This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and AuditFront ("Processor") for the use of the AuditFront platform ("Service").
1. Scope
This DPA applies to the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Service. It supplements our Terms of Service and Privacy Policy.
2. Processing Details
- Subject matter: Provision of the AuditFront compliance self-assessment platform.
- Duration: For the term of the agreement between Controller and Processor.
- Nature and purpose: Storage, retrieval, and display of audit data entered by the Controller; authentication and account management.
- Types of personal data: Email addresses, names, authentication identifiers, and any personal data contained within audit content entered by the Controller.
- Categories of data subjects: Controller's employees, contractors, and other individuals whose data may be included in audit content.
3. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that persons authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest.
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability).
- Delete or return all personal data at the end of the agreement, at the Controller's choice.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
4. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed on our Sub-processor List. The Processor shall:
- Notify the Controller of any intended changes to sub-processors at least 30 days in advance.
- Ensure each sub-processor is bound by data protection obligations no less protective than those in this DPA.
- Remain fully liable for the acts and omissions of its sub-processors.
5. International Transfers
Personal data is processed and stored within the European Union. Where a sub-processor is located outside the EU, transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission, or another lawful transfer mechanism.
6. Audit Rights
The Controller may, upon reasonable notice and no more than once per year, request information or conduct an audit to verify the Processor's compliance with this DPA. The Processor shall cooperate with such requests and provide relevant documentation.
7. Data Breach Notification
The Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a personal data breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The name and contact details of the Processor's contact point for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach.
8. Term & Termination
This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller. Upon termination, the Processor shall, at the Controller's choice, delete or return all personal data within 30 days and certify the deletion in writing, unless retention is required by applicable law.