Audit-IQ RegTech

Data Residency Statement

Version 1.3 • Effective: June 2026 • See Legal Changelog

This statement explains where Audit-IQ stores and processes data and the controls we apply to protect it. It is provided for transparency and does not override our Terms of Service or Privacy Policy.

1. Data categories

  • Account data (name, email, organisation, access metadata)
  • Workspace data (projects, obligations, evidence links, notes, exports)
  • Uploaded content (framework PDFs, policies, evidence documents)
  • Operational logs (security logs, audit logs, limited telemetry, error traces)
  • Billing data (billing identifiers, invoices, payment status via Stripe)

2. Primary hosting region

Audit-IQ stores and processes core workspace data (including uploaded content) using infrastructure provided by Supabase and Vercel. The specific region used depends on the configuration of the environment your workspace is provisioned in.

We do not currently offer self-service selection of data residency region. If your organisation requires data to be hosted in a specific named region (for example, an Australian or EU-based region), please contact us before onboarding so we can confirm feasibility and any required configuration for your environment.

Procurement note: If data residency in a specific region is material to your procurement assessment, contact legal@audit-iq.com before completing your vendor review. We will confirm the current infrastructure region for your environment in writing.

3. Cross-border processing

Some processing occurs outside your primary data region due to the nature of our third-party infrastructure. Categories of processing that may involve cross-border data transfer include:

  • AI inference: Document analysis, obligation extraction, and AI-assisted features are processed by OpenAI (United States), whose infrastructure is located outside Australia
  • Payment processing and invoicing (Stripe — United States primary)
  • Transactional email delivery (email delivery provider — see Subprocessors)
  • Error monitoring and operational observability (monitoring provider — see Subprocessors)
  • Fraud prevention, abuse detection, and incident investigation
  • Support interactions (only when you contact us or request assistance)

Where cross-border processing occurs, we implement contractual safeguards with our subprocessors appropriate to their role and the data categories they handle. These safeguards do not constitute a claim of compliance with any specific regulatory framework.

Organisations with regulatory obligations regarding cross-border data transfers should conduct their own assessment of applicable requirements before uploading personal data. See our Subprocessors page for provider details and our DPA structure for the framework we use when engaging with customers on data processing obligations.

4. AI processing

Audit-IQ uses AI to extract, summarise, and organise regulatory obligations from uploaded content and to support platform features.

  • Customer content is processed only to provide the Service.
  • Audit-IQ does not intentionally use customer content to train AI models. We use OpenAI's API for AI-assisted features; AI provider data handling is governed by provider API usage policies.
  • AI inference calls are routed to OpenAI (United States). Data may be processed in infrastructure regions outside Australia or your home jurisdiction.
  • Audit-IQ does not intentionally retain AI inference content beyond operational requirements. Third-party AI provider data handling is governed by the provider's published policies and contractual terms.

You are responsible for ensuring you have the legal rights and appropriate basis to upload and process any documents or personal data you provide to the Service. If your regulatory context restricts cross-border processing of specific data categories, assess whether those categories should be included in content uploaded to the platform.

5. Retention, backups & deletion

We retain customer data for as long as your account remains active and as needed to provide the Service. You may request deletion of workspace data, subject to legal, security, and operational requirements.

Certain information may persist for limited periods in backups, logs, or security records, and will be deleted or overwritten in accordance with our retention practices unless required for legal compliance or incident response.

6. Contact