Security Addendum

This Security Addendum outlines the technical and organizational security measures implemented by Credicle Corporation to protect data processed through the August platform.

1. AUGUST AUDITS AND CERTIFICATIONS

August's information security management system undergoes annual assessment by independent third-party auditors. The company maintains SOC 2 Type II and ISO 27001 certifications. Third-Party Audit reports are made available to You as described in Section 10.1. Should August discontinue any audit, the firm commits to adopting an equivalent industry-recognized framework.

2. HOSTING LOCATION OF CUSTOMER DATA AND CONTENT

Customer data and content reside in data centers matching the geographic region specified in the customer's order form. You may request to have Your Customer Data and Content stored in a separate specific geographic region. August will use commercially reasonable efforts to do so where supported by our underlying cloud service provider(s).

3. ENCRYPTION

August implements AES 256-bit (or better) encryption for data at rest and Transport Layer Security 1.2 (or better) for data in transit across public networks. The company rotates encryption keys annually and uses hardware security modules to protect critical keys, maintaining logical separation between keys and protected data.

4. SYSTEM AND NETWORK SECURITY

Personnel access requires unique user IDs, multi-factor authentication, and strong passwords following least-privilege principles. August personnel will not access Customer Data or Content except (i) to provide or support the Service or (ii) to comply with the law. Company-issued laptops include encryption and endpoint detection tools. Industry-standard threat detection with daily updates monitors suspicious activity. August engages third parties for annual penetration testing and web application assessments covering OWASP vulnerabilities.

5. ADMINISTRATIVE CONTROLS

Personnel receive security awareness training at onboarding and annually thereafter, covering information security, IT policies, cyber threats, and device protection. Developers receive annual secure development training. Staff must sign confidentiality agreements and report security incidents. August removes access to critical systems (including systems containing Customer Data and Content) for all separated personnel within 1 day and removes access to all systems within 3 days. Quarterly reviews examine access privileges. Background checks include ID verification, work authorization, and criminal history screening.

6. VENDORS AND SUB-PROCESSORS

August ensures that any of its vendors that process Customer Data or Content maintain security measures consistent with our obligations under this Security Addendum. Sub-processor lists are maintained at https://www.august.law/legal.

7. PHYSICAL DATA CENTER CONTROLS

Cloud service providers maintain SOC 2 Type II audits and ISO 27001 certification with controls including: controlled building access, visitor ID requirements, access control devices, regular privilege reviews, monitoring/alarm systems, CCTV, fire protection, backup/redundancy systems, and climate control. August maintains no physical offices storing customer data.

8. INCIDENT DETECTION AND RESPONSE

Upon discovering a security breach affecting customer data, August will notify You without undue delay, and in any case, within 48 hours after becoming aware. The company promptly contains and investigates incidents, preserving relevant logs for one year. August provides timely incident information including nature, consequences, investigation status, mitigation measures, and contact points, though it acknowledges potential limitations in analyzing the specific data types impacted.

9. AUDIT LOGGING

August will create, protect, and retain information system audit records to the extent needed to maintain integrity, and will enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Logs are retained for a minimum of one year and a maximum of ten years and are protected against tampering.

10. CUSTOMER AUDIT RIGHTS

Upon request, and at no additional cost to You, August will provide You and/or Your appropriately qualified third-party representative access to reasonably requested documentation including SOC 2 Type II reports, penetration test summaries, and ISO 27001 certifications. Customers may submit up to 100 annual security questions. For incidents affecting customer data, August engages independent forensic specialists at company expense.

11. CUSTOMER RESPONSIBILITIES

Customers must ensure that use is authorized and complies with legal obligations. Users bear responsibility for securing access methods and keeping credentials confidential without sharing them. You must promptly report any suspicious activities related to Your account(s). Customers must maintain updated, patched IT systems.

12. BUSINESS CONTINUITY AND DISASTER RECOVERY

August maintains business continuity plans that detail how operations will be maintained during an unplanned disruption in service. Plans cover business processes, assets, personnel, and partners. Senior management approves and annually tests continuity plans.

Last updated: January 2026