Data Processing Agreement

Effective date: 19 May 2026

Overview

This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Customer" or "Data Controller") and Auditara Ltd (the "Processor"), for the use of the Auditara programme management platform. This DPA complies with UK GDPR Article 28 and governs the processing of personal data on behalf of the Customer.

Your use of the platform constitutes acceptance of this DPA. No separate signature is required.

1. Definitions

  • Customer: The individual or organisation using Auditara and determining the purposes of processing.
  • Processor: Auditara Ltd, processing data on the Customer's behalf.
  • Customer Personal Data: Any personal data processed by Auditara on the Customer's behalf, including client names, engagement notes, and uploaded files.
  • Sub-processor: Any third party engaged by Auditara Ltd to process Customer Personal Data.
  • Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorised access to Customer Personal Data.

2. Scope of Processing

  • Subject matter: Providing programme management tools for ISO 27001 and ISO 42001 implementation engagements.
  • Nature: Storage and retrieval of programme data and evidence files. Auditara does not process Customer Personal Data through AI models.
  • Purpose: As instructed by the Customer through the platform interface.
  • Duration: For the term of the Customer's active subscription plus any applicable retention period.
  • Categories of data: Client names, engagement notes, evidence file contents, activity commentary, and completion records.
  • Categories of data subjects: The Customer's clients and any individuals referenced in uploaded evidence files.

3. Processor Obligations

3.1 Instructions

Auditara Ltd will process Customer Personal Data only on the Customer's documented instructions as provided through the platform interface.

3.2 Confidentiality

All personnel with access to Customer Personal Data are subject to confidentiality obligations and receive appropriate data protection training.

3.3 Security

Auditara Ltd implements the following technical and organisational measures:

  • Encryption in transit (TLS) and at rest for all stored data and files.
  • Row-level security in the database preventing cross-account data access.
  • Private storage bucket for evidence files, accessible only by the account owner.
  • OAuth-only authentication with no passwords stored.
  • EU West data residency for all Customer Personal Data.
  • Automated backups and uptime monitoring via Betterstack.

3.4 Sub-processors

Auditara Ltd engages the following sub-processors:

Sub-processor   Purpose                                   Location
Supabase        Database, authentication, file storage    EU West
Stripe          Payment processing                        Global, PCI DSS Level 1
Google          OAuth authentication                      Global
Lovable         Web application hosting                   EU
Betterstack     Uptime monitoring                         EU

Auditara Ltd will provide at least 30 days' notice before adding or replacing any sub-processor that processes Customer Personal Data. You may object within that period by emailing hello@auditara.io.

3.5 Data Subject Rights

Auditara Ltd will assist you in responding to data subject rights requests including access, rectification, erasure, and portability. Requests should be sent to hello@auditara.io and will be fulfilled within 30 days.

3.6 Data Breach Notification

In the event of a confirmed Personal Data Breach affecting Customer Personal Data, Auditara Ltd will notify you within 48 hours of confirmation, providing details of the breach, the data affected, and the steps being taken to address it. You remain responsible for notifying the ICO within 72 hours where required under UK GDPR Article 33.

3.7 Deletion of Data

On termination of your subscription or on request, all Customer Personal Data will be permanently deleted within 30 days. Anonymised billing records are retained for 7 years as required by HMRC. Written confirmation of deletion is available on request.

3.8 Audit Rights

You may request evidence of Auditara Ltd's compliance with this DPA by emailing hello@auditara.io. Formal on-site audits may be conducted with 60 days' advance written notice, no more than once per year, at the Customer's cost unless non-compliance is confirmed.

4. International Data Transfers

All programme data and evidence files are stored in the EU West region and do not leave the EU. Stripe and Google operate globally under their own GDPR-compliant terms and standard contractual clauses. No Customer Personal Data is processed by AI providers.

5. Customer Obligations

You warrant that you have a lawful basis for processing any personal data you upload to the platform, that you have informed data subjects as required, and that you maintain your own records of processing activities under UK GDPR Article 30.

6. Governing Law

This DPA is governed by the laws of England and Wales. The supervisory authority is the UK Information Commissioner's Office (ICO).

7. Contact

For DPA-related questions, email hello@auditara.io with the subject line "DPA Request".

Auditara Ltd

hello@auditara.io

auditara.io