CAST AI Group, Inc. Customer Data Processing Addendum

CAST AI Group, Inc.
Effective Date: June 21, 2023


Customer Data Processing Addendum

This Customer Data Processing Addendum (“DPA”) supplements and forms part of the CAST AI Terms of Service (“Agreement”) between CAST AI and Customer to reflect the Parties’ agreement with regard to the Processing of Personal Data. 

In the course of providing the Services to Customer pursuant to the Agreement, CAST AI may Process Personal Data on behalf of Customer, and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

1. Definitions. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. As used in this DPA:

1.1.“Controller” will have the following meanings: (a) “controller” as set forth in the GDPR; (b) “business” as set forth under the CCPA; and (c) “controller” as set forth under any other U.S. Privacy Laws. 

1.2. “Data Protection Laws” means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including, European Union and EEA Member States’ laws and regulations with respect to Personal Data (including GDPR) and privacy of electronic communications, and any other applicable data protection or privacy laws and regulations of any other country or state, including U.S. Privacy Laws. 

1.3. “EEA” means, for the purposes of this DPA, the European Economic Area, United Kingdom and Switzerland.

1.4. “EU Standard Contractual Clauses” means the standard contractual clauses annexed to Commission Implementing Decision (EU) (2021/914) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.

1.5. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) together with implementing EEA Member States’ laws, and for purposes of this DPA includes the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).

1.6. “Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”) that is included in the Customer Inputs and that CAST AI Processes on behalf of Customer.

1.7. “Personal Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data Processed by CAST AI or a Sub-processor.

1.8. “Processing” has the meaning given to it in the GDPR, and “process,” “processes”, and “processed” shall be interpreted accordingly.

1.9. “Processor” will have the following meanings: (a) “processor” as set forth in the GDPR; (b) “service provider” as set forth under the CCPA; (c) “processor” as set forth under any other U.S. Privacy Laws; and (d) “processor” or materially equivalent term as set forth in other Data Protection Laws. 

1.10. “Services” means the products and services described in the Agreement and any Order Form, including the CAST AI Cloud Services and Customer’s use of CAST AI Technology.

1.11. “Sub-processor” means any Processor engaged by CAST AI to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.

1.12. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses version B1.0 issued by the UK Information Commissioner’s Office under S119A(1) Data Protection Act 2018 and in force as of 21 March 2022, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, and as revised by the UK Information Commissioner’s Office from time to time.

1.13. “U.S. Privacy Laws” means all United States laws, rules, regulations, directives, and government requirements and guidance, federal or state, currently in effect and as they become effective relating in any way to privacy, confidentiality, security or consumer protection that are applicable to Personal Data. U.S. Privacy Laws includes, but is not limited to, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA), Cal. Civ. Code 1798.100 et seq. and any regulations and guidance that may be issued thereunder (“CCPA”); the Consumer Data Protection Act, Code of Virginia Title 59.1 Chapter 52 § 59.1-571 et seq.; the Colorado Privacy Act, Colorado Revised Statute Title 6 Article 1 Part 13 § 6-1-1301 et seq.; the Act Concerning Personal Data Privacy and Online Monitoring, Connecticut Public Act No. 22-15; and the Consumer Privacy Act, Utah Code Annotated Title 13 Section 2 § 1 et seq.

2. Roles of the Parties; Processing of Personal Data by Customer and CAST AI. 

2.1. As between CAST AI and Customer, Customer is the Controller of Personal Data, except where Customer acts as a Processor for another Controller, in which case Customer warrants to CAST AI that its appointment of CAST AI as a Processor, and its Processing instructions to CAST AI, have been authorized by the relevant Controller. CAST AI is a Processor of Personal Data. 

2.2. The subject matter and duration of the Processing, the nature and purposes of the Processing, and the types of Personal Data and categories of data subjects are as described in Schedule 1 to this DPA.  

2.3. Customer agrees that: (i) it shall comply with its obligations as a Controller under the Data Protection Laws in respect of its Processing of Personal Data and any Processing instructions it issues to CAST AI, and (ii) it has provided notice and obtained all consents and rights necessary under Data Protection Laws for CAST AI to Process Personal Data and provide the Services. Customer shall immediately notify CAST AI and cease Processing Personal Data in the event any required authorization or legal basis for Processing is revoked or terminates.  

2.4. CAST AI shall Process Personal Data only to provide the Services and for the limited and specified purposes described in the Agreement and this DPA, or otherwise in accordance with Customer’s documented and agreed-upon lawful instructions unless Processing is required by applicable law, in which case CAST AI shall to the extent permitted by applicable laws inform Customer of that legal requirement before the relevant Processing. 

2.5. For purposes of U.S. Privacy Laws, CAST AI agrees it will not (i) “sell” or “share” (as those terms are defined in the CCPA) Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing functions under the Agreement and under this DPA, including retaining, using, or disclosing Personal Data for a commercial purpose other than performing the Services and for the specific purposes described in Schedule 1; (iii) retain, use, or disclose Personal Data outside of the direct business relationship between CAST AI and Customer; or (iv) with respect to Personal Data subject to the CCPA, combine Personal Data received in connection with performing functions under the Agreement and under this DPA with Personal Data it receives from another source except to perform Business Purposes (as defined by and specified in the CCPA). Notwithstanding the foregoing, Customer agrees that CAST AI may, if otherwise permitted by U.S. Privacy Laws and subject to CAST AI’s confidentiality obligations hereunder, Process Personal Data to the extent permitted or required by applicable law, including to perform other Processing functions permitted for Processors under U.S. Privacy Laws. In connection with providing the Services, CAST AI will also: (i) comply with the CCPA and provide the same level of privacy protection as is required by the CCPA for Personal Data; (ii) allow Customer to take reasonable and appropriate steps to help ensure that CAST AI uses Personal Data in a manner consistent with Customer’s obligations under the CCPA; (iii) notify Customer promptly in writing if it makes a determination that it can no longer meet its obligations under the CCPA; and (iv) permit Customer to, upon notice, take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data. CAST AI understands the restrictions set forth in this Section and will comply with them.

3. Confidentiality of Processing. CAST AI shall ensure that any person who is authorized by CAST AI to Process Personal Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality.

4. Data Security. Each party shall take appropriate technical and organizational measures against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage. CAST AI will implement and maintain commercially reasonable technical and organizational security measures designed to protect Personal Data from Personal Data Breaches, to help ensure the ongoing confidentiality, integrity, and availability of the Personal Data and Processing systems, in accordance with CAST AI’s security standards, including, as appropriate, the measures specified in Schedule 2. Notwithstanding the above, Customer agrees that it is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit, and taking any appropriate steps to securely encrypt or backup Personal Data, as well as the security obligations outlined in the Agreement.

5. Sub-processing. Customer hereby generally authorizes CAST AI to engage Sub-processors to Process Personal Data on Customer’s behalf, including the Sub-processors currently engaged by CAST AI and listed in Schedule 1. CAST AI shall: (i) take commercially reasonable measures to ensure that Sub-processors have the requisite capabilities to Process Personal Data in accordance with this DPA; (ii) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by Data Protection Laws; (iii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause CAST AI to breach any of its obligations under this DPA; and (iv) notify Customer in the event that it intends to engage different or additional Sub-processors that will Process Personal Data pursuant to this DPA, which may be done by email or posting on a website identified by CAST AI to Customer at least 30 days in advance. Customer must raise any objection to posted Sub-processors within five (5) calendar days of the posted update. Customer’s objection shall only be effective if submitted to CAST AI in writing, specifically describing Customer’s reasonable belief that CAST AI’s proposed use of the Sub-processor(s) will materially, adversely affect Customer’s compliance with GDPR. In any such case, the parties will make reasonable efforts to reconcile the matter. In the event Customer’s concern cannot be resolved, CAST AI may terminate the Agreement with no penalty and Customer shall immediately pay all fees and costs then owing and incurred by CAST AI as a result of the termination.

6. Notification and Remediation of Personal Data Breaches. CAST AI shall notify Customer without undue delay after becoming aware of a Personal Data Breach. CAST AI shall make reasonable efforts to identify the cause of the Personal Data Breach and shall undertake such steps as CAST AI deems necessary and reasonable in order to remediate the cause of such Personal Data Breach. CAST AI shall provide information related to the Personal Data Breach to Customer in a timely fashion and as reasonably necessary for Customer to maintain compliance with the Data Protection Laws. The obligations herein shall not apply to incidents that are caused by Customer, including Customer’s employees, subcontractors, or agents.

7. Data Subject Requests. CAST AI shall, to the extent legally permitted, promptly notify Customer of any complaint, dispute or request it has received from a Data Subject relating to such Data Subject’s rights under the Data Protection Laws (each, a “Data Subject Request”). CAST AI shall not respond to a Data Subject Request itself, except that Customer authorizes CAST AI to redirect the Data Subject Request as necessary to allow Customer to respond directly. Taking into account the nature of the Processing, CAST AI shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under the Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, CAST AI shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent CAST AI is legally permitted to do so, and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from CAST AI’s provision of such assistance.

8. Data Protection Impact Assessments; Prior Consultations with Supervisory Authorities. Where appropriate in its discretion CAST AI will provide reasonable assistance and necessary information to Customer, at Customer’s expense, in the preparation of Customer’s data protection impact assessments and, where necessary, carrying out consultations with any supervisory authority that may be required in accordance with Data Protection Laws.

9. Return or Deletion of Personal Data. Upon termination or expiration of the Agreement, CAST AI shall, at the choice of Customer, delete or return, if feasible, to Customer all Personal Data remaining in its possession or control, save that this requirement shall not apply to the extent CAST AI is required by applicable laws to retain the Personal Data.

10. Information and Audits.  

10.1. CAST AI will, upon Customer’s request, provide and make available to Customer such information and assistance as may be reasonably required to confirm CAST AI’s compliance with this DPA and the Data Protection Laws.

10.2. CAST AI shall, annually and at CAST AI’ expense, arrange for a qualified and independent assessor to conduct an assessment of the policies and technical and organizational measures CAST AI has implemented to comply with its obligations under this DPA and Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. CAST AI shall provide a report of the assessment to Customer upon Customer’s written request, which report shall be considered CAST AI’s Confidential Information under the Agreement.  

10.3. To the extent that information provided by CAST AI under Sections 10.1 and 10.2 of this DPA is not sufficient to enable Customer to satisfy its obligations under Data Protection Laws, CAST AI will cooperate with audits and inspections performed by Customer or third party assessor of Customer reasonably acceptable to CAST AI, provided that any audit or inspection:; (i) must be conducted at Customer’s sole expense and subject to reasonable fees and costs charged by CAST AI; (ii) shall be limited to the Personal Data Processing and storage facilities operated by CAST AI; (iii) may be conducted on no less than thirty (30) days prior written notice from Customer, at a date and time and for a duration mutually agreed by the parties; and (iv) must be performed in a manner that does not cause any damage, injury, or disruption to  CAST AI’ premises, equipment, personnel, or business. Notwithstanding the foregoing, CAST AI will not be required to disclose any proprietary or privileged information to Customer or an agent or vendor of Customer in connection with any audit or inspection undertaken pursuant to this DPA. 

11. International Transfers.

11.1. CAST AI may Process Personal Data in the EEA, United States or anywhere in the world where CAST AI or its Sub-processors maintain data Processing operations. CAST AI shall at all times provide an adequate level of protection for the Personal Data Processed, in accordance with the requirements of Data Protection Laws, including where required under the Data Protection Laws, by entering into the into EU Standard Contractual Clauses with its Sub-processors.

11.2. If Personal Data is transferred by Customer from the EEA and received by CAST AI in a country that does not ensure an adequate level of protection under Data Protection Laws in the foregoing jurisdictions, the Parties agree to abide by and Process such Personal Data in accordance with the EU Standard Contractual Clauses, which the Parties hereby incorporate by reference into this DPA, as supplemented by the points below:

11.2.1. For the sake of clarity, the EU Standard Contractual Clauses apply when Customer acts as a ‘data exporter’, and CAST AI acts as a ‘data importer’ under this DPA.

11.2.2. Module Two (Transfer Controller to Processor) will apply when Customer is a Controller. Module Three (Transfer Processor to Processor) will apply when Customer is a Processor.

11.2.3. Clause 7 of the EU Standard Contractual Clauses, the ‘Docking Clause – Optional,’ shall be deemed incorporated. 

11.2.4. In clause 9 of the EU Standard Contractual Clauses (Modules Two and Three), the Parties select Option 2 (General Written Authorization), which shall be enforced in accordance with Section 5 of this DPA. 

11.2.5. The optional wording in clause 11 of the EU Standard Contractual Clauses shall not be deemed incorporated.

11.2.6. In clause 17 of the Clauses, the Parties agree that the EU Standard Contractual Clauses shall be governed by the laws of Lithuania. 

11.2.7. In clause 18 of the EU Standard Contractual Clauses, the Parties agree that any dispute arising from the Clauses shall be resolved by the courts of Lithuania. 

11.2.8. Annex I.A, I.B and I.C of the EU Standard Contractual Clauses shall be deemed completed with the information set out in Schedule 1. Annex II of the Clauses shall be deemed completed with the information set out in Schedule 2

11.2.9. If and to the extent the transfer involves Personal Data originating from Switzerland and is subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”), the EU Standard Contractual Clauses are deemed to be supplemented with an additional annex that provides as follows: 

(a) for purposes of Clause 13 and Annex I.C, the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner;

(b) the term “member state” as used in the EU Standard Contractual Clauses must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with clause 18.c; and

(c) references in the EU Standard Contractual Clauses to the GDPR should be understood as references to the FADP.

11.2.10. Nothing in this DPA or in the Agreement is intended by the Parties to be construed as prevailing over the EU Standard Contractual Clauses.

11.3. If Personal Data is transferred by Customer from the United Kingdom and received by CAST AI in a country that does not ensure an adequate level of protection under the Data Protection Laws of the United Kingdom, the Parties agree to abide by and Process such Personal Data in accordance with the UK Addendum, as supplemented by the points below:

11.3.1. Table 1 is deemed to be completed with the parties’ details and contact information as set forth in Schedule 1

11.3.2. For the purposes of Table 2, the Addendum EU SCCs are the EU Standard Contractual Clauses entered into between Customer and CAST AI under Section 11.1 of this DPA.

11.3.3. For the purposes of Table 3, the Appendix Information is set forth in Schedule 1 and Schedule 2 to this DPA. 

11.3.4. In Table 4, the parties select “Importer.” 

12. Limitation of Liability.  The total liability of each Party (and their respective employees, directors, officers, affiliates, successors, and assigns) to the other, arising out of or related to this DPA, whether in contract, tort, or other theory of liability, will not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement. This section is not intended to modify or limit the parties’ joint and several liability for Data Subject claims under GDPR Article 82 or the right of contribution under GDPR Article 82. Further, this section is not intended to limit either party’s responsibility to pay penalties imposed on that party by a regulatory authority for that party’s violation of Data Protection Laws.

13. Term. This term of this DPA will be coextensive with the term of the Agreement. Each Party’s obligations under this DPA will terminate upon expiration or termination of the Agreement, unless otherwise mandated under applicable laws, otherwise agreed by the Parties in writing, or otherwise provided in the EU Standard Contractual Clauses or UK Addendum. 

14. Miscellaneous. This DPA supersedes and replaces any existing data processing addendum that the Parties may have previously entered into in connection with the Services and all prior and contemporaneous agreements, oral and written, regarding the subject matter of this DPA between CAST AI and Customer. Customer acknowledges and agrees that CAST AI may update this DPA from time to time in case required as a result of (i) changes in Data Protection Laws; (ii) the release of new Services and/or features thereof or material changes thereto; (iii) a merger, acquisition, or other similar transaction; provided that CAST AI will provide at least thirty (30) days prior written notice to Customer. Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement regarding the parties’ respective privacy and security obligations, this DPA will control. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, except where otherwise indicated by the EU Standard Contractual Clauses, the UK Addendum, or Data Protection Laws.


Schedule 1

Details of the Processing

A.   LIST OF PARTIES

Data exporter(s): 

Name: The entity identified as “Customer” in the Agreement.

Address: The address for Customer as specified in the Agreement or as otherwise provided to CAST AI.

Contact person’s name, position and contact details: The contact details for Customer as specified in the Agreement. 

Activities relevant to the data transferred under these Clauses: Customer’s use of the Services pursuant to the Agreement and the DPA.

Signature and date: By entering into the Agreement, Customer will be deemed to have signed this Schedule 1.

Role (controller/processor): Controller or Processor, as set forth in Section 2.1 of the DPA.

Data importer(s): 

Name: The CAST AI Contracting Party as set forth in the Agreement.

Address: The address for the CAST AI Contracting Party As set forth in the Agreement.

Contact person’s name, position and contact details: [email protected]

Activities relevant to the data transferred under these Clauses: Provision of the Service to Customer pursuant to the Agreement and the DPA.

Signature and date: By entering into the Agreement, CAST AI will be deemed to have signed this Schedule 1.

Role (controller/processor): Processor.

B.   DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer may submit Personal Data to the Services, the extent of which is solely determined by Customer, and which may include Personal Data relating to the following categories of Data Subjects:

  • employees and contractors;
  • consultants and partners;
  • clients, customers, and other business contacts;
  • such other Data Subjects as may be the subjects of Personal Data included in Customer Inputs, as determined and controlled by Customer.

Categories of personal data transferred

Customer may submit Personal Data to the Service, the extent of which is solely determined by Customer, and may include the following categories: 

  • contact information, such as email address, phone number, social media identifiers, and postal or physical address; 
  • device information, such as device identifiers; 
  • professional information, such as job function, title, and employee identification number; and
  • such other categories of Personal Data included in Customer Inputs, as determined and controlled by Customer, provided that Customer shall ensure that such Personal Data does not include “special categories” of personal data or “sensitive data” as defined under the Data Protection Laws. 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Not Applicable.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Personal Data may be transferred on a continuous basis during the Term of the Agreement. 

Nature of the processing

The nature of the processing is CAST AI’s provision of the Service under the Agreement, including for the purposes of (a) setting up, operating, monitoring, and providing the Service; (b) communicating with Users; and (c) executing other agreed-upon written instructions of Customer. 

Purpose(s) of the data transfer and further processing

The purpose of the data transfer and further processing is CAST AI’s provision of the Service under the Agreement, including performing services on behalf of Customer that include providing analytic services and other similar services. 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data will be retained for the duration of the Agreement and subject to the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Sub-processors will Process Personal Data as necessary to perform the Service pursuant to the Agreement. Subject to the DPA, Sub-processors will Process Personal Data for the duration of the Agreement.

As of the date of the Agreement, the Sub-Processors engaged by CAST AI are listed at: https://trust.cast.ai/ 

C.   COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

For the purposes of the EU Standard Contractual Clauses, the competent supervisory authority will be the supervisory authority that has supervision over Customer.  If Customer is not based in the EEA but is subject to the GDPR, the country of competent supervisory authority will be Lithuanian State Data Protection Inspectorate.


Schedule 2

Technical and Organizational Measures including Technical and Organizational Measures to Ensure the Security of the Data

CAST AI has implemented and will maintain the technical and organizational measures described below to ensure the security of Personal Data.

1. Security Organization and Program. CAST AI’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. CAST AI’s security program is intended to be appropriate to the nature of the Services and the size and complexity of CAST AI’s business operations. CAST AI has a dedicated Information Security team responsible for the management of information security throughout the organization. Information security policies and standards are reviewed and approved by management at least annually and are made available to all CAST AI employees. 

2. Confidentiality. CAST AI has controls in place to maintain the confidentiality of Customer Inputs in accordance with the Agreement. All CAST AI employees and contract personnel are bound by CAST AI’s internal policies regarding maintaining the confidentiality of Customer Inputs and are contractually obligated to comply with these obligations.

3. Hosting Architecture and Data Segregation. The CAST AI Services are hosted on Google Cloud Platform (“GCP”). Customer Inputs stored within GCP are encrypted in transit and at rest. GCP does not have access to unencrypted Customer Inputs. More information about GCP security is available at https://cloud.google.com/trust-center

4. Physical Security. GCP data centers are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, CAST AI headquarters and office spaces have a physical security program that manages visitors and overall office security. 

5. People Security. CAST AI performs background checks on all new employees at the time of hire in accordance with applicable local laws, including criminal, credit, immigration, and security checks depending on the nature and scope of a new employee’s role. At least once (1) per year, CAST AI employees must complete a security and privacy training which covers CAST AI’s security policies, security best practices, and privacy principles. 

6. Third Party Vendor Management. CAST AI uses third party vendors to provide the Services, and carries out a security risk-based assessment of prospective vendors before working with them to validate they meet CAST AI’s security requirements. CAST AI enters into written agreements with all of its vendors which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for data that these vendors may process. CAST AI periodically reviews each vendor in light of CAST AI’s security and business continuity standards, to ensure the vendor continues to meet those standards.  

7. Security Certifications and Attestations. CAST AI holds the following security-related certifications and attestations: ISO/IEC 27001; SOC 2 Type 2 (Trust Service Principle: Security). 

8. Access Controls. CAST AI follows the principles of least privilege and segregation of duties when provisioning system access. CAST AI personnel are authorized to access Customer Inputs based on their job function, role, and responsibilities, and such access requires approval. Access rights to production environments are reviewed at least annually. An employee’s access to Customer Inputs is promptly removed upon termination of their employment. In order to access the production environment, an authorized user must have a unique username and password and multi-factor authentication enabled. 

9. Change Management. CAST AI has a formal change management process it follows to administer changes to the production environment for the Services, including any changes to its underlying software, applications, and systems. Each change is carefully reviewed and evaluated in a test environment before being deployed into the production environment for the Services. All changes, including the evaluation of the changes in a test environment, are documented using a formal, auditable system of record.

10. Encryption. Customer Inputs are always encrypted at rest and in transit. Internal users can only access production environments remotely through encrypted connections, and connections to its web application from customer Users are encrypted with TLS 1.2 or higher. 

11. Vulnerability Management. CAST AI maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. CAST AI uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in its production environments. Critical software patches are evaluated, tested, and applied proactively. 

12. Penetration Testing. CAST AI performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly. CAST AI maintains a Bug Bounty Program which allows independent security researchers to report security threats and vulnerabilities on an ongoing basis.

13. Security Incident Management. CAST AI maintains an Incident Response and Recovery Plan (IRP) to respond to, recover from, and restore normal business operations after, a security incident, and to communicate with employees, customers, regulators, and other stakeholders about the incident and the actions taken in response. 

14. Disaster Recover and Business Continuity. CAST AI has a documented Disaster Recovery plan that is tested, reviewed, and updated annually.  The hosting infrastructure for the Services spans multiple fault-independent availability zones to ensure continuity of the Services.