Microsoft AppSource Privacy Addendum

Version 1.0 · Effective 2026-04-11

Scope of this addendum

This addendum supplements the CASO Comply privacy policy at casocomply.com/privacy. It applies when you purchase CASO Comply through Microsoft AppSource with Transact enabled. In that case, CASO and Microsoft each play specific roles with specific data responsibilities; this addendum makes those roles explicit so there's no ambiguity about what data we receive from Microsoft and what we do with it.

If you did not purchase through AppSource, this addendum does not apply — the base privacy policy governs your relationship with CASO.

What Microsoft sends us when you subscribe

When you click Get it now on the CASO Comply AppSource listing and complete the purchase, Microsoft's commercial marketplace sends CASO the following information about your subscription via the SaaS Fulfillment API:

  • Microsoft subscription ID — a GUID Microsoft assigns to your subscription
  • Publisher ID, offer ID, and plan ID — identifies which CASO product and plan you purchased
  • Quantity — number of seats, users, or units purchased
  • Beneficiary identity — the email address, object ID, and Azure AD tenant ID of the Microsoft user who will use CASO Comply
  • Purchaser identity — the email address, object ID, and Azure AD tenant ID of the Microsoft user who completed the purchase (may be the same as the beneficiary)
  • Subscription term dates — start date and renewal date
  • Subscription status — pending, active, suspended, unsubscribed, etc.

This is the minimum data Microsoft requires us to receive in order to provision your CASO Comply account and bill you through your Microsoft Enterprise Agreement. We do not receive your payment method, credit card, or any financial information — Microsoft processes payments directly.

What we do with that information

We store the subscription metadata listed above in our marketplace subscriptions database (service-role-restricted, Postgres Row Level Security) for the duration of your subscription plus a six-year audit retention window to satisfy HIPAA audit control requirements under 45 CFR 164.316(b)(2)(i). The retention applies to marketplace metadata, not document content.

Specifically, we use the data to:

  1. Create your CASO tenant and map it to the Microsoft subscription so billing reconciles correctly
  2. Send a magic sign-in link to the beneficiary email so the account's first human user can access the dashboard
  3. Respond to Microsoft webhook events for the life of the subscription (plan changes, suspension, renewal, unsubscribe) so your account stays in sync with your Microsoft Enterprise Agreement
  4. Generate usage reports and invoicing metadata that Microsoft consumes to bill you on your Microsoft invoice

We do not use marketplace metadata for marketing, sales outreach to other contacts in your organization, or any purpose other than fulfilling the subscription you purchased.

What we do not receive from Microsoft

Microsoft does not send us:

  • Your payment method or credit card information — payment runs through your Microsoft Enterprise Agreement, not CASO
  • Your organization's other users beyond the beneficiary and purchaser — we only learn about users who directly sign into CASO Comply after the initial activation
  • Your SharePoint documents or any document content — the document remediation flow is handled separately, via the Microsoft Graph API using your own Azure AD app registration that we never see
  • Your organization's financial, legal, or business data outside what's in the subscription metadata above

Document content specifically

CASO Comply is a document accessibility remediation product. The documents we remediate stay entirely within your Microsoft 365 tenant. Here's how:

The CASO Comply Docker agent runs on infrastructure you operate (your own Windows server, Azure VM, or on-premise Linux host). It authenticates to SharePoint using an Azure AD app registration that you create and control, with Sites.Selected application permission scoped to the specific document libraries you grant it access to. The agent downloads documents from SharePoint to the host it runs on, remediates them using CASO's bundled libraries (pikepdf, python-docx, openpyxl, python-pptx), and writes the remediated versions back to SharePoint.

At no point during this process do documents transit CASO-controlled infrastructure. The agent never uploads your documents to casocomply.com or any other CASO server. If you deploy the agent in HIPAA mode, it additionally disables the optional Google Gemini AI verification step, so no document content ever leaves your infrastructure at all.

This architecture means CASO is not a Business Associate under HIPAA for customers using the on-premise agent — we never receive, store, or process protected health information. Our subprocessor list at casocomply.com/subprocessors documents which third parties touch marketplace metadata, which is the only data category that leaves your tenant.

Data categories by storage location

Category | Where it lives | Retention
Marketplace subscription metadata | CASO Supabase (US), service-role RLS only | 6 years for HIPAA audit compliance
Your CASO tenant record, users, API keys | CASO Supabase (US) | For the life of your subscription plus 30 days for recovery
Remediated document content | Your own infrastructure where the Docker agent runs | You control — CASO never sees it
Marketplace webhook event log | CASO Supabase (US) | 6 years for HIPAA audit compliance
Audit log events tied to your tenant | CASO Supabase (US) | 6 years per 45 CFR 164.316(b)(2)(i)

Your rights

If you unsubscribe from CASO Comply through AppSource, we:

  1. Mark your marketplace subscription as unsubscribed in our database
  2. Set your CASO tenant to cancelled status — the Docker agent stops processing new documents
  3. Retain all marketplace metadata and audit logs for the 6-year HIPAA window
  4. Leave document content untouched — since we never had it, there's nothing to delete on our side

You can request a copy of your marketplace metadata, CASO tenant record, or audit log entries at any time by emailing privacy@casocomply.com with your Microsoft subscription ID. We respond within 30 days per GDPR Article 15 and CCPA standards, even if neither regulation technically applies to your organization.

If you're subject to HIPAA, GDPR, or CCPA and need a more formal data processing addendum, contact legal@casocomply.com.

Subprocessors

The full subprocessor list is at casocomply.com/subprocessors. The ones specifically relevant to AppSource subscriptions:

  • Microsoft — processes your payment, stores your Microsoft EA billing relationship, forwards subscription metadata to CASO
  • Supabase (US) — hosts the CASO database where marketplace metadata lives
  • Vercel (US, global edge) — hosts the CASO web dashboard and marketplace fulfillment endpoints
  • Render (US) — hosts the CASO cloud API (only used for non-HIPAA customers who opt in to cloud processing)
  • Resend (US) — sends transactional email including the first-time magic link

We maintain a 30-day advance notification policy for any new subprocessor. Subscribe to subprocessor change alerts by emailing privacy@casocomply.com.

Changes to this addendum

We will notify the primary contact on your subscription at least 30 days before any material change to this addendum. For non-material changes (typos, clarifications), we update the effective date below and publish the new version.

Effective date: 2026-04-11 · Version: 1.0