Caseware Legal

The Caseware Legal page provides centralized access to Caseware’s legal policies, agreements, and compliance resources. Explore important information related to privacy, security, AI, accessibility, and product usage in one place.

CASEWARE MASTER PRODUCT & SERVICES AGREEMENT

Last Updated: May 2026

This Master Product and Services Agreement ("Agreement") between the customer identified in an

applicable Order Form ("Customer"), and either (a) Caseware International Inc., a company existing

under the laws of Ontario, Canada and whose principal place of business is at 351 King Street East,

Suite 1100, Toronto, Ontario M5A 2W4 Canada; or (b) the Affiliate of Caseware International Inc. listed

on an applicable Order Form (jointly and collectively, "Caseware").

Caseware offers certain Products, Services and PS, and Customer wishes to access and use specific

Products, Services and PS as set out in one or more applicable Order Form(s) (the “Caseware

Offerings”). Once executed by the Customer, the Order Form represents the binding commitment of

the Customer to pay for the Caseware Offerings identified therein.

This Agreement is effective on the earliest of: (i) the date Customer executes an Order Form; (ii) the

date Customer clicks "accept" on this Agreement; (iii) the date Customer or any Permitted User first

accesses or uses the Products or Services; or (iv) the date Customer makes payment for any Caseware

Offerings (the "Effective Date"). By any of the foregoing actions, Customer agrees to be bound by this

Agreement, including any documents incorporated by reference, as updated from time to time.

PLEASE READ THIS AGREEMENT CAREFULLY. THIS AGREEMENT AND ANY APPLICABLE ORDER FORMS

CONSTITUTE A LEGALLY BINDING AGREEMENT BETWEEN CUSTOMER AND CASEWARE AND

GOVERNS CUSTOMER'S ACCESS TO AND USE OF THE CASEWARE OFFERINGS. IF CUSTOMER DOES

NOT ACCEPT THIS AGREEMENT, CUSTOMER MUST NOT ACCESS OR USE THE PRODUCTS OR

SERVICES. IF CUSTOMER IS USING THE PRODUCTS OR SERVICES ON BEHALF OF AN ORGANIZATION,

CUSTOMER REPRESENTS THAT CUSTOMER HAS THE AUTHORITY TO BIND THAT ORGANIZATION TO

THIS AGREEMENT, IN WHICH CASE "CUSTOMER" WILL REFER TO SUCH ORGANIZATION.

If the Parties have a fully executed agreement that expressly governs any applicable Order Form for the

Caseware Offerings and specifically states that this Agreement is not applicable, such fully executed

agreement, and the terms and conditions contained therein, shall supersede this Agreement.

For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged,

Caseware and Customer agree as follows:

1. INTERPRETATION

1.1 Definitions. As used in this Agreement, defined terms shall have the meanings specified in Schedule

1.

1.2 Schedules. The following Schedules to this Agreement are incorporated by reference herein and are

an integral part of this Agreement:

Schedule 1 - Definitions

Schedule 2 – Product-Specific Terms

Schedule 3 – Service-Specific Terms

Schedule 4 – PS-Specific Terms


2. PRODUCTS & SERVICES

2.1 Order Forms. In accordance with the terms and conditions set out in this Agreement, Caseware shall

make available to the Customer, the Caseware Offerings described herein pursuant to one or more

Order Forms which shall be governed by the terms of this Agreement, including any documents

incorporated by reference, as updated from time to time and including the applicable terms set out in

the Schedules.


2.2 Customer Affiliates. If a Customer Affiliate is named in an Order Form, Customer may permit such

Customer Affiliate to access and use the Caseware Offerings in accordance with the terms of this

Agreement. Customer shall ensure that each Customer Affiliate complies with all terms and conditions

of this Agreement. Customer shall remain fully responsible and liable for all acts, omissions, breaches,

and obligations of each Customer Affiliate to the same extent as if such acts, omissions, breaches, or

obligations were those of Customer.


2.3 Modifications to Products, Services and PS. Caseware may modify the Products, Services and PS

from time to time without notice to the Customer. Caseware will use commercially reasonable efforts to

notify the Customer in advance if a change is material, other than those changes which enhance or

extend any features or functionality of the Products, Services and PS. Caseware is not obligated to

customize, modify, or adapt the Caseware Offerings to meet Customer-specific requirements unless

expressly agreed in an Order Form.


2.4 Pilot Program. As further set out in an applicable Order Form and to the extent applicable,

Customer may receive use and access to the Caseware Offerings for a period of time on a trial or pilot

basis and for evaluation purposes (the "Pilot Program"). Customer acknowledges that the Pilot

Program: (a) may be subject to different fees and functionality from those applicable to the Caseware

Offerings offered during the Term; (b) may include Beta Services; and (c) will be provided "as is" and

"as available", and Caseware will have no liability or indemnification obligations for any harm, loss or

damage arising out of or in connection with any Caseware Offerings during the Pilot Program, unless

any such harm, loss or damage are a result of Caseware's gross negligence or willful misconduct.


2.5 Restrictions on Use. The Customer agrees to use the Caseware Offerings in accordance with this

Agreement and will not, nor permit any Permitted User to:


(i) access any of the Caseware Offerings without using user credentials registered with Caseware or

otherwise attempt to gain unauthorized access to the foregoing;(ii) misrepresent its identity or

authorization to act on behalf of others, including when it acts as the sender of any electronic

transmissions sent through the Caseware Offerings;


(iii) use any of the Caseware Offerings for unlawful purposes and except in accordance with this

Agreement, including using or accessing any of the Caseware Offerings for any purpose that infringes,

misappropriates or violates any intellectual property, privacy or other right of a third-party;


(iv) perform, or aid others in performing, penetration tests, distributed denial-of-service (DDoS) attack

tests or any other kind of security test on the Caseware Offerings without Caseware's express written

consent;


(v) sell, resell, rent, lease, lend, license, sublicense, assign, distribute, publish, transfer or otherwise

make available any of the Caseware Offerings to any third-party, except as otherwise permitted in

accordance with this Agreement;


(vi) reverse engineer, decompile, disassemble, or translate the software used by Caseware to deliver

the Products, or otherwise attempt to view, display or print the software's source code;


(vii) remove, or obscure any copyright, trademark or other proprietary notices contained in the Products

and Services;


(viii) attempt to compromise the functionality, security, or integrity of the Services, or assist others in so

doing;


(ix) copy, modify or create derivative works of the Products or Services, in whole or in part except as

expressly permitted by the functionality of the Caseware Offerings (including using AI features to

generate content for Customer's work product);


(x) access or use the Products and Services to create a competitive product or services;


(xi) frame or mirror any part of the Products or Services into any other product or service, unless

otherwise provided for under this Agreement or an applicable Order Form; or


(xii) collect, harvest, reverse look-up, trace, or otherwise seek to obtain any information on any other

user of the Products or Services;

2.6 Audit Rights. Caseware reserves the right to monitor and audit Customer's usage of the Caseware

Offerings for the purpose of ensuring compliance with the terms of this Agreement. Any such audit may

be carried out by Caseware, or a third-party authorised by Caseware, at Caseware's expense, and will

not unreasonably interfere with the Customer's normal business operations. If any such audit reveals

use of the Caseware Offerings in excess of Customer's entitlement under an applicable Order Form, or

otherwise identifies noncompliance with the terms of this Agreement, Customer shall promptly pay the

amounts necessary to rectify such underpayment or overuse, together with interest at the rate of 2%

per month, and shall pay the costs of the audit identifying the underpayment or overuse where the

audit determines that Customer's underpayment equals or exceeds 10 percent for any quarter.

2.7 Use of Subcontractors. From time to time, Caseware may use subcontractors selected by Caseware

at its sole discretion to provide the Caseware Offerings. Notwithstanding the foregoing, Caseware's use

of a subcontractor shall not release Caseware from any duty or liability to fulfill its obligations under

this Agreement or an applicable Order Form.

3. CUSTOMER RESPONSIBILITIES

3.1 Co-operation. In addition to any obligations and responsibilities described in this Agreement or an

applicable Order Form, Customer will be responsible for providing Caseware with sufficient and timely

access to systems, hardware, data (including Customer Data), information and personnel as may be

necessary or reasonably requested by Caseware to enable Caseware to provide the Caseware

Offerings. Customer acknowledges and agrees that its failure to provide such access, information,

materials or personnel on a timely basis as reasonably requested by Caseware under this Agreement

will have a material impact on the provision of the Caseware Offerings, and use thereof by Permitted

Users, and that Caseware shall not be responsible for any delays, losses or damages arising from or

related to Customer's failure to be responsive and co-operative as reasonably required under this

Agreement. Customer agrees to cooperate with Caseware in good faith to support the responsible use

of AI Models, including providing feedback and reporting anomalies or hallucinations.


3.2 Permitted Users. Customer is responsible and liable for all use of the Caseware Offerings resulting

from access provided by Caseware, directly or indirectly, whether such access or use is permitted by or

in violation of this Agreement. Customer shall only grant access to Permitted Users who have agreed to

be bound by the terms of Caseware's End User License Agreement, as amended from time to time, for

use of any Products, or Caseware's Terms of Service, as amended from time to time, for use of any

Services (collectively, the "User Agreements"). Without limiting the generality of the foregoing,

Customer is responsible for all acts and omissions of Permitted Users, and any act or omission by a

Permitted User that would constitute a breach of this Agreement or the User Agreements, as the case

may be, if taken by Customer will be deemed a breach of this Agreement by Customer. Customer shall

use all reasonable efforts: (a) to make all Permitted Users protect and secure their access to the

Caseware Offerings to prevent unauthorized use; and (b) to make all Permitted Users aware of this

Agreement's provisions as applicable to such Permitted User's use of the Caseware Offerings and the

User Agreements, as the case may be, and shall cause Permitted Users to comply with any such

provisions. If Customer learns of any actual or suspected breach of this Agreement or any User

Agreement, as the case may be, as a result of the actions or inactions of a Permitted User, Customer

shall immediately notify Caseware in writing of the breach and co-operate with any instructions

reasonably requested by Caseware in relation to the foregoing.


3.3 Customer Data. Customer is exclusively responsible for all matters related to Customer Data, and

Customer represents and warrants that: (a) the Customer Data does not infringe, violate or

misappropriate any third-party intellectual property or privacy rights, or any other rights granted

under Applicable Law; (b) Customer is responsible for accuracy, quality, integrity, legality, reliability

and appropriateness of the Customer Data; (c) Customer is the sole owner of the Customer Data or has

the necessary and required consents, licenses, permits, permissions, releases, clearances, and rights to

use, display, process, share, post, upload and transfer the Customer Data under this Agreement,

including use of the Customer Metadata to develop, train and optimize the AI Models, to the extent

permissible under applicable laws; (d) the Customer Data does not contain any illegal, defamatory,

denigrating, demeaning, obscene, profane, or offensive material or content, except in pursuit of valid

research or business purposes of Customer; (e) the Customer Data does not contain any virus, Trojan

horse, worm, or other software, script or code, the effect of which is to permit unauthorized access to,

or to alter, disable, encrypt, erase, or otherwise harm, any computer, systems, software or data; and (f)

unless otherwise set out in an Order Form, the Customer Data does not contain any Personal Data

except for (i) contact information reasonably necessary for the operation of the Caseware Offerings

(such as names, email addresses, and phone numbers), and (ii) user account information. If Caseware

forms the view that any Customer Data uploaded by Customer or any Permitted User violates this

Section 3.3, then Caseware reserves the right to remove such Customer Data and take such other

action as Caseware deems necessary to protect the integrity and operation of the Caseware Offerings.

Any costs associated with such removal may be charged by Caseware to Customer. Caseware shall use

commercially reasonable efforts to notify Customer of any removal of Customer Data under this Section

as soon as reasonably possible.


3.4 Third-Party Products. The Products and Services may allow you to access and use Third-Party

Products. Third-Party Products that require separate customer action or authorization, and any

associated fees relating to use thereof, will be set out in an applicable Order Form. Customer's use of

any Third-Party Products is solely at its own risk. Caseware makes no representations or warranties with

respect to, nor does it guarantee or endorse, any Third-Party Products. Caseware further does not

guarantee the continued availability of Third-Party Products, and may disable a Third-Party Product in

its sole discretion. Third-Party Products are governed by terms and conditions provided by the

respective third-party service provider and are separate to this Agreement, and Customer's use of any

Third-Party Products are subject to such separate terms and conditions. Accordingly, Caseware

expressly disclaims responsibility and liability for all Third-Party Products, and Customer agrees that

Caseware shall not be responsible for any loss or damage of any sort incurred as a result of any use of

Third-Party Products.


4. FEES & PAYMENT

4.1 Fees. Customer shall pay Caseware all fees, amounts, and charges (the "Fees") in relation to the

provision of the Caseware Offerings in accordance with the terms of the applicable Order Form. All Fees

are non-cancellable and non-refundable.


4.2 Invoices. Caseware shall issue invoices to Customer relating to the Fees as set out in an applicable

Order Form. Unless otherwise set out in an applicable Order Form all Fees set out in a specific invoice:

(a) will be in Canadian dollars ($CAD); and (b) are due and payable upon receipt of an invoice.

Customer reserves the right to dispute a portion or all of the Fees set out in a particular invoice

reasonably and in good faith, and Customer shall cooperate diligently with Caseware to resolve any

such dispute. Customer may withhold payment of any disputed Fees until such dispute is resolved.


4.3 Delay in Payment. If Customer fails to make any payment for undisputed Fees when due, without

limiting Caseware's other rights and remedies: (a) Caseware may charge interest on the past due

amount at the rate of 2% per month; (b) Customer shall reimburse Caseware for all reasonable costs

incurred by Caseware in collecting any late payments or interest, including legal fees, court costs, and

collection agency fees; and (c) Caseware may suspend Customer access to any portion or all of the

Caseware Offerings in accordance with Section 11.3 of this Agreement.


4.4 Taxes.

All Fees are exclusive of sales, use, consumption, value-added, excise taxes, and any other similar

taxes, duties, and charges of any kind imposed by any federal, provincial, territorial, or local

governmental entity (other than taxes imposed on Caseware's income) (collectively, "Taxes"), which

shall be the responsibility of the Customer. To the extent that any Taxes are payable by Caseware,

Customer agrees to pay to Caseware the amount of such Taxes in addition to any Fees owed under this

Agreement. Notwithstanding the foregoing, Customer may have obtained an exemption from relevant

Taxes as of the time such Taxes are levied or assessed. In that case, Customer agrees to provide

Caseware with any such exemption information, and Caseware will use reasonable efforts to provide

such invoicing documents as may enable Customer to obtain a refund or credit for the amount so paid

from any relevant revenue authority if such a refund or credit is available.

In addition, Customer is responsible to pay all Fees net of any applicable withholding taxes. The Parties

agree to work together to avoid any withholding tax if exemptions, or a reduced treaty withholding

rate, are available. If Caseware qualifies for a tax exemption, or a reduced treaty withholding rate,

Caseware will provide Customer with reasonable documentary proof. Customer agrees to provide

Caseware reasonable evidence that it has paid the relevant authority for the sum withheld or deducted.


4.5 Orders through Caseware Partners. Where Customer purchases any Caseware Offerings through a

Partner the following terms apply:


(i) Customer will pay the Fees for the applicable Caseware Offerings directly to the Partner or to

Caseware, as directed and agreed between Caseware and the Partner in the Partner Agreement;


(ii) Customer will enter into a Partner Agreement directly with the Partner instead of an Order Form with

Caseware, and the Caseware Partner will submit an Order Form to Caseware on Customer's behalf in

relation to the applicable Caseware Offerings, whereby the Partner is responsible for the accuracy of

any such order as communicated to Caseware;


(iii) To the extent the Customer is entitled to a refund for any Fees, such refund will be provided by the

Partner and not directly by Caseware;


(iv) The terms and conditions of this Agreement shall be incorporated by reference into the Partner

Agreement, and Partner must require Customer to accept these terms. Customer acknowledges that,

notwithstanding its purchase through a Partner, Customer's use of the Caseware Offerings is subject to

this Agreement, and by accessing or using the Caseware Offerings, Customer agrees to be bound by

this Agreement as if Customer had contracted directly with Caseware. A Partner is not authorized to

modify this Agreement or make any promises or commitments on Caseware's behalf without Caseware's

explicit written approval, absent which, Caseware will not be bound by any obligations to Customer

other than as set forth in this Agreement; and


(v) The Fees paid or payable by the Partner to Caseware for Customer's use of the applicable Caseware

Offerings through which it has engaged the Partner will be deemed the amount actually paid or

payable by Customer to Caseware under this Agreement for purposes of calculating the liability cap in

Section 9 (Liability).


4.6 Credit Card Surcharge. To the extent permitted by Applicable Law, Caseware may apply a

surcharge of 2.4% to any payments made by Customer by credit card.


5. CONFIDENTIALITY

5.1 Definition. The term "Confidential Information" means all non-public, confidential, material or

information relating to a Party which is disclosed or made available to a receiving Party (the

"Recipient") by the other Party (the "Discloser") under this Agreement, either orally or in a tangible

form, including but not limited to Customer Data, financial information, business plans, marketing

materials and strategies, and any other information regarding the foregoing that Discloser provides to

the Recipient hereunder.


5.2 Exclusion. Confidential Information shall not include information that the Recipient can establish:


(i) was publicly known and made generally available in the public domain prior to the time of disclosure

by the Discloser;


(ii) is independently developed by the Recipient without use of or reference to the Discloser's

Confidential Information;


(iii) is already in the possession of the Recipient at the time of disclosure by the Discloser as shown by

the Recipient's files and records immediately prior to the time of disclosure;


(iv) is obtained by the Recipient from a third-party lawfully in possession of such information and

without a breach of such third-party's obligations of confidentiality; or


(v) becomes publicly known and made generally available after disclosure by the Discloser to Recipient

through no action or inaction of the Recipient.

5.3 Limited Use. The Recipient agrees to use Confidential Information only during the Term and solely

for purposes of the performance of its obligations, and exercise of its rights, under this Agreement. The

Recipient's obligations with respect to the Confidential Information shall survive for two (2) years

following the expiration or termination of this Agreement, provided that (a) the Recipient's obligations

with respect to any Confidential Information consisting of software or other non-public product

information, whether in source or object code form, shall never expire; and (b) Caseware's obligations

regarding Customer Data shall terminate in accordance with Section 11.5.


5.4 Protection. The Recipient hereby agrees to take all steps reasonably necessary to maintain and

protect Confidential Information in the strictest confidence and for the benefit of the Discloser. Without

limiting the foregoing, the Recipient shall take at least those measures that it takes to protect its own

confidential information of a similar nature, but in no case less than reasonable care. The Recipient will

not at any time, without the express written permission of the Discloser, disclose the Confidential

Information directly or indirectly to any person, except on a "need to know" basis to its Affiliates and its

respective employees, officers, directors, agents, subcontractors, and/or legal and financial advisors

(collectively, the "Representatives"), provided that such Representatives are bound to confidentiality

obligations no less protective of the Discloser than this Section 5 and that the Recipient remains

responsible for compliance by them with the terms of this Section 5.


5.5 Compelled Disclosures. If a Recipient is required by law or in connection with a judicial proceeding

or court order, or a governmental authority to make any disclosure that is prohibited or otherwise

constrained by this Section, the Recipient will provide the Discloser with prompt written notice of such

requirement, where permitted by law, so that the Discloser may seek a protective order or other

appropriate relief. Subject to the foregoing sentence, such Recipient may furnish that portion (and only

that portion) of the Confidential Information that the Recipient is legally compelled or is otherwise

legally required to disclose; provided, however, that the Recipient provides such assistance as the

Discloser may reasonably request in obtaining such order or other relief.


5.6 Return of Materials. All documents and other tangible objects containing or representing

Confidential Information that have been disclosed by the Discloser shall be and remain the property of

the Discloser. At any time upon the written request of the Discloser, Recipient shall promptly (a) return

to the Discloser and/or (b) securely destroy all Confidential Information, except for any information

maintained in connection with any automated electronic backup process of the files of the Recipient.

Notwithstanding the foregoing, a Recipient may retain in the offices of its legal advisor a single archival

copy of any Confidential Information provided by the Discloser under this Agreement, which copy shall

only be used by the Recipient and its legal advisors in connection with the review and enforcement of its

obligations under this Agreement.


6. SECURITY & PRIVACY

6.1 Security. Each Party will maintain appropriate administrative, physical, and technical safeguards for

the protection of the security, confidentiality, and integrity of: (a) in the case of Caseware, the

Customer's Confidential Information, including Customer Data, and (b) in the case of Customer, access

and use of and to the Caseware Offerings and Caseware Confidential Information. These safeguards

will include measures designed to protect against accidental, unauthorized or unlawful destruction, loss,

alteration, disclosure of or access to such information. Caseware’s specific security measures and

practices are described at https://trust.caseware.com, as updated from time to time.


6.2 Privacy. To the extent Caseware collects, uses, stores, handles, discloses, disposes of or otherwise

processes Personal Data (collectively, "Process") in relation to or in connection with this Agreement,

Caseware shall Process Personal Data: (a) solely as permitted under this Agreement and as agreed

upon in writing by the Parties; and (b) in accordance with terms and conditions of Caseware's Data

Processing Agreement made available at www.caseware.com/legal/caseware-data-processing-agreement

as updated from time to time.

7. PROPRIETARY RIGHTS

7.1 Customer Data. As between Customer and Caseware, Caseware acknowledges Customer shall own

all right, title and interest, including all Intellectual Property Rights, in and to the Customer Data, and

such Customer Data is protected as Customer Confidential Information. During the Term, and subject to

the terms and conditions of this Agreement, Customer grants to Caseware a non-exclusive, royalty-free,

fully paid-up, worldwide license to copy, reproduce, modify, develop, access, collect, store and use

the Customer Data as necessary to provide the Caseware Offerings to Customer and Permitted Users

and provide the Customer Outputs.


7.2 Customer Metadata. As between Customer and Caseware, Caseware acknowledges Customer shall

own all right, title and interest, including all Intellectual Property Rights, in and to the Customer

Metadata, and such Customer Metadata is protected as Customer Confidential Information. During the

Term, and subject to the terms and conditions of this Agreement, Customer grants to Caseware a nonexclusive,

royalty-free, fully paid-up, worldwide license to copy, reproduce, modify, develop, access,

collect, store and use the Customer Metadata: (a) as necessary to provide the Caseware Offerings to

Customer and Permitted Users; (b) to generate Aggregated Data; and (c) to create, develop, modify,

update, and train the AI Models, to the extent permitted under Applicable Law, and provide the

Customer Outputs.


7.3 Caseware Offerings, AI Models and Documentation. As between Customer and Caseware,

Customer acknowledges that Caseware shall own all right, title and interest, including all Intellectual

Property Rights, in and related to the Caseware Offerings, AI Models and Documentation, and any

trademarks used in association therewith (and all copies, Enhancements and derivative works in

relation thereto) and, with respect to Third-party Products, the applicable third-party providers own all

right, title, and interest, including all Intellectual Property Rights, in and to the Third-party Products.

Customer agrees not to assert any rights or claim to rights (including any Intellectual Property Rights) in

any Caseware Offerings, AI Models or Documentation, including any copies, Enhancements, and

derivative works in relation thereto. Customer further agrees to refrain from challenging, limiting,

jeopardizing, or interfering with Caseware's ownership of and title in and to all Intellectual Property

Rights relating to all of the foregoing.


7.4 Aggregated Data. Notwithstanding anything to the contrary in this Agreement, Caseware may

collect and compile Aggregated Data derived or developed from: (a) Caseware's monitoring of

Customer and its Permitted Users use of the Caseware Offerings; or (b) Customer Metadata.

Aggregated Data shall not contain any Personal Data and does not in any way identify Customer or any

Permitted User, or include any identifiable Subscriber Data or Personal Data. As between Caseware and

Customer, all right, title, and interest, including all Intellectual Property Rights, in Aggregated Data vest

in Caseware upon creation and are retained solely by Caseware. Customer agrees that Caseware may

use Aggregated Data to the extent and in any manner permitted under Applicable Law, including to

develop, optimize, benchmark, or measure the Products or Services, for research, marketing, analytical

and informational purposes related to the Products or Services, and to develop, train, improve and

optimize AI Models.


7.5 Customer Outputs. As between Customer and Caseware, any reports, results, data, research,

materials or other information generated by or resulting from use of the Subscriber Data or Customer

Metadata with the Caseware Offerings, including those derived or outputted from the use of the AI

Models (collectively, "Customer Outputs"), together with all Intellectual Property Rights therein, will vest

in Customer upon final payment of the Fees. To the extent any Customer Outputs are derived from or

incorporate Third-Party Products or third-party intellectual property licensed to Caseware, Customer's

rights in such Customer Outputs are subject to the terms and restrictions of the applicable third-party

licenses. To the extent any such intellectual property and proprietary rights vest in Caseware upon

creation of the Customer Outputs, Caseware hereby assigns and transfers and agrees to assign and

transfer and to cause any employee, affiliate or contractor to assign and transfer to Customer all such

right, title and interest worldwide, including all Intellectual Property Rights, in such Customer Outputs,

and shall cause each of its employees, affiliates and contractors to waive their respective moral rights

in and to the works comprised in such Customer Outputs. For clarity, Caseware shall not use Customer

Outputs to train or improve AI Models. Caseware may use performance data, usage metrics, and

benchmarking information derived from Customer's use of the Services, provided such data is

anonymized and does not identify Customer or any Permitted User. During the Term, Caseware will

have a limited, royalty free, paid up, non-exclusive, license to use, modify and access the Customer

Outputs to perform its obligations under this Agreement. Customer acknowledges that AI-generated

outputs may contain inaccuracies or hallucinations and are provided 'as is' without warranty. Such

outputs shall not be considered defects under this Agreement. Notwithstanding the foregoing,

Caseware: (a) expressly disclaims and provides no representations, warranties or covenants in relation

to the Customer Outputs, or use thereof, including any and all implied warranties and conditions of

fitness for a particular purpose, merchantability, non-infringement, title, completeness or accuracy; and

(b) Caseware will have no liability or indemnification obligations for any loss, harm, damage or claim

arising out of or in connection with the Customer Outputs, except for that caused by the gross

negligence or wilful misconduct of Caseware.


7.6 AI Use Policy. Caseware's practices regarding the use of AI Models, including training data sources,

model development, and data processing practices, are described in Caseware's AI Use Policy, available

at www.caseware.com/legal/caseware-ai-use-policy, as updated from time to time. To the extent of

any conflict between this Agreement and the AI Use Policy, this Agreement shall control.


7.7 API Usage Policy. Caseware's practices and requirements regarding the use of its application

programming interfaces (APIs), including permitted uses, credential management, rate limits, third-party

developer requirements, and prohibited uses, are described in Caseware's API Usage Policy,

available at www.caseware.com/legal/caseware-api-use-policy, as updated from time to time. To the

extent of any conflict between this Agreement and the API Usage Policy, this Agreement shall control.


7.8 Know-How. With the exception of Customer's Confidential Information and any Personal Data,

Caseware and its personnel may use and disclose their general skills, knowledge, experience and knowhow,

including, without limitation, general processes, concepts, methods, methodologies, techniques,

ideas and other residual information gained or learned in the provision of the Caseware Offerings.


7.9 Feedback. Customer may provide feedback, suggestions, recommendations, and corrections to

Caseware about the Caseware Offerings, Documentation or otherwise in connection the Agreement,

including but not limited to by responding to surveys and questionnaires or derived through the use of

AI Models or development of the Customer Outputs (collectively, "Feedback"). Customer grants to

Caseware and its Affiliates a worldwide, perpetual, irrevocable, royalty-free, transferable,

sublicensable (through multiple tiers) license to use the Feedback without restriction and without

obligation, acknowledgement or compensation to Customer, including to incorporate the Feedback into

the Products and Services or develop new Products and Services, provided that use of the Feedback

shall not identify Customer or any Permitted User without the prior written consent of Customer.


8. INDEMNIFICATION

8.1 Indemnity. To the extent permitted by Applicable Law, the Indemnitor agrees to indemnify the

Indemnitee and its officers, directors, employees, permitted assignees and agents from and against any

third-party claims, liabilities, damages, losses and expenses, including reasonable legal expenses,

arising out of or in connection with a claim that, the Caseware Offerings (in the case of Caseware), or

the Customer Data or Customer Outputs (in the case of Customer), or use thereof, infringe,

misappropriate or violate a third-party's Intellectual Property Rights. If such a claim is brought by or

appears possible, the Indemnitee agrees to permit the Indemnitor, at its sole discretion, to: (a) obtain a

right for the Indemnitee to continue using the allegedly infringing component or part; (b) modify the

allegedly infringing component or part so they become non-infringing; or (c) terminate the applicable

Order Form and refund the unused portion of any prepaid Fees received by Caseware from Customer in

relation to the infringing component or part. For Products licensed on a perpetual basis, such refund

shall be based on the unamortized or unexpensed portion of the purchase price allocated to that

portion of the Product, based on a three-year straight-line amortization. Notwithstanding the

foregoing, Caseware shall not be liable for infringement claims arising from Customer's use of the

Caseware Offerings in combination with unauthorized data, software, or configurations.


8.2 Indemnification Process. The Indemnitor's obligations in this Section 8 are subject to the following:


(i) the Indemnitee notifying the Indemnitor in writing promptly upon the Indemnitee becoming aware of

a claim under this Section; provided, however, that the failure to provide such notice within a

reasonable period of time shall not relieve the Indemnitor of any of its obligations hereunder except to

the extent the Indemnitor is prejudiced by such failure;

(ii) the Indemnitee not making any admission or statement against the Indemnitor's interest, including

entering into a settlement agreement (other than for monetary amounts which do not require any

admission of guilt or the assumption of any other obligation by the Indemnitee), without the

Indemnitor's prior written consent;


(iii) the Indemnitee providing reasonable assistance to the Indemnitor in connection with the defense,

litigation or settlement by the Indemnitor of the claim at the Indemnitor's cost for any out-of-pocket

expenses of the Indemnitee; and


(iv) the Indemnitor's sole control over the defense, litigation, and settlement of any claim, including the

legal counsel at the Indemnitor's expense.

9. LIABILITY

9.1 Exclusion of Liability. Except for Customer's payment of Fees under this Agreement or an applicable

Order Form and to the maximum extent permitted by Applicable Law, in no event will either Party be

liable for loss of or damage to data, lost revenue, lost profits, lost savings, damage to reputation,

business interruption, downtime costs or any indirect, incidental, consequential, special, punitive,

exemplary or any similar type of damages arising out of or in any way related to this Agreement under

any theory of liability, whether in contract, tort (including negligence), indemnity, strict liability or

otherwise, even if advised of the possibility of such damages or such losses were otherwise foreseeable.


9.2 Limitation of Liability. In no event shall Caseware's total liability to Customer for all claims arising

out of or as a result of this Agreement under any theory of liability, whether in contract, tort (including

negligence), indemnity, strict liability or otherwise, exceed the total amount of fees paid by Customer to

Caseware in the twelve (12) month period preceding the claim or action.


10. DISCLAIMER

EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT (INCLUDING THE SCHEDULES) AND ANY

APPLICABLE ORDER FORMS, AND TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW,

CASEWARE EXCLUDES ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR

OTHERWISE. CASEWARE SPECIFICALLY DISCLAIMS ALL EXPRESS OR IMPLIED WARRANTIES OF

DESIGN, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUALITY AND

NONINFRINGEMENT, THAT THE CASEWARE OFFERINGS, DOCUMENTATION, AI MODELS OR

CUSTOMER OUTPUTS WILL MEET CUSTOMER'S OR ANY OTHER PERSON'S REQUIREMENTS, OR THAT

THE CASEWARE OFFERINGS, DOCUMENTATION, AI MODELS OR CUSTOMER OUTPUTS WILL ALWAYS

BE AVAILABLE, ACCESSIBLE, UNINTERRUPTED, TIMELY, SECURE, ACCURATE, LEGAL, RELIABLE,

COMPLETE, ERROR-FREE OR FREE OF VIRUSES. NO ADVICE OR INFORMATION, WHETHER ORAL OR

WRITTEN, OBTAINED FROM CASEWARE, ITS AFFILIATES OR ELSEWHERE IN RELATION TO THE

CASEWARE OFFERINGS OR THIS AGREEMENT WILL CREATE ANY WARRANTY OR CONDITION NOT

EXPRESSLY STATED IN THIS AGREEMENT. EXCEPT AS OTHERWISE SET FORTH IN THIS AGREEMENT,

THE CASEWARE OFFERINGS, DOCUMENTATION, AND AI MODELS ARE PROVIDED ON AN "AS IS" AND

"AS AVAILABLE" BASIS. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING THE FAILURE OF AN

ESSENTIAL PURPOSE OF ANY LIMITED REMEDY PROVIDED HEREIN. CASEWARE DISCLAIMS ANY AND

ALL RESPONSIBILITY OR LIABILITY IN RELATION TO THE CONTENT GENERATED OR OTHERWISE MADE

AVAILABLE THROUGH THE CASEWARE OFFERINGS OR USE THEREOF, INCLUDING BUT NOT LIMITED

TO THE CUSTOMER OUTPUTS. CASEWARE MAKES NO WARRANTY OF ANY KIND AND DISCLAIMS ANY

AND ALL REPRESENTATIONS, WARRANTIES OR DISCLAIMERS IN RELATION TO ANY THIRD-PARTY

PRODUCTS, CUSTOMER DATA, OR DATA STORAGE OR HOSTING PROVIDER USED IN CONJUNCTION

WITH THE CASEWARE OFFERINGS. CASEWARE DOES NOT GUARANTEE UNINTERRUPTED

AVAILABILITY OF THE CASEWARE OFFERINGS AND MAY PERFORM SCHEDULED OR EMERGENCY

MAINTENANCE AS NEEDED.


CUSTOMER ACKNOWLEDGES AND UNDERSTANDS THAT THE CASEWARE OFFERINGS, OR USE

THEREOF, ARE INTENDED AS A TOOL TO ASSIST THE CUSTOMER, IN PERFORMING THEIR

PROFESSIONAL SERVICES AND ARE IN NO WAY INTENDED TO REPLACE THE ROLE OF ANY

PROFESSIONAL FINANCIAL, ACCOUNTING, AUDITING AND/OR LEGAL ADVICE. CUSTOMER REMAINS

SOLELY RESPONSIBLE FOR ALL PROFESSIONAL JUDGMENTS, DECISIONS, AND ADVICE PROVIDED TO

ITS CLIENTS OR STAKEHOLDERS.

11. TERM & TERMINATION

11.1 Term.

The term of this Agreement commences on the Effective Date and continues for the initial period set out

in the initial Order Form (the "Initial Term") unless this Agreement is terminated earlier in accordance

with this Section 11.


Upon the expiration of the Initial Term, and unless otherwise specified in the Order Form, this

Agreement shall automatically renew for an additional twelve (12) month period.


For any Renewal Term(s), the terms and conditions of this Agreement during each such Renewal Term

shall be the same as the terms and conditions in effect immediately prior to such renewal, subject to

any change in the Fees payable hereunder by Customer during the applicable Renewal Term in

accordance with any applicable Order Form. If Customer declines the automatic renewal feature and

payment is not received by Caseware within ten (10) days of expiry of the then current term, Caseware

may consider the account to be overdue and Caseware may pursue the remedies in Section 4.3 and 11.3

of this Agreement.


In the event of termination of this Agreement, any Order Form then in-effect shall continue in force and

shall continue to be subject to the terms of this Agreement until such Order Form terminates or expires

in accordance with its terms.


11.2 Termination for Cause. Either Party may terminate this Agreement (including all or some of the

Order Forms):


(i) immediately upon notice if the other Party materially breaches any of its material obligations

hereunder and fails to cure such breach within 30 calendar days following written notice; or


(ii) immediately upon notice in the event of the suspension of business, insolvency, institution of

bankruptcy or liquidation proceedings by or against the other Party.


11.3 Suspension. In addition to the foregoing, Caseware may suspend or terminate this Agreement and

any Order Form and the rights granted thereunder without prejudice to enforcement of any other legal

right or remedy, immediately upon giving written notice of such termination:


(i) if Customer is in breach of its payment obligations and fails to cure such breach within 10 calendar

days following Caseware's written notice;


(ii) if Customer breaches its obligations under Sections 2.5 (Use Restrictions), 3.3 (Customer Data) or 5

(Confidentiality);


(iii) if Caseware has reason to believe that Customer is using the Products and Services for any

improper or unlawful purpose; or


(iv) if Customer's continued use of the Services may result in harm to Services, or to other users.


11.4 Effect of Termination. Upon termination or expiration of this Agreement Customer shall cease to

access and use the Caseware Offerings and all rights of Customer under the Agreement and any

applicable Order Form will terminate. If this Agreement is terminated by Customer in accordance with

Section 11.2, Caseware will refund Customer a prorated amount of the Fees paid by Customer to

Caseware for the Caseware Offerings for remainder of the Term. If this Agreement is terminated by

Caseware in accordance with Section 11.2 or 11.3, Customer will pay Caseware any unpaid Fees for the

remainder of the Term. Except where an exclusive remedy may be specified in this Agreement, the

exercise by either Party of any remedy, including termination, will be without prejudice to any other

remedies it may have under this Agreement, by law, or otherwise.

11.5 Offboarding. Upon request by Customer made within 30 calendar days after the effective date of

termination or expiration of this Agreement, Caseware will make available to Customer (a) Subscriber

Data for export or download, and (b) Caseware's offboarding tools, including processes to assist

Customer with the foregoing exportation process. After such a 30-day period, Caseware will have no

obligation to maintain or provide any Subscriber Data, or, to the extent applicable, any Customer Data,

to Customer and will thereafter delete or destroy all copies of Customer Data in its systems or otherwise

in its possession or control, unless legally prohibited.


11.6 Survival. Except as otherwise agreed to by the Parties in writing, Sections 3 (Customer

Responsibilities), 4 (Fees & Payment), 5 (Confidentiality), 6 (Security & Privacy), 7 (Proprietary Rights),

8 (Indemnification), 9 (Liability), 10 (Disclaimer), 11.4 (Effect of Termination), 11.5 (Offboarding), and 12.1

(Notice), 12.5 (Equitable Relief), 12.6 (Waiver), 12.10 (Anti-Corruption), 12.11 (Export Controls), and

12.12 (Amendments) shall survive the expiration or termination of this Agreement.


12. MISCELLANEOUS

12.1 Notice. All notices and other information to be given by one of the Parties to the other shall be

given by hand delivery or e-mail to the other Party. For Caseware, all notices should be sent to the

Customer's account representative, with a copy of such notice to legal@caseware.com. For Customer,

all notices will be sent to the mailing and/or email address Customer provides to Caseware for the

Order Form. Notices sent by e-mail shall be deemed to have been received by the Party to whom it was

addressed on the date of transmission or receipt, or if sent on a day that is not a business day or after

normal business hours, on the first business day following transmission or receipt. Notices sent by hand

delivery shall be deemed to have been received on the date of delivery. Any notice of change of

address by a Party shall be effective only upon receipt of a notice provided to the other Party in

accordance with the provisions of this Section 12.1.


12.2 Entire Agreement. This Agreement, together with any other documents incorporated herein by

reference and all related Schedules and Order Forms, constitutes the sole and entire agreement of the

Parties with respect to the subject matter of this Agreement. Except where the Parties enter into a

written agreement expressly stating that said written agreement supersedes all other agreements

(including this Agreement), this Agreement supersedes all prior and contemporaneous understandings,

agreements, and representations and warranties, both written and oral, with respect to such subject

matter, including any proposals, price quotes, purchase orders, click-wrap agreements, or nondisclosure

agreements. In the event of any conflict or inconsistency among the following documents, the

order of precedence shall be (1) the applicable Order Form, (2) any exhibit, schedule or addendum to

this Agreement, and (3) the body of this Agreement. Titles and headings of sections of this Agreement

are for convenience only and shall not affect the construction of any provision of this Agreement.


12.3 Relationship. The Parties agree that Caseware and Customer are independent entities, and that no

other relationship is intended, including but not limited to a partnership, joint venture or agency

relationship. Neither Party will have the authority or right to represent nor obligate the other Party in

any way except as expressly authorized by this Agreement.


12.4 Governing Law and Choice of Forum. This Agreement shall be governed by and construed and

enforced in accordance with the laws of the jurisdiction set out in the table below, unless otherwise

specified in the applicable Order Form and the Parties hereto submit to the exclusive jurisdiction of the

courts of such jurisdiction. Where the Order Form does not set out a specific jurisdiction, this Agreement

shall be governed by and construed and enforced in accordance with the laws in force in the Province of

Ontario and the federal laws of Canada applicable therein and the Parties hereto agree to submit to

the exclusive jurisdiction of the courts of the Province of Ontario.

Caseware Affiliate Identified on the Order Form Governing Law and Choice of Forum

Caseware International Inc. Province of Ontario, Canada

Caseware USA Inc. State of New York, U.S.A.

Caseware Nederland B.V. Netherlands

Caseware UK Limited England and Wales

Caseware Germany GmbH Germany

Caseware Australia Pty Ltd. Australia


12.5 Equitable Relief. Each Party acknowledges and agrees that a breach or threatened breach by such

Party of any of its obligations under Section 5 or, in the case of Customer, Section 2.5 or Section 3,

would cause the other Party irreparable harm for which monetary damages would not be an adequate

remedy and agrees that, in the event of such breach or threatened breach, the other Party will be

entitled to equitable relief, including a restraining order, an injunction, specific performance, and any

other relief that may be available from any court, without any requirement to post a bond or other

security, or to prove actual damages or that monetary damages are not an adequate remedy. Such

remedies are not exclusive and are in addition to all other remedies that may be available at law, in

equity or otherwise.

12.6 Waiver. The waiver by either Party of a breach or default of any provision of this Agreement by the

other Party shall not be effective unless in writing and shall not be construed as a waiver of any

succeeding breach of the same or of any other provision. Nor shall any delay or omission on the part of

either Party to exercise or avail itself of any right, power or privilege by such Party shall constitute a

waiver.

12.7 Assignment. Customer may not assign this Agreement or any of its rights or obligations in relation

thereto, in whole or in part, without the prior written consent of Caseware, such consent not to be

unreasonably withheld. Any attempt by Customer to assign any of the rights of this Agreement or any

Order Form without such prior written consent is void.

12.8 Force Majeure. Except for payment obligations, neither Party shall be liable for any delay or failure

to perform its obligations in this Agreement attributable to circumstances beyond its reasonable

control, such as acts of God, fire, pandemic, natural disaster, terrorism, labour stoppage, Internet

service provider or system failures or delays, civil unrest, war or military hostilities, or criminal acts of

third-parties (each a "Force Majeure Event"). Any Party claiming a Force Majeure Event shall use

reasonable diligence to remove the condition that prevents performance and shall not be entitled to

suspend the performance of its obligations in any greater scope or for any longer duration than is

required by the Force Majeure Event. Each Party shall use its commercially reasonable efforts to

mitigate the effects of such Force Majeure Event, remedy its inability to perform, and resume full

performance of its obligations hereunder, provided, however, that in the event the Force Majeure Event

continues for thirty (30) days after the date of the occurrence, and such failure to perform would

constitute a material breach of this Agreement in the absence of such force majeure, either Party may

terminate this Agreement pursuant by written notice to the other Party and in accordance with Section

11.2 of this Agreement.

12.9 Severability. Wherever possible, each provision of this Agreement may be interpreted in such a

manner as to be effective and valid under Applicable Law, but if any provision of this Agreement is held

to be prohibited or invalid under Applicable Law, such provision will be ineffective only to the extent to

such prohibition or invalidity, without invalidating the remainder of such provision or the remaining

provisions of this Agreement.

12.10 Anti-Corruption. Neither Party has received or been offered any illegal or improper bribe,

kickback, payment, gift, or thing of value from an employee or agent of the other Party in connection

with this Agreement. Reasonable gifts and entertainment provided in the ordinary course of business

do not violate the above restriction.

12.11 Export Controls. This Agreement is expressly made subject to any laws, regulations, orders, or

other restrictions on export from Canada or the United States of America (U.S.) of the Caseware

Offerings, or any information about any of them, which may be imposed from time to time by the

governments of Canada or the U.S. Customer shall not export the Caseware Offerings, or any

information about any of them without the prior written consent of Caseware and compliance with such

laws, regulations, orders, and other restrictions. Customer represents and warrants that (a) it is not

located in a country that is subject to a Canadian or U.S. government embargo, or that has been

designated by the Canadian or U.S. government as a "terrorist supporting" country; and (b) it is not

listed on any Canadian or U.S. government list of prohibited or restricted parties.


12.12 Amendments and Modifications. No amendment to or modification of this Agreement is effective

unless it is in writing and signed by an authorized representative of each party.


12.13 Language. This Agreement may be translated into other languages for Customer convenience. In

the event of any conflict or inconsistency between the English version and any translated version, the

English language version shall prevail.

IN WITNESS WHEREOF, the Parties have caused this Agreement to be executed by their duly authorized

representatives.

Caseware

By: _______________________________

Name: ______________________________

Title: _______________________________

Date: _______________________________

Customer

By: ________________________________

Name: ______________________________

Title: _______________________________

Date: _______________________________

SCHEDULE 1 - DEFINITIONS

1. Definitions

In the Agreement, the following terms shall have the following meanings:

"Affiliate" means an entity which, directly or indirectly, owns or controls, is owned or is controlled by or

is under common ownership or control with a Party, where "control" means the power to direct the

management or affairs of an entity, and "ownership" means the beneficial ownership of greater than

50% of the voting equity securities or other equivalent voting interests of the entity;

"Aggregated Data" means data and information related to Customer's use of the Caseware Offerings

or derived from the Customer Metadata that is aggregated and anonymized and in no way identifies

Customer or any Permitted User and does not contain any Personal Data or Subscriber Data in

identifiable form.

"AI Models" means the artificial intelligence models, machine learning and large language models,

weighting systems, algorithms, decision trees, specifications, parameters, methods, methodologies,

techniques, procedures and processes used, licensed or created by Caseware and integrated within the

Caseware Offerings.

"Applicable Law" means all applicable federal, provincial, state, territorial, regional or municipal laws,

regulations, common law, orders, rules or by-laws that are applicable to this Agreement and the

Parties' obligations under this Agreement during the term of this Agreement;

“Beta Services" means any products, services, features, or functionality that Caseware makes available

to Customer on a trial, pilot, beta, or evaluation basis, which are identified as such in an Order Form or

in the Services interface.

“Customer Affiliate" means an Affiliate of Customer that is authorized to use the Caseware Offerings

pursuant to an Order Form.

"Caseware Offerings" means those Products and/or Services and/or PS that are identified in an Order

Form provided to Customer by Caseware;

"Customer Data" means information, data, materials, works, expressions, and other content, in any

form or medium, that are uploaded, submitted, posted, transferred, transmitted, or otherwise provided

or made available by or on behalf of Customer for use with the Caseware Offerings, and includes

Subscriber Data and Customer Metadata.

"Customer Metadata" means data or information generated by or relating to Customer's or any

Permitted User's configuration, usage, access logs, preferences, technical settings, environment

variables, or interactions with the Caseware Offerings, which does not in itself identify Customer, any

Permitted User, or contain any Subscriber Data in identifiable form or any Personal Data.

"Documentation" means (a) operating instructions for the Services, as made available by Caseware, as

may be updated from time to time; and/or (b) the end user manuals governing the Products (in printed

or electronic format) provided by Caseware, as modified from time to time by a Caseware;

"Enhancement" means any enhancement, update, modification, change, or improvement to the

Caseware Offerings, other than the correction of bugs or errors acknowledged by Caseware.

"Indemnitee" means the Party that has made a claim against the other Party as contemplated in

Section 8;

"Indemnitor" means the Party that has received a claim from the other Party as contemplated in Section

8 and is required under Section 8 to indemnify the Indemnitee;

"Intellectual Property Rights" means all worldwide rights associated with utility and design patents, and

patent applications, including any divisions, continuations, continuations-in-part, reissues and re

examinations thereof, works of authorship, derivative works, trade secrets, know-how, proprietary

information, technical data, inventions, processes, materials, software, improvements, derivatives, and

developments, whether or not patentable or copyrightable and regardless of whether such rights arise

under the laws of Canada, the United States or any country or jurisdiction;

"Licensed CPU" means a central processing unit controlled by the Customer in a multiple-user

environment accessed by means of a modem, a network, or other means of remote access and/or on a

single standalone computer;

"Order Form" means the ordering document prepared by Caseware with an itemized bill of Caseware

Offerings to be provided by Caseware to Customer, and applicable Fees to be paid by Customer and

with respect to PS, also means a Statement of Work;

"Partner" means an authorized reseller or distributor of Caseware that Caseware has authorized to sell

or resell Caseware Offerings;

"Partner Agreement" means the agreement entered into between a Partner and Customer in relation to

Caseware Offerings that Partner is authorized to sell on Caseware's behalf;

"Party" means either Caseware or Customer individually, and "Parties" shall mean both Caseware and

Customer collectively;

"Permitted User" means those individuals associated with Customer who are authorized by Customer to

access and use the Caseware Offerings pursuant to the terms of this Agreement, up to the maximum

number of users or licenses specified in an applicable Order Form;

"Personal Data" means any information about an identifiable individual or any information that is

otherwise subject to Applicable Laws relating to data protection and privacy;

“PS” means those professional services (including e-learning training services) provided to Customer by

Caseware that are identified in an Order Form or Statement of Work;

"Products" means those desktop software products provided to Customer by Caseware that are

identified in an Order Form, as modified or supplemented by an Enhancement or other modification

received from Caseware;

"Renewal Term" means any subsequent extension or renewal of the term for which this Agreement or

use of the Caseware Offerings applies for a period of twelve (12) months, unless otherwise indicated in

an applicable Order Form.

"Services" means those software solutions, including the provision of storage, software, platform,

computing services or other resources provided to Customer by Caseware as software as a service, and

may include professional services such as implementation, training, and consulting services, during the

Services Subscription Term and that are identified in an Order Form;

"Services Subscription Term" means the applicable term the Services are to be provided by Caseware,

as specified on an Order Form;

“Statement of Work” means the ordering document prepared by Caseware which identifies the details

of the PS to be provided to Customer by Caseware and applicable Fees to be paid by Customer;


"Subscriber Data" means data input by a Permitted User into the Services, or data prepared for the

Customer by the Services;

"Template" means the portion of a Program comprised of either (a) a sample of text, format and/or

layout for presentation and explanation of data that has been processed by a Program and/or

disclosure of related information or (b) a work aid, such as a check list or sample letter; and


"Term" means the Initial Term and any applicable Renewal Term(s).


"Third-Party Products" means any third-party products and software described in the applicable Order

Form or otherwise incorporated into the Caseware Offerings.

SCHEDULE 2 – PRODUCT-SPECIFIC TERMS

1. Use of Products

1.1 License. Upon the execution of an Order Form for Products and subject to the payment of the

applicable Fees and compliance with the terms of this Agreement, Caseware grants to the Customer a

revocable, royalty-free, limited, non-exclusive, non-transferable license to use the Products identified

on the Order Form (the "License") for the number of Permitted Users set out in the Order Form.

1.2 Rights of Use. Pursuant to the License, Customer may:

(i) make for use by means of one (1) or more Licensed CPUs, one (1) or more copies of the Product(s) for

the Permitted User(s), provided that each such copy must contain all proprietary notices that appear on

the Products;

(ii) make one (1) copy of a Product for backup or archival purposes, provided that such copy must

contain all proprietary notices that appear on the Products;

(iii) use the Documentation to assist Permitted User(s) to understand how to install, and operate the

Products; and

(iv) make a copy of the Documentation for use by each Permitted User.

1.3. Assignment of Licenses. Except where a License is assigned from one Licensed CPU to another for

use by the same Permitted User, or in the event a Permitted User is not longer employed by or

contracted to the Customer and the License is reassigned to a new employee or contractor to the

Customer, the License granted hereunder is personal to each Permitted User, and may not be assigned,

transferred, sublicensed or encumbered without the express written consent of Caseware.

1.4 License Activation. Use of a Product may require activation and registration by a Permitted User.

Where use of a License requires registration, Caseware shall provide a unique identification key that a

Permitted User will use to validate its License on Caseware's website.

1.5 Excess Permitted Users. If at any time during the Licensed Term the aggregate number of Permitted

Users exceeds the number of Permitted Users set out in the applicable Order Form, Customer shall

immediately advise Caseware of same in writing and pay Caseware's then prevailing license fee for

each excess Permitted User and thereafter the number of Permitted Users shall be increased by such

excess number.

2. Duration of License

2.1 License Term. Customer will have the right to use the License for the term set out in the Order Form

(the "License Term") and any renewal of the License Term.

3. Use of Products and Templates

3.1 Customer acknowledges that:

(i) Templates may only be used to gather, select, and prepare data for processing by a Program and to

present data that has been processed by a Program;


(ii) Templates may not be distributed to a third-party as a standalone work;


(iii) any sample presentation, documents, letters, and disclosures presented by the Product or

Documentation are only samples or examples and are not complete nor comprehensive;


(iv) neither the Products nor Documentation are a substitute for materials, methods or processes

required by Applicable Law, practice guidelines or as an alternative to the Permitted User's judgement;

(v) information retrieved from a Template or the Products are provided on an "as is" basis with no

guarantee of completeness, accuracy and timeliness and it is the Permitted User's responsibility to

ensure the accuracy of the results obtained from the use of reliance upon this information;


(vi) it is the Customer's responsibility to ensure that appropriate disclosures are made, and applicable

standards are met in a manner that meets the requirements of a particular jurisdiction; and


(vii) the License does not grant to Customer any right to (i) receive an Enhancement; (ii) any Templates;

or (iii) use the trademark "Caseware" or any other trademark owned or licensed by Caseware without

Caseware's prior written approval.


4. Enhancements and Support

4.1 Updates. During the License Term, Caseware may develop Enhancements to the Products, and will

use commercially reasonable efforts to make such Enhancements available to Customer and its

Permitted Users when they become commercially available. It is a Permitted User's responsibility to

download and update the Product when an Enhancement is made available by Caseware. Customer

acknowledges that a failure to download or an Enhancement may affect the functionality of the

Product. Customer further acknowledges that Caseware may cease support of any previous version of a

Product 1 year after an Enhancement is made available.


4.2 Support. During the License Term, Caseware will use commercially reasonable efforts to provide

Customer with technical support and customer service for the Products as set out at Caseware’s

Support Website at www.caseware.com/legal/caseware-support-website and in accordance with

Caseware’s Support Policy, available at www.caseware.com/legal/support-policy, as updated from

time to time. Caseware typically supports only the current shipping version and one prior version of

each Product. Support services, including new features, enhancements, patch releases, hotfixes, and

technical assistance, will only be provided for supported versions. Customer is responsible for

upgrading to a supported version to continue receiving support services.

5. Product Warranty

5.1 Warranty. Upon commencement of the License Term and for a period of thirty (30) days thereafter,

all Products, will be free from material defects, free from material errors, free from all known viruses (as

identified using commercially reasonable steps and antivirus software) and will perform materially in

accordance with the Documentation.


5.2 Exceptions. The foregoing warranty shall not apply to (a) any modification made to the Products by

any Party other than Caseware or its authorized agents; (b) the use of the Products in a manner other

than as contemplated in this Agreement or the Documentation; or (c) the failure by Customer to report

a warranty claim within the warranty period specified set out above.


5.3 Remedy. Caseware's sole responsibility for a valid warranty claim of the warranty provided in this

Section 5 shall be, in Caseware's sole discretion, to (a) advise Customer how to achieve substantially

the same functionality with the Products as described in the Documentation through a procedure

different from that set forth in the Documentation; (b) use commercially reasonable efforts to develop a

solution or workaround to make the non-conforming Product functional to comply with the warranty set

out in Section 5.1; or (c) terminate the applicable Order Form, and/or this Agreement, and refund a

prorated amount of the Fees for that particular Product paid by Customer for the calendar month in

which Caseware receives written notice of the warranty claim. For greater certainty, Customer Outputs,

including hallucinations or inaccuracies, shall not be considered defects under this warranty.

SCHEDULE 3 - SERVICE-SPECIFIC TERMS

1. Provision of Services


1.1 License to Services. Upon the execution of an Order Form for certain Services and subject to

Customer's payment of the applicable Fees and continued compliance with the terms and conditions of

this Agreement, Caseware grants a license to Customer and its Permitted Users to access to and use of

those specific Services on a limited, non-exclusive, non-transferable, non-assignable and nonsublicensable

basis for the applicable Services Subscription Term identified in the Order Form.


1.2 Rights of Use. The Services may be accessed and used by Permitted Users by way of the internet

from a computing device in a manner described in the Documentation for the language version

selected. Each Permitted User shall register with Caseware to obtain valid credentials (user ID and

password) for accessing the Services.


2. Duration of Services

2.1 Services Subscription Terms. Customer will have the right to use the Service for the Services

Subscription Term set out in the Order Form for each applicable Service, and the Order Form shall

govern any renewal of the Services Subscription Term, unless terminated earlier in accordance with this

Agreement.


3. Support Services & Maintenance


3.1 Service Level Agreement. During the Services Subscription Term, Caseware will use commercially

reasonable efforts to provide the Support Services and meet the services levels set out in the Caseware

Service Level Agreement www.caseware.com/legal/caseware-service-level-agreement as updated and

amended from time to time (the "SLA").


3.2 Remedies. The remedies set out in the SLA are Customer's sole remedy and Caseware's sole

obligation for any failure to meet any service levels relating to service availability or support response

times set out in the SLA.


3.3 Maintenance. From time to time, it will be necessary for Caseware to perform maintenance on the

Services, including routine maintenance to ensure the continued provision of the Services. Caseware

shall use reasonable efforts to perform such maintenance at such times to minimize the impact of any

downtime of its Software on the Customer. To the extent Caseware is able, Caseware shall notify

Customer in advance of any scheduled maintenance by posting a message on its website or by sending

an email to the designated Customer representative of the scheduled maintenance time and the

anticipated duration of such maintenance. In instances where Caseware must perform emergency

maintenance, including to address Security Events, Caseware shall use commercially reasonable efforts

to notify Customer as soon as reasonably practicable.

SCHEDULE 4 - PS-SPECIFIC TERMS

1. Provision of PS

1.1 License to PS. Upon the execution of an Order Form for PS and subject to Customer's payment of the

applicable Fees and continued compliance with the terms and conditions of this Agreement, Caseware

grants a license to Customer and its Permitted Users to access to and use of results of the PS and

related deliverables on a limited, royalty-free, non-exclusive, non-transferable, non-assignable and

non-sublicensable basis for the applicable Caseware Offerings identified in the Order Form.


1.2 Assumptions, Dependencies and Responsibilities. The Order Form shall identify assumptions,

dependencies and responsibilities of both Customer and Caseware. Customer acknowledges that any

delay or non-compliance of these terms by Customer may result in delays or extra time and costs in the

delivery of the PS by Caseware. Any such delay or extra costs shall be agreed between the Parties and

documented with a change order prior to Caseware performing the PS.


1.3 Change Orders. Any changes to an Order Form must be mutually agreed by the Parties in writing

via a change order.


1.4 Deliverables. Details of deliverables shall be identified in the Order Form.


1.5 Fees. Unless otherwise specified in the Order Form, all PS shall be performed on a fixed fee basis.

Where the Order Form specifies an estimate for PS based on hourly work, Caseware shall not exceed

the estimated hours of PS service without the written consent of Customer via a Change Order.

Caseware may suspend performance of PS services where any Fees are past due by more than 15 days.

Out of pocket expenses, if any, in addition to the PS Fees, shall be pre-approved by the Customer and

invoiced as they occur.


2. Duration of PSs

2.1 License Term. Customer will have the right to use the results of the PS and related deliverables for

the License Term of the related Product and for the Services Subscription Term for the related Services,

as the case may be, unless terminated earlier in accordance with this Agreement.


3. Learning Services. The terms of the learning services are set out on Caseware's website at

www.caseware.com/legal, as may be updated from time to time.


4. PS Warranty

4.1 Warranty. For a period of thirty (30) days from the completion of the PS, the PS will be performed in

a professional manner using qualified and experienced personnel familiar with the Caseware Products

and Services. Any warranty claims must be reported in writing to Caseware within such time period.


4.2 Exceptions. The foregoing warranty shall not apply where any change, additional, deletion or

other modification was made to the PS work performed by Caseware or related deliverables, except as

specifically authorized in writing by Caseware.


4.3 Remedies. Caseware's sole responsibility for a valid warranty claim of the warranty provided in this

Section 4 shall be to use commercially reasonable efforts to promptly cure such breach; provided, that,

if Caseware cannot cure such breach within a reasonable time but not more than thirty (30) days of

Customer’s written notice of such breach, Customer may, at its option, terminate the Order Form and

Caseware shall refund a pro rated amount of Fees related to the applicable PS which gave rise to the

warranty breach.

See what your
audit workflow looks like

with Ai built in.
Get in touch
Version: 3.0
Last Updated: January 2023

Master Product and Services Agreement (MPSA)

Application and Interface Security

Our Software Development Life Cycle (SDLC) ensures that our applications and programming interfaces (APIs) are designed, deployed, and tested in accordance with leading industry standards – such as OWASP, ISO, and SOC – and adhere to legal, statutory, or regulatory compliance obligations.

You will be onboarded once all agreements and policies are accepted for usage of the service. You are responsible for ensuring your usage of Caseware Cloud is in compliance with applicable laws and regulations.

Legal specifics can be found in the Cloud Services Agreement here.

Our policies and procedures have been established and are maintained in support of data security to include confidentiality, integrity, and availability across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.

Audit Assurance and Compliance

Independent audits are conducted by registered 3rd parties as part of our compliance program for ISO 27001 and SOC 2 for our Cloud services. We also have an internal audit program, external penetration testing and regularly scheduled internal vulnerability testing. Vulnerability test results are shared with customers as outlined in the Client Initiated Testing Policy. The results of these processes are tracked through our improvements process. The methodology and tools used to conduct penetration testing is tailored to each assessment for specific targets and attacker profiles. SOC 2 reports are provided under NDA to clients. Our SOC 3 Report is available in PDF format here.

Production data is stored on Amazon Web Services (AWS). The application handles logical separation of client data through database isolation. Data that is transferred to and from our service (including backups) is 100% encrypted over an SSL connection (AES-256-bit – the same strength used in online banking). Data transmission occurs between client and server, and databases. Controls are in place for secure and encrypted bulk data transfers. There are no email transmissions. For more information on security, see: https://www.casewarecloud.com/security.html. Our legal team monitors our regulatory obligations. Please refer to our Cloud Services agreement for legal requirements here.

Business Continuity Management and Operational Resilience

Caseware has a consistent unified framework for business continuity planning and has established, documented, and adopted this to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements.

Requirements for business continuity plans include the following:

  • Defined purpose and scope, aligned with relevant dependencies
  • Accessible to and understood by those who will use them
  • Owned by a named person(s) who is responsible for their review, update, and approval
  • Defined lines of communication, roles, and responsibilities
  • Detailed recovery procedures, manual work-around, and reference information
  • Method for plan invocation

Our business continuity and security incident response plans are tested at planned intervals or upon significant organizational or environmental changes. Incident response plans involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.

Our service is hosted on Amazon’s AWS and utilities services and environmental conditions (for example, water, power, temperature and humidity controls, telecommunications, and internet connectivity) are secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and are designed with automated failover or other redundancies in the event of planned or unplanned disruptions.

Our cloud service is completely virtual and hosted on Amazon Web Services (AWS). Amazon is also ISO and SOC2 compliant and responsible for restricting access to facilities housing the productions systems to authorized individuals. AWS is also responsible for environmental protection and preventative maintenance over production systems. AWS has published further details here: https://aws.amazon.com/compliance/data-center/controls. These certifications address physical security, system availability, network and IP backbone access, customer provisioning and problem management. Physical access and environmental controls are managed and controlled by AWS. AWS physical protection assurance information can be found at: https://aws.amazon.com/compliance.

Caseware has aligned our security program to ISO 27001 and we have business continuity processes in place to address disruptions to critical services. We monitor all cloud instances for performance and availability and incorporate the following:

  • Identify critical products and services
  • Identify all dependencies, including processes, applications, business partners, and third party service providers
  • Understand threats to critical products and services
  • Determine impacts resulting from planned or unplanned disruptions and how these vary over time
  • Establish the maximum tolerable period for disruption
  • Establish priorities for recovery
  • Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
  • Estimate the resources required for resumption

Customers can see our real-time operational status at our status page here: https://caseware.statuspage.io/.

We maintain a central system for documentation and train all staff on processes. Procedures include change management, security processes, roles and responsibilities of internal users. Our procedures are updated on an as needed basis and revision histories are logged. Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.

Caseware maintains a records and retention policy for Cloud services. The retention policy is not client-specific. Backup and recovery procedures are documented and automated alerts are sent daily to operations staff. Backup and recovery measures have been incorporated into business continuity planning and tested accordingly for effectiveness. See the retention policy for each category of records below.

System transaction logs

Description: Database journals and other logs used for database recovery.

Retention period: 30 days.

Reason for retention: Based on backup and recovery strategy.

Allowable storage media: Electronic.

Audit logs

Description: Security logs, for example, records of logon/logoff and permission changes.

Retention period: 30 days.

Reason for retention: Maximum period of delay before forensic investigation.

Allowable storage media: Electronic.

Operational procedures

Description: Records associated with the completion of operational procedures.

Retention period: 2 years.

Reason for retention: Maximum period elapsed regarding dispute.

Allowable storage media: Electronic.

Customer

Description: Customer backups.

Retention period: 90 days.

Reason for retention: Data protection requirement.

Allowable storage media: Electronic.

Change Control and Configuration Management

Change management controls have been established for any new development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization’s business leadership or other accountable business role or function. Our SDLC has a defined quality change control and testing process with established baselines, testing, and release standards which focus on system availability, confidentiality and integrity of systems and services.

Policies and procedures have been established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices and IT infrastructure network and systems components within the production cloud environment. Our change management policies and procedures include managing the risks associated with applying changes to business-critical or customer impacting applications and system-system interface (API) designs and configurations. Technical measures have also been implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer, and/or authorization by, the customer as per agreement prior to deployment.

Data Security and Information Lifecycle Management

Caseware has policies and procedures and supporting business processes and technical measures in place to inventory and maintain data flows within the SaaS network and systems for each geographic location. Controls are in place to ensure that data is placed in the geographic area determined by the client. Subscriber data within the production cloud environment resides on two-tier architecture and is not directly accessible from the internet.

Our security policy defines four levels of data classification: confidential, restricted, operational, and public. All data stored within the production cloud infrastructure is considered confidential, which is our highest level of security and only authorized staff have access to this environment. Logical access to the production cloud environment is restricted to the operations team alone.

All subscriber data is stored in the production cloud environment. Use of customer data in non-production environments is controlled through secure data-handling processes, which require explicitly documented approval from the customers whose data is affected, and must comply with legal and regulatory requirements for scrubbing of sensitive data elements.

There is a designated operations team responsible for all operational functions regarding the infrastructure and storage with assigned responsibilities that have been defined, documented, and communicated.

Caseware Cloud is hosted on Amazon web servers around the world. Upon subscribing to the Caseware Cloud Services, CWC informs clients of the jurisdiction in which the server that has been allocated to host your Subscriber Data and Personal Information is located. You may consent to such allocation, or refuse a server so allocated.

For performance reasons, we’ll typically set you up in:

  • United States/North Virginia if you’re located in the United States or South America
  • Canada/Montreal if you’re located in Canada
  • Australia/New South Wales if you’re located in the Asia-Pacific region
  • Ireland/Leinster if you’re located in any other region

Data center Security

The production infrastructure is completely hosted within Amazon’s AWS. AWS is responsible for restricting access to facilities housing the production systems to authorized individuals. AWS is also responsible for environmental protection and preventative maintenance over production systems. Physical access is controlled by AWS at the perimeter and at building ingress points. Full details can be found here: https://aws.amazon.com/whitepapers/#security. AWS has published further details here: https://aws.amazon.com/compliance/data-center/controls/.

Our production infrastructure is completely hosted within Amazon’s AWS. AWS has SOC 2 reports, which are reviewed annually. AWS governance processes can be found here: https://aws.amazon.com/compliance/.

Encryption and Key Management

Our cryptography policies and procedures are designed to support business process. Technical measures have been implemented based on business requirements for protection of data at rest and data in transit as per applicable legal, statutory, and regulatory compliance obligations.

Our cryptography policy requires all encryption keys to have identifiable owners within the organization. The cryptographic key lifecycle management ensures access controls are in place for secure key generation, exchange and storage, including segregation of keys used for encrypted data or sessions.

Data stored at the server level (data-at-rest) is encrypted using the industry standard AES-256 algorithm. Data that is transferred to and from our service (data-in-transit) is encrypted via TLS with ephemeral key exchange and use industry-accepted strong cipher suites. Certificates use a minimum of 2048-bit key strength with SHA-2 or stronger signature algorithm. Private keys are generated and stored in our secrets management systems. They are deployed and used on production systems as needed via our change control process. Certificates are obtained through a reputable vendor and follow the built-in and industry standard renewal/rotation process based on expiry or revocation as needed.

Governance and Risk Management

Security risk assessments are completed at least annually and consider the following:

  • Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
  • Compliance with defined retention periods
  • Data classification and protection from unauthorized use, access, loss, destruction, and falsification

We have implemented an Information Security Management System based on ISO 27001 and SOC 2 controls. Our ISMS includes the following areas insofar as they relate to the characteristics of the business:

  • Information Security Policy (this document)
  • Access Control Policy
  • Availability Management
  • Clean Desk Policy
  • Cryptography Policy
  • IS Supplier Management Policy
  • Logging and Monitoring Policy
  • Mobile Device Policy
  • Network Security Policy
  • Password Management Policy
  • Patch Management Policy
  • Software Policy
  • Technical Vulnerability Management Policy
  • Risk Assessment Methodology
  • Malware, Email and ISMS Policy
  • Internet Acceptable Use Policy
  • Penetration Testing Policy
  • Teleworking Policy
  • Records Retention and Protection

Department managers are responsible for maintaining awareness of, and complying with, security policies, procedures, and standards that are relevant to their area of responsibility.

Risk acceptance levels have been defined within the risk management methodology and all risks are mitigated to an acceptable level with reasonable resolution time frames and stakeholder approval.

Our information security policies and procedures are posted and available for review by all impacted staff and external business relationships. The Information Security Steering Committee is responsible for developing, maintaining, and enforcing our service’s information security policies. The information security policy is reviewed annually and approved by the Information Security Steering Committee. Executive and line management provide support for information security through clearly documented direction and commitment, and shall ensure action has been assigned. There is a senior member of management who is responsible for information security governance and operations, including protection of customer data – this role reports to the CFO.

Policy reviews are conducted annually by the Information Security Steering Committee or as a result of changes to the organization to ensure its continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations.

Formal risk assessments are performed annually and in conjunction with any changes to information systems to determine the likelihood and impact of all identified risks. The likelihood and impact associated with inherent and residual risk is determined independently, considering all risk categories based on audit results, threat and vulnerability analysis, and regulatory compliance. Risk assessment results can include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective. The results of risk assessments are:

  • Reported to senior management who then partake in a risk treatment process
  • Updated in a risk register
  • Prioritized based on possible impact to production systems

Our HR has a defined screening process for all staff. Reference checks are obtained with respect to all employees at time of hiring, with criminal and credit background checks for those who perform operational roles with the product cloud environment. All staff are required to sign a confidentiality agreement prior to employment to ensure protection of client information for the protection of data. Information security awareness training is provided during employee onboarding. Specific training is provided for developers on secure coding practices. Formal records are maintained for completion of internal staff training. Employee terminations and position changes are initiated by department managers. Our HR team reviews these requests and submits the request through our ticketing system for de-provisioning and provisioning requirements. Our HR team has an employee departure process to ensure all equipment is returned and accounts terminated to ensure that access to production environments is removed.

A security awareness training program has been established for all contractors, third-party users, and employees and is mandated. All individuals with access to confidential and restricted data receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their job function relative to the organization. Roles and responsibilities of contractors, employees, and third-party users are documented as they relate to information assets and security.

User responsibilities are defined within job descriptions for all staff and they are made aware of their roles and responsibilities for:

  • Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations
  • Maintaining a safe and secure working environment
  • Report any suspicious activity if detected

We have a clear screen policy which requires that unattended workspaces do not have openly visible sensitive documents and user computing sessions had been disabled after an established period of inactivity.

We have an Access Control policy in place that specifies how to manage access control to all system components and sensitive information in the organization. Policies governing acceptable use or access to subscriber data and metadata is included in the Caseware privacy policy (https://www.caseware.com/privacy-statement/). Caseware collects, uses and discloses information only for the following purposes:

  • To verify your identity
  • To provide you with the Caseware Cloud Services
  • To contact you for the purposes of product information, service updates, billing notifications, or notifications relating to the Caseware Cloud Services
  • To monitor and/or improve system usage, server and software performance
  • To assist with technical support issues
  • To comply with any laws, regulations, court orders, subpoenas or other legal process of investigation and to protect CWC, its Affiliates and other individuals from harm
  • To improve and enhance CWC Service offerings

Identity and Access Management

Policies and procedures have been established to store and manage identity information about every person who accesses the production cloud infrastructure and to determine their level of access. Access control policies and procedures have been established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest. The access control repository is managed by the provider. We use a privileged identity manager and password management system.

Access to, and use of, audit tools that interact with production cloud environment is segmented and restricted to prevent compromise and misuse of log data. User access to diagnostic and configuration ports are restricted to authorized individuals and applications.

Controls are in place to ensure only approved software is installed within the production cloud infrastructure.

Access to the organization’s own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software is controlled following the rule of least privilege based on job function as per established user access policies and procedures.

Caseware Cloud Service requires password authentication to access the base system. Once in the system, users must be assigned security roles to perform additional operations and access certain content. With security roles, you can control who has access to what content. Your organization is responsible for developing appropriate security policies around passwords and security roles using the security features provided in Caseware Cloud. Caseware provides access to clients, who then control their own users and administrative accounts, including provisioning and de-provisioning. Two-factor authentication is employed. User access is authorized and revalidated quarterly, to ensure the rule of least privilege based on job function. For identified access violations, remediation activities are followed based on the established user access policies and procedures. Timely de-provisioning (revocation or modification) of user access to data or managed applications, infrastructure systems, and network components, has been implemented as per established policies and procedures and based on user’s change in status such as termination of employment or other business relationship, job change, or transfer. The provider manages service account provisioning and de-provisioning. Service account authentication utilizes multi-factor authentication.

Infrastructure and Virtualization Security

Caseware Cloud deploys a SaaS-based endpoint detection and response security endpoint to all hosts within our infrastructure. All user, process, and network activity is collected and stored in the tamper-proof central location and analyzed in near real-time for suspicious behaviors as well as for manual forensics. Protection, retention, and lifecycle management of audit logs, adhere to applicable legal, statutory, or regulatory compliance obligations and provide unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, that are required to support forensic investigative capabilities in the event of a security breach. Our tools have the capability to detect/prevent unauthorized or anomalous behavior based on network traffic or host activity. All authentication events, successful and failed, are logged.

Our production and non-production environments are separated to prevent unauthorized access or changes to information assets. Separation of the environments include logical separation and segregation of duties for personnel accessing these environments as part of their job duties.

Our production system and network environment is protected by centrally managed firewalls and ensures separation of production and non-production environments. Our production environment is designed, developed, deployed, and configured to ensure our operations team and clients user access is appropriately segmented from other client users, based on the following considerations:

  • Established policies and procedures
  • Isolation of business critical assets and/or sensitive user data and sessions that mandate stronger internal controls and high levels of assurance
  • Compliance with legal, statutory, and regulatory compliance obligations

The production cloud infrastructure has a reliable and mutually agreed upon external time source that is used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.

Supply Chain Management, Transparency, and Accountability

Policies and procedures have been implemented to ensure the consistent review of service agreements between providers and customers across the relevant supply chain. Reviews performed at least annually and identify non-conformance to established agreements. Any non-conformances are identified as actions to address service-level conflicts or inconsistencies.

Threat and Vulnerability Management

Policies and procedures have been established, and supporting business processes and technical measures implemented, to prevent the execution of malware within the production cloud environment or end user devices and IT infrastructure network and system components. Policies and procedures have been established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components. We also perform ongoing application and code vulnerability evaluations of our products and have dual peer reviews of all code changes to ensure the efficiency of implemented security controls. Our risk management methodology is used for prioritizing remediation of identified vulnerabilities. Changes are managed through our defined change management process for all vendor-supplied patches, configuration changes, or changes to our applications. Our anti-malware solution is centrally managed and runs on all systems. The anti-malware solution includes mechanisms for detecting or preventing phishing. Malware signature updates are deployed within 1 day of release.

Lead your firm to accuracy, efficiency, and growth with Caseware.

The authority in AI-powered audit.

Get in touch