Security Policy
Last updated: November 19, 2025
Caseworth, CO ("Caseworth," "we," "us," or "our") is committed to protecting the confidentiality, integrity, and availability of our customers' data and our own information assets. This Security Policy outlines the principles, practices, and controls we employ to maintain a secure environment for our software-as-a-service (SaaS) platform and all associated services (the "Services").
1. Scope and Commitment
This policy applies to all Caseworth employees, contractors, systems, and processes that handle, store, or transmit customer data or Caseworth's internal information. Our commitment is to implement and maintain a robust security program that aligns with industry best practices and applicable legal and regulatory requirements.
2. Security Program Overview
Our security program is built on a foundation of risk management and continuous improvement, encompassing the following key areas:
| Security Area | Key Practices and Controls |
|---|---|
| Organizational Security | Dedicated security team, security awareness training, background checks for personnel. |
| Asset Management | Inventory of all hardware and software assets, data classification, and secure disposal procedures. |
| Access Control | Principle of least privilege, role-based access control (RBAC), strong password policies, multi-factor authentication (MFA). |
| Physical Security | Secure hosting facilities, restricted access to Caseworth offices. |
| Operations Security | Change management, capacity planning, malware protection, logging, and monitoring. |
| Communications Security | Network segmentation, firewall management, secure configuration of network services. |
| System Acquisition, Development, and Maintenance | Secure development lifecycle (SDLC), testing, and vulnerability management. |
| Incident Management | Defined incident response plan, regular testing of the plan, clear communication protocols. |
| Compliance | Regular audits, adherence to legal and regulatory requirements (e.g., GDPR, CCPA, CPA). |
3. Data Protection and Encryption
3.1 Data Classification
All data handled by Caseworth is classified based on its sensitivity (e.g., Public, Internal, Confidential, Restricted). This classification dictates the minimum security controls required for its handling.
3.2 Encryption
- Data in Transit: All data transmitted between the user and the Services is encrypted using industry-standard protocols, such as Transport Layer Security (TLS 1.2 or higher).
- Data at Rest: Customer data is encrypted at rest using strong encryption algorithms (e.g., AES-256) within our hosting environment.
4. Access Control
4.1 User Authentication
- Strong Passwords: We enforce strong password policies, including minimum length and complexity requirements.
- Multi-Factor Authentication (MFA): MFA is required for all Caseworth personnel accessing production systems and is strongly recommended for all customer accounts.
4.2 Least Privilege
Access to customer data and production systems is granted strictly on a need-to-know basis, following the principle of least privilege. Access rights are reviewed periodically and revoked immediately upon change of role or termination of employment.
5. Network and Infrastructure Security
5.1 Hosting Environment
Caseworth utilizes industry-leading cloud providers with certifications such as ISO 27001, SOC 1, and SOC 2. Our infrastructure is logically separated from other tenants and protected by multiple layers of security controls.
5.2 Vulnerability Management
We employ continuous monitoring and regular vulnerability scanning of our infrastructure and application code. Identified vulnerabilities are prioritized based on risk and remediated according to defined service level objectives (SLOs).
6. Incident Response and Business Continuity
6.1 Security Incident Response
We maintain a formal Security Incident Response Plan (SIRP) to address potential security breaches. The plan includes procedures for detection, containment, eradication, recovery, and post-incident analysis. Customers will be notified of security incidents affecting their data as required by law and contract.
6.2 Backup and Disaster Recovery
Customer data is backed up regularly and stored securely. We maintain a comprehensive Disaster Recovery (DR) plan to ensure the continuity of the Services in the event of a major disruption, with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
7. Security Audits and Testing
Caseworth engages independent third parties to conduct regular security assessments, including:
- Penetration Testing: Annual external penetration tests are performed to identify and address potential weaknesses in our application and infrastructure.
- Security Audits: We undergo regular security audits (e.g., SOC 2 Type II) to validate the effectiveness of our security controls.
8. Customer Responsibilities
While Caseworth is responsible for the security of the platform, customers are responsible for:
- Maintaining the confidentiality of their account credentials.
- Implementing strong, unique passwords and enabling MFA.
- Managing access controls within their Caseworth account.
- Ensuring the security of their own systems and networks used to access the Services.
9. Contact Information
For security-related inquiries, to report a vulnerability, or to request a copy of our latest security report (subject to NDA), please contact:
Email: security@caseworth.io