
Compliance

Caast's commitment to security

Keeping customer data safe is one of our highest priorities at Caast Technologies. Below is a high-level summary of our current security measures and practices. For the contractual security schedule and supporting documentation, reach out to contact@caast.tech.

Experienced team

Our team has designed and operated finance and AI systems for high-growth companies. Personnel are bound by confidentiality obligations. Security training is required during onboarding and at least annually thereafter, and access is granted based on least privilege (job function and need-to-know) with periodic reviews.

Cloud infrastructure

Customer Data is hosted primarily on OVHcloud. We scope environments to keep customer workloads isolated, enforce strict identity controls, and rely on our hosting provider’s physical and organizational safeguards for data center security. Where applicable, third-party hosting attestations and certifications can be shared upon request, subject to the provider’s disclosure process.

Best practices in progress

We implement common security controls such as encryption in transit (TLS 1.2+), encryption at rest (encrypted volumes), centralized secrets management (secrets are never hardcoded in source or configuration), and secure SDLC practices (code review and security design). Caast is not currently SOC 2 Type II certified; we intend to undergo an independent SOC 2 Type II audit when commercially and operationally feasible.

User rights & access

Employee accounts follow the principle of least privilege. Multi-factor authentication (MFA) is required for core identity systems, and access to production systems and logs is restricted to authorized personnel on a need-to-know basis. Caast employees access Customer Data only when needed for troubleshooting or recovery and, where applicable, with the Customer’s permission.

Monitoring & incidents

We use tooling such as Sentry to ingest logs, exceptions, and traces and route alerts to engineering. We operate an incident management plan that covers identification, containment, investigation, eradication, recovery, and follow-up. Where a security incident involves Customer Personal Data, we notify impacted customers without undue delay, as set out in our contractual data protection terms.

Risk management

We perform vulnerability scanning and dependency monitoring, and we patch externally- and internally-facing services regularly. Public ingress (where required) is filtered and hosts are firewalled based on least privilege. To report a vulnerability, email contact@caast.tech; Caast does not currently run a formal bug bounty program.

Network isolation

Customer environments and administrative endpoints are protected using encryption in transit (TLS 1.2+) and industry-standard isolation controls. For the third-party tools a customer connects to Caast, access is established via OAuth 2.0 (or similar delegated access standards) using pre-registered, static callback (redirect) URLs; we never ask customers for the passwords to those systems.
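To make the static-callback point concrete, here is an added example (written for this page, not Caast's own integration code) of an OAuth 2.0 authorization-code client that only ever sends one fixed, pre-registered redirect URI, binds the request with a random `state` and a PKCE verifier, and refuses any callback that arrives on a different URL or with a state it did not issue. The endpoint, client ID and redirect URI are hypothetical placeholders.

```python
"""Added example: OAuth 2.0 authorization-code client with a static redirect URI.
Not Caast's code; endpoint, client id and redirect URI below are assumptions."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values for illustration only.
AUTHORIZE_ENDPOINT = "https://idp.example.com/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/oauth/callback"  # registered once, never user-supplied


def _pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for PKCE S256."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def start_authorization(scope: str) -> tuple:
    """Build the authorize URL. Returns (url, pending); `pending` is kept
    server-side in the user's session until the callback arrives."""
    state = secrets.token_urlsafe(32)
    verifier, challenge = _pkce_pair()
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # always the static registered value
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", {"state": state, "verifier": verifier}


def handle_callback(callback_url: str, pending: dict) -> dict:
    """Validate the URL the browser came back on and return the token-request
    body we would POST. Raises ValueError on any mismatch, so a code delivered
    to another host or with a forged state never reaches the token endpoint.
    No customer password is involved at any point."""
    got, want = urlparse(callback_url), urlparse(REDIRECT_URI)
    # Exact match on scheme, host and path; the authorization server should
    # enforce the same exact match against its registered URI.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback arrived on an unregistered redirect URI")
    qs = parse_qs(got.query)
    if "error" in qs:
        raise ValueError(f"authorization denied: {qs['error'][0]}")
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, pending["state"]):
        raise ValueError("state mismatch (possible CSRF or replayed callback)")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the value used in the authorize request
        "client_id": CLIENT_ID,
        "code_verifier": pending["verifier"],
    }


def callback_is_valid(callback_url: str, pending: dict) -> bool:
    """Convenience predicate: True if handle_callback accepts the URL."""
    try:
        handle_callback(callback_url, pending)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    url, pending = start_authorization("read:data")
    print("redirect user to:", url)
    # Constructed sample callbacks: one genuine, one on an attacker-controlled host.
    good = f"{REDIRECT_URI}?code=abc123&state={pending['state']}"
    bad = f"https://evil.example.net/oauth/callback?code=abc123&state={pending['state']}"
    print("genuine callback accepted:", callback_is_valid(good, pending))
    print("foreign-host callback accepted:", callback_is_valid(bad, pending))
```

The exact redirect-URI comparison in `handle_callback` is the client-side half of the control; the authorization server must reject any `redirect_uri` that is not byte-for-byte the registered one, otherwise an attacker who can influence the redirect can have the code delivered to a host they control.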

Third parties & data lifecycle

Where we use vendors to operate the Services (for example hosting, monitoring, secure network access, and secrets management), they are contractually bound as subprocessors under data protection terms. Backups, archiving, and restore services are not included unless expressly purchased in an Order Form. Customers can request export or deletion of their data, subject to applicable legal retention requirements.