Skip to content
AuditFront

Privacy Policy

Last updated: 19 February 2026

1. Who We Are

AuditFront (operated by the sole proprietor) operates the auditfront.com platform ("Service"), a SaaS tool for conducting internal compliance readiness assessments (ISO 27001, SOC 2, Tech DD, and other frameworks). We act as the data controller for your personal data.

Contact: support@auditfront.com
Data Protection: privacy@auditfront.com

2. Data We Collect

2.1 Account Data

When you register (directly or via social login), we collect:

  • Email address
  • Full name (if provided by identity provider)
  • Authentication provider identifier (Google, Apple, or Microsoft subject ID)

2.2 Audit Data

Data you enter while using the Service — audit questions, answers, scores, evidence attachments, advisory notes, and reports. This data may contain information about third-party organisations you are assessing.

You are the data controller for any personal data contained in audit content; we process it on your behalf.

2.3 Usage Data

We collect basic server-side logs (timestamps, request paths, error codes) for security monitoring and debugging. We do not use advertising cookies or tracking pixels.

On our marketing website (www.auditfront.com), we use Google Analytics 4 with IP anonymisation enabled to understand how visitors find and use the site. GA4 does not track logged-in application usage. You can opt out via your browser settings or a GA opt-out extension.

3. Legal Basis for Processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service you signed up for.
  • Legitimate interest (Art. 6(1)(f)) — security monitoring, fraud prevention, and product improvement based on aggregated usage patterns.
  • Legal obligation (Art. 6(1)(c)) — where we are required to retain data by applicable law.

4. How We Use Your Data

  • Provide and maintain the Service
  • Authenticate you via your identity provider
  • Improve the product based on aggregated usage patterns
  • Respond to support requests

5. Data Sharing & Sub-processors

We share personal data only with the sub-processors listed on our Sub-processor List. We do not sell personal data. All sub-processors are bound by data processing agreements.

6. Data Retention

  • Account data: retained while your account is active, then deleted within 30 days after account deletion.
  • Audit data: retained while your account is active. You can delete individual audits at any time.
  • Server logs: retained for up to 30 days, then automatically purged.

7. Your Rights (GDPR Art. 15-22)

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your personal data.
  • Data portability — receive your data in a structured, machine-readable format.
  • Restriction / Objection — restrict or object to certain processing activities.
  • Complaint — lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@auditfront.com.

8. Data Security

All data is encrypted in transit (TLS 1.2+) and at rest. Infrastructure is hosted on dedicated servers in the EU (Hetzner, Germany). Access to production systems is restricted to authorised personnel via SSH key authentication.

9. International Transfers

Your data is processed and stored within the European Union. Where a sub-processor is based outside the EU (e.g. Google LLC for OAuth and Analytics, Resend Inc. for transactional email, Cloudflare Inc. for website hosting), transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission. See our Sub-processor List for full details.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you at least 14 days in advance by email or through the Service. Continued use of the Service after the changes take effect constitutes acceptance of the revised policy.