Privacy Policy

Application

This policy applies to all employees, contractors, and vendors while doing business with Casabase Software, LLC and others who have access to personally identifiable information (PII) also referred to as consumer information (“personal data”) in connection with Casabase Software, LLC’s operating activities.

Purpose

Casabase Software, LLC is committed to protecting the security, confidentiality, and privacy of its information resources including consumers’ personal data in accordance with the requirements set forth in SOC 2 Privacy Criteria and all relevant privacy frameworks, laws and regulations. Personal data shall only be processed when there is a legal basis to do so, data shall be managed to ensure that security, confidentiality, and privacy are maintained, and data will be used only for authorized purposes. All employees and contractors of Casabase Software, LLC share the responsibility for safeguarding personal data to which they have access.

When performing commercial activities in support of Casabase Software, LLC products and services (ExoInsight and Casabase Cube) that impacts consumer personal data (PII), Casabase Software, LLC may engage in certain activities which may require it to receive, store, process, transmit, create, or access and use data which may trigger compliance requirements with the provisions applicable to privacy regulations.

This policy and the data privacy and information security policies adopted hereunder are intended to support the mission of Casabase Software, LLC and to facilitate data processing activities that are important to Casabase Software, LLC by:

• Ensuring compliance with requirements imposed by relevant data privacy regulations
• Providing for the establishment of data privacy policies that set forth, among other things, the required technical, physical, and administrative safeguards to maintain the security, confidentiality, and privacy of personal data
• Setting forth the roles and responsibilities necessary for Casabase Software, LLC to meet its obligations with respect to activities related to the processing of personal data

Information We Collect

Casabase Software, LLC collects the following categories of personal information:

Contact and Business Information

• Name and business contact details (email addresses, phone numbers, company names)
• Job titles and professional information
• Business addresses and billing information

Support and Service Information

• Support ticket data and communications through Zendesk
• Customer-provided debugging datasets and query samples (handled as confidential data under the Data Management Policy)
• Phone conversation recordings for support purposes (retained for 3 years)

Technical Information

• Security event data (retained for 1 year in cloud instances)
• Vulnerability scan results (retained for 6 months)

Marketing and Communication Preferences

• Newsletter subscriptions and communication preferences
• Marketing interaction data and preferences

How We Use Your Information

We use personal information only for legitimate business purposes, including:

Business Operations

• Providing and improving our software products and services
• Processing customer orders and managing billing
• Communicating about products, services, and updates
• Providing customer support and technical assistance

Legal and Compliance

• Complying with legal obligations and regulatory requirements
• Responding to lawful requests from government authorities
• Protecting our legal rights and interests

Service Improvement

• Analyzing usage patterns to improve our applications
• Quality assurance and testing (data retained for 3 years)
• Security monitoring and incident response

We do not sell personal information to third parties and will only share information as described in this policy.

Data Sharing and Third-Party Disclosure

Casabase Software, LLC shares personal information only in the following circumstances:

Service Providers

We may share personal information with trusted service providers who assist us in operating our business, including:

• Zendesk: For customer support ticket management (support data retained for 7 years)
• Snowflake: As the platform for our native applications (customer data remains in customer’s Snowflake environment)
• Other authorized service providers under appropriate data protection agreements

Legal Requirements

We may disclose personal information when required by law, including:

• In response to valid legal process (subpoenas, court orders, search warrants)
• To comply with regulatory requirements
• To protect the rights, property, or safety of Casabase Software, LLC, our customers, or others

Business Transfers

In connection with any merger, acquisition, or sale of assets, personal information may be transferred to the acquiring entity, subject to appropriate confidentiality commitments.

All third-party service providers are required to maintain appropriate technical, physical, and administrative safeguards to protect personal information and are contractually prohibited from using personal information for purposes other than providing services to Casabase Software, LLC.

Data Retention and Disposal

Casabase Software, LLC retains personal information only as long as necessary for legitimate business purposes or as required by law. Retention periods are documented in our Data Management Policy and include:

Data Type	Retention Period
Support tickets	7 years
Support phone conversations	3 years
Security event data (cloud instances)	1 year
Customer-provided support data	30 days after ticket resolution
QA and testing data	3 years

Personal information is securely deleted or de-identified when no longer needed. For detailed retention periods, please refer to the Data Retention Matrix in Appendix B of our Data Management Policy.

Secure Disposal

All personal information is securely disposed of using industry-standard methods:

• Electronic data is securely wiped or cryptographically erased
• Physical media is destroyed with certificates of destruction maintained
• Paper records are securely shredded
• Disposal methods comply with applicable data protection requirements

Data Security

Casabase Software, LLC implements comprehensive security measures to protect personal information:

Technical Safeguards

• Encryption of data at rest and in transit using strong cryptography
• Multi-factor authentication for system access
• Regular vulnerability assessments and security testing
• Network security controls and monitoring

Physical Safeguards

Casabase Software is a remote-only organization with no physical office locations. Physical security is managed as follows:

• Physical security for personnel workstations and remote work environments is governed by the Acceptable Use and Mobile Device policies
• Physical security for third-party infrastructure providers (such as Snowflake and Google Workspace) is managed by those providers and assessed by Casabase Software through reviews of their independent audit reports (e.g., SOC 2 or ISO 27001)
• Secure disposal of physical media and equipment

Administrative Safeguards

• Regular security awareness training for all personnel
• Background checks for employees with access to personal information
• Incident response procedures and breach notification protocols
• Regular security policy reviews and updates

Your Rights and Choices

Individuals have the following rights regarding their personal information:

Access Rights

• Request information about what personal data we collect and how we use it
• Obtain copies of personal information we maintain about you
• Receive information about data sharing and retention practices

Correction Rights

• Request correction of inaccurate or incomplete personal information
• Update contact information and communication preferences
• Challenge data accuracy through our dispute resolution process

Choice and Consent

• Opt out of marketing communications at any time
• Withdraw consent for processing where consent is the legal basis
• Choose how we communicate with you (email, phone, mail)

Deletion Rights

• Request deletion of personal information in certain circumstances
• Request de-identification of personal information
• Exercise “right to be forgotten” where applicable

To exercise these rights, contact us at support@casabasesoftware.com.

Access and Correction

Casabase Software, LLC provides clear processes for individuals to access, review, and correct their personal information:

Request Process

• Submission: Submit requests via support@casabasesoftware.com
• Identity Verification: We verify the identity of requesters using reasonable methods
• Response Timeline: We respond within 30 days of receiving a complete request
• Information Provided: We provide the categories and specific pieces of personal information as appropriate

Identity Verification

We implement reasonable security measures to verify the identity of requesters:

• For customers with password-protected accounts, we may use existing authentication
• For other requests, we may require additional identification documents
• Verification methods are designed to prevent unauthorized access while ensuring legitimate access

Correction Process

When personal information is found to be inaccurate or incomplete:

• We promptly correct the information in our systems
• We notify relevant third parties who received the inaccurate information
• We provide confirmation of corrections to the requesting individual

Breach Notification

In the event of a security incident that compromises personal information:

Internal Response

• Immediate containment and investigation of the incident
• Assessment of the scope and impact of the breach
• Documentation of incident details and response actions

Notification Process

• Individual Notification: Affected individuals are notified without unreasonable delay
• Regulatory Notification: Relevant regulatory authorities are notified as required by law
• Content: Notifications include the nature of the breach, types of information involved, steps taken to address the breach, and contact information for questions

Timeline

• Internal incident team is notified immediately upon discovery
• Individual notifications are provided as soon as reasonably possible
• Regulatory notifications are made within required timeframes (typically 72 hours)

All breach response activities are conducted in accordance with our Incident Response Plan and applicable breach notification laws.

Data Quality

Casabase Software, LLC is committed to maintaining accurate, complete, and relevant personal information:

Data Accuracy

• We implement processes to ensure personal information is accurate and current
• We regularly review and update information systems and databases
• We provide mechanisms for individuals to correct inaccurate information

Data Relevance

• We collect only personal information that is necessary for stated purposes
• We regularly review data collection practices to ensure continued relevance
• We delete or archive information that is no longer needed

Data Completeness

• We strive to maintain complete records for business and compliance purposes
• We identify and address gaps in personal information where necessary
• We validate data accuracy during collection and processing

Monitoring and Enforcement

Compliance Monitoring

Casabase Software, LLC monitors compliance with this Privacy Policy through:

• Regular internal audits and assessments
• External compliance audits (including SOC 2 examinations)
• Employee training and awareness programs
• Continuous monitoring of data processing activities

Dispute Resolution

Individuals may file complaints regarding privacy practices by:

We investigate all complaints promptly and provide written responses within 30 days.

Enforcement Actions

Violations of this policy may result in:

• Corrective action and additional training
• Disciplinary action up to and including termination
• Legal action where appropriate
• Notification to regulatory authorities as required

Special Considerations for Snowflake Native Applications

For our Snowflake-native applications (ExoInsight and Casabase Cube):

Data Residency

• Customer data remains within the customer’s own Snowflake environment at all times
• Casabase Software does not have direct access to customer data within Snowflake
• Data processing occurs within the customer’s Snowflake instance under their control

Customer Responsibilities

• Customers maintain control over their data access policies and permissions
• Customers are responsible for their own data retention and deletion practices
• Customers manage their own compliance requirements for data within their Snowflake environment

Casabase Software Responsibilities

• We ensure our application logic respects customer data boundaries
• We provide secure application logic that does not export customer data
• We maintain appropriate security controls for application infrastructure

Support Data Handling

When customers provide data for support purposes:

• Support data is handled as confidential information under our Data Management Policy
• Data is stored in secure, encrypted environments
• Access is restricted to authorized support personnel
• Data is deleted within 30 days of ticket resolution

Contact Information

For privacy-related questions, concerns, or requests:

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or business operations. When we make material changes:

• We will post the updated policy on our website
• We will notify affected individuals via email or other appropriate means
• We will update the effective date at the top of this policy
• We will maintain previous versions for reference as needed

We encourage you to review this policy regularly to stay informed about our privacy practices.

Applicable Laws and Regulations

This Privacy Policy is designed to comply with relevant privacy laws and regulations, including:

• SOC 2 Privacy Criteria
• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• State privacy laws (Colorado, Connecticut, Virginia, Utah)
• Other applicable federal and state privacy regulations