Privacy Policy

Last updated: January 2025

Overview

SOX&AUDIT ("we," "us," or "Company") provides an AI-powered audit automation platform to enterprise customers ("Customer," "you"). This Privacy Policy describes how we collect, process, and protect data in connection with our Services.

This policy applies to Customer organizations and their authorized users. Individual data processing terms are governed by your organization's policies and your Master Service Agreement (MSA) or Data Processing Agreement (DPA) with SOX&AUDIT.

Data Categories

Customer Data

Data uploaded or created by Customer within the platform, including:

  • Audit evidence and supporting documentation
  • Control definitions and test procedures
  • Workpapers and audit findings
  • Internal communications within the platform

Customer owns all Customer Data. We process Customer Data solely to provide the Services as directed by Customer.

Account Data

Information about Customer's organization and authorized users:

  • Organization name, billing address, and contact information
  • User names, email addresses, and role assignments
  • Authentication credentials (managed via SSO/SAML where configured)

Usage Data

Aggregated, non-identifiable data about platform usage for service improvement, including feature adoption metrics, performance data, and error logs. Usage data does not include Customer Data content.

AI Processing & Responsible AI

Our platform uses artificial intelligence to analyze documents, generate test procedures, and assist with audit workflows. We are committed to responsible AI practices, as described below.

How AI Processes Your Data

  • AI models analyze Customer Data to extract information, classify documents, and generate outputs
  • Processing occurs within our secure infrastructure or through contracted AI providers bound by data processing agreements
  • AI outputs are tools to assist qualified professionals, not substitutes for professional judgment

Our AI Commitments

  • No model training on Customer Data: We do not use Customer Data to train, fine-tune, or improve general-purpose AI models
  • Human oversight: AI-generated outputs require human review before finalization
  • Transparency: AI-generated content is clearly identified within the platform
  • Data minimization: We process only the data necessary for requested functions
  • Confidentiality: AI providers are contractually bound to confidentiality and data protection obligations

AI Sub-processors

We use third-party AI services (such as OpenAI, Anthropic, or similar providers) to power certain platform features. These providers process data under strict contractual terms that prohibit use of Customer Data for model training and require enterprise-grade security controls. A current list of AI sub-processors is available upon request.

Data Retention

We retain data according to the following principles:

  • Customer Data: Retained for the duration of the subscription plus a configurable retention period (default 90 days) to allow for data export
  • Audit Logs: Retained for compliance purposes as specified in your agreement (typically 7 years for audit trail integrity)
  • Account Data: Retained while the account is active and for a reasonable period thereafter for legal and business purposes
  • Backups: Encrypted backups are retained according to our disaster recovery policy and deleted according to retention schedules

Data Deletion

Upon subscription termination or Customer request, we will delete or anonymize Customer Data within 90 days, except where retention is required for legal compliance or legitimate business purposes (e.g., billing records, audit logs required by regulation). Customers may request a certificate of destruction.

Data Security

We implement comprehensive security measures appropriate for enterprise audit data:

  • Encryption: AES-256 encryption at rest; TLS 1.3 in transit
  • Access Controls: Role-based access control (RBAC), multi-factor authentication, SSO/SAML integration
  • Infrastructure: SOC 2 Type II certified cloud infrastructure with isolated tenant environments
  • Monitoring: 24/7 security monitoring, intrusion detection, and automated threat response
  • Testing: Annual third-party penetration testing and continuous vulnerability scanning
  • Personnel: Background checks, security training, and least-privilege access for employees

Data Location & Transfers

Customer Data is stored in the region specified in your agreement. For customers requiring specific data residency:

  • We offer deployment options in US, EU, and other regions upon request
  • Cross-border transfers comply with applicable frameworks (Standard Contractual Clauses, adequacy decisions)
  • Sub-processors are disclosed and governed by appropriate data transfer mechanisms

Sub-processors

We engage sub-processors to provide infrastructure and services. Key categories include:

  • Cloud Infrastructure: Hosting, storage, and compute services
  • AI Services: Natural language processing and document analysis
  • Security Services: Monitoring, logging, and threat detection
  • Support Tools: Customer support and communication platforms

All sub-processors are bound by data processing agreements with security and confidentiality obligations. A complete list of sub-processors is available to Customers under NDA.

Customer Rights & Controls

Customers have the following rights regarding their data:

  • Access: Export Customer Data at any time through the platform or via API
  • Correction: Modify or correct data within the platform
  • Deletion: Request deletion of Customer Data subject to retention requirements
  • Portability: Receive data in standard formats (JSON, CSV, PDF)
  • Audit: Request security documentation, certifications, and compliance attestations

Individual users within Customer organizations should direct privacy requests through their organization's designated administrator or privacy officer.

Compliance

We maintain the following compliance certifications and commitments:

  • SOC 2 Type II certification
  • GDPR compliance (for applicable Customer Data)
  • CCPA compliance (for applicable Customer Data)
  • Standard Contractual Clauses for international transfers

Compliance documentation and audit reports are available to Customers under NDA.

Incident Response

In the event of a security incident affecting Customer Data, we will notify affected Customers within 72 hours of confirmation, provide details about the nature and scope of the incident, and work with Customers on remediation. Our incident response procedures are documented and tested annually.

Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated to Customers via email or platform notification at least 30 days before taking effect. Continued use of the Services after changes become effective constitutes acceptance.

Contact

For privacy-related inquiries:

SOX&AUDIT Privacy Team

Email: privacy@soxaudit.ai

For urgent security concerns, contact security@soxaudit.ai.