Caseware Legal
The Caseware Legal page provides centralized access to Caseware’s legal policies, agreements, and compliance resources. Explore important information related to privacy, security, AI, accessibility, and product usage in one place.

Master Product and Services Agreement (MPSA)
CASEWARE MASTER PRODUCT & SERVICES AGREEMENT
Last Updated: May 2026
This Master Product and Services Agreement ("Agreement") between the customer identified in an
applicable Order Form ("Customer"), and either (a) Caseware International Inc., a company existing
under the laws of Ontario, Canada and whose principal place of business is at 351 King Street East,
Suite 1100, Toronto, Ontario M5A 2W4 Canada; or (b) the Affiliate of Caseware International Inc. listed
on an applicable Order Form (jointly and collectively, "Caseware").
Caseware offers certain Products, Services and PS, and Customer wishes to access and use specific
Products, Services and PS as set out in one or more applicable Order Form(s) (the “Caseware
Offerings”). Once executed by the Customer, the Order Form represents the binding commitment of
the Customer to pay for the Caseware Offerings identified therein.
This Agreement is effective on the earliest of: (i) the date Customer executes an Order Form; (ii) the
date Customer clicks "accept" on this Agreement; (iii) the date Customer or any Permitted User first
accesses or uses the Products or Services; or (iv) the date Customer makes payment for any Caseware
Offerings (the "Effective Date"). By any of the foregoing actions, Customer agrees to be bound by this
Agreement, including any documents incorporated by reference, as updated from time to time.
PLEASE READ THIS AGREEMENT CAREFULLY. THIS AGREEMENT AND ANY APPLICABLE ORDER FORMS
CONSTITUTE A LEGALLY BINDING AGREEMENT BETWEEN CUSTOMER AND CASEWARE AND
GOVERNS CUSTOMER'S ACCESS TO AND USE OF THE CASEWARE OFFERINGS. IF CUSTOMER DOES
NOT ACCEPT THIS AGREEMENT, CUSTOMER MUST NOT ACCESS OR USE THE PRODUCTS OR
SERVICES. IF CUSTOMER IS USING THE PRODUCTS OR SERVICES ON BEHALF OF AN ORGANIZATION,
CUSTOMER REPRESENTS THAT CUSTOMER HAS THE AUTHORITY TO BIND THAT ORGANIZATION TO
THIS AGREEMENT, IN WHICH CASE "CUSTOMER" WILL REFER TO SUCH ORGANIZATION.
If the Parties have a fully executed agreement that expressly governs any applicable Order Form for the
Caseware Offerings and specifically states that this Agreement is not applicable, such fully executed
agreement, and the terms and conditions contained therein, shall supersede this Agreement.
For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged,
Caseware and Customer agree as follows:
1. INTERPRETATION
1.1 Definitions. As used in this Agreement, defined terms shall have the meanings specified in Schedule
1.
1.2 Schedules. The following Schedules to this Agreement are incorporated by reference herein and are
an integral part of this Agreement:
Schedule 1 - Definitions
Schedule 2 – Product-Specific Terms
Schedule 3 – Service-Specific Terms
Schedule 4 – PS-Specific Terms
2. PRODUCTS & SERVICES
2.1 Order Forms. In accordance with the terms and conditions set out in this Agreement, Caseware shall
make available to the Customer, the Caseware Offerings described herein pursuant to one or more
Order Forms which shall be governed by the terms of this Agreement, including any documents
incorporated by reference, as updated from time to time and including the applicable terms set out in
the Schedules.
2.2 Customer Affiliates. If a Customer Affiliate is named in an Order Form, Customer may permit such
Customer Affiliate to access and use the Caseware Offerings in accordance with the terms of this
Agreement. Customer shall ensure that each Customer Affiliate complies with all terms and conditions
of this Agreement. Customer shall remain fully responsible and liable for all acts, omissions, breaches,
and obligations of each Customer Affiliate to the same extent as if such acts, omissions, breaches, or
obligations were those of Customer.
2.3 Modifications to Products, Services and PS. Caseware may modify the Products, Services and PS
from time to time without notice to the Customer. Caseware will use commercially reasonable efforts to
notify the Customer in advance if a change is material, other than those changes which enhance or
extend any features or functionality of the Products, Services and PS. Caseware is not obligated to
customize, modify, or adapt the Caseware Offerings to meet Customer-specific requirements unless
expressly agreed in an Order Form.
2.4 Pilot Program. As further set out in an applicable Order Form and to the extent applicable,
Customer may receive use and access to the Caseware Offerings for a period of time on a trial or pilot
basis and for evaluation purposes (the "Pilot Program"). Customer acknowledges that the Pilot
Program: (a) may be subject to different fees and functionality from those applicable to the Caseware
Offerings offered during the Term; (b) may include Beta Services; and (c) will be provided "as is" and
"as available", and Caseware will have no liability or indemnification obligations for any harm, loss or
damage arising out of or in connection with any Caseware Offerings during the Pilot Program, unless
any such harm, loss or damage are a result of Caseware's gross negligence or willful misconduct.
2.5 Restrictions on Use. The Customer agrees to use the Caseware Offerings in accordance with this
Agreement and will not, nor permit any Permitted User to:
(i) access any of the Caseware Offerings without using user credentials registered with Caseware or
otherwise attempt to gain unauthorized access to the foregoing;(ii) misrepresent its identity or
authorization to act on behalf of others, including when it acts as the sender of any electronic
transmissions sent through the Caseware Offerings;
(iii) use any of the Caseware Offerings for unlawful purposes and except in accordance with this
Agreement, including using or accessing any of the Caseware Offerings for any purpose that infringes,
misappropriates or violates any intellectual property, privacy or other right of a third-party;
(iv) perform, or aid others in performing, penetration tests, distributed denial-of-service (DDoS) attack
tests or any other kind of security test on the Caseware Offerings without Caseware's express written
consent;
(v) sell, resell, rent, lease, lend, license, sublicense, assign, distribute, publish, transfer or otherwise
make available any of the Caseware Offerings to any third-party, except as otherwise permitted in
accordance with this Agreement;
(vi) reverse engineer, decompile, disassemble, or translate the software used by Caseware to deliver
the Products, or otherwise attempt to view, display or print the software's source code;
(vii) remove, or obscure any copyright, trademark or other proprietary notices contained in the Products
and Services;
(viii) attempt to compromise the functionality, security, or integrity of the Services, or assist others in so
doing;
(ix) copy, modify or create derivative works of the Products or Services, in whole or in part except as
expressly permitted by the functionality of the Caseware Offerings (including using AI features to
generate content for Customer's work product);
(x) access or use the Products and Services to create a competitive product or services;
(xi) frame or mirror any part of the Products or Services into any other product or service, unless
otherwise provided for under this Agreement or an applicable Order Form; or
(xii) collect, harvest, reverse look-up, trace, or otherwise seek to obtain any information on any other
user of the Products or Services;
2.6 Audit Rights. Caseware reserves the right to monitor and audit Customer's usage of the Caseware
Offerings for the purpose of ensuring compliance with the terms of this Agreement. Any such audit may
be carried out by Caseware, or a third-party authorised by Caseware, at Caseware's expense, and will
not unreasonably interfere with the Customer's normal business operations. If any such audit reveals
use of the Caseware Offerings in excess of Customer's entitlement under an applicable Order Form, or
otherwise identifies noncompliance with the terms of this Agreement, Customer shall promptly pay the
amounts necessary to rectify such underpayment or overuse, together with interest at the rate of 2%
per month, and shall pay the costs of the audit identifying the underpayment or overuse where the
audit determines that Customer's underpayment equals or exceeds 10 percent for any quarter.
2.7 Use of Subcontractors. From time to time, Caseware may use subcontractors selected by Caseware
at its sole discretion to provide the Caseware Offerings. Notwithstanding the foregoing, Caseware's use
of a subcontractor shall not release Caseware from any duty or liability to fulfill its obligations under
this Agreement or an applicable Order Form.
3. CUSTOMER RESPONSIBILITIES
3.1 Co-operation. In addition to any obligations and responsibilities described in this Agreement or an
applicable Order Form, Customer will be responsible for providing Caseware with sufficient and timely
access to systems, hardware, data (including Customer Data), information and personnel as may be
necessary or reasonably requested by Caseware to enable Caseware to provide the Caseware
Offerings. Customer acknowledges and agrees that its failure to provide such access, information,
materials or personnel on a timely basis as reasonably requested by Caseware under this Agreement
will have a material impact on the provision of the Caseware Offerings, and use thereof by Permitted
Users, and that Caseware shall not be responsible for any delays, losses or damages arising from or
related to Customer's failure to be responsive and co-operative as reasonably required under this
Agreement. Customer agrees to cooperate with Caseware in good faith to support the responsible use
of AI Models, including providing feedback and reporting anomalies or hallucinations.
3.2 Permitted Users. Customer is responsible and liable for all use of the Caseware Offerings resulting
from access provided by Caseware, directly or indirectly, whether such access or use is permitted by or
in violation of this Agreement. Customer shall only grant access to Permitted Users who have agreed to
be bound by the terms of Caseware's End User License Agreement, as amended from time to time, for
use of any Products, or Caseware's Terms of Service, as amended from time to time, for use of any
Services (collectively, the "User Agreements"). Without limiting the generality of the foregoing,
Customer is responsible for all acts and omissions of Permitted Users, and any act or omission by a
Permitted User that would constitute a breach of this Agreement or the User Agreements, as the case
may be, if taken by Customer will be deemed a breach of this Agreement by Customer. Customer shall
use all reasonable efforts: (a) to make all Permitted Users protect and secure their access to the
Caseware Offerings to prevent unauthorized use; and (b) to make all Permitted Users aware of this
Agreement's provisions as applicable to such Permitted User's use of the Caseware Offerings and the
User Agreements, as the case may be, and shall cause Permitted Users to comply with any such
provisions. If Customer learns of any actual or suspected breach of this Agreement or any User
Agreement, as the case may be, as a result of the actions or inactions of a Permitted User, Customer
shall immediately notify Caseware in writing of the breach and co-operate with any instructions
reasonably requested by Caseware in relation to the foregoing.
3.3 Customer Data. Customer is exclusively responsible for all matters related to Customer Data, and
Customer represents and warrants that: (a) the Customer Data does not infringe, violate or
misappropriate any third-party intellectual property or privacy rights, or any other rights granted
under Applicable Law; (b) Customer is responsible for accuracy, quality, integrity, legality, reliability
and appropriateness of the Customer Data; (c) Customer is the sole owner of the Customer Data or has
the necessary and required consents, licenses, permits, permissions, releases, clearances, and rights to
use, display, process, share, post, upload and transfer the Customer Data under this Agreement,
including use of the Customer Metadata to develop, train and optimize the AI Models, to the extent
permissible under applicable laws; (d) the Customer Data does not contain any illegal, defamatory,
denigrating, demeaning, obscene, profane, or offensive material or content, except in pursuit of valid
research or business purposes of Customer; (e) the Customer Data does not contain any virus, Trojan
horse, worm, or other software, script or code, the effect of which is to permit unauthorized access to,
or to alter, disable, encrypt, erase, or otherwise harm, any computer, systems, software or data; and (f)
unless otherwise set out in an Order Form, the Customer Data does not contain any Personal Data
except for (i) contact information reasonably necessary for the operation of the Caseware Offerings
(such as names, email addresses, and phone numbers), and (ii) user account information. If Caseware
forms the view that any Customer Data uploaded by Customer or any Permitted User violates this
Section 3.3, then Caseware reserves the right to remove such Customer Data and take such other
action as Caseware deems necessary to protect the integrity and operation of the Caseware Offerings.
Any costs associated with such removal may be charged by Caseware to Customer. Caseware shall use
commercially reasonable efforts to notify Customer of any removal of Customer Data under this Section
as soon as reasonably possible.
3.4 Third-Party Products. The Products and Services may allow you to access and use Third-Party
Products. Third-Party Products that require separate customer action or authorization, and any
associated fees relating to use thereof, will be set out in an applicable Order Form. Customer's use of
any Third-Party Products is solely at its own risk. Caseware makes no representations or warranties with
respect to, nor does it guarantee or endorse, any Third-Party Products. Caseware further does not
guarantee the continued availability of Third-Party Products, and may disable a Third-Party Product in
its sole discretion. Third-Party Products are governed by terms and conditions provided by the
respective third-party service provider and are separate to this Agreement, and Customer's use of any
Third-Party Products are subject to such separate terms and conditions. Accordingly, Caseware
expressly disclaims responsibility and liability for all Third-Party Products, and Customer agrees that
Caseware shall not be responsible for any loss or damage of any sort incurred as a result of any use of
Third-Party Products.
4. FEES & PAYMENT
4.1 Fees. Customer shall pay Caseware all fees, amounts, and charges (the "Fees") in relation to the
provision of the Caseware Offerings in accordance with the terms of the applicable Order Form. All Fees
are non-cancellable and non-refundable.
4.2 Invoices. Caseware shall issue invoices to Customer relating to the Fees as set out in an applicable
Order Form. Unless otherwise set out in an applicable Order Form all Fees set out in a specific invoice:
(a) will be in Canadian dollars ($CAD); and (b) are due and payable upon receipt of an invoice.
Customer reserves the right to dispute a portion or all of the Fees set out in a particular invoice
reasonably and in good faith, and Customer shall cooperate diligently with Caseware to resolve any
such dispute. Customer may withhold payment of any disputed Fees until such dispute is resolved.
4.3 Delay in Payment. If Customer fails to make any payment for undisputed Fees when due, without
limiting Caseware's other rights and remedies: (a) Caseware may charge interest on the past due
amount at the rate of 2% per month; (b) Customer shall reimburse Caseware for all reasonable costs
incurred by Caseware in collecting any late payments or interest, including legal fees, court costs, and
collection agency fees; and (c) Caseware may suspend Customer access to any portion or all of the
Caseware Offerings in accordance with Section 11.3 of this Agreement.
4.4 Taxes.
All Fees are exclusive of sales, use, consumption, value-added, excise taxes, and any other similar
taxes, duties, and charges of any kind imposed by any federal, provincial, territorial, or local
governmental entity (other than taxes imposed on Caseware's income) (collectively, "Taxes"), which
shall be the responsibility of the Customer. To the extent that any Taxes are payable by Caseware,
Customer agrees to pay to Caseware the amount of such Taxes in addition to any Fees owed under this
Agreement. Notwithstanding the foregoing, Customer may have obtained an exemption from relevant
Taxes as of the time such Taxes are levied or assessed. In that case, Customer agrees to provide
Caseware with any such exemption information, and Caseware will use reasonable efforts to provide
such invoicing documents as may enable Customer to obtain a refund or credit for the amount so paid
from any relevant revenue authority if such a refund or credit is available.
In addition, Customer is responsible to pay all Fees net of any applicable withholding taxes. The Parties
agree to work together to avoid any withholding tax if exemptions, or a reduced treaty withholding
rate, are available. If Caseware qualifies for a tax exemption, or a reduced treaty withholding rate,
Caseware will provide Customer with reasonable documentary proof. Customer agrees to provide
Caseware reasonable evidence that it has paid the relevant authority for the sum withheld or deducted.
4.5 Orders through Caseware Partners. Where Customer purchases any Caseware Offerings through a
Partner the following terms apply:
(i) Customer will pay the Fees for the applicable Caseware Offerings directly to the Partner or to
Caseware, as directed and agreed between Caseware and the Partner in the Partner Agreement;
(ii) Customer will enter into a Partner Agreement directly with the Partner instead of an Order Form with
Caseware, and the Caseware Partner will submit an Order Form to Caseware on Customer's behalf in
relation to the applicable Caseware Offerings, whereby the Partner is responsible for the accuracy of
any such order as communicated to Caseware;
(iii) To the extent the Customer is entitled to a refund for any Fees, such refund will be provided by the
Partner and not directly by Caseware;
(iv) The terms and conditions of this Agreement shall be incorporated by reference into the Partner
Agreement, and Partner must require Customer to accept these terms. Customer acknowledges that,
notwithstanding its purchase through a Partner, Customer's use of the Caseware Offerings is subject to
this Agreement, and by accessing or using the Caseware Offerings, Customer agrees to be bound by
this Agreement as if Customer had contracted directly with Caseware. A Partner is not authorized to
modify this Agreement or make any promises or commitments on Caseware's behalf without Caseware's
explicit written approval, absent which, Caseware will not be bound by any obligations to Customer
other than as set forth in this Agreement; and
(v) The Fees paid or payable by the Partner to Caseware for Customer's use of the applicable Caseware
Offerings through which it has engaged the Partner will be deemed the amount actually paid or
payable by Customer to Caseware under this Agreement for purposes of calculating the liability cap in
Section 9 (Liability).
4.6 Credit Card Surcharge. To the extent permitted by Applicable Law, Caseware may apply a
surcharge of 2.4% to any payments made by Customer by credit card.
5. CONFIDENTIALITY
5.1 Definition. The term "Confidential Information" means all non-public, confidential, material or
information relating to a Party which is disclosed or made available to a receiving Party (the
"Recipient") by the other Party (the "Discloser") under this Agreement, either orally or in a tangible
form, including but not limited to Customer Data, financial information, business plans, marketing
materials and strategies, and any other information regarding the foregoing that Discloser provides to
the Recipient hereunder.
5.2 Exclusion. Confidential Information shall not include information that the Recipient can establish:
(i) was publicly known and made generally available in the public domain prior to the time of disclosure
by the Discloser;
(ii) is independently developed by the Recipient without use of or reference to the Discloser's
Confidential Information;
(iii) is already in the possession of the Recipient at the time of disclosure by the Discloser as shown by
the Recipient's files and records immediately prior to the time of disclosure;
(iv) is obtained by the Recipient from a third-party lawfully in possession of such information and
without a breach of such third-party's obligations of confidentiality; or
(v) becomes publicly known and made generally available after disclosure by the Discloser to Recipient
through no action or inaction of the Recipient.
5.3 Limited Use. The Recipient agrees to use Confidential Information only during the Term and solely
for purposes of the performance of its obligations, and exercise of its rights, under this Agreement. The
Recipient's obligations with respect to the Confidential Information shall survive for two (2) years
following the expiration or termination of this Agreement, provided that (a) the Recipient's obligations
with respect to any Confidential Information consisting of software or other non-public product
information, whether in source or object code form, shall never expire; and (b) Caseware's obligations
regarding Customer Data shall terminate in accordance with Section 11.5.
5.4 Protection. The Recipient hereby agrees to take all steps reasonably necessary to maintain and
protect Confidential Information in the strictest confidence and for the benefit of the Discloser. Without
limiting the foregoing, the Recipient shall take at least those measures that it takes to protect its own
confidential information of a similar nature, but in no case less than reasonable care. The Recipient will
not at any time, without the express written permission of the Discloser, disclose the Confidential
Information directly or indirectly to any person, except on a "need to know" basis to its Affiliates and its
respective employees, officers, directors, agents, subcontractors, and/or legal and financial advisors
(collectively, the "Representatives"), provided that such Representatives are bound to confidentiality
obligations no less protective of the Discloser than this Section 5 and that the Recipient remains
responsible for compliance by them with the terms of this Section 5.
5.5 Compelled Disclosures. If a Recipient is required by law or in connection with a judicial proceeding
or court order, or a governmental authority to make any disclosure that is prohibited or otherwise
constrained by this Section, the Recipient will provide the Discloser with prompt written notice of such
requirement, where permitted by law, so that the Discloser may seek a protective order or other
appropriate relief. Subject to the foregoing sentence, such Recipient may furnish that portion (and only
that portion) of the Confidential Information that the Recipient is legally compelled or is otherwise
legally required to disclose; provided, however, that the Recipient provides such assistance as the
Discloser may reasonably request in obtaining such order or other relief.
5.6 Return of Materials. All documents and other tangible objects containing or representing
Confidential Information that have been disclosed by the Discloser shall be and remain the property of
the Discloser. At any time upon the written request of the Discloser, Recipient shall promptly (a) return
to the Discloser and/or (b) securely destroy all Confidential Information, except for any information
maintained in connection with any automated electronic backup process of the files of the Recipient.
Notwithstanding the foregoing, a Recipient may retain in the offices of its legal advisor a single archival
copy of any Confidential Information provided by the Discloser under this Agreement, which copy shall
only be used by the Recipient and its legal advisors in connection with the review and enforcement of its
obligations under this Agreement.
6. SECURITY & PRIVACY
6.1 Security. Each Party will maintain appropriate administrative, physical, and technical safeguards for
the protection of the security, confidentiality, and integrity of: (a) in the case of Caseware, the
Customer's Confidential Information, including Customer Data, and (b) in the case of Customer, access
and use of and to the Caseware Offerings and Caseware Confidential Information. These safeguards
will include measures designed to protect against accidental, unauthorized or unlawful destruction, loss,
alteration, disclosure of or access to such information. Caseware’s specific security measures and
practices are described at https://trust.caseware.com, as updated from time to time.
6.2 Privacy. To the extent Caseware collects, uses, stores, handles, discloses, disposes of or otherwise
processes Personal Data (collectively, "Process") in relation to or in connection with this Agreement,
Caseware shall Process Personal Data: (a) solely as permitted under this Agreement and as agreed
upon in writing by the Parties; and (b) in accordance with terms and conditions of Caseware's Data
Processing Agreement made available at www.caseware.com/legal/caseware-data-processing-agreement
as updated from time to time.
7. PROPRIETARY RIGHTS
7.1 Customer Data. As between Customer and Caseware, Caseware acknowledges Customer shall own
all right, title and interest, including all Intellectual Property Rights, in and to the Customer Data, and
such Customer Data is protected as Customer Confidential Information. During the Term, and subject to
the terms and conditions of this Agreement, Customer grants to Caseware a non-exclusive, royalty-free,
fully paid-up, worldwide license to copy, reproduce, modify, develop, access, collect, store and use
the Customer Data as necessary to provide the Caseware Offerings to Customer and Permitted Users
and provide the Customer Outputs.
7.2 Customer Metadata. As between Customer and Caseware, Caseware acknowledges Customer shall
own all right, title and interest, including all Intellectual Property Rights, in and to the Customer
Metadata, and such Customer Metadata is protected as Customer Confidential Information. During the
Term, and subject to the terms and conditions of this Agreement, Customer grants to Caseware a nonexclusive,
royalty-free, fully paid-up, worldwide license to copy, reproduce, modify, develop, access,
collect, store and use the Customer Metadata: (a) as necessary to provide the Caseware Offerings to
Customer and Permitted Users; (b) to generate Aggregated Data; and (c) to create, develop, modify,
update, and train the AI Models, to the extent permitted under Applicable Law, and provide the
Customer Outputs.
7.3 Caseware Offerings, AI Models and Documentation. As between Customer and Caseware,
Customer acknowledges that Caseware shall own all right, title and interest, including all Intellectual
Property Rights, in and related to the Caseware Offerings, AI Models and Documentation, and any
trademarks used in association therewith (and all copies, Enhancements and derivative works in
relation thereto) and, with respect to Third-party Products, the applicable third-party providers own all
right, title, and interest, including all Intellectual Property Rights, in and to the Third-party Products.
Customer agrees not to assert any rights or claim to rights (including any Intellectual Property Rights) in
any Caseware Offerings, AI Models or Documentation, including any copies, Enhancements, and
derivative works in relation thereto. Customer further agrees to refrain from challenging, limiting,
jeopardizing, or interfering with Caseware's ownership of and title in and to all Intellectual Property
Rights relating to all of the foregoing.
7.4 Aggregated Data. Notwithstanding anything to the contrary in this Agreement, Caseware may
collect and compile Aggregated Data derived or developed from: (a) Caseware's monitoring of
Customer and its Permitted Users use of the Caseware Offerings; or (b) Customer Metadata.
Aggregated Data shall not contain any Personal Data and does not in any way identify Customer or any
Permitted User, or include any identifiable Subscriber Data or Personal Data. As between Caseware and
Customer, all right, title, and interest, including all Intellectual Property Rights, in Aggregated Data vest
in Caseware upon creation and are retained solely by Caseware. Customer agrees that Caseware may
use Aggregated Data to the extent and in any manner permitted under Applicable Law, including to
develop, optimize, benchmark, or measure the Products or Services, for research, marketing, analytical
and informational purposes related to the Products or Services, and to develop, train, improve and
optimize AI Models.
7.5 Customer Outputs. As between Customer and Caseware, any reports, results, data, research,
materials or other information generated by or resulting from use of the Subscriber Data or Customer
Metadata with the Caseware Offerings, including those derived or outputted from the use of the AI
Models (collectively, "Customer Outputs"), together with all Intellectual Property Rights therein, will vest
in Customer upon final payment of the Fees. To the extent any Customer Outputs are derived from or
incorporate Third-Party Products or third-party intellectual property licensed to Caseware, Customer's
rights in such Customer Outputs are subject to the terms and restrictions of the applicable third-party
licenses. To the extent any such intellectual property and proprietary rights vest in Caseware upon
creation of the Customer Outputs, Caseware hereby assigns and transfers and agrees to assign and
transfer and to cause any employee, affiliate or contractor to assign and transfer to Customer all such
right, title and interest worldwide, including all Intellectual Property Rights, in such Customer Outputs,
and shall cause each of its employees, affiliates and contractors to waive their respective moral rights
in and to the works comprised in such Customer Outputs. For clarity, Caseware shall not use Customer
Outputs to train or improve AI Models. Caseware may use performance data, usage metrics, and
benchmarking information derived from Customer's use of the Services, provided such data is
anonymized and does not identify Customer or any Permitted User. During the Term, Caseware will
have a limited, royalty free, paid up, non-exclusive, license to use, modify and access the Customer
Outputs to perform its obligations under this Agreement. Customer acknowledges that AI-generated
outputs may contain inaccuracies or hallucinations and are provided 'as is' without warranty. Such
outputs shall not be considered defects under this Agreement. Notwithstanding the foregoing,
Caseware: (a) expressly disclaims and provides no representations, warranties or covenants in relation
to the Customer Outputs, or use thereof, including any and all implied warranties and conditions of
fitness for a particular purpose, merchantability, non-infringement, title, completeness or accuracy; and
(b) Caseware will have no liability or indemnification obligations for any loss, harm, damage or claim
arising out of or in connection with the Customer Outputs, except for that caused by the gross
negligence or wilful misconduct of Caseware.
7.6 AI Use Policy. Caseware's practices regarding the use of AI Models, including training data sources,
model development, and data processing practices, are described in Caseware's AI Use Policy, available
at www.caseware.com/legal/caseware-ai-use-policy, as updated from time to time. To the extent of
any conflict between this Agreement and the AI Use Policy, this Agreement shall control.
7.7 API Usage Policy. Caseware's practices and requirements regarding the use of its application
programming interfaces (APIs), including permitted uses, credential management, rate limits, third-party
developer requirements, and prohibited uses, are described in Caseware's API Usage Policy,
available at www.caseware.com/legal/caseware-api-use-policy, as updated from time to time. To the
extent of any conflict between this Agreement and the API Usage Policy, this Agreement shall control.
7.8 Know-How. With the exception of Customer's Confidential Information and any Personal Data,
Caseware and its personnel may use and disclose their general skills, knowledge, experience and knowhow,
including, without limitation, general processes, concepts, methods, methodologies, techniques,
ideas and other residual information gained or learned in the provision of the Caseware Offerings.
7.9 Feedback. Customer may provide feedback, suggestions, recommendations, and corrections to
Caseware about the Caseware Offerings, Documentation or otherwise in connection the Agreement,
including but not limited to by responding to surveys and questionnaires or derived through the use of
AI Models or development of the Customer Outputs (collectively, "Feedback"). Customer grants to
Caseware and its Affiliates a worldwide, perpetual, irrevocable, royalty-free, transferable,
sublicensable (through multiple tiers) license to use the Feedback without restriction and without
obligation, acknowledgement or compensation to Customer, including to incorporate the Feedback into
the Products and Services or develop new Products and Services, provided that use of the Feedback
shall not identify Customer or any Permitted User without the prior written consent of Customer.
8. INDEMNIFICATION
8.1 Indemnity. To the extent permitted by Applicable Law, the Indemnitor agrees to indemnify the
Indemnitee and its officers, directors, employees, permitted assignees and agents from and against any
third-party claims, liabilities, damages, losses and expenses, including reasonable legal expenses,
arising out of or in connection with a claim that, the Caseware Offerings (in the case of Caseware), or
the Customer Data or Customer Outputs (in the case of Customer), or use thereof, infringe,
misappropriate or violate a third-party's Intellectual Property Rights. If such a claim is brought by or
appears possible, the Indemnitee agrees to permit the Indemnitor, at its sole discretion, to: (a) obtain a
right for the Indemnitee to continue using the allegedly infringing component or part; (b) modify the
allegedly infringing component or part so they become non-infringing; or (c) terminate the applicable
Order Form and refund the unused portion of any prepaid Fees received by Caseware from Customer in
relation to the infringing component or part. For Products licensed on a perpetual basis, such refund
shall be based on the unamortized or unexpensed portion of the purchase price allocated to that
portion of the Product, based on a three-year straight-line amortization. Notwithstanding the
foregoing, Caseware shall not be liable for infringement claims arising from Customer's use of the
Caseware Offerings in combination with unauthorized data, software, or configurations.
8.2 Indemnification Process. The Indemnitor's obligations in this Section 8 are subject to the following:
(i) the Indemnitee notifying the Indemnitor in writing promptly upon the Indemnitee becoming aware of
a claim under this Section; provided, however, that the failure to provide such notice within a
reasonable period of time shall not relieve the Indemnitor of any of its obligations hereunder except to
the extent the Indemnitor is prejudiced by such failure;
(ii) the Indemnitee not making any admission or statement against the Indemnitor's interest, including
entering into a settlement agreement (other than for monetary amounts which do not require any
admission of guilt or the assumption of any other obligation by the Indemnitee), without the
Indemnitor's prior written consent;
(iii) the Indemnitee providing reasonable assistance to the Indemnitor in connection with the defense,
litigation or settlement by the Indemnitor of the claim at the Indemnitor's cost for any out-of-pocket
expenses of the Indemnitee; and
(iv) the Indemnitor's sole control over the defense, litigation, and settlement of any claim, including the
legal counsel at the Indemnitor's expense.
9. LIABILITY
9.1 Exclusion of Liability. Except for Customer's payment of Fees under this Agreement or an applicable
Order Form and to the maximum extent permitted by Applicable Law, in no event will either Party be
liable for loss of or damage to data, lost revenue, lost profits, lost savings, damage to reputation,
business interruption, downtime costs or any indirect, incidental, consequential, special, punitive,
exemplary or any similar type of damages arising out of or in any way related to this Agreement under
any theory of liability, whether in contract, tort (including negligence), indemnity, strict liability or
otherwise, even if advised of the possibility of such damages or such losses were otherwise foreseeable.
9.2 Limitation of Liability. In no event shall Caseware's total liability to Customer for all claims arising
out of or as a result of this Agreement under any theory of liability, whether in contract, tort (including
negligence), indemnity, strict liability or otherwise, exceed the total amount of fees paid by Customer to
Caseware in the twelve (12) month period preceding the claim or action.
10. DISCLAIMER
EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT (INCLUDING THE SCHEDULES) AND ANY
APPLICABLE ORDER FORMS, AND TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW,
CASEWARE EXCLUDES ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR
OTHERWISE. CASEWARE SPECIFICALLY DISCLAIMS ALL EXPRESS OR IMPLIED WARRANTIES OF
DESIGN, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUALITY AND
NONINFRINGEMENT, THAT THE CASEWARE OFFERINGS, DOCUMENTATION, AI MODELS OR
CUSTOMER OUTPUTS WILL MEET CUSTOMER'S OR ANY OTHER PERSON'S REQUIREMENTS, OR THAT
THE CASEWARE OFFERINGS, DOCUMENTATION, AI MODELS OR CUSTOMER OUTPUTS WILL ALWAYS
BE AVAILABLE, ACCESSIBLE, UNINTERRUPTED, TIMELY, SECURE, ACCURATE, LEGAL, RELIABLE,
COMPLETE, ERROR-FREE OR FREE OF VIRUSES. NO ADVICE OR INFORMATION, WHETHER ORAL OR
WRITTEN, OBTAINED FROM CASEWARE, ITS AFFILIATES OR ELSEWHERE IN RELATION TO THE
CASEWARE OFFERINGS OR THIS AGREEMENT WILL CREATE ANY WARRANTY OR CONDITION NOT
EXPRESSLY STATED IN THIS AGREEMENT. EXCEPT AS OTHERWISE SET FORTH IN THIS AGREEMENT,
THE CASEWARE OFFERINGS, DOCUMENTATION, AND AI MODELS ARE PROVIDED ON AN "AS IS" AND
"AS AVAILABLE" BASIS. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING THE FAILURE OF AN
ESSENTIAL PURPOSE OF ANY LIMITED REMEDY PROVIDED HEREIN. CASEWARE DISCLAIMS ANY AND
ALL RESPONSIBILITY OR LIABILITY IN RELATION TO THE CONTENT GENERATED OR OTHERWISE MADE
AVAILABLE THROUGH THE CASEWARE OFFERINGS OR USE THEREOF, INCLUDING BUT NOT LIMITED
TO THE CUSTOMER OUTPUTS. CASEWARE MAKES NO WARRANTY OF ANY KIND AND DISCLAIMS ANY
AND ALL REPRESENTATIONS, WARRANTIES OR DISCLAIMERS IN RELATION TO ANY THIRD-PARTY
PRODUCTS, CUSTOMER DATA, OR DATA STORAGE OR HOSTING PROVIDER USED IN CONJUNCTION
WITH THE CASEWARE OFFERINGS. CASEWARE DOES NOT GUARANTEE UNINTERRUPTED
AVAILABILITY OF THE CASEWARE OFFERINGS AND MAY PERFORM SCHEDULED OR EMERGENCY
MAINTENANCE AS NEEDED.
CUSTOMER ACKNOWLEDGES AND UNDERSTANDS THAT THE CASEWARE OFFERINGS, OR USE
THEREOF, ARE INTENDED AS A TOOL TO ASSIST THE CUSTOMER, IN PERFORMING THEIR
PROFESSIONAL SERVICES AND ARE IN NO WAY INTENDED TO REPLACE THE ROLE OF ANY
PROFESSIONAL FINANCIAL, ACCOUNTING, AUDITING AND/OR LEGAL ADVICE. CUSTOMER REMAINS
SOLELY RESPONSIBLE FOR ALL PROFESSIONAL JUDGMENTS, DECISIONS, AND ADVICE PROVIDED TO
ITS CLIENTS OR STAKEHOLDERS.
11. TERM & TERMINATION
11.1 Term.
The term of this Agreement commences on the Effective Date and continues for the initial period set out
in the initial Order Form (the "Initial Term") unless this Agreement is terminated earlier in accordance
with this Section 11.
Upon the expiration of the Initial Term, and unless otherwise specified in the Order Form, this
Agreement shall automatically renew for an additional twelve (12) month period.
For any Renewal Term(s), the terms and conditions of this Agreement during each such Renewal Term
shall be the same as the terms and conditions in effect immediately prior to such renewal, subject to
any change in the Fees payable hereunder by Customer during the applicable Renewal Term in
accordance with any applicable Order Form. If Customer declines the automatic renewal feature and
payment is not received by Caseware within ten (10) days of expiry of the then current term, Caseware
may consider the account to be overdue and Caseware may pursue the remedies in Section 4.3 and 11.3
of this Agreement.
In the event of termination of this Agreement, any Order Form then in-effect shall continue in force and
shall continue to be subject to the terms of this Agreement until such Order Form terminates or expires
in accordance with its terms.
11.2 Termination for Cause. Either Party may terminate this Agreement (including all or some of the
Order Forms):
(i) immediately upon notice if the other Party materially breaches any of its material obligations
hereunder and fails to cure such breach within 30 calendar days following written notice; or
(ii) immediately upon notice in the event of the suspension of business, insolvency, institution of
bankruptcy or liquidation proceedings by or against the other Party.
11.3 Suspension. In addition to the foregoing, Caseware may suspend or terminate this Agreement and
any Order Form and the rights granted thereunder without prejudice to enforcement of any other legal
right or remedy, immediately upon giving written notice of such termination:
(i) if Customer is in breach of its payment obligations and fails to cure such breach within 10 calendar
days following Caseware's written notice;
(ii) if Customer breaches its obligations under Sections 2.5 (Use Restrictions), 3.3 (Customer Data) or 5
(Confidentiality);
(iii) if Caseware has reason to believe that Customer is using the Products and Services for any
improper or unlawful purpose; or
(iv) if Customer's continued use of the Services may result in harm to Services, or to other users.
11.4 Effect of Termination. Upon termination or expiration of this Agreement Customer shall cease to
access and use the Caseware Offerings and all rights of Customer under the Agreement and any
applicable Order Form will terminate. If this Agreement is terminated by Customer in accordance with
Section 11.2, Caseware will refund Customer a prorated amount of the Fees paid by Customer to
Caseware for the Caseware Offerings for remainder of the Term. If this Agreement is terminated by
Caseware in accordance with Section 11.2 or 11.3, Customer will pay Caseware any unpaid Fees for the
remainder of the Term. Except where an exclusive remedy may be specified in this Agreement, the
exercise by either Party of any remedy, including termination, will be without prejudice to any other
remedies it may have under this Agreement, by law, or otherwise.
11.5 Offboarding. Upon request by Customer made within 30 calendar days after the effective date of
termination or expiration of this Agreement, Caseware will make available to Customer (a) Subscriber
Data for export or download, and (b) Caseware's offboarding tools, including processes to assist
Customer with the foregoing exportation process. After such a 30-day period, Caseware will have no
obligation to maintain or provide any Subscriber Data, or, to the extent applicable, any Customer Data,
to Customer and will thereafter delete or destroy all copies of Customer Data in its systems or otherwise
in its possession or control, unless legally prohibited.
11.6 Survival. Except as otherwise agreed to by the Parties in writing, Sections 3 (Customer
Responsibilities), 4 (Fees & Payment), 5 (Confidentiality), 6 (Security & Privacy), 7 (Proprietary Rights),
8 (Indemnification), 9 (Liability), 10 (Disclaimer), 11.4 (Effect of Termination), 11.5 (Offboarding), and 12.1
(Notice), 12.5 (Equitable Relief), 12.6 (Waiver), 12.10 (Anti-Corruption), 12.11 (Export Controls), and
12.12 (Amendments) shall survive the expiration or termination of this Agreement.
12. MISCELLANEOUS
12.1 Notice. All notices and other information to be given by one of the Parties to the other shall be
given by hand delivery or e-mail to the other Party. For Caseware, all notices should be sent to the
Customer's account representative, with a copy of such notice to legal@caseware.com. For Customer,
all notices will be sent to the mailing and/or email address Customer provides to Caseware for the
Order Form. Notices sent by e-mail shall be deemed to have been received by the Party to whom it was
addressed on the date of transmission or receipt, or if sent on a day that is not a business day or after
normal business hours, on the first business day following transmission or receipt. Notices sent by hand
delivery shall be deemed to have been received on the date of delivery. Any notice of change of
address by a Party shall be effective only upon receipt of a notice provided to the other Party in
accordance with the provisions of this Section 12.1.
12.2 Entire Agreement. This Agreement, together with any other documents incorporated herein by
reference and all related Schedules and Order Forms, constitutes the sole and entire agreement of the
Parties with respect to the subject matter of this Agreement. Except where the Parties enter into a
written agreement expressly stating that said written agreement supersedes all other agreements
(including this Agreement), this Agreement supersedes all prior and contemporaneous understandings,
agreements, and representations and warranties, both written and oral, with respect to such subject
matter, including any proposals, price quotes, purchase orders, click-wrap agreements, or nondisclosure
agreements. In the event of any conflict or inconsistency among the following documents, the
order of precedence shall be (1) the applicable Order Form, (2) any exhibit, schedule or addendum to
this Agreement, and (3) the body of this Agreement. Titles and headings of sections of this Agreement
are for convenience only and shall not affect the construction of any provision of this Agreement.
12.3 Relationship. The Parties agree that Caseware and Customer are independent entities, and that no
other relationship is intended, including but not limited to a partnership, joint venture or agency
relationship. Neither Party will have the authority or right to represent nor obligate the other Party in
any way except as expressly authorized by this Agreement.
12.4 Governing Law and Choice of Forum. This Agreement shall be governed by and construed and
enforced in accordance with the laws of the jurisdiction set out in the table below, unless otherwise
specified in the applicable Order Form and the Parties hereto submit to the exclusive jurisdiction of the
courts of such jurisdiction. Where the Order Form does not set out a specific jurisdiction, this Agreement
shall be governed by and construed and enforced in accordance with the laws in force in the Province of
Ontario and the federal laws of Canada applicable therein and the Parties hereto agree to submit to
the exclusive jurisdiction of the courts of the Province of Ontario.
Caseware Affiliate Identified on the Order Form Governing Law and Choice of Forum
Caseware International Inc. Province of Ontario, Canada
Caseware USA Inc. State of New York, U.S.A.
Caseware Nederland B.V. Netherlands
Caseware UK Limited England and Wales
Caseware Germany GmbH Germany
Caseware Australia Pty Ltd. Australia
12.5 Equitable Relief. Each Party acknowledges and agrees that a breach or threatened breach by such
Party of any of its obligations under Section 5 or, in the case of Customer, Section 2.5 or Section 3,
would cause the other Party irreparable harm for which monetary damages would not be an adequate
remedy and agrees that, in the event of such breach or threatened breach, the other Party will be
entitled to equitable relief, including a restraining order, an injunction, specific performance, and any
other relief that may be available from any court, without any requirement to post a bond or other
security, or to prove actual damages or that monetary damages are not an adequate remedy. Such
remedies are not exclusive and are in addition to all other remedies that may be available at law, in
equity or otherwise.
12.6 Waiver. The waiver by either Party of a breach or default of any provision of this Agreement by the
other Party shall not be effective unless in writing and shall not be construed as a waiver of any
succeeding breach of the same or of any other provision. Nor shall any delay or omission on the part of
either Party to exercise or avail itself of any right, power or privilege by such Party shall constitute a
waiver.
12.7 Assignment. Customer may not assign this Agreement or any of its rights or obligations in relation
thereto, in whole or in part, without the prior written consent of Caseware, such consent not to be
unreasonably withheld. Any attempt by Customer to assign any of the rights of this Agreement or any
Order Form without such prior written consent is void.
12.8 Force Majeure. Except for payment obligations, neither Party shall be liable for any delay or failure
to perform its obligations in this Agreement attributable to circumstances beyond its reasonable
control, such as acts of God, fire, pandemic, natural disaster, terrorism, labour stoppage, Internet
service provider or system failures or delays, civil unrest, war or military hostilities, or criminal acts of
third-parties (each a "Force Majeure Event"). Any Party claiming a Force Majeure Event shall use
reasonable diligence to remove the condition that prevents performance and shall not be entitled to
suspend the performance of its obligations in any greater scope or for any longer duration than is
required by the Force Majeure Event. Each Party shall use its commercially reasonable efforts to
mitigate the effects of such Force Majeure Event, remedy its inability to perform, and resume full
performance of its obligations hereunder, provided, however, that in the event the Force Majeure Event
continues for thirty (30) days after the date of the occurrence, and such failure to perform would
constitute a material breach of this Agreement in the absence of such force majeure, either Party may
terminate this Agreement pursuant by written notice to the other Party and in accordance with Section
11.2 of this Agreement.
12.9 Severability. Wherever possible, each provision of this Agreement may be interpreted in such a
manner as to be effective and valid under Applicable Law, but if any provision of this Agreement is held
to be prohibited or invalid under Applicable Law, such provision will be ineffective only to the extent to
such prohibition or invalidity, without invalidating the remainder of such provision or the remaining
provisions of this Agreement.
12.10 Anti-Corruption. Neither Party has received or been offered any illegal or improper bribe,
kickback, payment, gift, or thing of value from an employee or agent of the other Party in connection
with this Agreement. Reasonable gifts and entertainment provided in the ordinary course of business
do not violate the above restriction.
12.11 Export Controls. This Agreement is expressly made subject to any laws, regulations, orders, or
other restrictions on export from Canada or the United States of America (U.S.) of the Caseware
Offerings, or any information about any of them, which may be imposed from time to time by the
governments of Canada or the U.S. Customer shall not export the Caseware Offerings, or any
information about any of them without the prior written consent of Caseware and compliance with such
laws, regulations, orders, and other restrictions. Customer represents and warrants that (a) it is not
located in a country that is subject to a Canadian or U.S. government embargo, or that has been
designated by the Canadian or U.S. government as a "terrorist supporting" country; and (b) it is not
listed on any Canadian or U.S. government list of prohibited or restricted parties.
12.12 Amendments and Modifications. No amendment to or modification of this Agreement is effective
unless it is in writing and signed by an authorized representative of each party.
12.13 Language. This Agreement may be translated into other languages for Customer convenience. In
the event of any conflict or inconsistency between the English version and any translated version, the
English language version shall prevail.
IN WITNESS WHEREOF, the Parties have caused this Agreement to be executed by their duly authorized
representatives.
Caseware
By: _______________________________
Name: ______________________________
Title: _______________________________
Date: _______________________________
Customer
By: ________________________________
Name: ______________________________
Title: _______________________________
Date: _______________________________
SCHEDULE 1 - DEFINITIONS
1. Definitions
In the Agreement, the following terms shall have the following meanings:
"Affiliate" means an entity which, directly or indirectly, owns or controls, is owned or is controlled by or
is under common ownership or control with a Party, where "control" means the power to direct the
management or affairs of an entity, and "ownership" means the beneficial ownership of greater than
50% of the voting equity securities or other equivalent voting interests of the entity;
"Aggregated Data" means data and information related to Customer's use of the Caseware Offerings
or derived from the Customer Metadata that is aggregated and anonymized and in no way identifies
Customer or any Permitted User and does not contain any Personal Data or Subscriber Data in
identifiable form.
"AI Models" means the artificial intelligence models, machine learning and large language models,
weighting systems, algorithms, decision trees, specifications, parameters, methods, methodologies,
techniques, procedures and processes used, licensed or created by Caseware and integrated within the
Caseware Offerings.
"Applicable Law" means all applicable federal, provincial, state, territorial, regional or municipal laws,
regulations, common law, orders, rules or by-laws that are applicable to this Agreement and the
Parties' obligations under this Agreement during the term of this Agreement;
“Beta Services" means any products, services, features, or functionality that Caseware makes available
to Customer on a trial, pilot, beta, or evaluation basis, which are identified as such in an Order Form or
in the Services interface.
“Customer Affiliate" means an Affiliate of Customer that is authorized to use the Caseware Offerings
pursuant to an Order Form.
"Caseware Offerings" means those Products and/or Services and/or PS that are identified in an Order
Form provided to Customer by Caseware;
"Customer Data" means information, data, materials, works, expressions, and other content, in any
form or medium, that are uploaded, submitted, posted, transferred, transmitted, or otherwise provided
or made available by or on behalf of Customer for use with the Caseware Offerings, and includes
Subscriber Data and Customer Metadata.
"Customer Metadata" means data or information generated by or relating to Customer's or any
Permitted User's configuration, usage, access logs, preferences, technical settings, environment
variables, or interactions with the Caseware Offerings, which does not in itself identify Customer, any
Permitted User, or contain any Subscriber Data in identifiable form or any Personal Data.
"Documentation" means (a) operating instructions for the Services, as made available by Caseware, as
may be updated from time to time; and/or (b) the end user manuals governing the Products (in printed
or electronic format) provided by Caseware, as modified from time to time by a Caseware;
"Enhancement" means any enhancement, update, modification, change, or improvement to the
Caseware Offerings, other than the correction of bugs or errors acknowledged by Caseware.
"Indemnitee" means the Party that has made a claim against the other Party as contemplated in
Section 8;
"Indemnitor" means the Party that has received a claim from the other Party as contemplated in Section
8 and is required under Section 8 to indemnify the Indemnitee;
"Intellectual Property Rights" means all worldwide rights associated with utility and design patents, and
patent applications, including any divisions, continuations, continuations-in-part, reissues and re
examinations thereof, works of authorship, derivative works, trade secrets, know-how, proprietary
information, technical data, inventions, processes, materials, software, improvements, derivatives, and
developments, whether or not patentable or copyrightable and regardless of whether such rights arise
under the laws of Canada, the United States or any country or jurisdiction;
"Licensed CPU" means a central processing unit controlled by the Customer in a multiple-user
environment accessed by means of a modem, a network, or other means of remote access and/or on a
single standalone computer;
"Order Form" means the ordering document prepared by Caseware with an itemized bill of Caseware
Offerings to be provided by Caseware to Customer, and applicable Fees to be paid by Customer and
with respect to PS, also means a Statement of Work;
"Partner" means an authorized reseller or distributor of Caseware that Caseware has authorized to sell
or resell Caseware Offerings;
"Partner Agreement" means the agreement entered into between a Partner and Customer in relation to
Caseware Offerings that Partner is authorized to sell on Caseware's behalf;
"Party" means either Caseware or Customer individually, and "Parties" shall mean both Caseware and
Customer collectively;
"Permitted User" means those individuals associated with Customer who are authorized by Customer to
access and use the Caseware Offerings pursuant to the terms of this Agreement, up to the maximum
number of users or licenses specified in an applicable Order Form;
"Personal Data" means any information about an identifiable individual or any information that is
otherwise subject to Applicable Laws relating to data protection and privacy;
“PS” means those professional services (including e-learning training services) provided to Customer by
Caseware that are identified in an Order Form or Statement of Work;
"Products" means those desktop software products provided to Customer by Caseware that are
identified in an Order Form, as modified or supplemented by an Enhancement or other modification
received from Caseware;
"Renewal Term" means any subsequent extension or renewal of the term for which this Agreement or
use of the Caseware Offerings applies for a period of twelve (12) months, unless otherwise indicated in
an applicable Order Form.
"Services" means those software solutions, including the provision of storage, software, platform,
computing services or other resources provided to Customer by Caseware as software as a service, and
may include professional services such as implementation, training, and consulting services, during the
Services Subscription Term and that are identified in an Order Form;
"Services Subscription Term" means the applicable term the Services are to be provided by Caseware,
as specified on an Order Form;
“Statement of Work” means the ordering document prepared by Caseware which identifies the details
of the PS to be provided to Customer by Caseware and applicable Fees to be paid by Customer;
"Subscriber Data" means data input by a Permitted User into the Services, or data prepared for the
Customer by the Services;
"Template" means the portion of a Program comprised of either (a) a sample of text, format and/or
layout for presentation and explanation of data that has been processed by a Program and/or
disclosure of related information or (b) a work aid, such as a check list or sample letter; and
"Term" means the Initial Term and any applicable Renewal Term(s).
"Third-Party Products" means any third-party products and software described in the applicable Order
Form or otherwise incorporated into the Caseware Offerings.
SCHEDULE 2 – PRODUCT-SPECIFIC TERMS
1. Use of Products
1.1 License. Upon the execution of an Order Form for Products and subject to the payment of the
applicable Fees and compliance with the terms of this Agreement, Caseware grants to the Customer a
revocable, royalty-free, limited, non-exclusive, non-transferable license to use the Products identified
on the Order Form (the "License") for the number of Permitted Users set out in the Order Form.
1.2 Rights of Use. Pursuant to the License, Customer may:
(i) make for use by means of one (1) or more Licensed CPUs, one (1) or more copies of the Product(s) for
the Permitted User(s), provided that each such copy must contain all proprietary notices that appear on
the Products;
(ii) make one (1) copy of a Product for backup or archival purposes, provided that such copy must
contain all proprietary notices that appear on the Products;
(iii) use the Documentation to assist Permitted User(s) to understand how to install, and operate the
Products; and
(iv) make a copy of the Documentation for use by each Permitted User.
1.3. Assignment of Licenses. Except where a License is assigned from one Licensed CPU to another for
use by the same Permitted User, or in the event a Permitted User is not longer employed by or
contracted to the Customer and the License is reassigned to a new employee or contractor to the
Customer, the License granted hereunder is personal to each Permitted User, and may not be assigned,
transferred, sublicensed or encumbered without the express written consent of Caseware.
1.4 License Activation. Use of a Product may require activation and registration by a Permitted User.
Where use of a License requires registration, Caseware shall provide a unique identification key that a
Permitted User will use to validate its License on Caseware's website.
1.5 Excess Permitted Users. If at any time during the Licensed Term the aggregate number of Permitted
Users exceeds the number of Permitted Users set out in the applicable Order Form, Customer shall
immediately advise Caseware of same in writing and pay Caseware's then prevailing license fee for
each excess Permitted User and thereafter the number of Permitted Users shall be increased by such
excess number.
2. Duration of License
2.1 License Term. Customer will have the right to use the License for the term set out in the Order Form
(the "License Term") and any renewal of the License Term.
3. Use of Products and Templates
3.1 Customer acknowledges that:
(i) Templates may only be used to gather, select, and prepare data for processing by a Program and to
present data that has been processed by a Program;
(ii) Templates may not be distributed to a third-party as a standalone work;
(iii) any sample presentation, documents, letters, and disclosures presented by the Product or
Documentation are only samples or examples and are not complete nor comprehensive;
(iv) neither the Products nor Documentation are a substitute for materials, methods or processes
required by Applicable Law, practice guidelines or as an alternative to the Permitted User's judgement;
(v) information retrieved from a Template or the Products are provided on an "as is" basis with no
guarantee of completeness, accuracy and timeliness and it is the Permitted User's responsibility to
ensure the accuracy of the results obtained from the use of reliance upon this information;
(vi) it is the Customer's responsibility to ensure that appropriate disclosures are made, and applicable
standards are met in a manner that meets the requirements of a particular jurisdiction; and
(vii) the License does not grant to Customer any right to (i) receive an Enhancement; (ii) any Templates;
or (iii) use the trademark "Caseware" or any other trademark owned or licensed by Caseware without
Caseware's prior written approval.
4. Enhancements and Support
4.1 Updates. During the License Term, Caseware may develop Enhancements to the Products, and will
use commercially reasonable efforts to make such Enhancements available to Customer and its
Permitted Users when they become commercially available. It is a Permitted User's responsibility to
download and update the Product when an Enhancement is made available by Caseware. Customer
acknowledges that a failure to download or an Enhancement may affect the functionality of the
Product. Customer further acknowledges that Caseware may cease support of any previous version of a
Product 1 year after an Enhancement is made available.
4.2 Support. During the License Term, Caseware will use commercially reasonable efforts to provide
Customer with technical support and customer service for the Products as set out at Caseware’s
Support Website at www.caseware.com/legal/caseware-support-website and in accordance with
Caseware’s Support Policy, available at www.caseware.com/legal/support-policy, as updated from
time to time. Caseware typically supports only the current shipping version and one prior version of
each Product. Support services, including new features, enhancements, patch releases, hotfixes, and
technical assistance, will only be provided for supported versions. Customer is responsible for
upgrading to a supported version to continue receiving support services.
5. Product Warranty
5.1 Warranty. Upon commencement of the License Term and for a period of thirty (30) days thereafter,
all Products, will be free from material defects, free from material errors, free from all known viruses (as
identified using commercially reasonable steps and antivirus software) and will perform materially in
accordance with the Documentation.
5.2 Exceptions. The foregoing warranty shall not apply to (a) any modification made to the Products by
any Party other than Caseware or its authorized agents; (b) the use of the Products in a manner other
than as contemplated in this Agreement or the Documentation; or (c) the failure by Customer to report
a warranty claim within the warranty period specified set out above.
5.3 Remedy. Caseware's sole responsibility for a valid warranty claim of the warranty provided in this
Section 5 shall be, in Caseware's sole discretion, to (a) advise Customer how to achieve substantially
the same functionality with the Products as described in the Documentation through a procedure
different from that set forth in the Documentation; (b) use commercially reasonable efforts to develop a
solution or workaround to make the non-conforming Product functional to comply with the warranty set
out in Section 5.1; or (c) terminate the applicable Order Form, and/or this Agreement, and refund a
prorated amount of the Fees for that particular Product paid by Customer for the calendar month in
which Caseware receives written notice of the warranty claim. For greater certainty, Customer Outputs,
including hallucinations or inaccuracies, shall not be considered defects under this warranty.
SCHEDULE 3 - SERVICE-SPECIFIC TERMS
1. Provision of Services
1.1 License to Services. Upon the execution of an Order Form for certain Services and subject to
Customer's payment of the applicable Fees and continued compliance with the terms and conditions of
this Agreement, Caseware grants a license to Customer and its Permitted Users to access to and use of
those specific Services on a limited, non-exclusive, non-transferable, non-assignable and nonsublicensable
basis for the applicable Services Subscription Term identified in the Order Form.
1.2 Rights of Use. The Services may be accessed and used by Permitted Users by way of the internet
from a computing device in a manner described in the Documentation for the language version
selected. Each Permitted User shall register with Caseware to obtain valid credentials (user ID and
password) for accessing the Services.
2. Duration of Services
2.1 Services Subscription Terms. Customer will have the right to use the Service for the Services
Subscription Term set out in the Order Form for each applicable Service, and the Order Form shall
govern any renewal of the Services Subscription Term, unless terminated earlier in accordance with this
Agreement.
3. Support Services & Maintenance
3.1 Service Level Agreement. During the Services Subscription Term, Caseware will use commercially
reasonable efforts to provide the Support Services and meet the services levels set out in the Caseware
Service Level Agreement www.caseware.com/legal/caseware-service-level-agreement as updated and
amended from time to time (the "SLA").
3.2 Remedies. The remedies set out in the SLA are Customer's sole remedy and Caseware's sole
obligation for any failure to meet any service levels relating to service availability or support response
times set out in the SLA.
3.3 Maintenance. From time to time, it will be necessary for Caseware to perform maintenance on the
Services, including routine maintenance to ensure the continued provision of the Services. Caseware
shall use reasonable efforts to perform such maintenance at such times to minimize the impact of any
downtime of its Software on the Customer. To the extent Caseware is able, Caseware shall notify
Customer in advance of any scheduled maintenance by posting a message on its website or by sending
an email to the designated Customer representative of the scheduled maintenance time and the
anticipated duration of such maintenance. In instances where Caseware must perform emergency
maintenance, including to address Security Events, Caseware shall use commercially reasonable efforts
to notify Customer as soon as reasonably practicable.
SCHEDULE 4 - PS-SPECIFIC TERMS
1. Provision of PS
1.1 License to PS. Upon the execution of an Order Form for PS and subject to Customer's payment of the
applicable Fees and continued compliance with the terms and conditions of this Agreement, Caseware
grants a license to Customer and its Permitted Users to access to and use of results of the PS and
related deliverables on a limited, royalty-free, non-exclusive, non-transferable, non-assignable and
non-sublicensable basis for the applicable Caseware Offerings identified in the Order Form.
1.2 Assumptions, Dependencies and Responsibilities. The Order Form shall identify assumptions,
dependencies and responsibilities of both Customer and Caseware. Customer acknowledges that any
delay or non-compliance of these terms by Customer may result in delays or extra time and costs in the
delivery of the PS by Caseware. Any such delay or extra costs shall be agreed between the Parties and
documented with a change order prior to Caseware performing the PS.
1.3 Change Orders. Any changes to an Order Form must be mutually agreed by the Parties in writing
via a change order.
1.4 Deliverables. Details of deliverables shall be identified in the Order Form.
1.5 Fees. Unless otherwise specified in the Order Form, all PS shall be performed on a fixed fee basis.
Where the Order Form specifies an estimate for PS based on hourly work, Caseware shall not exceed
the estimated hours of PS service without the written consent of Customer via a Change Order.
Caseware may suspend performance of PS services where any Fees are past due by more than 15 days.
Out of pocket expenses, if any, in addition to the PS Fees, shall be pre-approved by the Customer and
invoiced as they occur.
2. Duration of PSs
2.1 License Term. Customer will have the right to use the results of the PS and related deliverables for
the License Term of the related Product and for the Services Subscription Term for the related Services,
as the case may be, unless terminated earlier in accordance with this Agreement.
3. Learning Services. The terms of the learning services are set out on Caseware's website at
www.caseware.com/legal, as may be updated from time to time.
4. PS Warranty
4.1 Warranty. For a period of thirty (30) days from the completion of the PS, the PS will be performed in
a professional manner using qualified and experienced personnel familiar with the Caseware Products
and Services. Any warranty claims must be reported in writing to Caseware within such time period.
4.2 Exceptions. The foregoing warranty shall not apply where any change, additional, deletion or
other modification was made to the PS work performed by Caseware or related deliverables, except as
specifically authorized in writing by Caseware.
4.3 Remedies. Caseware's sole responsibility for a valid warranty claim of the warranty provided in this
Section 4 shall be to use commercially reasonable efforts to promptly cure such breach; provided, that,
if Caseware cannot cure such breach within a reasonable time but not more than thirty (30) days of
Customer’s written notice of such breach, Customer may, at its option, terminate the Order Form and
Caseware shall refund a pro rated amount of Fees related to the applicable PS which gave rise to the
warranty breach.
Application and Interface Security
Our Software Development Life Cycle (SDLC) ensures that our applications and programming interfaces (APIs) are designed, deployed, and tested in accordance with leading industry standards – such as OWASP, ISO, and SOC – and adhere to legal, statutory, or regulatory compliance obligations.
You will be onboarded once all agreements and policies are accepted for usage of the service. You are responsible for ensuring your usage of Caseware Cloud is in compliance with applicable laws and regulations.
Legal specifics can be found in the Cloud Services Agreement here.
Our policies and procedures have been established and are maintained in support of data security to include confidentiality, integrity, and availability across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.
Audit Assurance and Compliance
Independent audits are conducted by registered 3rd parties as part of our compliance program for ISO 27001 and SOC 2 for our Cloud services. We also have an internal audit program, external penetration testing and regularly scheduled internal vulnerability testing. Vulnerability test results are shared with customers as outlined in the Client Initiated Testing Policy. The results of these processes are tracked through our improvements process. The methodology and tools used to conduct penetration testing is tailored to each assessment for specific targets and attacker profiles. SOC 2 reports are provided under NDA to clients. Our SOC 3 Report is available in PDF format here.
Production data is stored on Amazon Web Services (AWS). The application handles logical separation of client data through database isolation. Data that is transferred to and from our service (including backups) is 100% encrypted over an SSL connection (AES-256-bit – the same strength used in online banking). Data transmission occurs between client and server, and databases. Controls are in place for secure and encrypted bulk data transfers. There are no email transmissions. For more information on security, see: https://www.casewarecloud.com/security.html. Our legal team monitors our regulatory obligations. Please refer to our Cloud Services agreement for legal requirements here.
Business Continuity Management and Operational Resilience
Caseware has a consistent unified framework for business continuity planning and has established, documented, and adopted this to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements.
Requirements for business continuity plans include the following:
- Defined purpose and scope, aligned with relevant dependencies
- Accessible to and understood by those who will use them
- Owned by a named person(s) who is responsible for their review, update, and approval
- Defined lines of communication, roles, and responsibilities
- Detailed recovery procedures, manual work-around, and reference information
- Method for plan invocation
Our business continuity and security incident response plans are tested at planned intervals or upon significant organizational or environmental changes. Incident response plans involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.
Our service is hosted on Amazon’s AWS and utilities services and environmental conditions (for example, water, power, temperature and humidity controls, telecommunications, and internet connectivity) are secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and are designed with automated failover or other redundancies in the event of planned or unplanned disruptions.
Our cloud service is completely virtual and hosted on Amazon Web Services (AWS). Amazon is also ISO and SOC2 compliant and responsible for restricting access to facilities housing the productions systems to authorized individuals. AWS is also responsible for environmental protection and preventative maintenance over production systems. AWS has published further details here: https://aws.amazon.com/compliance/data-center/controls. These certifications address physical security, system availability, network and IP backbone access, customer provisioning and problem management. Physical access and environmental controls are managed and controlled by AWS. AWS physical protection assurance information can be found at: https://aws.amazon.com/compliance.
Caseware has aligned our security program to ISO 27001 and we have business continuity processes in place to address disruptions to critical services. We monitor all cloud instances for performance and availability and incorporate the following:
- Identify critical products and services
- Identify all dependencies, including processes, applications, business partners, and third party service providers
- Understand threats to critical products and services
- Determine impacts resulting from planned or unplanned disruptions and how these vary over time
- Establish the maximum tolerable period for disruption
- Establish priorities for recovery
- Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
- Estimate the resources required for resumption
Customers can see our real-time operational status at our status page here: https://caseware.statuspage.io/.
We maintain a central system for documentation and train all staff on processes. Procedures include change management, security processes, roles and responsibilities of internal users. Our procedures are updated on an as needed basis and revision histories are logged. Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.
Caseware maintains a records and retention policy for Cloud services. The retention policy is not client-specific. Backup and recovery procedures are documented and automated alerts are sent daily to operations staff. Backup and recovery measures have been incorporated into business continuity planning and tested accordingly for effectiveness. See the retention policy for each category of records below.
System transaction logs
Description: Database journals and other logs used for database recovery.
Retention period: 30 days.
Reason for retention: Based on backup and recovery strategy.
Allowable storage media: Electronic.
Audit logs
Description: Security logs, for example, records of logon/logoff and permission changes.
Retention period: 30 days.
Reason for retention: Maximum period of delay before forensic investigation.
Allowable storage media: Electronic.
Operational procedures
Description: Records associated with the completion of operational procedures.
Retention period: 2 years.
Reason for retention: Maximum period elapsed regarding dispute.
Allowable storage media: Electronic.
Customer
Description: Customer backups.
Retention period: 90 days.
Reason for retention: Data protection requirement.
Allowable storage media: Electronic.
Change Control and Configuration Management
Change management controls have been established for any new development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization’s business leadership or other accountable business role or function. Our SDLC has a defined quality change control and testing process with established baselines, testing, and release standards which focus on system availability, confidentiality and integrity of systems and services.
Policies and procedures have been established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices and IT infrastructure network and systems components within the production cloud environment. Our change management policies and procedures include managing the risks associated with applying changes to business-critical or customer impacting applications and system-system interface (API) designs and configurations. Technical measures have also been implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer, and/or authorization by, the customer as per agreement prior to deployment.
Data Security and Information Lifecycle Management
Caseware has policies and procedures and supporting business processes and technical measures in place to inventory and maintain data flows within the SaaS network and systems for each geographic location. Controls are in place to ensure that data is placed in the geographic area determined by the client. Subscriber data within the production cloud environment resides on two-tier architecture and is not directly accessible from the internet.
Our security policy defines four levels of data classification: confidential, restricted, operational, and public. All data stored within the production cloud infrastructure is considered confidential, which is our highest level of security and only authorized staff have access to this environment. Logical access to the production cloud environment is restricted to the operations team alone.
All subscriber data is stored in the production cloud environment. Use of customer data in non-production environments is controlled through secure data-handling processes, which require explicitly documented approval from the customers whose data is affected, and must comply with legal and regulatory requirements for scrubbing of sensitive data elements.
There is a designated operations team responsible for all operational functions regarding the infrastructure and storage with assigned responsibilities that have been defined, documented, and communicated.
Caseware Cloud is hosted on Amazon web servers around the world. Upon subscribing to the Caseware Cloud Services, CWC informs clients of the jurisdiction in which the server that has been allocated to host your Subscriber Data and Personal Information is located. You may consent to such allocation, or refuse a server so allocated.
For performance reasons, we’ll typically set you up in:
- United States/North Virginia if you’re located in the United States or South America
- Canada/Montreal if you’re located in Canada
- Australia/New South Wales if you’re located in the Asia-Pacific region
- Ireland/Leinster if you’re located in any other region
Data center Security
The production infrastructure is completely hosted within Amazon’s AWS. AWS is responsible for restricting access to facilities housing the production systems to authorized individuals. AWS is also responsible for environmental protection and preventative maintenance over production systems. Physical access is controlled by AWS at the perimeter and at building ingress points. Full details can be found here: https://aws.amazon.com/whitepapers/#security. AWS has published further details here: https://aws.amazon.com/compliance/data-center/controls/.
Our production infrastructure is completely hosted within Amazon’s AWS. AWS has SOC 2 reports, which are reviewed annually. AWS governance processes can be found here: https://aws.amazon.com/compliance/.
Encryption and Key Management
Our cryptography policies and procedures are designed to support business process. Technical measures have been implemented based on business requirements for protection of data at rest and data in transit as per applicable legal, statutory, and regulatory compliance obligations.
Our cryptography policy requires all encryption keys to have identifiable owners within the organization. The cryptographic key lifecycle management ensures access controls are in place for secure key generation, exchange and storage, including segregation of keys used for encrypted data or sessions.
Data stored at the server level (data-at-rest) is encrypted using the industry standard AES-256 algorithm. Data that is transferred to and from our service (data-in-transit) is encrypted via TLS with ephemeral key exchange and use industry-accepted strong cipher suites. Certificates use a minimum of 2048-bit key strength with SHA-2 or stronger signature algorithm. Private keys are generated and stored in our secrets management systems. They are deployed and used on production systems as needed via our change control process. Certificates are obtained through a reputable vendor and follow the built-in and industry standard renewal/rotation process based on expiry or revocation as needed.
Governance and Risk Management
Security risk assessments are completed at least annually and consider the following:
- Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
- Compliance with defined retention periods
- Data classification and protection from unauthorized use, access, loss, destruction, and falsification
We have implemented an Information Security Management System based on ISO 27001 and SOC 2 controls. Our ISMS includes the following areas insofar as they relate to the characteristics of the business:
- Information Security Policy (this document)
- Access Control Policy
- Availability Management
- Clean Desk Policy
- Cryptography Policy
- IS Supplier Management Policy
- Logging and Monitoring Policy
- Mobile Device Policy
- Network Security Policy
- Password Management Policy
- Patch Management Policy
- Software Policy
- Technical Vulnerability Management Policy
- Risk Assessment Methodology
- Malware, Email and ISMS Policy
- Internet Acceptable Use Policy
- Penetration Testing Policy
- Teleworking Policy
- Records Retention and Protection
Department managers are responsible for maintaining awareness of, and complying with, security policies, procedures, and standards that are relevant to their area of responsibility.
Risk acceptance levels have been defined within the risk management methodology and all risks are mitigated to an acceptable level with reasonable resolution time frames and stakeholder approval.
Our information security policies and procedures are posted and available for review by all impacted staff and external business relationships. The Information Security Steering Committee is responsible for developing, maintaining, and enforcing our service’s information security policies. The information security policy is reviewed annually and approved by the Information Security Steering Committee. Executive and line management provide support for information security through clearly documented direction and commitment, and shall ensure action has been assigned. There is a senior member of management who is responsible for information security governance and operations, including protection of customer data – this role reports to the CFO.
Policy reviews are conducted annually by the Information Security Steering Committee or as a result of changes to the organization to ensure its continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations.
Formal risk assessments are performed annually and in conjunction with any changes to information systems to determine the likelihood and impact of all identified risks. The likelihood and impact associated with inherent and residual risk is determined independently, considering all risk categories based on audit results, threat and vulnerability analysis, and regulatory compliance. Risk assessment results can include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective. The results of risk assessments are:
- Reported to senior management who then partake in a risk treatment process
- Updated in a risk register
- Prioritized based on possible impact to production systems
Our HR has a defined screening process for all staff. Reference checks are obtained with respect to all employees at time of hiring, with criminal and credit background checks for those who perform operational roles with the product cloud environment. All staff are required to sign a confidentiality agreement prior to employment to ensure protection of client information for the protection of data. Information security awareness training is provided during employee onboarding. Specific training is provided for developers on secure coding practices. Formal records are maintained for completion of internal staff training. Employee terminations and position changes are initiated by department managers. Our HR team reviews these requests and submits the request through our ticketing system for de-provisioning and provisioning requirements. Our HR team has an employee departure process to ensure all equipment is returned and accounts terminated to ensure that access to production environments is removed.
A security awareness training program has been established for all contractors, third-party users, and employees and is mandated. All individuals with access to confidential and restricted data receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their job function relative to the organization. Roles and responsibilities of contractors, employees, and third-party users are documented as they relate to information assets and security.
User responsibilities are defined within job descriptions for all staff and they are made aware of their roles and responsibilities for:
- Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations
- Maintaining a safe and secure working environment
- Report any suspicious activity if detected
We have a clear screen policy which requires that unattended workspaces do not have openly visible sensitive documents and user computing sessions had been disabled after an established period of inactivity.
We have an Access Control policy in place that specifies how to manage access control to all system components and sensitive information in the organization. Policies governing acceptable use or access to subscriber data and metadata is included in the Caseware privacy policy (https://www.caseware.com/privacy-statement/). Caseware collects, uses and discloses information only for the following purposes:
- To verify your identity
- To provide you with the Caseware Cloud Services
- To contact you for the purposes of product information, service updates, billing notifications, or notifications relating to the Caseware Cloud Services
- To monitor and/or improve system usage, server and software performance
- To assist with technical support issues
- To comply with any laws, regulations, court orders, subpoenas or other legal process of investigation and to protect CWC, its Affiliates and other individuals from harm
- To improve and enhance CWC Service offerings
Identity and Access Management
Policies and procedures have been established to store and manage identity information about every person who accesses the production cloud infrastructure and to determine their level of access. Access control policies and procedures have been established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest. The access control repository is managed by the provider. We use a privileged identity manager and password management system.
Access to, and use of, audit tools that interact with production cloud environment is segmented and restricted to prevent compromise and misuse of log data. User access to diagnostic and configuration ports are restricted to authorized individuals and applications.
Controls are in place to ensure only approved software is installed within the production cloud infrastructure.
Access to the organization’s own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software is controlled following the rule of least privilege based on job function as per established user access policies and procedures.
Caseware Cloud Service requires password authentication to access the base system. Once in the system, users must be assigned security roles to perform additional operations and access certain content. With security roles, you can control who has access to what content. Your organization is responsible for developing appropriate security policies around passwords and security roles using the security features provided in Caseware Cloud. Caseware provides access to clients, who then control their own users and administrative accounts, including provisioning and de-provisioning. Two-factor authentication is employed. User access is authorized and revalidated quarterly, to ensure the rule of least privilege based on job function. For identified access violations, remediation activities are followed based on the established user access policies and procedures. Timely de-provisioning (revocation or modification) of user access to data or managed applications, infrastructure systems, and network components, has been implemented as per established policies and procedures and based on user’s change in status such as termination of employment or other business relationship, job change, or transfer. The provider manages service account provisioning and de-provisioning. Service account authentication utilizes multi-factor authentication.
Infrastructure and Virtualization Security
Caseware Cloud deploys a SaaS-based endpoint detection and response security endpoint to all hosts within our infrastructure. All user, process, and network activity is collected and stored in the tamper-proof central location and analyzed in near real-time for suspicious behaviors as well as for manual forensics. Protection, retention, and lifecycle management of audit logs, adhere to applicable legal, statutory, or regulatory compliance obligations and provide unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, that are required to support forensic investigative capabilities in the event of a security breach. Our tools have the capability to detect/prevent unauthorized or anomalous behavior based on network traffic or host activity. All authentication events, successful and failed, are logged.
Our production and non-production environments are separated to prevent unauthorized access or changes to information assets. Separation of the environments include logical separation and segregation of duties for personnel accessing these environments as part of their job duties.
Our production system and network environment is protected by centrally managed firewalls and ensures separation of production and non-production environments. Our production environment is designed, developed, deployed, and configured to ensure our operations team and clients user access is appropriately segmented from other client users, based on the following considerations:
- Established policies and procedures
- Isolation of business critical assets and/or sensitive user data and sessions that mandate stronger internal controls and high levels of assurance
- Compliance with legal, statutory, and regulatory compliance obligations
The production cloud infrastructure has a reliable and mutually agreed upon external time source that is used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.
Supply Chain Management, Transparency, and Accountability
Policies and procedures have been implemented to ensure the consistent review of service agreements between providers and customers across the relevant supply chain. Reviews performed at least annually and identify non-conformance to established agreements. Any non-conformances are identified as actions to address service-level conflicts or inconsistencies.
Threat and Vulnerability Management
Policies and procedures have been established, and supporting business processes and technical measures implemented, to prevent the execution of malware within the production cloud environment or end user devices and IT infrastructure network and system components. Policies and procedures have been established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components. We also perform ongoing application and code vulnerability evaluations of our products and have dual peer reviews of all code changes to ensure the efficiency of implemented security controls. Our risk management methodology is used for prioritizing remediation of identified vulnerabilities. Changes are managed through our defined change management process for all vendor-supplied patches, configuration changes, or changes to our applications. Our anti-malware solution is centrally managed and runs on all systems. The anti-malware solution includes mechanisms for detecting or preventing phishing. Malware signature updates are deployed within 1 day of release.
