used in association with, and not approved, recommended, or provided by Caseware and/or

(ii) diagnosing problems or deficiencies not caused by the Software.

b.) Should a Customer request assistance or support which is not within the scope of the Support Services identified in this SLA, Caseware is under no obligation to perform such services, but may agree to perform such assistance or support upon prior mutual written agreement of the Parties and in accordance with Caseware’s standard time and material rates.

c.) Implementation of a new version or an update to the Services and/or software fixes will be implemented in the Services release cycle at Caseware’s sole discretion as they become commercially available.

4. Notifications & Requests for Support

All notifications of a Defect in the Services and/or a request for Support Services under this SLA (each a “Notification”) shall be reported to (i) Caseware via support@Caseware.com or (ii) the Distributor from whom Caseware’s Services were purchased through, contact information for each Distributor is located at https://www.caseware.com/distributors, as applicable.

Customer shall provide sufficient detail in the Notification to allow Caseware to assess the nature of the issue, including any applicable severity level and details of the circumstances of its occurrence. If Caseware confirms the existence of the Defect, Caseware will correct the error in accordance with this SLA, or with a future major release or upgrade of the Services, and/or advise Customer how to achieve substantially the same functionality with the Services as described in the Documentation through a procedure different from that set forth in the Documentation.

Notifications will be managed/escalated by Caseware, or if applicable a Distributor, as follows:

(i) “First-Tier” Support Services will include Customer inquiries about the Services and/or application issues. First-Tier support will be made available by Caseware or a Distributor during the hours set out on https://www.Caseware.com/ca/support. Meetings may be scheduled and agreed upon by the parties outside of this time frame to facilitate issue review, upgrades and patches.

(ii) “Second-Tier” Support Services may include a specific product issue and will be escalated accordingly by Caseware.

5. Service Levels

Caseware utilizes the following four (4) severity levels to categorize and facilitate resolution of reported Defects:

Defect Severity Table
Defect Impact Time for Response*
Severity 1
Defect

Services are not available as follows:

  1. (i)no users can log on to the web application, and/or
  2. (ii)no records can be submitted system wide.
Within one (1) hour of Notification for Defect on production environment
Severity 2
Defect

Services are available, but one or more functions are inoperable or unavailable to Customer, including:

  1. (i)inability by Customers to access documents that they have created using the Services,
  2. (ii)inability to submit or revise data, and/or
  3. (iii)one (1) or more users are prevented from accessing Services.
Within one (1) Business Day of Notification for Defect on production environment
Severity 3
Defect

Defect in the Services that does not meet the criteria for Severity 1 or Severity 2 Defect, including:

  1. (i)individual documents are not running, and/or
  2. (ii)individual documents are inaccurate due to system issues.
Within three (3) Business Days of Notification
Severity 4
Defect

A support inquiry, including:

  1. (i)specific functionality questions.
  2. (ii)process questions.
  3. (iii)enhancement request and/or
  4. (iv)documentation enhancement or clarification request.
Within five (5) Business Days of Notification

*Time of Response refers to a confirmation of receipt of a Notification and may not necessarily include a resolution of the Defect.

6. Availability & Service Level Credits

a.) Availability

Caseware will make the Services available 99.9% of the time, as calculated in a calendar month on a 24 hour/7-day basis, excluding (a) an Exempt Downtime or (b) an availability issue caused by any one or more of the following activities:

(i) those set out in Section 2(d);
(ii) those that are that are related to third party apps, including add-on features for the Services;
(iii) those that result from Customer's or a third party's hardware, software or services;
(iv) those that result from actions or inactions by Customer or Customer’s employees, agents, contractors or vendors, or anyone gaining access to the Services by means of Customer's login credentials;
(v) those that result from intermittent periods of Downtime that are ten (10) minutes or less in duration; or
(vi) those that result from Customer's use of beta, trial offers, early access programs and/or demos of the Services.

b.) Service Level Credit

If the Services are not available at any given time in any calendar month due to a Severity Level 1, Customer, shall, as its sole and exclusive remedy for such lack of availability, be entitled to a service credit as follows (“Service Level Credit”):

Service Level Credit Table
Actual Availability Percentage Service Level Credit
>=99.9% No Credit
99 to 99.89% 3% of the monthly Fee for the applicable calendar month
98 to 98.99% 6% of the monthly Fee for the applicable calendar month
97 to 97.99% 10% of the monthly Fee for the applicable calendar month
< 97% 20% of the monthly Fee for the applicable calendar month

Service Level Credits will be provided to Customer only if Customer requests Service Level Credits for a Severity 1 issue from Caseware within 14 days of resolution of such an issue. If Customer fails to request Service Level Credits within this time frame, Caseware is not obligated to credit customer any Service Level Credits.

Service Level Credits shall be applied to future invoices issued to Customer. Service Level Credits shall have no other value and shall not give rise to any right of redemption or refund for fees already paid by Customer unless otherwise set out in the MPSA.

See what your
audit workflow looks like

with Ai built in.
Get in touch
Version: 3.0
Last Updated: January 2023

Application and Interface Security

Our Software Development Life Cycle (SDLC) ensures that our applications and programming interfaces (APIs) are designed, deployed, and tested in accordance with leading industry standards – such as OWASP, ISO, and SOC – and adhere to legal, statutory, or regulatory compliance obligations.

You will be onboarded once all agreements and policies are accepted for usage of the service. You are responsible for ensuring your usage of Caseware Cloud is in compliance with applicable laws and regulations.

Legal specifics can be found in the Cloud Services Agreement here.

Our policies and procedures have been established and are maintained in support of data security to include confidentiality, integrity, and availability across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.

Audit Assurance and Compliance

Independent audits are conducted by registered 3rd parties as part of our compliance program for ISO 27001 and SOC 2 for our Cloud services. We also have an internal audit program, external penetration testing and regularly scheduled internal vulnerability testing. Vulnerability test results are shared with customers as outlined in the Client Initiated Testing Policy. The results of these processes are tracked through our improvements process. The methodology and tools used to conduct penetration testing is tailored to each assessment for specific targets and attacker profiles. SOC 2 reports are provided under NDA to clients. Our SOC 3 Report is available in PDF format here.

Production data is stored on Amazon Web Services (AWS). The application handles logical separation of client data through database isolation. Data that is transferred to and from our service (including backups) is 100% encrypted over an SSL connection (AES-256-bit – the same strength used in online banking). Data transmission occurs between client and server, and databases. Controls are in place for secure and encrypted bulk data transfers. There are no email transmissions. For more information on security, see: https://www.casewarecloud.com/security.html. Our legal team monitors our regulatory obligations. Please refer to our Cloud Services agreement for legal requirements here.

Business Continuity Management and Operational Resilience

Caseware has a consistent unified framework for business continuity planning and has established, documented, and adopted this to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements.

Requirements for business continuity plans include the following:

  • Defined purpose and scope, aligned with relevant dependencies
  • Accessible to and understood by those who will use them
  • Owned by a named person(s) who is responsible for their review, update, and approval
  • Defined lines of communication, roles, and responsibilities
  • Detailed recovery procedures, manual work-around, and reference information
  • Method for plan invocation

Our business continuity and security incident response plans are tested at planned intervals or upon significant organizational or environmental changes. Incident response plans involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.

Our service is hosted on Amazon’s AWS and utilities services and environmental conditions (for example, water, power, temperature and humidity controls, telecommunications, and internet connectivity) are secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and are designed with automated failover or other redundancies in the event of planned or unplanned disruptions.

Our cloud service is completely virtual and hosted on Amazon Web Services (AWS). Amazon is also ISO and SOC2 compliant and responsible for restricting access to facilities housing the productions systems to authorized individuals. AWS is also responsible for environmental protection and preventative maintenance over production systems. AWS has published further details here: https://aws.amazon.com/compliance/data-center/controls. These certifications address physical security, system availability, network and IP backbone access, customer provisioning and problem management. Physical access and environmental controls are managed and controlled by AWS. AWS physical protection assurance information can be found at: https://aws.amazon.com/compliance.

Caseware has aligned our security program to ISO 27001 and we have business continuity processes in place to address disruptions to critical services. We monitor all cloud instances for performance and availability and incorporate the following:

  • Identify critical products and services
  • Identify all dependencies, including processes, applications, business partners, and third party service providers
  • Understand threats to critical products and services
  • Determine impacts resulting from planned or unplanned disruptions and how these vary over time
  • Establish the maximum tolerable period for disruption
  • Establish priorities for recovery
  • Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
  • Estimate the resources required for resumption

Customers can see our real-time operational status at our status page here: https://caseware.statuspage.io/.

We maintain a central system for documentation and train all staff on processes. Procedures include change management, security processes, roles and responsibilities of internal users. Our procedures are updated on an as needed basis and revision histories are logged. Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.

Caseware maintains a records and retention policy for Cloud services. The retention policy is not client-specific. Backup and recovery procedures are documented and automated alerts are sent daily to operations staff. Backup and recovery measures have been incorporated into business continuity planning and tested accordingly for effectiveness. See the retention policy for each category of records below.

System transaction logs

Description: Database journals and other logs used for database recovery.

Retention period: 30 days.

Reason for retention: Based on backup and recovery strategy.

Allowable storage media: Electronic.

Audit logs

Description: Security logs, for example, records of logon/logoff and permission changes.

Retention period: 30 days.

Reason for retention: Maximum period of delay before forensic investigation.

Allowable storage media: Electronic.

Operational procedures

Description: Records associated with the completion of operational procedures.

Retention period: 2 years.

Reason for retention: Maximum period elapsed regarding dispute.

Allowable storage media: Electronic.

Customer

Description: Customer backups.

Retention period: 90 days.

Reason for retention: Data protection requirement.

Allowable storage media: Electronic.

Change Control and Configuration Management

Change management controls have been established for any new development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization’s business leadership or other accountable business role or function. Our SDLC has a defined quality change control and testing process with established baselines, testing, and release standards which focus on system availability, confidentiality and integrity of systems and services.

Policies and procedures have been established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices and IT infrastructure network and systems components within the production cloud environment. Our change management policies and procedures include managing the risks associated with applying changes to business-critical or customer impacting applications and system-system interface (API) designs and configurations. Technical measures have also been implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer, and/or authorization by, the customer as per agreement prior to deployment.

Data Security and Information Lifecycle Management

Caseware has policies and procedures and supporting business processes and technical measures in place to inventory and maintain data flows within the SaaS network and systems for each geographic location. Controls are in place to ensure that data is placed in the geographic area determined by the client. Subscriber data within the production cloud environment resides on two-tier architecture and is not directly accessible from the internet.

Our security policy defines four levels of data classification: confidential, restricted, operational, and public. All data stored within the production cloud infrastructure is considered confidential, which is our highest level of security and only authorized staff have access to this environment. Logical access to the production cloud environment is restricted to the operations team alone.

All subscriber data is stored in the production cloud environment. Use of customer data in non-production environments is controlled through secure data-handling processes, which require explicitly documented approval from the customers whose data is affected, and must comply with legal and regulatory requirements for scrubbing of sensitive data elements.

There is a designated operations team responsible for all operational functions regarding the infrastructure and storage with assigned responsibilities that have been defined, documented, and communicated.

Caseware Cloud is hosted on Amazon web servers around the world. Upon subscribing to the Caseware Cloud Services, CWC informs clients of the jurisdiction in which the server that has been allocated to host your Subscriber Data and Personal Information is located. You may consent to such allocation, or refuse a server so allocated.

For performance reasons, we’ll typically set you up in:

  • United States/North Virginia if you’re located in the United States or South America
  • Canada/Montreal if you’re located in Canada
  • Australia/New South Wales if you’re located in the Asia-Pacific region
  • Ireland/Leinster if you’re located in any other region

Data center Security

The production infrastructure is completely hosted within Amazon’s AWS. AWS is responsible for restricting access to facilities housing the production systems to authorized individuals. AWS is also responsible for environmental protection and preventative maintenance over production systems. Physical access is controlled by AWS at the perimeter and at building ingress points. Full details can be found here: https://aws.amazon.com/whitepapers/#security. AWS has published further details here: https://aws.amazon.com/compliance/data-center/controls/.

Our production infrastructure is completely hosted within Amazon’s AWS. AWS has SOC 2 reports, which are reviewed annually. AWS governance processes can be found here: https://aws.amazon.com/compliance/.

Encryption and Key Management

Our cryptography policies and procedures are designed to support business process. Technical measures have been implemented based on business requirements for protection of data at rest and data in transit as per applicable legal, statutory, and regulatory compliance obligations.

Our cryptography policy requires all encryption keys to have identifiable owners within the organization. The cryptographic key lifecycle management ensures access controls are in place for secure key generation, exchange and storage, including segregation of keys used for encrypted data or sessions.

Data stored at the server level (data-at-rest) is encrypted using the industry standard AES-256 algorithm. Data that is transferred to and from our service (data-in-transit) is encrypted via TLS with ephemeral key exchange and use industry-accepted strong cipher suites. Certificates use a minimum of 2048-bit key strength with SHA-2 or stronger signature algorithm. Private keys are generated and stored in our secrets management systems. They are deployed and used on production systems as needed via our change control process. Certificates are obtained through a reputable vendor and follow the built-in and industry standard renewal/rotation process based on expiry or revocation as needed.

Governance and Risk Management

Security risk assessments are completed at least annually and consider the following:

  • Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
  • Compliance with defined retention periods
  • Data classification and protection from unauthorized use, access, loss, destruction, and falsification

We have implemented an Information Security Management System based on ISO 27001 and SOC 2 controls. Our ISMS includes the following areas insofar as they relate to the characteristics of the business:

  • Information Security Policy (this document)
  • Access Control Policy
  • Availability Management
  • Clean Desk Policy
  • Cryptography Policy
  • IS Supplier Management Policy
  • Logging and Monitoring Policy
  • Mobile Device Policy
  • Network Security Policy
  • Password Management Policy
  • Patch Management Policy
  • Software Policy
  • Technical Vulnerability Management Policy
  • Risk Assessment Methodology
  • Malware, Email and ISMS Policy
  • Internet Acceptable Use Policy
  • Penetration Testing Policy
  • Teleworking Policy
  • Records Retention and Protection

Department managers are responsible for maintaining awareness of, and complying with, security policies, procedures, and standards that are relevant to their area of responsibility.

Risk acceptance levels have been defined within the risk management methodology and all risks are mitigated to an acceptable level with reasonable resolution time frames and stakeholder approval.

Our information security policies and procedures are posted and available for review by all impacted staff and external business relationships. The Information Security Steering Committee is responsible for developing, maintaining, and enforcing our service’s information security policies. The information security policy is reviewed annually and approved by the Information Security Steering Committee. Executive and line management provide support for information security through clearly documented direction and commitment, and shall ensure action has been assigned. There is a senior member of management who is responsible for information security governance and operations, including protection of customer data – this role reports to the CFO.

Policy reviews are conducted annually by the Information Security Steering Committee or as a result of changes to the organization to ensure its continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations.

Formal risk assessments are performed annually and in conjunction with any changes to information systems to determine the likelihood and impact of all identified risks. The likelihood and impact associated with inherent and residual risk is determined independently, considering all risk categories based on audit results, threat and vulnerability analysis, and regulatory compliance. Risk assessment results can include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective. The results of risk assessments are:

  • Reported to senior management who then partake in a risk treatment process
  • Updated in a risk register
  • Prioritized based on possible impact to production systems

Our HR has a defined screening process for all staff. Reference checks are obtained with respect to all employees at time of hiring, with criminal and credit background checks for those who perform operational roles with the product cloud environment. All staff are required to sign a confidentiality agreement prior to employment to ensure protection of client information for the protection of data. Information security awareness training is provided during employee onboarding. Specific training is provided for developers on secure coding practices. Formal records are maintained for completion of internal staff training. Employee terminations and position changes are initiated by department managers. Our HR team reviews these requests and submits the request through our ticketing system for de-provisioning and provisioning requirements. Our HR team has an employee departure process to ensure all equipment is returned and accounts terminated to ensure that access to production environments is removed.

A security awareness training program has been established for all contractors, third-party users, and employees and is mandated. All individuals with access to confidential and restricted data receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their job function relative to the organization. Roles and responsibilities of contractors, employees, and third-party users are documented as they relate to information assets and security.

User responsibilities are defined within job descriptions for all staff and they are made aware of their roles and responsibilities for:

  • Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations
  • Maintaining a safe and secure working environment
  • Report any suspicious activity if detected

We have a clear screen policy which requires that unattended workspaces do not have openly visible sensitive documents and user computing sessions had been disabled after an established period of inactivity.

We have an Access Control policy in place that specifies how to manage access control to all system components and sensitive information in the organization. Policies governing acceptable use or access to subscriber data and metadata is included in the Caseware privacy policy (https://www.caseware.com/privacy-statement/). Caseware collects, uses and discloses information only for the following purposes:

  • To verify your identity
  • To provide you with the Caseware Cloud Services
  • To contact you for the purposes of product information, service updates, billing notifications, or notifications relating to the Caseware Cloud Services
  • To monitor and/or improve system usage, server and software performance
  • To assist with technical support issues
  • To comply with any laws, regulations, court orders, subpoenas or other legal process of investigation and to protect CWC, its Affiliates and other individuals from harm
  • To improve and enhance CWC Service offerings

Identity and Access Management

Policies and procedures have been established to store and manage identity information about every person who accesses the production cloud infrastructure and to determine their level of access. Access control policies and procedures have been established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest. The access control repository is managed by the provider. We use a privileged identity manager and password management system.

Access to, and use of, audit tools that interact with production cloud environment is segmented and restricted to prevent compromise and misuse of log data. User access to diagnostic and configuration ports are restricted to authorized individuals and applications.

Controls are in place to ensure only approved software is installed within the production cloud infrastructure.

Access to the organization’s own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software is controlled following the rule of least privilege based on job function as per established user access policies and procedures.

Caseware Cloud Service requires password authentication to access the base system. Once in the system, users must be assigned security roles to perform additional operations and access certain content. With security roles, you can control who has access to what content. Your organization is responsible for developing appropriate security policies around passwords and security roles using the security features provided in Caseware Cloud. Caseware provides access to clients, who then control their own users and administrative accounts, including provisioning and de-provisioning. Two-factor authentication is employed. User access is authorized and revalidated quarterly, to ensure the rule of least privilege based on job function. For identified access violations, remediation activities are followed based on the established user access policies and procedures. Timely de-provisioning (revocation or modification) of user access to data or managed applications, infrastructure systems, and network components, has been implemented as per established policies and procedures and based on user’s change in status such as termination of employment or other business relationship, job change, or transfer. The provider manages service account provisioning and de-provisioning. Service account authentication utilizes multi-factor authentication.

Infrastructure and Virtualization Security

Caseware Cloud deploys a SaaS-based endpoint detection and response security endpoint to all hosts within our infrastructure. All user, process, and network activity is collected and stored in the tamper-proof central location and analyzed in near real-time for suspicious behaviors as well as for manual forensics. Protection, retention, and lifecycle management of audit logs, adhere to applicable legal, statutory, or regulatory compliance obligations and provide unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, that are required to support forensic investigative capabilities in the event of a security breach. Our tools have the capability to detect/prevent unauthorized or anomalous behavior based on network traffic or host activity. All authentication events, successful and failed, are logged.

Our production and non-production environments are separated to prevent unauthorized access or changes to information assets. Separation of the environments include logical separation and segregation of duties for personnel accessing these environments as part of their job duties.

Our production system and network environment is protected by centrally managed firewalls and ensures separation of production and non-production environments. Our production environment is designed, developed, deployed, and configured to ensure our operations team and clients user access is appropriately segmented from other client users, based on the following considerations:

  • Established policies and procedures
  • Isolation of business critical assets and/or sensitive user data and sessions that mandate stronger internal controls and high levels of assurance
  • Compliance with legal, statutory, and regulatory compliance obligations

The production cloud infrastructure has a reliable and mutually agreed upon external time source that is used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.

Supply Chain Management, Transparency, and Accountability

Policies and procedures have been implemented to ensure the consistent review of service agreements between providers and customers across the relevant supply chain. Reviews performed at least annually and identify non-conformance to established agreements. Any non-conformances are identified as actions to address service-level conflicts or inconsistencies.

Threat and Vulnerability Management

Policies and procedures have been established, and supporting business processes and technical measures implemented, to prevent the execution of malware within the production cloud environment or end user devices and IT infrastructure network and system components. Policies and procedures have been established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components. We also perform ongoing application and code vulnerability evaluations of our products and have dual peer reviews of all code changes to ensure the efficiency of implemented security controls. Our risk management methodology is used for prioritizing remediation of identified vulnerabilities. Changes are managed through our defined change management process for all vendor-supplied patches, configuration changes, or changes to our applications. Our anti-malware solution is centrally managed and runs on all systems. The anti-malware solution includes mechanisms for detecting or preventing phishing. Malware signature updates are deployed within 1 day of release.

Mit Caseware führen Sie Ihre Kanzlei zu mehr Sorgfalt, Effizienz und Wachstum.

Der Maßstab für KI-gestützte Wirtschaftsprüfung.

Kontaktieren Sie uns