Compliance & Certifications

Cascade AI is committed to meeting the highest standards of data protection, privacy, and security compliance to ensure your business stays compliant and your data stays safe.

Last updated: January 12, 2025

SOC 2 Type II

Annual independent audit and attestation report

GDPR

European data protection regulation

CCPA

California privacy compliance

ISO 27001

Information security (in progress)

SOC 2 Type II Attestation

Cascade AI has completed a SOC 2 Type II audit. The resulting attestation report, issued by an independent auditor, covers both the design and the operating effectiveness of our controls for the security, availability, processing integrity, confidentiality, and privacy of customer data.

Trust Service Criteria

  • Security: Protection against unauthorized access (physical and logical)
  • Availability: System is available for operation and use as committed
  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized
  • Confidentiality: Information designated as confidential is protected
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of in accordance with commitments

Annual Audit Process

Our SOC 2 Type II audit is performed annually by an independent third-party auditor:

  • Comprehensive evaluation of our security controls over a 12-month period
  • Testing of control effectiveness and operational procedures
  • Review of security policies, infrastructure, and development practices
  • Verification of incident response and business continuity plans

Request SOC 2 Report: Enterprise customers can request our latest SOC 2 Type II report by contacting compliance@cascade.ai

GDPR Compliance

We comply with the General Data Protection Regulation (GDPR), the European Union's data protection law, which governs the processing of personal data of individuals in the European Union and the European Economic Area.

Data Subject Rights

We support the GDPR data subject rights listed below. Where we act as a data processor, we assist our customers (the data controllers) in fulfilling these requests for the data we process on their behalf:

  • Right to Access: Individuals can request access to their personal data
  • Right to Rectification: Users can correct inaccurate or incomplete data
  • Right to Erasure: "Right to be forgotten" - data deletion upon request
  • Right to Data Portability: Export data in a machine-readable format
  • Right to Object: Object to processing of personal data
  • Right to Restrict Processing: Request limitation of data processing

GDPR Compliance Measures

  • Data Processing Agreements (DPAs) available for all customers
  • Standard Contractual Clauses (SCCs) for international data transfers
  • Privacy by Design and Default principles embedded in our platform
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Appointed Data Protection Officer (DPO) for GDPR matters
  • Breach notification procedures: as a processor we notify affected customers of a personal data breach without undue delay, so that they can meet the 72-hour deadline for notifying their supervisory authority

Data Processing

As a data processor, we only process customer data according to documented instructions from our customers (data controllers). We maintain appropriate technical and organizational measures to ensure data protection.

GDPR Resources:

  • Data Processing Agreement (DPA): Available in dashboard settings
  • Exercise data rights: privacy@cascade.ai
  • DPO Contact: dpo@cascade.ai

CCPA Compliance

We comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), providing California residents with enhanced privacy rights and transparency.

California Consumer Rights

  • Right to Know: Request disclosure of personal information collected
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of sale or sharing of personal information
  • Right to Correct: Request correction of inaccurate information
  • Right to Limit: Limit use and disclosure of sensitive personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices

Our CCPA Commitments

  • We do not sell personal information
  • We do not share personal information for cross-context behavioral advertising
  • We respond to verified consumer requests within 45 days
  • We provide notice at collection of personal information categories and purposes
  • We maintain reasonable security procedures and practices

ISO 27001 (In Progress)

We are actively pursuing ISO 27001 certification, the international standard for information security management systems (ISMS). Expected completion: Q2 2025.

ISO 27001 Framework

Our implementation includes:

  • Comprehensive risk assessment and treatment methodology
  • Information security policies and procedures
  • Asset management and classification
  • Access control and identity management
  • Cryptography and encryption standards
  • Incident management and business continuity
  • Compliance monitoring and continuous improvement

Industry-Specific Compliance

HIPAA (Healthcare)

For healthcare customers handling Protected Health Information (PHI):

  • Business Associate Agreements (BAAs) available for eligible customers
  • HIPAA-compliant infrastructure and security controls
  • Encrypted data storage and transmission
  • Audit logging and access controls
  • Training on HIPAA requirements for relevant staff

PCI DSS (Payment Card Data)

We do not process, store, or transmit payment card data ourselves. Payment processing is handled by Stripe, a PCI DSS Level 1 service provider, so cardholder data never enters our environment and our own PCI DSS scope is kept to a minimum.

Data Residency and Localization

We offer flexible data residency options to meet regional compliance requirements:

Available Regions

  • United States (US East, US West)
  • European Union (Frankfurt, Ireland)
  • Asia Pacific (Singapore, Tokyo)
  • United Kingdom (London)

Data Transfer Safeguards

  • Standard Contractual Clauses (SCCs)
  • EU-US Data Privacy Framework
  • UK Adequacy Decisions
  • Binding Corporate Rules (BCRs)

Enterprise customers can specify their preferred data region and restrict data processing to specific geographic locations.

Third-Party Vendor Management

We maintain a rigorous vendor security and compliance program:

  • Due diligence assessments for all vendors with access to customer data
  • Vendor security questionnaires and compliance verification
  • Data Processing Agreements (DPAs) with all data sub-processors
  • Regular vendor security reviews and audits
  • Documented vendor inventory and risk assessments

Key Sub-Processors

  • Cloud Infrastructure: AWS, Google Cloud Platform
  • Payment Processing: Stripe
  • Email Services: SendGrid
  • Analytics: Google Analytics (anonymized)
  • Support: Intercom

Full sub-processor list available upon request at compliance@cascade.ai

Compliance Resources

Available Documentation

  • SOC 2 Type II Report (enterprise customers)
  • Data Processing Agreement (DPA)
  • Standard Contractual Clauses (SCCs)
  • Business Associate Agreement (BAA)
  • Security White Paper
  • Privacy Policy and Cookie Policy

Compliance Tools

  • Self-service DPA signing in dashboard
  • Data export and portability tools
  • Data deletion request form
  • Audit log access for compliance teams
  • Security questionnaire responses
  • Vendor risk assessment reports

Our Ongoing Commitment

Compliance is not a one-time achievement but an ongoing commitment. We continuously:

  • Monitor regulatory changes and update our practices accordingly
  • Conduct regular internal audits and assessments
  • Provide compliance training for all employees
  • Engage with external auditors and security experts
  • Maintain transparency with our customers about compliance status
  • Invest in tools and processes to enhance compliance posture

Compliance Questions?

Our compliance team is available to answer questions and provide documentation:

Compliance Team: compliance@cascade.ai

Data Protection Officer: dpo@cascade.ai

Security Team: security@cascade.ai

Enterprise Sales: enterprise@cascade.ai