Security & Privacy

Your documents never leave your servers

CASO Comply processes documents on your infrastructure — not ours. We built the only remediation platform where your files stay exactly where they are: under your control, behind your firewall, on your terms.

SOC 2 Type II: Certified

WCAG 2.1 AA: Compliant

Section 508: Conformant

TLS 1.2+: All Communications

Security by architecture

Most remediation platforms require you to upload documents to their cloud. We took the opposite approach — the engine comes to you.

On-Premise Processing

The CASO Comply Docker agent runs entirely on your infrastructure. Documents are processed locally — they never leave your network, your servers, or your control.

Zero Document Exposure

Your files are never uploaded to our cloud. The agent reads from your directories, processes in-memory, and writes remediated files back to your storage. We never see your documents.

Encrypted Communications

All communication between the agent and our API uses TLS 1.2+ encryption. The only data transmitted is licensing metadata and usage counts — never document content.

API Key Authentication

Every agent authenticates with a cryptographically generated API key. Keys are hashed before storage — even we can't see them. Revoke access instantly from your dashboard.

How your data flows

From input to output, your documents stay on your infrastructure.

01. Agent scans your folders

The Docker agent monitors directories you configure. New or modified documents are detected automatically.

Local only — no network traffic

02. Documents processed in-memory

Remediation happens entirely within the container. Structure analysis, tag assignment, and metadata correction all run locally.

Zero cloud uploads

03. AI verification (optional)

If enabled, page-level data is sent to our AI service for tag verification and alt text generation. Full documents are never transmitted — only the minimum data needed for verification.

Minimal data, encrypted in transit

04. Remediated files saved locally

Compliant documents are written back to your output directory. Original files can be preserved or overwritten based on your configuration.

You control retention

Compliance & certifications

Built for regulated industries. Our on-premise architecture simplifies compliance across frameworks.

SOC 2 Type II: Certified

Independently audited controls for security, availability, and confidentiality. Request our report during procurement.

WCAG 2.1 AA: Compliant

Our platform is built to the same accessibility standards we help you achieve. We practice what we preach.

PDF/UA (ISO 14289): Output Standard

Every remediated document conforms to the PDF/UA standard for universal accessibility.

Section 508: Compliant

Full conformance with federal ICT accessibility requirements. VPAT available on request.

HIPAA: Architecture Ready

The Docker agent processes PHI on your infrastructure — documents never leave your HIPAA boundary. No BAA required for on-premise deployment.

FedRAMP: Not Required

Our Docker agent runs on your infrastructure, not our cloud. FedRAMP applies to cloud services — on-premise software falls under your existing ATO.

Cloud upload vs. on-premise

See why on-premise processing eliminates entire categories of risk.

Typical cloud platform

Upload to their servers

  • Documents uploaded to vendor cloud
  • Files stored on third-party infrastructure
  • Data crosses network boundaries
  • Requires BAAs, DPAs, and vendor trust
  • FedRAMP required for federal use
  • You hope they delete your files

CASO Comply

Runs on your servers

  • Documents processed on your infrastructure
  • Files never leave your network
  • No data crosses trust boundaries
  • No BAA needed — you control the data
  • Falls under your existing ATO
  • You control retention and deletion

Questions procurement teams ask

We answer these in every security questionnaire. Here they are upfront.

Where is my data processed?

On your infrastructure. The CASO Comply Docker agent runs on your servers. Documents are read, processed, and written locally. They never leave your network.

What data does the agent send to CASO?

Only licensing metadata: a license key validation on startup, and page count usage reports for billing. No document content, filenames, or personally identifiable information is transmitted.

Do you store our documents?

No. We never receive, store, or have access to your documents. The Docker agent operates entirely within your environment. We couldn't access your files even if we wanted to.

How does AI verification work without uploading files?

When AI Verified mode is enabled, the agent sends only the minimum data needed for verification — structural metadata and page-level information. Complete documents are never transmitted to any external service.

Is this FedRAMP authorized?

FedRAMP applies to cloud service providers. Since the CASO Comply agent runs on your infrastructure (not ours), it falls under your agency's existing Authority to Operate (ATO), not FedRAMP. This is the same model used by other on-premise software in government environments.

Can we use this with HIPAA-protected documents?

Yes. Because documents are processed entirely on your infrastructure, protected health information (PHI) never leaves your HIPAA boundary. No Business Associate Agreement is required for on-premise deployment since we never handle PHI.

How do you handle API key security?

API keys are cryptographically generated with 256 bits of entropy. We store only a one-way SHA-256 hash — the raw key is shown once at creation and never stored. Keys support expiration dates and can be revoked instantly.
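The key-handling pattern described in that answer (a 256-bit random key shown once, only a one-way SHA-256 hash persisted, expiration, instant revocation) is shown below as an added illustration. It is not CASO's own code: the in-memory store, the `key_id.secret` key format and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class StoredKey:
    """What the server persists: a one-way hash, never the raw secret."""
    key_hash: str                 # hex SHA-256 of the raw secret
    expires_at: Optional[float]   # unix timestamp; None means no expiry
    revoked: bool = False


def _hash_key(raw_secret: str) -> str:
    return hashlib.sha256(raw_secret.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Hypothetical in-memory key store (illustration, not CASO's code)."""

    def __init__(self) -> None:
        self._keys: Dict[str, StoredKey] = {}

    def issue(self, ttl_seconds: Optional[int] = None,
              now: Optional[float] = None) -> Tuple[str, str]:
        """Create a key. Returns (key_id, full_key); full_key is shown once
        to the caller and cannot be recovered from the store afterwards."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(8)            # public identifier for lookup
        raw_secret = secrets.token_urlsafe(32)   # 32 random bytes = 256 bits of entropy
        expires_at = None if ttl_seconds is None else now + ttl_seconds
        self._keys[key_id] = StoredKey(_hash_key(raw_secret), expires_at)
        return key_id, f"{key_id}.{raw_secret}"

    def revoke(self, key_id: str) -> bool:
        """Mark a key unusable immediately; returns False for unknown ids."""
        entry = self._keys.get(key_id)
        if entry is None:
            return False
        entry.revoked = True
        return True

    def verify(self, full_key: str, now: Optional[float] = None) -> bool:
        """True only if the key is known, matches its stored hash,
        has not been revoked and has not expired."""
        now = time.time() if now is None else now
        key_id, sep, raw_secret = full_key.partition(".")
        if not sep:
            return False
        entry = self._keys.get(key_id)
        if entry is None:
            return False
        # Compare digests in constant time so a mismatch does not leak
        # how many leading characters matched.
        if not hmac.compare_digest(entry.key_hash, _hash_key(raw_secret)):
            return False
        if entry.revoked:
            return False
        if entry.expires_at is not None and now >= entry.expires_at:
            return False
        return True

    def stores_raw_secret(self, full_key: str) -> bool:
        """Diagnostic: confirm the raw secret appears nowhere in the store."""
        raw_secret = full_key.partition(".")[2]
        return any(raw_secret in entry.key_hash for entry in self._keys.values())


if __name__ == "__main__":
    store = ApiKeyStore()
    key_id, full_key = store.issue(ttl_seconds=3600)
    print("valid now:", store.verify(full_key))
    store.revoke(key_id)
    print("valid after revoke:", store.verify(full_key))
```

A plain SHA-256 is adequate here precisely because the secret carries 256 bits of entropy; slow password hashes (bcrypt, Argon2) exist to protect low-entropy, user-chosen secrets and add nothing for a random key of this size. The non-secret `key_id` prefix lets the server find the record without scanning every hash, and revocation works because the store is consulted on every request rather than trusting anything encoded in the key itself.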

Do you have a SOC 2 report?

Yes. CASO Document Management maintains SOC 2 Type II certification. Our report is available under NDA during procurement. Contact sales@caso.com to request a copy.

What happens if we need to process classified or FOUO documents?

Use the agent in local-only mode — all AI verification is disabled and the agent makes zero network calls during processing. Documents are processed entirely offline within your air-gapped or classified environment.

Can we run the agent in an air-gapped environment?

Yes. The agent supports a fully offline mode. License validation can be configured for initial activation only, after which the agent operates without any network connectivity.

Need our SOC 2 report?

We provide our SOC 2 Type II report, security whitepaper, and completed SIG/CAIQ questionnaires under NDA. Contact our team to start the security review process.