Data Processing Agreement
Draft 0.2 • Status: Pending Legal Review • Updated: June 2026
Draft structure — not a binding agreement
This page is a structural outline for procurement discussion only. It sets out the categories of information a Data Processing Agreement (DPA) between Audit-IQ and a customer organisation would address. It does not constitute a legally binding contract, does not create enforceable obligations, and has not been reviewed by legal counsel.
Organisations requiring a binding DPA for procurement or regulatory purposes should contact legal@audit-iq.com to request a reviewed draft.
1. Status of This Document
This page describes the intended structure of a formal Data Processing Agreement between Audit-IQ and its customers. It is provided for transparency and to support early-stage procurement discussions.
- This is not a binding agreement.
- This page does not constitute legal advice.
- All sections marked [Placeholder] require legal drafting and review before they can form part of any binding instrument.
- Audit-IQ does not currently offer a signed DPA as a standard product feature. Enterprise customers may request a negotiated DPA by contacting legal@audit-iq.com.
2. Parties and Roles
In a formal DPA, the parties and their roles would be defined as follows:
| Party | Role | Description |
|---|---|---|
| Customer organisation | Controller / Business | The entity that determines the purposes and means of personal data processing (e.g., decides what compliance documents to upload and for what purpose). |
| Audit-IQ (RIO ENTERPRISE, India) | Processor / Service Provider | Processes personal data on behalf of the Customer solely to provide the Service, in accordance with the Customer's instructions and the agreed terms. |
Note: Audit-IQ also acts as a controller for account and billing data collected directly through the platform. See our Privacy Policy for details.
3. Subject Matter and Nature of Processing
Audit-IQ processes personal data to deliver the compliance operations platform, including:
- Storing and retrieving compliance documents and evidence uploaded by the Customer
- Extracting regulatory obligations using AI-assisted document analysis
- Providing workspace, project management, and audit period features
- Delivering platform notifications and account communications
- Operating monitoring, logging, and security functions
Processing is performed only to the extent necessary to provide the Service as described in the Terms of Service.
4. Data Categories Processed
The following categories of personal data may be processed by Audit-IQ on behalf of the Customer:
| Category | Examples |
|---|---|
| Account data | Names, email addresses, organisation name, user roles, login metadata |
| Workspace data | Project names, compliance notes, audit period records, evidence links, remediation items, exception records, comments |
| Uploaded content | Policy documents, regulatory frameworks, evidence files — may contain personal data depending on what the Customer uploads |
| Operational logs | Security event logs, error traces, limited request metadata (e.g., IP address, user-agent); does not include document content by default |
| Billing data | Billing identifiers, subscription status, invoice records (payment details held by Stripe — not stored by Audit-IQ) |
The Customer is responsible for ensuring they have the appropriate legal basis to upload and process any personal data provided to the Service.
5. Data Subject Categories
Personal data processed through the platform may relate to:
- Customer personnel: Employees, contractors, and authorised users of the Customer's Audit-IQ workspace
- Client contacts: Representatives of the Customer's own clients or regulated entities, where the Customer uses Audit-IQ to manage compliance engagements on their behalf
- Third parties named in uploaded documents: Individuals or entities referenced in compliance policies, audit reports, or evidence files uploaded by the Customer
6. Subprocessors
Audit-IQ engages third-party subprocessors to assist in delivering the Service. A current list of subprocessors, including their purpose and primary processing location, is available on the Subprocessors page.
In a binding DPA, the Customer would be notified of material subprocessor changes in advance, with a right to object subject to agreed terms.
[Placeholder: Subprocessor change notification period, objection rights, and authorisation mechanism to be defined in binding instrument — requires legal review.]
7. Security Measures
Audit-IQ implements technical and organisational measures to protect personal data. An overview of current security controls is available on our Security Overview page, including:
- AES-256 encryption at rest; TLS 1.2+ in transit
- Role-based access control and organisation-level data isolation
- Production access restricted to authorised personnel
- Continuous monitoring and incident response procedures
[Placeholder: Specific technical and organisational security measures (TOMs) to be documented in binding instrument as Annex II — requires legal review.]
8. Cross-Border Data Transfers
Some data processing occurs outside the Customer's primary jurisdiction due to the nature of our infrastructure providers. Details are available on the Data Residency page.
[Placeholder: Transfer mechanisms, adequacy decisions, contractual safeguards, and jurisdiction-specific clauses (e.g., Standard Contractual Clauses for applicable jurisdictions) to be defined in binding instrument — requires legal review. Do not assert specific regulatory compliance (GDPR, APPs) without legal sign-off.]
9. Retention and Deletion
Audit-IQ retains customer data for the duration of the subscription and as required by operational, legal, or security obligations. Customers may request deletion of workspace data subject to the terms described in our Privacy Policy.
[Placeholder: Specific retention periods, post-termination deletion timelines, return-of-data procedures, and backup purge schedules to be defined in binding instrument — requires legal review.]
10. Incident Notification
In the event of a confirmed security incident affecting Customer personal data, Audit-IQ will notify the affected Customer in accordance with applicable legal requirements and contractual obligations. Incident reports should be directed to security@audit-iq.com.
[Placeholder: Binding notification timelines, content requirements, escalation contacts, and post-incident reporting obligations to be defined in binding instrument — requires legal review. Specific regulatory timelines (e.g., 72-hour notification) must be confirmed against applicable law by legal counsel.]
11. Audit Rights
Enterprise customers may request information to support their own compliance assessments and vendor due diligence processes. Requests should be directed to legal@audit-iq.com.
[Placeholder: Scope of audit rights, notice periods, access restrictions, third-party auditor requirements, and cost allocation to be defined in binding instrument — requires legal review.]
12. Contact
For DPA enquiries, to request a reviewed draft, or to discuss data processing arrangements for enterprise procurement:
- Legal and DPA enquiries: legal@audit-iq.com
- Privacy and data subject rights: privacy@audit-iq.com
- Security incidents and vulnerability reports: security@audit-iq.com
Legal Review Notice
This document is a draft structural outline for procurement discussion only. It has not been reviewed or approved by legal counsel. It does not constitute a legal instrument and creates no binding obligations on either party. All sections marked [Placeholder] require legal drafting before they can be included in any binding agreement.
Before using any version of this document in a procurement or compliance context, Audit-IQ strongly recommends that both parties obtain independent legal advice. For a reviewed draft suitable for execution, contact legal@audit-iq.com.
