
Data Processing Agreement

Last updated: March 2026

Introduction

This Data Processing Agreement (“DPA”) is entered into between the Customer (Controller) and AuditEvidenceAI Ltd (Processor). This DPA forms part of and supplements the Terms and Conditions governing the Customer's use of the AuditEvidenceAI platform.

1. Parties

Controller: The organisation or individual subscribing to and using the AuditEvidenceAI platform.

Processor: AuditEvidenceAI Ltd, incorporated in England and Wales.

2. Scope

This DPA applies to the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the AuditEvidenceAI platform services.

3. Roles

The parties acknowledge that the Controller determines the purposes and means of processing personal data it uploads or generates on the Platform. The Processor processes personal data only on the documented instructions of the Controller as set out in this DPA.

4. Nature of Processing

The Processor will carry out:

  • Storage of personal data uploaded to the Platform
  • Display and retrieval of personal data within the Platform
  • Generation of PDF outputs containing personal data
  • Maintenance of audit logs
  • Authentication and access management

5. Types of Personal Data

Categories of personal data may include:

  • Names, email addresses, and job titles of users and data subjects referenced in documentation
  • Organisational and business data entered into evidence packs
  • Documentation and supporting evidence uploaded to the Platform
  • Audit log data

The Controller is responsible for ensuring special category data is only uploaded where lawful and necessary.

6. Purpose of Processing

Personal data is processed solely for the purpose of providing the Platform services to the Controller.

7. Processor Obligations

The Processor agrees to:

  • Process personal data only on documented instructions
  • Ensure authorised persons are subject to confidentiality obligations
  • Implement appropriate technical and organisational security measures per UK GDPR Article 32
  • Not engage sub-processors without authorisation
  • Assist the Controller with data subject rights requests
  • Assist with breach notification and data protection impact assessments
  • Delete or return all personal data upon termination
  • Provide information to demonstrate compliance

8. Sub-Processors

The Controller provides general written authorisation for the Processor to engage sub-processors. Current sub-processors include:

  • Supabase Inc — database hosting and authentication (US-based, with SCCs in place)
  • Cloud hosting and CDN providers used to operate the Platform infrastructure

A full list is available on request from hello@auditevidence.ai.

9. International Transfers

Where personal data is transferred outside the United Kingdom, the Processor will ensure appropriate safeguards including adequacy decisions, IDTAs, or equivalent standard contractual clauses. Transfers to Supabase are governed by appropriate contractual safeguards.

10. Data Retention and Deletion

Personal data will be retained for the duration of the Services. Upon termination, data will be retained for 30 days to allow export, then securely deleted. The Controller is responsible for exporting any required data before the end of the retention period.

11. Security Measures

The Processor implements:

  • Encryption of all data in transit (TLS/HTTPS) and at rest
  • Role-based access controls
  • Hashed password storage
  • Regular security monitoring
  • Incident detection and response procedures
  • Staff access controls and confidentiality obligations

12. Audit Rights

The Processor will provide all information reasonably necessary to demonstrate compliance. The Controller may, with reasonable prior written notice and no more than once per calendar year, commission an audit. The Processor may satisfy audit rights by providing third-party audit reports or certifications.

Contact: hello@auditevidence.ai