Security Overview
Version 1.2 • Effective: June 2026 • See Legal Changelog
Audit-IQ applies industry-standard security practices to safeguard customer data and platform reliability. This page provides a high-level overview of our security posture and is updated when material controls change.
1. Infrastructure
Audit-IQ is built on established, third-party managed infrastructure. We do not operate self-managed data centres.
- Frontend hosting & CDN: Vercel (global edge delivery, DDoS mitigation, TLS termination)
- Backend API hosting: Fly.io (application server, United States primary)
- Database, authentication & file storage: Supabase (managed PostgreSQL, row-level security, object storage)
- Payment processing: Stripe (PCI-DSS certified; Audit-IQ does not store or process raw card data)
- Email delivery: Resend and Zoho Mail (transactional notifications)
- Regular patching and dependency updates across all services
- Strict environment separation between development and production
See our Subprocessors page for the full list of third-party providers, purposes, and processing locations.
2. Data Protection
- Encryption at rest: All customer data stored in Supabase is encrypted using AES-256
- Encryption in transit: All connections use TLS 1.2 or higher; unencrypted connections are not accepted
- Access-restricted document processing pipelines
- Data minimisation and retention aligned with operational requirements
See also: Privacy Policy and Data Residency Statement.
3. Access Controls
- Role-based access control (RBAC): Owner, Admin, Member, Auditor, and Client roles enforce least-privilege access within each organisation
- Strict organisation isolation — no cross-tenant data access by design
- Multi-factor authentication (MFA) is supported for all user accounts
- Production infrastructure access is restricted to authorised engineering staff
- Administrative actions are logged and auditable
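Row-level security is the PostgreSQL mechanism Supabase exposes for the organisation isolation and role checks listed above. The following is an added, illustrative example, not Audit-IQ's actual schema or policies: the table names, columns and the `has_org_role` helper are assumptions, and only `auth.uid()` (Supabase's helper that returns the calling user's id from the request JWT) and the `authenticated` role are Supabase-provided. It shows how the Owner/Admin/Member/Auditor/Client roles and tenant isolation could be enforced in the database rather than only in application code:

```sql
-- Illustrative schema (assumed names; not Audit-IQ's actual schema).
create table organisations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table organisation_members (
  organisation_id uuid not null references organisations(id) on delete cascade,
  user_id         uuid not null,   -- matches auth.users.id in Supabase
  role            text not null
                  check (role in ('owner', 'admin', 'member', 'auditor', 'client')),
  primary key (organisation_id, user_id)
);

create table documents (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null references organisations(id) on delete cascade,
  title           text not null,
  body            text
);

-- Deny by default: once RLS is enabled, a table with no matching policy
-- returns no rows and accepts no writes for ordinary roles.
alter table organisation_members enable row level security;
alter table documents            enable row level security;
-- FORCE applies the policies to the table owner as well, so the owner role
-- used for migrations cannot silently read across tenants.
alter table documents force row level security;

-- Helper (assumed name): does the caller hold one of the given roles in the
-- organisation? SECURITY DEFINER lets it read organisation_members regardless
-- of that table's own policies; search_path is pinned to prevent hijacking
-- via a same-named object in another schema.
create or replace function has_org_role(org uuid, allowed text[])
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from organisation_members m
    where m.organisation_id = org
      and m.user_id = auth.uid()       -- null for unauthenticated callers => false
      and m.role = any (allowed)
  );
$$;

-- Users may see only their own membership rows.
create policy members_self on organisation_members
  for select using (user_id = auth.uid());

-- Tenant isolation: any role can read only documents of organisations it belongs to.
create policy documents_read on documents
  for select using (
    has_org_role(organisation_id, array['owner', 'admin', 'member', 'auditor', 'client'])
  );

-- Least privilege: Auditor and Client are read-only; Owner/Admin/Member may write.
create policy documents_insert on documents
  for insert with check (has_org_role(organisation_id, array['owner', 'admin', 'member']));
create policy documents_update on documents
  for update using      (has_org_role(organisation_id, array['owner', 'admin', 'member']))
             with check (has_org_role(organisation_id, array['owner', 'admin', 'member']));

-- Only Owners may delete.
create policy documents_delete on documents
  for delete using (has_org_role(organisation_id, array['owner']));

-- Local check in psql: impersonate a user the way PostgREST does and confirm
-- that only that user's organisations' documents come back. The UUID below is
-- a constructed placeholder, not a real account.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"11111111-1111-4111-8111-111111111111","role":"authenticated"}',
                  true);
select id, organisation_id, title from documents;  -- expect: only rows for that user's organisations
rollback;
```

Two caveats a reviewer would check: a role with the `BYPASSRLS` attribute (Supabase's `service_role` key) ignores these policies entirely, so that key must never reach a browser or an untrusted client; and application-level role checks remain necessary for actions RLS cannot see, such as which fields an Auditor may edit within a row it is allowed to read.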
4. Logging & Monitoring
- Continuous monitoring for errors, anomalies, and suspicious activity
- Operational logs used for reliability, troubleshooting, and security investigations; logs do not contain full document content by default
- Alerting for key system health and abnormal patterns
Logs are retained only as long as operationally and legally required.
5. Backup & Recovery
- Routine automated database backups managed by Supabase
- Recovery procedures designed to restore service from backup in the event of data loss
- Business continuity controls reviewed as the platform scales
6. AI & Data Usage
Audit-IQ uses AI to assist with obligation extraction, control gap analysis, and remediation suggestions. We currently use OpenAI's API for these features. The following practices apply to AI-assisted processing:
- No intentional training use: Audit-IQ does not intentionally use customer content to train or fine-tune AI models. We use commercially available AI API services designed for business workloads, and we do not authorise providers to use customer content for model training. Provider-side data handling is governed by the provider's published API usage policies and our contractual terms with them.
- Request-scoped inference: AI calls process submitted content within the request context for feature delivery. Audit-IQ does not intentionally retain AI inference content beyond operational requirements.
- Advisory outputs only: AI-generated suggestions are advisory. They do not constitute legal, audit, or regulatory compliance conclusions.
- Cross-border processing: AI inference is performed by OpenAI, whose infrastructure is located in the United States. See our Data Residency Statement for details.
Questions about AI data handling: privacy@audit-iq.com
7. Subprocessors & Vendor Security
We evaluate subprocessors based on the security and privacy controls appropriate to their role. We restrict data shared with subprocessors to what is necessary for service delivery. A full list of current subprocessors is available on our Subprocessors page. Organisations requiring a Data Processing Agreement for procurement purposes may review our DPA structure page.
8. Incident Response
We maintain internal procedures to identify, investigate, contain, and remediate security incidents, including:
- Detection and triage through automated monitoring and alerting
- Containment procedures to limit the impact of a confirmed incident
- Customer notification in accordance with applicable law and contractual obligations in the event of a material breach affecting their data
- Post-incident review to prevent recurrence
To report a security concern or request incident status information, contact: security@audit-iq.com
9. Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities. To report a potential security issue, email security@audit-iq.com with details of the potential vulnerability.
We aim to acknowledge reports within 2 business days and to provide a resolution timeline within 5 business days of confirming the issue.
We ask that researchers:
- Do not access, modify, or delete data belonging to other users or organisations
- Do not perform denial-of-service testing or disrupt platform availability
- Allow us reasonable time to investigate and remediate before any public disclosure
We do not authorise testing that degrades service availability or attempts to access other customers' data.
10. Compliance Posture
Audit-IQ is not currently certified against third-party security frameworks. Our security controls are designed to support principles aligned with:
- ISO 27001 information security management principles
- SOC 2 security, availability, and confidentiality trust service criteria
- Australian Privacy Act (Privacy Act 1988, as amended 2024) considerations
- GDPR-aligned data protection practices for future EU expansion
As the platform matures, we will formalise controls, documentation, and certification efforts aligned with customer requirements.
11. Security FAQ
What cloud infrastructure does Audit-IQ use?
Frontend hosting and CDN are provided by Vercel, and the backend API runs on Fly.io. Database, authentication, and file storage are provided by Supabase (managed PostgreSQL). Payments are handled by Stripe. See our Subprocessors page for the full list.
Is customer data encrypted?
Yes. Data at rest is encrypted using AES-256 (Supabase standard). All connections use TLS 1.2 or higher. Unencrypted connections are not accepted.
Does Audit-IQ train AI models on my data?
Audit-IQ does not intentionally use customer content to train or fine-tune AI models. We use commercially available AI API services (currently OpenAI) designed for business workloads, and we do not authorise providers to use customer content for training purposes. AI provider data handling is governed by their API usage policies. Customers with specific AI data handling requirements should review our Subprocessors page and contact us before uploading sensitive content.
Is Audit-IQ SOC 2 or ISO 27001 certified?
No. Audit-IQ is not currently certified against SOC 2, ISO 27001, or any other third-party security framework. Our controls are designed to support those principles. We plan to pursue formal certification as the platform scales.
Can Audit-IQ staff access my data?
Audit-IQ engineering staff have infrastructure-level access necessary for operating and maintaining the platform. Access is logged and restricted to authorised personnel on a need-to-know basis. We do not access customer workspace data for any purpose other than security incident response or direct support you request.
How do I report a security vulnerability?
Email security@audit-iq.com with details of the potential vulnerability. We acknowledge reports within 2 business days. Please do not publicly disclose issues until we have had a reasonable opportunity to investigate and remediate.
Do you offer a Data Processing Agreement (DPA)?
We have published a DPA structural outline for procurement discussion. It is a draft structure only — not a binding agreement — and requires legal review before use. Enterprise customers requiring an executed DPA should contact legal@audit-iq.com.
12. Contact
- Security concerns and vulnerability reports: security@audit-iq.com
- Privacy and data handling: privacy@audit-iq.com
- Legal and compliance: legal@audit-iq.com
