Back to Legal

Security Addendum

Last updated: December 20, 2025

This Security Addendum (“Security Addendum”) forms part of the Platform Agreement and applies to the Processing of Customer Data by Caeli in connection with the Services.

All capitalized terms not defined in this Security Addendum have the meanings set forth in the Platform Agreement or the Data Processing Addendum.


1. INFORMATION SECURITY PROGRAM

Caeli maintains a written information security program designed to protect the confidentiality, integrity, and availability of Customer Data.

Caeli’s security program is designed to align with generally recognized industry security principles and frameworks, such as SOC 2 Trust Services Criteria and ISO/IEC 27001, taking into account the nature of the Services, the sensitivity of Customer Data, and the size and risk profile of Caeli’s operations.

Nothing in this Security Addendum shall be construed as a representation that Caeli has obtained any specific security certification unless expressly stated in writing.


2. ORGANIZATIONAL SAFEGUARDS

Caeli implements organizational safeguards designed to support secure operations, including:

  • defined internal security policies and procedures;
  • role-based access management and least-privilege principles;
  • personnel onboarding and offboarding controls;
  • confidentiality obligations for personnel with access to Customer Data; and
  • security awareness and training appropriate to personnel roles.

3. TECHNICAL SAFEGUARDS

Caeli implements technical measures designed to protect Customer Data, which may include, as appropriate:

  • encryption of Customer Data in transit using industry-standard protocols;
  • encryption of Customer Data at rest where appropriate;
  • logical separation of Customer Data;
  • authentication and access controls for systems and services;
  • monitoring and logging of system activity; and
  • secure development and deployment practices.

4. OPERATIONAL AND PHYSICAL SAFEGUARDS

Caeli implements operational and physical safeguards designed to protect systems and infrastructure, including:

  • use of reputable cloud infrastructure providers with robust physical security controls;
  • change management practices for production systems;
  • vulnerability management and remediation practices; and
  • backup and recovery procedures designed to support system availability.

5. INCIDENT RESPONSE AND NOTIFICATION

Caeli maintains incident response procedures designed to identify, respond to, and mitigate security incidents involving Customer Data.

In the event of a confirmed Security Incident (as defined in the Data Processing Addendum), Caeli shall notify Customer without undue delay and cooperate with Customer’s reasonable requests for information, in accordance with the Data Processing Addendum.


6. SUBPROCESSOR SECURITY

Caeli requires Subprocessors that process Customer Data to implement security measures designed to protect such data and to enter into written agreements imposing data protection and confidentiality obligations consistent with this Security Addendum and the Data Processing Addendum.

A current list of Subprocessors is available at the Subprocessor List.


7. ASSESSMENTS AND CONTINUOUS IMPROVEMENT

Caeli regularly reviews and evaluates its security practices and may update its controls as its business, Services, and risk profile evolve.

Caeli may pursue independent audits, assessments, or certifications as part of its ongoing security program, but makes no commitment to obtain or maintain any specific certification unless otherwise agreed in writing.


8. CUSTOMER RESPONSIBILITIES

Customer is responsible for:

  • configuring the Services in a secure manner;
  • managing Authorized User access credentials;
  • implementing appropriate internal security practices; and
  • ensuring that its use of the Services complies with applicable law and the Platform Agreement.

9. LIMITATION OF LIABILITY

This Security Addendum is subject to the limitations of liability set forth in the Platform Agreement.


10. ORDER OF PRECEDENCE

In the event of a conflict between this Security Addendum and the Platform Agreement or the Data Processing Addendum, this Security Addendum shall control with respect to information security matters.