Caseware Privacy Statement
Last Updated: January 2023
1. Caseware’s Commitment to Privacy
Caseware International Inc., together with its affiliates and subsidiaries (collectively “Caseware”, “we”, “us” or “our”) has developed this Privacy Statement (this “Statement”) to describe Caseware’s policies and practices with respect to Personal Data we receive from (i) current and potential customers, (ii) visitors to our cloud platforms, www.caseware.com, caseware.co.uk and related Caseware webpages (collectively the “Website”), (iii) employment candidates and/or (iv) other individuals (collectively “you”, or “your”). For the purposes of this Statement, “Personal Data” refers to any information relating to an identified or identifiable natural person, and shall also mean all “Personal Information” as defined in the California Privacy Rights Act (“CRPA“).
We will review this Statement on a regular basis to ensure it (i) aligns with our privacy practices and (ii) remains compliant with applicable law. In the event we update and/or amend this Statement in a material way, we will publish a notice on the Website.
If you have any questions about this Statement or Caseware’s privacy practices, please contact us at:
Global Privacy Office
Caseware International Inc.
351 King Street East, Suite 1100
Toronto Ontario M5A 2W4 Canada
2. Personal Data We Collect & Purposes for Collection
From time to time, we will collect from you Personal Data when you (i) use our products, services or request technical support from us, (ii) register or attend an event that Caseware is hosting or participating in, (iii) access or download content from our Website (such as whitepapers), (iv) use our Website to apply for a job at Caseware, and (v) otherwise communicate with us via email, in person or through our Website.
The types of Personal Data collected may include the following:
- last name, first name – the purpose of which is to identify you;
- contact information such as telephone number address, or email address – the purpose of which is to communicate with you;
- education and professional history, professional certifications, contacts for background checks, and other relevant information – the purpose of which is to support your job application for consideration of employment at Caseware; and/or
- IT usage data (e.g., cookies, user ID, passwords, roles, geolocation data) as applicable – the purpose of which is to provide you access to our products and services, including access to our Website, MyCaseware and other technical support portals made available by Caseware.
Our products and services are intended for business use, and we do not expect them to be of any interest to minors. We do not intentionally collect any personal information of consumers below the age of 16. By providing your Personal Data to us, you are indicating you agree and consent that we may collect, use, disclose and process your Personal Data in accordance with this Statement. If you do not agree with the terms set out in this Statement, we request that you do not provide any Personal Data to us. Please note that certain services, such as a request for information about our products or access to our Website, may only be able to be provided to you if you provide us with your Personal Data. In addition, Caseware may use anonymized information regarding usage of Caseware products and services for the purpose of making additions, adjustments, or modifications to our products and services.
Cookies are small files that could be saved on your computer to track, save and store information about you when you use our Website. Sometimes we use third party cookies (such as Google Analytics and HubSpot). We use this information to (i) support the functioning of our Website, (ii) understand usage of the Website, (iii) determine browsing preferences to improve site behaviour, (iv) improve your website experience by providing you with a tailored experience within the Website, including custom marketing advertisements, (v) provide secure log-in, and/or (vi) to show you geographically relevant content.
The types of cookies used on the Websites include the following:
- Strictly Necessary Cookies: These cookies are essential in supporting the functionality and operation of the Website. Strictly necessary cookies on our site include cookies that allow you to access the secure area of our website. If users block or disable these cookies, parts of the website may not work or become inaccessible.
- Functional Cookies: These cookies enable the Website to remember your preferences and provide enhanced user functionality and personalization. Examples of functional cookies include remembering your settings such as region and language preferences or allowing you to watch videos on Website. Functional cookies include first party and third party persistent or session cookies.
- Advertising & Targeting Cookies: These cookies (including tracking tags) track user activity on Website and are designed to gather information from you to provide targeted adverts based on relevant topics and interests on other sites on other websites. Examples of advertising and targeting cookies include social media cookies that display ads to users on social media platforms. Advertising and targeting cookies are typically authorized third party persistent cookies. These cookies do not collect personal information, rather, they gather data based on uniquely identifying your browser and internet device to build user profiles from site visitors.
Additionally, web beacons may be used in email communications to you. Web beacons record visits to a particular web page or viewing of a particular email. For example, Caseware may place web beacons in marketing emails that notify us when a link in an email directs the visitor to the Website. Such technologies are used to operate and improve the Website and email communications.
4. How We Share Personal Data
We do not sell the personal information of consumers. We share Personal Data with our service providers for the purposes set out in this Statement, including but not limited to assisting us to provide you Caseware products and services or consider you for employment at Caseware. For example, Caseware uses (i) ‘Amazon Web Services’ to securely store Personal Data belonging to our customers and (ii) ‘Lever’ to help us coordinate your employment application with us. Our service providers are obligated, through contractual clauses, to use the Personal Data we transfer to them exclusively for the purpose of providing their services and to protect it at the same high level we do.
Exceptionally, we may be required to disclose Personal Data to comply with applicable laws, regulations, court orders, subpoenas or other legal process or investigation, with or without your consent. In any case, we ensure the disclosure is allowed or required by law and we will not disclose more information than is required.
5. Where Personal Data is Stored
Caseware is a Canadian company, however, we have customers (both actual and potential), employees, service providers, resellers/distributors, partners, and job candidates across the world. In order to operate our business on a global scale, we may be required to process and transfer Personal Data outside of your state, province, or country, including to the United States of America. Further, through our service providers, Personal Data may also be stored on servers located throughout the world.
With respect to customer data in our products and services, which may include Personal Data, at the time of subscribing to such products and services, customers will be advised as to the geographic server that will host Personal Data and will be given an opportunity to consent thereto prior to Personal Data of Customer being stored with any such data hosting provider.
Where Personal Data is transferred or stored across borders, we take steps to protect and safeguard it, including ensuring it is transferred in accordance with applicable law. For example, if you are in Europe, the UK, or Switzerland, Caseware’s Data Processing Agreement will apply to you. Also, when we send your Personal Data to Canada it is protected under Canadian law, which the European Commission has deemed to provide an adequate level of protection for any Personal Data transferred. If your Personal Data is then transferred to our service providers outside of Canada, this information is transferred and protected by contractual terms and conditions that are comparable to those provided in the European Commission’s Standard Contractual Clauses (SCCs).
6. How We Protect Personal Data
Caseware protects the security and confidentiality of Personal Data transferred to us using reasonable and industry standard security measures against unauthorized access, modification, and disclosure according to its level of sensitivity. For example, we generally store Personal Data on secure servers that are encrypted and limited on the basis of ‘need to know’, where applicable. Unfortunately, the risk of cyberattacks and data breaches always remains. If Caseware discovers or is advised of an incident where Personal Data is lost, stolen, accessed, used, disclosed, copied, modified or disposed of by unauthorized persons or in an unauthorized manner, we will advise you as soon as we can and comply with all applicable legal requirements.
To increase the level of security of Personal Data on our systems, you are encouraged not to share your password or other forms of authentication to the Website, products or services with another person. If you become aware of any misuse of your login credential, immediately change your password and notify us through the customer portal on the Website or by emailing us at firstname.lastname@example.org.
7. How Long We Retain Personal Data
Caseware retains Personal Data for only as long as necessary to fulfill the purposes for which it is provided. For example, if you provide us with your Personal Data for us to consider you for employment with Caseware and you are hired, the Personal Data becomes part of your personnel file. If you are not hired, we retain the Personal Data for one (1) year after completion of the recruitment process unless you ask us to delete it earlier.
Exceptionally, we may be required to retain Personal Data for longer to comply with our legal obligations, resolve disputes, and enforce agreements with Caseware.
8. Your Individual Privacy Rights
You may access and/or update your Personal Data with Caseware (including but not limited to requesting us to return, remove, or make corrections to it) or exercise any other right available to you as a ‘data subject’ under applicable privacy laws by contacting us at email@example.com.
To protect your Personal Data, we may need to verify your identity before assisting with your request, such as verifying that the information used to contact us matches the information that we have on file, provided we are not prohibited to do so by law, for example if doing so would disclose Personal Data about another individual.
If you use an authorized agent to exercise a right on your behalf, for example, where a job applicant uses an agent to request access to information relating to their application, you must provide the authorized agent written permission to do so. We may deny the request if the authorized agent does not submit sufficient proof that they have been authorized by you to act on your behalf.
If we are able to verify your identity, we will provide you a response to your request within 30 days. If we need an extension to fulfill your request, we will also let you know.
If you are not satisfied with our response either to your request to exercise your individual rights or to your complaint about the protection of Personal Data at Caseware, you have the right to lodge a complaint with the data protection or privacy authority where you reside.
California Privacy Rights
As a California resident, you may be able to exercise the following rights in relation to the Personal Information about you that we have collected (subject to certain limitations at law):
- The right to know any or all of the following information relating to your Personal Information that we have collected and disclosed in the last 12 months (upon verification of your identity):
- The specific pieces of Personal Information we have collected about you;
- The categories of Personal Information we have collected about you;
- The categories of sources of the Personal Information;
- The categories of Personal Information that we have disclosed to third parties for a business purpose, and the categories of recipients to whom this information was disclosed;
- The categories of Personal Information we have sold and the categories of third parties to whom the information was sold; and
- The business or commercial purposes for collecting or selling the Personal Information.
- The right to request deletion of Personal Information we have collected from you, subject to certain exceptions.
- The right to opt-out of Personal Information sales to third parties now or in the future. However, we do not sell your Personal Information.
- You also have the right to be free of discrimination for exercising these rights.
Please note that if exercising these rights limits our ability to process Personal Information (such as a deletion request), we may no longer be able to provide you with our products and services or engage with you in the same manner.
9. How to Exercise Your Rights
To exercise your right to know and/or your right to deletion, please submit a request by contacting us at firstname.lastname@example.org.
We will need to verify your identity before processing your request. In order to verify your identity, we will generally require sufficient information from you so that we can match it to the information we maintain about you in our systems. Sometimes we may need additional personal information from you to be able to identify you.
We may decline a request to exercise the right to know and/or right to deletion, particularly where we cannot verify your identity or locate your information in our systems or as permitted by law.
You may choose to designate an authorized agent to make a request under the CCPA on your behalf. No information will be disclosed until the authorized agent’s authority has been reviewed and verified. Once an authorized agent has submitted a request, we may require additional information (i.e., written authorization from you) to confirm the authorized agent’s authority.
If you are an employee/former employee of a Caseware client that uses our application and services, please direct your requests and/or questions directly to your employer/former employer.
If you are a third party (auditor, business associate, etc.), who was given access to the Caseware product or service by a Caseware client, please direct your requests and/or questions directly to the Caseware client that gave you access.