Effective: February 7, 2022
Your Stuff & Your Permissions
When you use our Services, you provide us with things like your files, content, messages, contacts, and so on ("Your Stuff"). Your Stuff is yours. These Terms don’t give us any rights to Your Stuff except for the limited rights that enable us to offer the Services.
We need your permission to do things like hosting Your Stuff, backing it up, and sharing it when you ask us to. Our Services also provide you with features like eSign, file sharing, email newsletters, appointment setting and more. These and other features may require our systems to access, store, and scan Your Stuff. You give us permission to do those things, and this permission extends to our affiliates and trusted third parties we work with.
Sharing Your Stuff
Our Services let you share Your Stuff with others, so please think carefully about what you share.
You’re responsible for your conduct. Your Stuff and you must comply with applicable laws. Content in the Services may be protected by others’ intellectual property rights. Please don’t copy, upload, download, or share content unless you have the right to do so. We may review your conduct and content for compliance with these Terms. With that said, we have no obligation to do so. We aren’t responsible for the content people post and share via the Services.
Help us keep you informed and Your Stuff protected. Safeguard your password to the Services, and keep your account information current. Don’t share your account credentials or give others access to your account.
You may use our Services only as permitted by applicable law, including export control laws and regulations. Finally, to use our Services, you must be at least 13, or in some cases, even older. If you live in France, Germany, or the Netherlands, you must be at least 16. Please check your local law for the age of digital consent. If you don’t meet these age requirements, you may not use the Services.
Some of our Services allow you to download client software (“Software”) which may update automatically. So long as you comply with these Terms, we give you a limited, nonexclusive, nontransferable, revocable license to use the Software, solely to access the Services. To the extent any component of the Software may be offered under an open source license, we’ll make that license available to you and the provisions of that license may expressly override some of these Terms. Unless the following restrictions are prohibited by law, you agree not to reverse engineer or decompile the Services, attempt to do so, or assist anyone in doing so.
We sometimes release products and features that we are still testing and evaluating. Those Services have been marked beta, preview, early access, or evaluation (or with words or phrases with similar meanings) and may not be as reliable as other non-beta services, so please keep that in mind.
The Services are protected by copyright, trademark, and other US and foreign laws. These Terms don’t grant you any right, title, or interest in the Services, others’ content in the Services, CountingWorks and our trademarks, logos and other brand features. We welcome feedback, but note that we may use comments or suggestions without any obligation to you.
We respect the intellectual property of others and ask that you do too. We respond to notices of alleged copyright infringement if they comply with the law, and such notices should be reported to legal@CountingWorks.com. We reserve the right to delete or disable content alleged to be infringing and terminate accounts of repeat infringers. Our designated agent for notice of alleged copyright infringement on the Services is:
You’re free to stop using our Services at any time. We reserve the right to suspend or terminate your access to the Services with notice to you if:
We won’t provide notice before termination where:
Discontinuation of Services
We may decide to discontinue the Services in response to unforeseen circumstances beyond CountingWorks’ control or to comply with a legal requirement. If we do so, we’ll give you reasonable prior notice so that you can export Your Stuff from our systems.
Services “AS IS”
We strive to provide great Services, but there are certain things that we can't guarantee. TO THE FULLEST EXTENT PERMITTED BY LAW, CountingWorks AND ITS AFFILIATES, SUPPLIERS AND DISTRIBUTORS MAKE NO WARRANTIES, EITHER EXPRESS OR IMPLIED, ABOUT THE SERVICES. THE SERVICES ARE PROVIDED "AS IS." WE ALSO DISCLAIM ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. Some places don’t allow the disclaimers in this paragraph, so they may not apply to you.
Limitation of Liability
WE DON’T EXCLUDE OR LIMIT OUR LIABILITY TO YOU WHERE IT WOULD BE ILLEGAL TO DO SO—THIS INCLUDES ANY LIABILITY FOR CountingWorks OR ITS AFFILIATES’ FRAUD OR FRAUDULENT MISREPRESENTATION IN PROVIDING THE SERVICES. IN COUNTRIES WHERE THE FOLLOWING TYPES OF EXCLUSIONS AREN’T ALLOWED, WE'RE RESPONSIBLE TO YOU ONLY FOR LOSSES AND DAMAGES THAT ARE A REASONABLY FORESEEABLE RESULT OF OUR FAILURE TO USE REASONABLE CARE AND SKILL OR OUR BREACH OF OUR CONTRACT WITH YOU. THIS PARAGRAPH DOESN’T AFFECT CONSUMER RIGHTS THAT CAN'T BE WAIVED OR LIMITED BY ANY CONTRACT OR AGREEMENT.
IN COUNTRIES WHERE EXCLUSIONS OR LIMITATIONS OF LIABILITY ARE ALLOWED, CountingWorks, ITS AFFILIATES, SUPPLIERS OR DISTRIBUTORS WON’T BE LIABLE FOR:
THESE EXCLUSIONS OR LIMITATIONS WILL APPLY REGARDLESS OF WHETHER OR NOT CountingWorks OR ANY OF ITS AFFILIATES HAS BEEN WARNED OF THE POSSIBILITY OF SUCH DAMAGES.
IF YOU USE THE SERVICES FOR ANY COMMERCIAL, BUSINESS, OR RE-SALE PURPOSE, CountingWorks, ITS AFFILIATES, SUPPLIERS OR DISTRIBUTORS WILL HAVE NO LIABILITY TO YOU FOR ANY LOSS OF PROFIT, LOSS OF BUSINESS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS OPPORTUNITY. CountingWorks AND ITS AFFILIATES AREN’T RESPONSIBLE FOR THE CONDUCT, WHETHER ONLINE OR OFFLINE, OF ANY USER OF THE SERVICES.
Let’s Try To Sort Things Out First. We want to address your concerns without needing a formal legal case. Before filing a claim against CountingWorks or our affiliates, you agree to try to resolve the dispute informally by contacting legal@CountingWorks.com. We’ll try to resolve the dispute informally by contacting you via email.
Judicial forum for disputes. You and CountingWorks agree that any judicial proceeding to resolve claims relating to these Terms or the Services will be brought in the federal or state courts of Orange County, California, subject to the mandatory arbitration provisions below. Both you and CountingWorks consent to venue and personal jurisdiction in such courts. If you reside in a country (for example, European Union member states) with laws that give consumers the right to bring disputes in their local courts, this paragraph doesn’t affect those requirements.
IF YOU’RE A U.S. RESIDENT, YOU ALSO AGREE TO THE FOLLOWING MANDATORY ARBITRATION PROVISIONS:
These Terms will be governed by California law except for its conflicts of laws principles. However, some countries (including those in the European Union) have laws that require agreements to be governed by the local laws of the consumer's country. This paragraph doesn’t override those laws.
These Terms constitute the entire agreement between you and CountingWorks with respect to the subject matter of these Terms, and supersede and replace any other prior or contemporaneous agreements, or terms and conditions applicable to the subject matter of these Terms. These Terms create no third party beneficiary rights.
Waiver, Severability & Assignment
CountingWorks’ failure to enforce a provision is not a waiver of its right to do so later. If a provision is found unenforceable, the remaining provisions of the Terms will remain in full effect and an enforceable term will be substituted reflecting our intent as closely as possible. You may not assign any of your rights under these Terms, and any such attempt will be void. CountingWorks may assign its rights to any of its affiliates or subsidiaries, or to any successor in interest of any business associated with the Services.
We may revise these Terms from time to time to better reflect:
If an update affects your use of the Services or your legal rights as a user of our Services, we’ll notify you prior to the update's effective date by sending an email to the email address associated with your account or via an in-product notification. These updated terms will be effective no less than 30 days from when we notify you.
If you don’t agree to the updates we make, please cancel your account before they become effective. By continuing to use or access the Services after the updates come into effect, you agree to be bound by the revised Terms.
Effective: February 7, 2022
Thanks for visiting our website. Our mission is to create a web based experience that makes it easier for us to work together. Here we describe how we collect, use, and handle your personal information when you use our websites, software, and services (“Services”).
What & Why
We collect and use the following information to provide, improve, and protect our Services:
Account information. We collect, and associate with your account, the information you provide to us when you do things such as sign up for your account, opt-in to our client newsletter or request an appointment (like your name, email address, phone number, and physical address). Some of our Services let you access your accounts and your information via other service providers.
Your Stuff. Our Services are designed to make it simple for you to store your files, documents, comments, messages, and so on (“Your Stuff”), collaborate with others, and work across multiple devices. To make that possible, we store, process, and transmit Your Stuff as well as information related to it. This related information includes your profile information that makes it easier to collaborate and share Your Stuff with others, as well as things like the size of the file, the time it was uploaded, collaborators, and usage activity. Our Services provide you with different options for sharing Your Stuff.
Contacts. You may choose to give us access to your contacts (spouse or other company staff) to make it easy for you to do things like share and collaborate on Your Stuff, send messages, and invite others to use the Services. If you do, we’ll store those contacts on our servers for you to use.
Usage information. We collect information related to how you use the Services, including actions you take in your account (like sharing, viewing, and moving files or folders). We use this information to improve our Services, develop new services and features, and protect our users.
Cookies and other technologies. We use technologies like cookies to provide, improve, protect, and promote our Services. For example, cookies help us with things like remembering your username for your next visit, understanding how you are interacting with our Services, and improving them based on that information. You can set your browser to not accept cookies, but this may limit your ability to use the Services.
Marketing. We give users the option to use some of our Services free of charge. These free Services are made possible by the fact that some users upgrade to one of our paid Services. If you register for our free Services, we will, from time to time, send you information about the firm or tax and accounting tips when permissible. Users who receive these marketing materials can opt out at any time. If you do not want to receive marketing materials from us, simply click the ‘unsubscribe’ link in any email.
We sometimes contact people who do not have an account. For recipients in the EU, we or a third party will obtain consent before contacting you. If you receive an email and no longer wish to be contacted by us, you can unsubscribe and remove yourself from our contact list via the message itself.
Bases for processing your data. We collect and use the personal data described above in order to provide you with the Services in a reliable and secure manner. We also collect and use personal data for our legitimate business needs. To the extent we process your personal data for other purposes, we ask for your consent in advance or require that our partners obtain such consent.
We may share information as discussed below, but we won’t sell it to advertisers or other third parties.
Other users. Our Services display information like your name, profile picture, device, and email address to other users in places like your user profile and sharing notifications. You can also share Your Stuff with other users if you choose. When you register your account with an email address on a domain owned by your employer or organization, we may help collaborators and administrators find you and your workspace by making some of your basic information—like your name, workspace name, profile picture, and email address—visible to other users on the same domain. This helps you sync up with workspaces you can join and helps other users share files and folders with you. Certain features let you make additional information available to others.
Workspace Admins. If you are a user of a workspace, your administrator may have the ability to access and control your workspace account. Please refer to your organization’s internal policies if you have questions about this. If you are not a workspace user but interact with a workspace user (by, for example, joining a shared folder or accessing stuff shared by that user), members of that organization may be able to view the name, email address, profile picture, and IP address that was associated with your account at the time of that interaction.
Law & Order and the Public Interest. We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to: (a) comply with any applicable law, regulation, legal process, or appropriate government request; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of our platform or our users; (d) protect our rights, property, safety, or interest; or (e) perform a task carried out in the public interest.
Stewardship of your data is critical to us and a responsibility that we embrace. We believe that your data should receive the same legal protections regardless of whether it’s stored on our Services or on your home computer’s hard drive. We’ll abide by Government Request Policies when receiving, scrutinizing, and responding to government requests (including national security requests) for your data:
Security. We have a team dedicated to keeping your information secure and testing for vulnerabilities. We also continue to work on features to keep your information safe in addition to things like blocking repeated login attempts, encryption of files at rest, and alerts when new devices and apps are linked to your account. We deploy automated technologies to detect abusive behavior and content that may harm our Services, you, or other users.
User Controls. You can access, amend, download, and delete your personal information by logging into your account.
Retention. When you sign up for an account with us, we’ll retain information you store on our Services for as long as your account is in existence or as long as we need it to provide you the Services. If you delete your account, we will initiate deletion of this information after 30 days. But please note: (1) there might be some latency in deleting this information from our servers and back-up storage; and (2) we may retain this information if necessary to comply with our legal obligations, resolve disputes, or enforce our agreements.
Around the world. To provide you with the Services, we may store, process, and transmit information in the United States and locations around the world—including those outside your country. Information may also be stored locally on the devices you use to access the Services.
EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. When transferring data from the European Union, the European Economic Area, and Switzerland, we rely upon a variety of legal mechanisms, including contracts with our customers and affiliates. We comply with the EU-U.S. and Swiss–U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the European Economic Area, and Switzerland to the United States.
We are subject to oversight by the U.S. Federal Trade Commission. JAMS is the US-based independent organization responsible for reviewing and resolving complaints about our Privacy Shield compliance—free of charge to you. We ask that you first submit any such complaints directly to us via privacy@CountingWorks.com. If you aren’t satisfied with our response, please contact JAMS at https://www.jamsadr.com/eu-us-privacy-shield. In the event your concern still isn’t addressed by JAMS, you may be entitled to a binding arbitration under Privacy Shield and its principles.
If we are involved in a reorganization, merger, acquisition, or sale of our assets, your information may be transferred as part of that deal.
Your Right to Control and Access Your Information
You have control over your personal information and how it is collected, used, and shared. For example, you have a right to:
Your personal information is controlled by CountingWorks, Inc. Have questions or concerns about CountingWorks, our Services, and privacy? Contact our Data Protection Officer at privacy@CountingWorks.com. If they can’t answer your question, you have the right to contact your local data protection supervisory authority.
Third Party Vendors
Amazon Web Services
Updated: June 2020.
strives to ensure that its services are accessible to people with disabilities. has invested a significant amount of resources to help ensure that its website is made easier to use and more accessible for people with disabilities, with the strong belief that every person has the right to live with dignity, equality, comfort and independence.
makes available the UserWay Website Accessibility Widget that is powered by a dedicated accessibility server. The software allows us to improve its compliance with the Web Content Accessibility Guidelines (WCAG 2.1).
Enabling the Accessibility Menu
The accessibility menu can be enabled either by hitting the tab key when the page first loads or by clicking the accessibility menu icon that appears on the corner of the page. After triggering the accessibility menu, please wait a moment for the accessibility menu to load in its entirety.
continues its efforts to constantly improve the accessibility of its site and services in the belief that it is our collective moral obligation to allow seamless, accessible and unhindered use also for those of us with disabilities.
In an ongoing effort to continually improve and remediate accessibility issues, we also regularly scan with UserWay's Accessibility Scanner to identify and fix every possible accessibility barrier on our site. Despite our efforts to make all pages and content on fully accessible, some content may not have yet been fully adapted to the strictest accessibility standards. This may be a result of not having found or identified the most appropriate technological solution.
Here For You
If you are experiencing difficulty with any content on or require assistance with any part of our site, please contact us during normal business hours as detailed below and we will be happy to assist.
If you wish to report an accessibility issue, have any questions or need assistance, please contact customer support.
The GDPR Overview
This Regulation lays down rules relating to the protection of natural persons regarding the processing of personal data and rules relating to the free movement of personal data. The GDPR protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. This Regulation applies to:
the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union (EU), regardless of whether the processing takes place in the Union or not.
the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or
b) the monitoring of their behavior as far as their behavior takes place within the EU.
The GDPR is considered an extraterritorial regulation and is inclusive of data stored offshore from the EU. Potential fines for violation are up to four percent of an organization’s worldwide gross sales based upon last year’s financial statements, with a limit of €20 million.
Under GDPR, data is classified as:
Personal Data – Any information relating to an identified or identifiable natural person (data subject).
Sensitive Data – Also called special categories of personal data, the processing of which could create significant risks to the data subject’s fundamental rights and freedoms. GDPR prohibits (with certain exceptions) the processing of sensitive data revealing race or ethnic origin, political opinions, religion or beliefs, or trade-union membership; the processing of genetic data; or data concerning health or sex life, or criminal convictions and offenses or related security measures.
As defined by the regulation, processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Protecting personal data is a big deal
A survey coordinated by the European Commission, Directorate-General for Communication in 2016 reveals how much people care about their privacy. Survey results from over 26,000 respondents showed that:
92% say it is important that the confidentiality of their e-mails and online instant messaging is guaranteed
90% want the encryption of their messages and calls to assure confidentiality
89% want the default settings of their browser to stop the sharing of their information
82% want online activity monitoring tools (e.g., cookies) to be used to monitor their activities only with their permission
Together, the expectations of data subjects, far-reaching regulation such as the GDPR, and emerging best practices create a compelling driver for organizations to take personal data protection seriously. The GDPR secures a broad range of specific rights for data subjects, which include:
Right of access
Right of rectification
Right of erasure (right to be forgotten)
Right to restriction of processing
Right to notification regarding rectification, erasure, or restriction of processing of personal data
Right to data portability
Right to object
Right not to be subject to a decision based solely on automated processing, including profiling
Right to lodge a complaint with a supervisory authority
Right to an effective judicial remedy against a supervisory authority
Right to an effective judicial remedy against a controller or processor
Right to compensation for the damage suffered
Pathway to Compliance
Supporting most of the data subject rights under the GDPR requires a combination of technical functions and well-defined organizational measures and processes. Achieving GDPR compliance is a journey that needs to be well planned in terms of approach(es), strategy, and resources. The compliance journey will have to be carried out in phases: a Preliminary phase and an Implementation phase.
In this phase of the journey, you will need to:
Secure senior management support, identify and involve key stakeholders in each affected business unit, assign responsibilities, and appoint a Data Protection Officer if required based on the nature and scale of your processing
Identify, analyze, classify, and inventory personal data held across the organization
Document processing activities to cover relevant details in Article 30 of the GDPR, including purpose of processing, types of processing, categories of data subjects, and categories of personal data (details would depend on whether the organization serves as Data Controller or Processor)
Identify and document existing processes and controls for:
Assuring that personal data is processed lawfully (lawful basis), including obtaining data subject consent
Assuring that personal data is adequate, accurate, limited to what is necessary for the intended purpose, and only stored for as long as necessary for that purpose
Protecting personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage throughout data lifecycle.
Data subject access, rectification, erasure, restriction, and transfer requests
International data transfers
Data breach detection, investigation, and reporting, including sending notifications to Supervisory Authority and data subjects
Perform Data Protection Impact Assessment (DPIA)
Determine and develop compliance approach (whether it would be full compliance, targeted enclave, reduced functionality, or combined approach).
Fully Compliant Approach (FCA): The goal of this approach is to ensure the IT infrastructure and associated processes across the organization are fully compliant with GDPR protection requirements and allows for cost-effective execution of data subject rights upon demand. This approach may be cost-effective for entirely new organizations or for organizations already operating in highly regulated industries.
Targeted Enclave Approach (TEA): This approach involves the creation of GDPR compliant enclaves or bounded areas within the larger organizational IT infrastructure. Access to the GDPR enclaves is restricted to a subset of staff with explicit need to access the data, and information systems within the enclave are designed to easily implement functions to support exercise of data subject rights. The targeted approach serves to control costs and limit risk to a defined area of the IT infrastructure and allows legacy systems and processes to continue where the costs of updating those systems or processes is prohibitive.
Reduced Functionality Approach (RFA): This approach involves reducing the data subject to GDPR requirements in the organization’s environment or ceasing operations that require the use of data covered by the GDPR. For this approach, the value of processing GDPR-covered data would be weighed against the costs of GDPR compliance. If the cost-benefit analysis shows that the cost of compliance outweighs the business value, the best approach may be to cease or curtail business functions that involve GDPR-covered data.
Combined Approach: In most realistic circumstances, a fully compliant infrastructure approach may be too impractical or too expensive to employ across the entire IT infrastructure. A combination of the TEA and RFA may therefore become the most expedient strategy.
Approaches to GDPR Compliance
Your organization will need to assess its unique data scenario to determine the most cost-effective and lowest-risk approach(es) to employ for GDPR compliance. Following the selection of the best approach would be the implementation phase.
This phase focuses largely on identifying and closing gaps between the current state and the target GDPR-compliant status. You will need to:
Identify and close gaps related to documentation requirements for:
Data subject consent
Purposes (basis) of collection and processing
Procedures related to processing activities
Implemented technical and organizational measures for protecting personal data and for ensuring compliance with the regulation
Identify and close gaps related to implementation of safeguards for protecting personal data
Identify training gaps and implement employee training programs to close identified gaps
Identify and close gaps related to governance practices to maintain ongoing GDPR compliant status
Determining, implementing, and documenting technical and organizational measures for protecting personal data to fulfill GDPR requirements may be daunting without leveraging available relevant resources. Articles 40 and 42 of the GDPR allow a Controller or Processor to leverage adherence to an approved Code of Conduct and data protection certification mechanism administered by an approved authority to facilitate and demonstrate compliance with the GDPR.
The Cloud Security Alliance (CSA) has developed a Code of Conduct (CoC) and Code of Practice (CoP) Template (awaiting necessary approval by Supervisory Authority) for privacy and data protection transparency, assurance, and compliance. The CSA CoC identifies, in an organic, structured, and systematic manner, all relevant GDPR provisions which Cloud Service Providers (CSPs) must comply with when handling personal data. The CoC goes beyond the GDPR’s requirements and provides a higher standard for adhering CSPs’ data protection practices. Combining adherence to the CSA CoC for GDPR Compliance with the CSA Cloud Controls Matrix (CCM) and ISO 27001 or SOC 2 STAR certification (or attestation) should provide the needed help envisioned by Articles 40 and 42 for GDPR compliance.
How can we help?
The CAS Assurance, LLC team provides the necessary support for organizations that need help with readiness assessment for a SOC 2 audit, or assistance to complete and submit their self-assessment for Level 1 listing in the Cloud Security Alliance STAR Registry. We provide independent audit services for SOC 2, including SOC 2 + CCM attestation for Level 2 listing in the CSA STAR Registry, and other security and privacy regulations, standards, and frameworks. For assistance, contact us at 954-362-7113 or schedule a free initial consultation to get started.