Data Processing Agreement
How AuditOak processes personal data on behalf of customers using the Platform, and how to request a signed DPA.
Last updated: June 2026
Controller and processor roles
When your organization uses AuditOak to manage compliance programs, you are typically the data controller (or equivalent) for personal data contained in Customer Content, including evidence files, user account details, and organizational information you upload or configure in the Platform.
AuditOak acts as a data processor, processing personal data on your documented instructions as set out in your use of the Platform, these terms, and the applicable subscription agreement.
Scope of processing
Subject matter and duration of processing depend on your subscription and use of the Platform. Categories of data subjects may include:
- Your employees, contractors, and authorized users
- Individuals identified in evidence files you upload
- External auditors or collaborators you invite with scoped access
Categories of personal data may include names, work contact details, authentication data, audit logs, and any personal data contained within files you choose to store in the Platform.
Processor commitments
AuditOak commits to the following, consistent with Article 28 GDPR and standard B2B SaaS practice:
- Process personal data only on documented instructions from the customer, unless required by law
- Ensure personnel with access to personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Use subprocessors subject to written agreements with comparable data protection obligations
- Assist with data subject requests and security incident notifications as described in our agreement
- Delete or return personal data upon termination, subject to legal retention requirements
- Make available information necessary to demonstrate compliance with Article 28 obligations
Subprocessors
We use third-party subprocessors to host infrastructure, deliver email, process payments, and support operations. A current list is published on our Subprocessors page. We will provide notice of material subprocessor changes as set out in your signed DPA or subscription agreement.
Security measures
We maintain a security program designed to protect personal data, including access controls, encryption in transit, logging, vulnerability management, and role-based permissions. Summary details are available on our Security page. Customers may request additional security documentation during enterprise evaluation.
International transfers
Personal data may be processed in the United States and other countries where AuditOak or subprocessors operate. Where required for transfers from the EEA, UK, or Switzerland, AuditOak offers Standard Contractual Clauses and supplementary measures as part of our signed DPA package.
Request a signed DPA
A summary of processor commitments is available on this page for evaluation purposes. Enterprise customers requiring a countersigned Data Processing Agreement should contact contact@auditoak.com and include the company name, primary contact, frameworks in scope, and any required legal entity details.
Please include "DPA request" in the subject line. We typically respond within five business days with our standard DPA or instructions for your paper process.
Questions about these policies?
Email contact@auditoak.com. AuditOak provides compliance workflow software. These documents are not legal advice.