Skip to content

Data Processing Agreement

Last updated and effective as of: June 16, 2025 (the “DPA Effective Date”).

This Data Processing Agreement (“DPA”) is by and between SquareWorks Consulting, Inc. (“SquareWorks”), a Delaware corporation with offices at 101 Arch Street, 8th Floor, Boston, MA, 02110, and the entity that has engaged SquareWorks to provide the Services (“Customer”). and forms part of the Software Subscription and Professional Services Agreement (the “Agreement”) entered into by and between SquareWorks and the Customer. Any terms not defined in this DPA shall have the meaning set forth in the Agreement. In the event of a conflict between the terms and conditions of this DPA and the Agreement, the terms and conditions of this DPA shall take precedence with regard to the subject matter of this DPA. By signing this DPA, the parties are deemed to have signed all Exhibits, Attachments, Annexes, Schedules, and Appendices, including those incorporated by reference, to this DPA where applicable.

  1.         Definitions

“Affiliate” means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.

“Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable Data Subject.

“Authorized Sub-Processor” means a third-party who has a need to know or otherwise access Customer’s Personal Data to enable SquareWorks to perform its obligations under this DPA or the Agreement (a “Sub-Processor”), and who is either (1) listed as a Sub-Processor on SquareWorks’ Sub-Processor List (as defined below) and/or (2) authorized by Customer to do so under this DPA.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data, including as applicable “business” as defined under the CCPA or “organisations” under the PDPA.

“Data Protection Laws” means (i) the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 and any regulations promulgated thereunder (collectively, “CCPA”); (ii) the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) and related data protection and privacy laws of the member states of the European Economic Area; (iii) the Data Protection Act 2018 of the United Kingdom (“UK GDPR”);and (iv) the Singapore Personal Data Protection (Amendment) Act 2020 (“PDPA”); each as applicable and as amended, repealed, consolidated, implemented or replaced from time to time.

“Data Subject” means an identified or identifiable person to whom Personal Data relates, or as otherwise termed and defined by Data Protection Laws.

“Personal Data” means any information relating to an identified or identifiable natural person Processed by SquareWorks solely on behalf of Customer.

“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

“Processing” (including grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, including as applicable “service provider” as defined under the CCPA or “data intermediary” under the PDPA.

“Services” means the services provided by SquareWorks pursuant to the Agreement.

“Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission’s decision 2021/914/EC of June 4, 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”); (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, and as revised under Section 18 of the International Data Transfer Addendum (the “UK Addendum”).

“Supervisory Authority” means an independent public authority which is established under applicable Data Protection Laws.

2.         Relationship of the Parties; Processing of Data

2.1       The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer may act either as a Controller or Processor and, except as expressly set forth in this DPA or the Agreement, SquareWorks is a Processor.

2.2       SquareWorks has the right to Process Personal Data as necessary to provide the Services and as permitted in the Agreement. SquareWorks shall Process Personal Data (i) for the purposes set forth in the Agreement and this DPA, including Schedule 1 hereto, (ii) in accordance with the terms and conditions set forth in this DPA and any other documented instructions provided by Customer, and (iii) in compliance with the Data Protection Laws. Customer hereby instructs SquareWorks to Process Personal Data in accordance with the foregoing and as part of any Processing initiated by Customer in its use of the Services.

2.3       The rights and obligations of the Customer with respect to the Processing of Personal Data are described herein. Customer shall, in its use of the Services, at all times Process Personal Data, and provide instructions to SquareWorks for the Processing of Personal Data, in compliance with the Data Protection Laws. Customer shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Personal Data, and that the Processing of Personal Data in accordance with Customer’s instructions will not cause SquareWorks to be in breach of the Data Protection Laws.

2.4       Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to SquareWorks by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to SquareWorks regarding the Processing of such Personal Data. Customer shall not provide or make available to SquareWorks any Personal Data in violation of the Agreement.

2.5       Customer represents, warrants, and covenants that: (i) it has (and will have) Processed, collected, and disclosed all Personal Data in compliance with applicable law and provided any notice and obtained all consents and rights required by applicable law to enable SquareWorks to lawfully Process Personal Data as permitted by the Agreement and/or this DPA; (ii) it has (and will continue to have) full right and authority to make the Customer Data available to SquareWorks under the Agreement and this DPA; and (iii) SquareWorks’ Processing of the Personal Data in accordance with the Agreement, this DPA, and/or Customer’s instructions does and will not infringe upon or violate any applicable law or any rights of any third party. Customer shall indemnify, defend, and hold SquareWorks harmless against any claims, actions, proceedings, expenses, damages, and liabilities (including without limitation any governmental investigations, complaints, and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 2.5. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 2.5 shall not be subject to any limitations of liability set forth in the Agreement.

2.6       The subject matter, nature, purpose, and duration of this Processing, as well as the types of Personal Data Processed and categories of Data Subjects, are described in Schedule 1 to this DPA. Following completion of the Services, SquareWorks shall delete the Personal Data in accordance with the Agreement, except as required to be retained by the Data Protection Laws or other applicable laws, or for the limited scope and purposes specified in the Agreement. If Customer and SquareWorks have entered into Standard Contractual Clauses, the parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 and 16 of the EU SCCs shall be provided by SquareWorks to Customer only upon Customer’s written request.

2.7       SquareWorks shall have the right to create, maintain, and use Anonymous Data and shall not attempt to re-identify the Anonymous Data, except solely for the purpose of determining whether its de-identification processes satisfy the requirements of applicable law.

3.         Confidentiality; Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, SquareWorks shall maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk of Processing Personal Data. SquareWorks shall provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with Customer’s obligations under the Data Protection Laws. Schedule 2 hereto sets forth additional information about SquareWorks’ technical and organizational security measures.

4.         Authorized Sub-Processors

4.1       Customer acknowledges and agrees that SquareWorks may (1) engage its Affiliates and the Authorized Sub-Processors available at: https://squareworks.com/sub-processor-list-2/ (the “Sub-Processor List”), as updated from time to time, to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. By way of this DPA, Customer provides general written authorization to SquareWorks to engage Sub-Processors as necessary to perform the Services.
4.2       At least thirty (30) days before enabling any third-party Sub-Processors other than Authorized Sub-Processors to access or participate in the Processing of Personal Data, SquareWorks will add such third-party Sub-Processors to the Sub-Processor List and notify Customer of such updates to the email address listed on the applicable Order Document. Customer may object to such an engagement on reasonable grounds related to Customer’s material compliance with Data Protection Laws in writing within ten (10) days of receipt of the aforementioned notice by Customer. If the parties cannot in good faith resolve such objection, then either party may terminate this DPA and the Agreement upon written notice. Termination shall not relieve Customer of any fees owed to SquareWorks under the Agreement. If Customer does not object to the engagement of a third-party Sub-Processor in accordance with this Section 4.2 within ten (10) days of notice by SquareWorks, that third-party Sub-Processor will be deemed an Authorized Sub-Processor for the purposes of this DPA.

4.3       SquareWorks shall, by way of contract or other legal act under Data Protection Laws (including the Standard Contractual Clauses), ensure that every Authorized Sub-Processor is subject to obligations regarding the Processing of Personal Data in accordance with Data Protection Laws.

4.4       SquareWorks shall be liable to Customer for the acts and omissions of Authorized Sub-Processors to the same extent that SquareWorks would itself be liable under this DPA had it conducted such acts or omissions. If Customer and SquareWorks have entered into Standard Contractual Clauses, (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by SquareWorks of the Processing of Personal Data if such consent is required under the Standard Contractual Clauses; and (ii) the parties agree that to the extent SquareWorks is required by the Standard Contractual Clauses to provide to Customer copies of the agreements with Authorized Sub-Processors, such copies may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by SquareWorks beforehand, and that such copies will be provided by SquareWorks only upon reasonable request by Customer.

5.         Transfer of Personal Data

5.1       The parties agree that SquareWorks may transfer Personal Data processed under the Agreement and this DPA from member states of the European Union, Iceland, Liechtenstein, or Norway to any countries and such countries may not ensure an adequate level of data protection within the within the meaning of the laws and regulations of these countries shall, to the extent such transfer is subject to such laws and regulations, be undertaken by SquareWorks through the Standard Contractual Clauses, which are automatically incorporated by reference and form an integral part of the DPA, as follows:

5.2       SquareWorks as Processor or Sub-Processor. In relation to Personal Data that is processed by SquareWorks as a Processor or Sub-Processor, the EU SCCs shall apply as follows:

  1. Where Customer is a Controller and SquareWorks is a Processor under the Agreement, Module Two (Controller to Processor) will apply; or where Customer is a Processor and SquareWorks is a Sub-Processor under the Agreement, Module Three (Processor to Processor) will apply;
  2. Clause 7, the optional docking clause is included;
  3. Clause 9, Option 2 will apply, and the time period for prior notice is thirty (30) days;
  4. Clause 11, the optional language will not apply;
  5. Clause 13, the parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable;
  6. Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
  7. Clause 18(b), disputes shall be resolved before the courts of Ireland;
  8. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this DPA; and
  9. Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this DPA.

      5.3       The parties agree that SquareWorks may transfer Personal Data processed under the Agreement to which the UK GDPR applies in which case the parties agree to Process such Personal Data in compliance with the UK Addendum, which is automatically incorporated by reference and form an integral part of the DPA, as follows:

      1. the EU SCCs as implemented under Section 5.2 of this DPA shall be deemed amended as specified by Part 2 of the UK Addendum;
      2. Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Schedules 1 and 2 of this DPA (as applicable) and the start date shall be the later of the DPA Effective Date or the date the Agreement is entered into by the parties; and
      3. Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “Importer” and “Exporter.”

       5.4      Customer acknowledges that SquareWorks’ primary processing operations take place in the United States, and that the transfer of Customer’s Personal Data to the United States is necessary for the provision of the Services to Customer.

      6.         Rights of Data Subjects

      6.1       SquareWorks shall, to the extent permitted by applicable law, promptly notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction of or objection to Processing, withdrawal of consent to Processing, and/or objection to being subject to Processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If SquareWorks receives a Data Subject Request in relation to Personal Data, SquareWorks will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services.

      6.2       SquareWorks shall, at the request of the Customer, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request, where possible, provided that (i) Customer is itself unable to respond without SquareWorks’ assistance and (ii) SquareWorks is able to do so in accordance with all applicable laws, rules, and regulations.

      7.         Actions and Access Requests; Audits

      7.1       SquareWorks shall, taking into account the nature of the Processing and the information available to SquareWorks, provide Customer with reasonable cooperation and assistance (a) where necessary for Customer to comply with obligations applicable to it under the Data Protection Laws to conduct a data protection impact assessment, provided that Customer does not otherwise have access to the relevant information; and (b) with respect to Customer’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and/or where required by the Data Protection Laws. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by SquareWorks.

      7.2       Upon at least thirty (30) days prior written notice at and Customer’s expense Customer may appoint an independent third party (each, an “Auditor”) to audit, SquareWorks’ material compliance with the terms of this DPA (each, an “Audit”), provided that no Auditor shall be a competitor of SquareWorks, nor shall any Auditor be compensated on a contingency basis (no more often than once in any 12-month period). The Audit must be conducted during SquareWorks’ regular business hours and subject to applicable SquareWorks policies. The Audit may not unreasonably interfere with SquareWorks’ business operations and in no event shall Customer have access to the information of any other client of SquareWorks and the disclosures made pursuant to this Section7 shall be held in confidence as the SquareWorks confidential information and subject to any confidentiality obligations in the Agreement. Customer may use the Audit reports only for the purposes of meeting its regulatory requirements and/or confirming compliance with the requirements of the Agreement and this DPA. The Audit report(s) and any information obtained by Customer under this Section 7 are SquareWorks’ Confidential Information under the terms of the Agreement. If the parties have entered into Standard Contractual Clauses, the parties agree that the Audits described in Clause 8.9 of the EU SCCs shall be conducted in accordance with this Section 7.

      7.3       Notwithstanding anything to the contrary herein, no Audit shall be undertaken unless or until Customer has requested, and SquareWorks has provided, documentation pursuant to Section 7.1 and Customer reasonably determines that an Audit remains necessary to demonstrate material compliance with the obligations laid down in this DPA. 

      7.4       Without limiting the generality of any provision in the Agreement, Customer shall employ the same degree of care to safeguard information disclosed by to Customer under this Section 7 that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Customer shall be liable for any improper disclosure or use of information disclosed by SquareWorks to Customer under this Section 7 by Customer or its agents.

      8.         Breach Notification

      8.1       In the event of a confirmed Personal Data Breach, SquareWorks shall, within 72 hours, inform Customer of the Personal Data Breach and, to the extent such Personal Data Breach was caused by SquareWorks’ negligence, take such steps as SquareWorks in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach (to the extent that remediation is within SquareWorks’ reasonable control).

      8.2       In the event of a confirmed Personal Data Breach, SquareWorks shall, taking into account the nature of the Processing and the information available to SquareWorks, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with Customer’s obligations under the applicable Data Protection Laws with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.

      8.3       SquareWorks will also, to the extent known by SquareWorks and not otherwise prohibited by Data Protection Laws, provide Customer with (i) a description of the nature and reasonably anticipated consequences of the Personal Data Breach; (ii) the measures taken that are designed to mitigate any possible adverse effects and prevent a recurrence; and (iii) where possible, information about the types of Personal Data that were the subject of the Personal Data Breach. Unless prohibited by applicable law, Customer agrees to coordinate with SquareWorks on the content of Customer’s intended public statements or required notices for the affected Data Subjects and/or notices to the relevant Supervisory Authority regarding the Personal Data Breach. Further, Customer understands and agrees that it shall bear sole responsibility for communicating any updates related to a confirmed Personal Data Breach to its impacted Controllers (where Customer acts as the Processor pursuant to the Agreement, if applicable) and/or Data Subjects.

      8.4       No notification provided by SquareWorks to Customer under this Section 8 shall be construed as an admission of fault, liability, or responsibility. Any disclosures made pursuant to this Section 8 shall be held in confidence as the SquareWorks confidential information and subject to any confidentiality obligations in the Agreement. SquareWorks’ obligations in this Section 8 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer.

      9.         Limitation of Liability

      Except as set forth in Section 2.5, the total liability of each of Customer and SquareWorks (and their respective employees, directors, officers, Affiliates, successors, and assigns), arising out of or related to this DPA, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement.

      10.       Miscellaneous

      The parties’ signature to the Agreement shall be considered as signature to the Standard Contractual Clauses, including the EU SCCs and UK Addendum, as applicable. If there is any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail with respect to Personal Data that is subject to GDPR or UK GDPR.

      Schedule 1

      Details of Processing

      Section A: List of Parties

      Data Importer: SquareWorks Consulting, Inc.Data Exporter: Customer
      Address: 101 Arch St, 8th Fl, Boston, MA 02110Address: see the Agreement
        Contact person’s name, position, and contact details: Bernardo Enciso, CEO Bernardo.enciso@squareworks.com  Contact person’s name, position, and contact details: see the Agreement
      Role: Processor (where Customer is a Controller), or Sub-Processor (where Customer is a Processor pursuant to the Agreement, if applicable)   Activities Relevant to the data transferred: Provision of the Services.   Signature and date: As set out in the Agreement.  Role: Controller, or Processor on behalf of its customers pursuant to the Agreement, if applicable.   Activities Relevant to the data transferred: Receipt of the Services.   Signature and date: As set out in the Agreement.

      Section B: Description of Processing/Transfer

      Categories of Data Subjects: Customer may submit Personal Data to the Service, the extent to which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

      1. Customer employees, independent contractors, and agents.
      2. Customer prospects, customers, business partners and vendors, or their respective employees, independent contractors, agents, or and contact persons.

      Categories of Personal Data: The Personal Data included in the Customer Data provided by Customer to SquareWorks in connection with the Services the extent to which is determined and controlled by the Customer in its sole discretion, which may include, but is not limited to the following categories of Personal Data:

      1. First and Last Name
      2. Business Name, if applicable
      3. IP Address
      4. Email
      5. Address
      6. Invoice vendors and amounts
      7. Currency
      8. Payment method and terms
      9. Tax ID
      10. Bank account information

      Sensitive data transferred (if applicable): The contents of the Personal Data are varied and under the data exporter’s control, but may, from time to time, include sensitive data under the relevant Data Protection Laws. Data exporter acknowledges and agrees that SquareWorks provides facilities for special handling of sensitive data, including data retention periods and data masking. See SquareWorks’ technical and organizational measures outlined in Schedule 2.

      The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Frequency of the transfer is controlled by the data exporter and is a continuous basis for the duration of the Agreement.

      Nature and Purpose of Processing: SquareWorks will Process Personal Data as necessary to perform the Services pursuant to the Agreement, and as further instructed by Customer and its authorized users in the use of the Services.

      Frequency and Duration of Processing: SquareWorks will Process Personal Data for the duration of the Agreement unless as otherwise required by law.

      For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: Personal Data will be transferred to Sub-Processors in order for SquareWorks to provide the Services to Customer. The nature of the processing by such Sub-Processors will be as necessary to perform the Services pursuant to the Agreement, and as further instructed by Customer and its authorized users in the use of the Services. The duration of the processing by such Sub-Processors shall continue as long as such sub-processors carry out Personal Data processing operations on behalf of SquareWorks.

      Schedule 2

      Data Security Measures

      Data Security

      SquareWorks Consulting implements the following technical and organizational measures with respect to SquareWorks’ Processing of Personal Data through the Services.

      Automate: AP Automation Suite (All Editions)

      The secure transfer of PDF invoice documents from NetSuite’s servers to SquareWorks’ servers, hosted in AWS, is facilitated through the use of HTTPS TLS 1.2 encryption in transit. The document and scanning results are encrypted at rest using AES-256 encryption, ensuring the confidentiality and integrity of the information. The uploaded documents and scanning results are stored for a maximum of 5 days in a SquareWorks managed AWS S3 private bucket for processing purposes. While SquareWorks uses Artificial Intelligence (AI) as part of its scanning technology, uploaded documents are restricted to SquareWorks’ infrastructure and not shared for training purposes with third party AI platforms.

      The Advanced Document Management feature of SquareWorks Automate offers the option for attachments, excluding invoice documents, to be stored in a customer’s self-managed AWS account. Access keys to AWS are securely stored within the customer’s NetSuite account, and SquareWorks does not have access to these keys. The transfer of file data to and from AWS is performed using TLS 1.2 encryption, bypassing SquareWorks and NetSuite servers, ensuring the confidentiality and privacy of the information. It is the responsibility of the customer to maintain the security of the data and conduct backups within their AWS account.

      SquareWorks Server and Data Security

      The SquareWorks Automate servers operate within a Virtual Private Cloud hosted on AWS. The security of our AWS account is fortified through the implementation of two-factor authentication, ensuring the confidentiality and privacy of the data. Internal access to SquareWorks servers and data is carefully managed through the use of a bastion host within AWS, which undergoes regular patching to maintain security. Access to the bastion host is limited and utilizes AWS SSH private keys for authentication, providing an additional layer of security. SquareWorks’ databases reside within a private subnet with strict network controls allowing inbound traffic only from resources within the VPC of our AWS account.

      SquareWorks Software Development

      Before software is made available for customer usage, either through installation in their NetSuite account or deployment to our AWS servers, SquareWorks Consulting implements a rigorous software development policy.

      This policy requires that all code changes be versioned in Git and undergo peer review and testing. Changes undergo a combination of automated and manual testing before they are promoted to production. All changes are documented through our public release notes.

      Deployment of versioned, reviewed, and tested changes is managed by a minimal subset of the SquareWorks team with restricted access to our NetSuite release account. The deployment of changes impacting SquareWorks in AWS is conducted through a fully automated zero-downtime deployment process within CI/CD framework and access to our AWS accounts is secured through the implementation of two-factor authentication.

      Furthermore, all NetSuite scripts and customizations are built in accordance with NetSuite’s BFN SAFE guidelines and best practices, ensuring the reliability and security of the software.

      NetSuite Software Updates

      In order to ensure the compatibility of its software with NetSuite’s bi-annual updates, SquareWorks Consulting conducts regression testing ahead of each NetSuite release. Prior to NetSuite’s production account upgrade, SquareWorks will send email confirmation to customers confirming the successful testing of the software.

      SquareWorks does not have access to customer NetSuite accounts and therefore is not able to rule out compatibility issues with customer data or other companies’ software. We recommend that customers test the software in their own release preview account provided by NetSuite.

      SquareWorks Software Updates

      SquareWorks Consulting will automatically update all managed software (via SuiteBundler) as required to maintain software compatibility, provide security updates or bug fixes or offer new features, functionality or versions. No access to the customer’s NetSuite account is necessary for these updates.

      For non-managed software, updates must be performed by the customer’s NetSuite Administrator (via SuiteBundler). If SquareWorks has been granted Administrator access to the customer’s account, it can update non-managed software on their behalf upon request.

      SquareWorks Consulting SOC 2


      SquareWorks Consulting recognizes the importance of data security and privacy and provides its customers with the necessary tools and resources to meet their internal audit controls. SquareWorks is SOC 2 Type II certified. The combination of SOC 2 certification, which ensures the secure storage and control of all transactional data, and suggested manual testing prior to each software release, provides customers with a comprehensive approach to data security.