Effective: February 7, 2022
Your Stuff & Your Permissions
When you use our Services, you provide us with things like your files, content, messages, contacts, and so on ("Your Stuff"). Your Stuff is yours. These Terms don’t give us any rights to Your Stuff except for the limited rights that enable us to offer the Services.
We need your permission to do things like hosting Your Stuff, backing it up, and sharing it when you ask us to. Our Services also provide you with features like eSign, file sharing, email newsletters, appointment setting and more. These and other features may require our systems to access, store, and scan Your Stuff. You give us permission to do those things, and this permission extends to our affiliates and trusted third parties we work with.
Sharing Your Stuff
Our Services let you share Your Stuff with others, so please think carefully about what you share.
You’re responsible for your conduct. Your Stuff and you must comply with applicable laws. Content in the Services may be protected by others’ intellectual property rights. Please don’t copy, upload, download, or share content unless you have the right to do so. We may review your conduct and content for compliance with these Terms. With that said, we have no obligation to do so. We aren’t responsible for the content people post and share via the Services.
Help us keep you informed and Your Stuff protected. Safeguard your password to the Services, and keep your account information current. Don’t share your account credentials or give others access to your account.
You may use our Services only as permitted by applicable law, including export control laws and regulations. Finally, to use our Services, you must be at least 13, or in some cases, even older. If you live in France, Germany, or the Netherlands, you must be at least 16. Please check your local law for the age of digital consent. If you don’t meet these age requirements, you may not use the Services.
Some of our Services allow you to download client software (“Software”) which may update automatically. So long as you comply with these Terms, we give you a limited, nonexclusive, nontransferable, revocable license to use the Software, solely to access the Services. To the extent any component of the Software may be offered under an open source license, we’ll make that license available to you and the provisions of that license may expressly override some of these Terms. Unless the following restrictions are prohibited by law, you agree not to reverse engineer or decompile the Services, attempt to do so, or assist anyone in doing so.
We sometimes release products and features that we are still testing and evaluating. Those Services have been marked beta, preview, early access, or evaluation (or with words or phrases with similar meanings) and may not be as reliable as other non-beta services, so please keep that in mind.
The Services are protected by copyright, trademark, and other US and foreign laws. These Terms don’t grant you any right, title, or interest in the Services, others’ content in the Services, CountingWorks and our trademarks, logos and other brand features. We welcome feedback, but note that we may use comments or suggestions without any obligation to you.
We respect the intellectual property of others and ask that you do too. We respond to notices of alleged copyright infringement if they comply with the law, and such notices should be reported to legal@CountingWorks.com. We reserve the right to delete or disable content alleged to be infringing and terminate accounts of repeat infringers. Our designated agent for notice of alleged copyright infringement on the Services is:
You’re free to stop using our Services at any time. We reserve the right to suspend or terminate your access to the Services with notice to you if:
We won’t provide notice before termination where:
Discontinuation of Services
We may decide to discontinue the Services in response to unforeseen circumstances beyond CountingWorks control or to comply with a legal requirement. If we do so, we’ll give you reasonable prior notice so that you can export Your Stuff from our systems.
Services “AS IS”
We strive to provide great Services, but there are certain things that we can't guarantee. TO THE FULLEST EXTENT PERMITTED BY LAW, CountingWorks AND ITS AFFILIATES, SUPPLIERS AND DISTRIBUTORS MAKE NO WARRANTIES, EITHER EXPRESS OR IMPLIED, ABOUT THE SERVICES. THE SERVICES ARE PROVIDED "AS IS." WE ALSO DISCLAIM ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. Some places don’t allow the disclaimers in this paragraph, so they may not apply to you.
Limitation of Liability
WE DON’T EXCLUDE OR LIMIT OUR LIABILITY TO YOU WHERE IT WOULD BE ILLEGAL TO DO SO—THIS INCLUDES ANY LIABILITY FOR CountingWorks OR ITS AFFILIATES’ FRAUD OR FRAUDULENT MISREPRESENTATION IN PROVIDING THE SERVICES. IN COUNTRIES WHERE THE FOLLOWING TYPES OF EXCLUSIONS AREN’T ALLOWED, WE'RE RESPONSIBLE TO YOU ONLY FOR LOSSES AND DAMAGES THAT ARE A REASONABLY FORESEEABLE RESULT OF OUR FAILURE TO USE REASONABLE CARE AND SKILL OR OUR BREACH OF OUR CONTRACT WITH YOU. THIS PARAGRAPH DOESN’T AFFECT CONSUMER RIGHTS THAT CAN'T BE WAIVED OR LIMITED BY ANY CONTRACT OR AGREEMENT.
IN COUNTRIES WHERE EXCLUSIONS OR LIMITATIONS OF LIABILITY ARE ALLOWED, CountingWorks, ITS AFFILIATES, SUPPLIERS OR DISTRIBUTORS WON’T BE LIABLE FOR:
THESE EXCLUSIONS OR LIMITATIONS WILL APPLY REGARDLESS OF WHETHER OR NOT CountingWorks OR ANY OF ITS AFFILIATES HAS BEEN WARNED OF THE POSSIBILITY OF SUCH DAMAGES.
IF YOU USE THE SERVICES FOR ANY COMMERCIAL, BUSINESS, OR RE-SALE PURPOSE, CountingWorks, ITS AFFILIATES, SUPPLIERS OR DISTRIBUTORS WILL HAVE NO LIABILITY TO YOU FOR ANY LOSS OF PROFIT, LOSS OF BUSINESS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS OPPORTUNITY. CountingWorks AND ITS AFFILIATES AREN’T RESPONSIBLE FOR THE CONDUCT, WHETHER ONLINE OR OFFLINE, OF ANY USER OF THE SERVICES.
Let’s Try To Sort Things Out First. We want to address your concerns without needing a formal legal case. Before filing a claim against CountingWorks or our affiliates, you agree to try to resolve the dispute informally by contacting legal@CountingWorks.com. We’ll try to resolve the dispute informally by contacting you via email.
Judicial forum for disputes. You and CountingWorks agree that any judicial proceeding to resolve claims relating to these Terms or the Services will be brought in the federal or state courts of Orange County, California, subject to the mandatory arbitration provisions below. Both you and CountingWorks consent to venue and personal jurisdiction in such courts. If you reside in a country (for example, European Union member states) with laws that give consumers the right to bring disputes in their local courts, this paragraph doesn’t affect those requirements.
IF YOU’RE A U.S. RESIDENT, YOU ALSO AGREE TO THE FOLLOWING MANDATORY ARBITRATION PROVISIONS:
These Terms will be governed by California law except for its conflicts of laws principles. However, some countries (including those in the European Union) have laws that require agreements to be governed by the local laws of the consumer's country. This paragraph doesn’t override those laws.
These Terms constitute the entire agreement between you and CountingWorks with respect to the subject matter of these Terms, and supersede and replace any other prior or contemporaneous agreements, or terms and conditions applicable to the subject matter of these Terms. These Terms create no third party beneficiary rights.
Waiver, Severability & Assignment
CountingWorks failure to enforce a provision is not a waiver of its right to do so later. If a provision is found unenforceable, the remaining provisions of the Terms will remain in full effect and an enforceable term will be substituted reflecting our intent as closely as possible. You may not assign any of your rights under these Terms, and any such attempt will be void. CountingWorks may assign its rights to any of its affiliates or subsidiaries, or to any successor in interest of any business associated with the Services.
We may revise these Terms from time to time to better reflect:
If an update affects your use of the Services or your legal rights as a user of our Services, we’ll notify you prior to the update's effective date by sending an email to the email address associated with your account or via an in-product notification. These updated terms will be effective no less than 30 days from when we notify you.
If you don’t agree to the updates we make, please cancel your account before they become effective. By continuing to use or access the Services after the updates come into effect, you agree to be bound by the revised Terms.
Effective: February 7, 2022
Thanks for visiting our website. Our mission is to create a web based experience that makes it easier for us to work together. Here we describe how we collect, use, and handle your personal information when you use our websites, software, and services (“Services”).
What & Why
We collect and use the following information to provide, improve, and protect our Services:
Account information. We collect, and associate with your account, the information you provide to us when you do things such as sign up for your account, opt-in to our client newsletter or request an appointment (like your name, email address, phone number, and physical address). Some of our Services let you access your accounts and your information via other service providers.
Your Stuff. Our Services are designed to make it simple for you to store your files, documents, comments, messages, and so on (“Your Stuff”), collaborate with others, and work across multiple devices. To make that possible, we store, process, and transmit Your Stuff as well as information related to it. This related information includes your profile information that makes it easier to collaborate and share Your Stuff with others, as well as things like the size of the file, the time it was uploaded, collaborators, and usage activity. Our Services provide you with different options for sharing Your Stuff.
Contacts. You may choose to give us access to your contacts (spouse or other company staff) to make it easy for you to do things like share and collaborate on Your Stuff, send messages, and invite others to use the Services. If you do, we’ll store those contacts on our servers for you to use.
Usage information. We collect information related to how you use the Services, including actions you take in your account (like sharing, viewing, and moving files or folders). We use this information to improve our Services, develop new services and features, and protect our users.
Cookies and other technologies. We use technologies like cookies to provide, improve, protect, and promote our Services. For example, cookies help us with things like remembering your username for your next visit, understanding how you are interacting with our Services, and improving them based on that information. You can set your browser to not accept cookies, but this may limit your ability to use the Services.
Marketing. We give users the option to use some of our Services free of charge. These free Services are made possible by the fact that some users upgrade to one of our paid Services. If you register for our free Services, we will, from time to time, send you information about the firm or tax and accounting tips when permissible. Users who receive these marketing materials can opt out at any time. If you do not want to receive marketing materials from us, simply click the ‘unsubscribe’ link in any email.
We sometimes contact people who do not have an account. For recipients in the EU, we or a third party will obtain consent before contacting you. If you receive an email and no longer wish to be contacted by us, you can unsubscribe and remove yourself from our contact list via the message itself.
Bases for processing your data. We collect and use the personal data described above in order to provide you with the Services in a reliable and secure manner. We also collect and use personal data for our legitimate business needs. To the extent we process your personal data for other purposes, we ask for your consent in advance or require that our partners obtain such consent.
We may share information as discussed below, but we won’t sell it to advertisers or other third parties.
Other users. Our Services display information like your name, profile picture, device, and email address to other users in places like your user profile and sharing notifications. You can also share Your Stuff with other users if you choose. When you register your account with an email address on a domain owned by your employer or organization, we may help collaborators and administrators find you and your team by making some of your basic information—like your name, team name, profile picture, and email address—visible to other users on the same domain. This helps you sync up with teams you can join and helps other users share files and folders with you. Certain features let you make additional information available to others.
Team Admins. If you are a user of a team, your administrator may have the ability to access and control your team account. Please refer to your organization’s internal policies if you have questions about this. If you are not a team user but interact with a team user (by, for example, joining a shared folder or accessing stuff shared by that user), members of that organization may be able to view the name, email address, profile picture, and IP address that was associated with your account at the time of that interaction.
Law & Order and the Public Interest. We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to: (a) comply with any applicable law, regulation, legal process, or appropriate government request; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of our platform or our users; (d) protect our rights, property, safety, or interest; or (e) perform a task carried out in the public interest.
Stewardship of your data is critical to us and a responsibility that we embrace. We believe that your data should receive the same legal protections regardless of whether it’s stored on our Services or on your home computer’s hard drive. We’ll abide by Government Request Policies when receiving, scrutinizing, and responding to government requests (including national security requests) for your data:
Security. We have a team dedicated to keeping your information secure and testing for vulnerabilities. We also continue to work on features to keep your information safe in addition to things like blocking repeated login attempts, encryption of files at rest, and alerts when new devices and apps are linked to your account. We deploy automated technologies to detect abusive behavior and content that may harm our Services, you, or other users.
User Controls. You can access, amend, download, and delete your personal information by logging into your account.
Retention. When you sign up for an account with us, we’ll retain information you store on our Services for as long as your account is in existence or as long as we need it to provide you the Services. If you delete your account, we will initiate deletion of this information after 30 days. But please note: (1) there might be some latency in deleting this information from our servers and back-up storage; and (2) we may retain this information if necessary to comply with our legal obligations, resolve disputes, or enforce our agreements.
Around the world. To provide you with the Services, we may store, process, and transmit information in the United States and locations around the world—including those outside your country. Information may also be stored locally on the devices you use to access the Services.
EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. When transferring data from the European Union, the European Economic Area, and Switzerland, We rely upon a variety of legal mechanisms, including contracts with our customers and affiliates. We comply with the EU-U.S. and Swiss–U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the European Economic Area, and Switzerland to the United States.
We are subject to oversight by the U.S. Federal Trade Commission. JAMS is the US-based independent organization responsible for reviewing and resolving complaints about our Privacy Shield compliance—free of charge to you. We ask that you first submit any such complaints directly to us via privacy@CountingWorks.com. If you aren’t satisfied with our response, please contact JAMS at https://www.jamsadr.com/eu-us-privacy-shield. In the event your concern still isn’t addressed by JAMS, you may be entitled to a binding arbitration under Privacy Shield and its principles.
If we are involved in a reorganization, merger, acquisition, or sale of our assets, your information may be transferred as part of that deal.
Your Right to Control and Access Your Information
You have control over your personal information and how it is collected, used, and shared. For example, you have a right to:
Your personal information is controlled by CountingWorks, Inc. Have questions or concerns about CountingWorks, our Services, and privacy? Contact our Data Protection Officer at privacy@CountingWorks.com. If they can’t answer your question, you have the right to contact your local data protection supervisory authority.
Third Party Vendors
Amazon Web Services
Updated: June 2020.
strives to ensure that its services are accessible to people with disabilities. has invested a significant amount of resources to help ensure that its website is made easier to use and more accessible for people with disabilities, with the strong belief that every person has the right to live with dignity, equality, comfort and independence.
makes available the UserWay Website Accessibility Widget that is powered by a dedicated accessibility server. The software allows us to improve its compliance with the Web Content Accessibility Guidelines (WCAG 2.1).
Enabling the Accessibility Menu
The accessibility menu can be enabled either by hitting the tab key when the page first loads or by clicking the accessibility menu icon that appears on the corner of the page. After triggering the accessibility menu, please wait a moment for the accessibility menu to load in its entirety.
continues its efforts to constantly improve the accessibility of its site and services in the belief that it is our collective moral obligation to allow seamless, accessible and unhindered use also for those of us with disabilities.
In an ongoing effort to continually improve and remediate accessibility issues, we also regularly scan with UserWay's Accessibility Scanner to identify and fix every possible accessibility barrier on our site. Despite our efforts to make all pages and content on fully accessible, some content may not have yet been fully adapted to the strictest accessibility standards. This may be a result of not having found or identified the most appropriate technological solution.
Here For You
If you are experiencing difficulty with any content on or require assistance with any part of our site, please contact us during normal business hours as detailed below and we will be happy to assist.
If you wish to report an accessibility issue, have any questions or need assistance, please contact customer support.
We keep you up-to-date on the latest tax changes and news in the industry.
Whether we are dealing with Service Organization Controls (SOC) 1 audit or talking about Service Organization Controls (SOC) 2 audit, the operating effectiveness of controls is of paramount importance. Not only for passing an audit (in a type 2 audit), but more importantly for benefiting from the existence of those controls. SOC 1 audit focuses on the controls at a Service Organization relevant to User Entities’ Internal Control Over Financial Reporting, while SOC 2 audit centers on the controls at a Service Organization relevant to security, availability, and processing integrity of the systems the Service Organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
Both SOC 1 and SOC 2 have type 1 and type 2 reports. In a SOC 1 type 1 report, the focus is on the fair presentation of a Service Organization’s description of its system and the suitability of the design of controls to achieve the related control objectives included in the description. SOC 1 type 2 report takes it a little further by reporting not only on the fair presentation of the Service Organization’s description of its system and the suitability of the design of controls, but also on the operating effectiveness of those controls. Similarly, in a SOC 2 type 1 audit, the focus is on the fair presentation of a Service Organization’s description of its system and the suitability of the design of controls. SOC 2 type 2 examines the fair presentation of system description, suitability of design of controls, and the operating effectiveness of those controls to meet the relevant trust services criteria.
For control (s) to achieve the desired purpose(s), a few things must happen:
The control (s) must be adequate for the purpose
The control (s) must be suitably designed and implemented (put into operation)
The control (s) must be operated properly as intended
Relationships between adequacy, suitability of design, and operating effectiveness of controls
The three are intertwined. Let us consider each of these in turn.
Adequacy of controls simply means that the control(s) address all the relevant risks inherent in a particular process, function, or system in the given environment. While there are situations where a single control may be sufficient to take care of a risk, in many cases, a combination of controls is necessary to achieve the desired purpose.
For example, consider the controls for physically protecting a data center from unauthorized access. You would need to have a combination of controls, including perimeter security measures such as fence, secured gate(s), security guards, surveillance cameras, etc. Further, you would need to have physical control measures such as doors, locks, cameras, etc. within the facility to limit and monitor access of people to specific areas. If any of those control measures that are necessary in the environment is missing, and without a compensating control, the controls for protecting the data center would not be seen as adequate.
To ensure adequacy of control(s) therefore, all relevant risks in the situation and environment must be considered and addressed by appropriate control measures. This explains why it is not sufficient for an organization preparing for an audit to only rely on generic control templates in a SaaS solution to design and implement its controls in readiness for audit. A thorough risk assessment needs to be done to identify relevant risks in the organization process, system, and unique environment to ensure that controls are specifically customized to address relevant risks.
Suitability of Design
A control is suitability designed if, when operated as intended individually or in combination with other controls, it will achieve the desired or intended purpose (i.e., achieve the control objective(s) or applicable trust service criteria, in the case of SOC 2 audit). You can see the link between adequacy and designing appropriate control(s) to mitigate applicable risks. Suitability of design also includes appropriate implementation of the designed control for the controls to operate as intended. The two elements of adequacy and suitability of design are intertwined and must be present in the control(s) before you can expect a valid operating effectiveness.
Operating effectiveness of control simply means that the control has been applied or operated consistently, either manually by competent personnel or automatically by a system, to provide a reasonably assurance that the control objective(s) (or the applicable trust services criteria) have been achieved. Again, you can see the connections between adequacy, suitability of design, and operating effectiveness. If a control is not adequate and suitably designed it would not achieve the desired objective, even if it was properly operated or applied.
In preparing for your type 2 of SOC 1 or 2 audit, it is of utmost importance that you have a reliable and efficient system of tracking and keeping records of the operations of your controls to enable you prove to the auditor the operating effectiveness of those controls over the scope period. Such records also serve as ingredient for reporting to senior management the progress and success of cybersecurity and compliance efforts. They can also become important source of defense before investigators and regulators in the unpleasant situation of any breach.
A lot of resources are often spent on designing, implementing, and operating security controls. The returns on such investments are realized only when the controls operated effectively and achieved the desired objectives (either by preventing bad things from happening or facilitating the achievement of some other good goals). Such good goals include passing your SOC 1 or 2 audit, giving confidence to your stakeholders concerning your systems.
Please contact us at CAS Assurance LLC to leverage the expertise of our team if your organization needs professional assistance in preparing for or performing your SOC 1, SOC 2, or SOC 2 + CSA STAR audit.
Each month, we will send you a roundup of our latest blog content covering the tax and accounting tips & insights you need to know.