Data Processing Agreement

Version 1.2 · Effective:

Summary

  • Audulate acts as a data processor when processing personal data on behalf of your organisation.
  • We only process data on your documented instructions.
  • All EU/UK data stays within EU infrastructure unless SCCs are in place.
  • Growth and Enterprise customers can request a signed DPA — email legal@audulate.com.

1. Scope and roles

This Data Processing Agreement (“DPA”) forms part of the Audulate Terms of Service and applies where Audulate Ltd (“Processor”) processes personal data on behalf of a customer (“Controller”) in the course of providing the Audulate platform.

The DPA is incorporated by reference into the Terms of Service. By using the Audulate platform, Growth and Enterprise customers agree to the terms of this DPA. Free plan customers are covered by the Terms of Service only.

2. Processor obligations (Article 28 GDPR)

Audulate, as data processor, commits to:

  • Process personal data only on documented instructions from the Controller.
  • Ensure authorised personnel are subject to confidentiality obligations.
  • Implement appropriate technical and organisational security measures (Article 32).
  • Assist the Controller with data subject rights requests (Articles 15–22).
  • Assist the Controller with breach notification obligations (Articles 33–34).
  • Delete or return all personal data at termination, at the Controller's choice.
  • Make available all information necessary to demonstrate compliance and support audits.
  • Not engage sub-processors without prior written authorisation from the Controller (met by acceptance of this DPA).

3. Sub-processors

Audulate uses the following sub-processors to deliver the platform. Each is bound by data processing agreements with equivalent obligations. This list is versioned — see the change log at the bottom of this page.

Vendor   | Purpose                                             | Location                        | Transfer basis
---------|-----------------------------------------------------|---------------------------------|---------------
Supabase | PostgreSQL database & authentication                | EU — Frankfurt (eu-central-1)   | SCCs in place
Upstash  | Redis queue (BullMQ)                                | EU — Frankfurt                  | SCCs in place
Railway  | Worker service hosting                              | EU — Frankfurt                  | SCCs in place
Vercel   | Frontend & API hosting                              | USA                             | SCCs in place
Stripe   | Payment processing                                  | USA                             | SCCs in place
OpenAI   | AI risk summaries & remediation (gpt-4o-mini)       | USA                             | SCCs in place
Resend   | Transactional email                                 | USA                             | SCCs in place
GitHub   | PR scanning webhooks & source control               | USA                             | SCCs in place

4. Sub-processor change notification

Audulate will notify customers at least 30 days before adding or replacing a sub-processor via an in-app notification delivered to all account members in your Audulate dashboard. The notification will state the vendor name, the nature of the change, and the effective date.

Enterprise customers may object to a change within 14 days of notification; if we cannot reasonably accommodate the objection, either party may terminate the affected services without penalty. Free and Growth plan customers are deemed to accept changes unless they cancel their account before the effective date.

5. International data transfers

The majority of personal data processed by Audulate is stored within EU infrastructure (Supabase Frankfurt, Upstash Frankfurt, Railway Frankfurt). Where data is transferred outside the EU/UK — specifically to Vercel, Stripe, OpenAI, Resend, and GitHub in the USA — we rely on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) as the transfer mechanism.

For UK customers, we rely on the International Data Transfer Agreement (IDTA) addendum for UK-to-USA transfers. Transfer Impact Assessments (TIAs) for each non-EU processor are available to Enterprise customers on request.

6. Security measures (Article 32)

  • Encryption at rest (AES-256) and in transit (TLS 1.2+) for all personal data.
  • Passwords hashed with bcrypt (cost factor 12).
  • Multi-factor authentication enforced for all internal staff accounts.
  • Annual third-party penetration testing. Summary reports available to Enterprise customers on request.
  • Role-based access control — only authorised personnel access production data.
  • Documented incident response policy with 72-hour internal escalation SLA.

7. Data subject rights assistance

Audulate will assist the Controller in fulfilling data subject rights requests (Articles 15–22 GDPR) within the platform via the DSR Management module. Customers can also request manual assistance by emailing privacy@audulate.com.

8. Audit rights

Enterprise customers may request an audit of Audulate's data processing practices once per calendar year, with 30 days' notice. Audits will be conducted during business hours and must not unreasonably disrupt operations. Alternatively, Audulate may provide a summary audit report prepared by a qualified third party in lieu of an on-site audit.

9. Data return and deletion

On termination or expiry of the Agreement, Audulate will, at the Controller's election: (a) return all personal data in a machine-readable format within 30 days, or (b) securely delete all personal data within 30 days and confirm deletion in writing. Backups are purged within 90 days of the deletion request.

10. Request a signed DPA

Growth and Enterprise customers requiring a countersigned DPA for their own compliance records should contact our legal team. We will respond within 5 business days.

Request your signed DPA

Email us with your company name, registered address, and the email address of the signatory. We'll send a countersigned copy within 5 business days.

Email legal@audulate.com

11. Version history

Version | Effective date | Changes
--------|----------------|--------
v1.2    | 1 May 2026     | Added OpenAI as sub-processor (AI risk summaries, gpt-4o-mini). Updated SCC references to 2021 Commission SCCs. Changed sub-processor change notifications from email to in-app dashboard notifications.
v1.1    | 1 Jan 2026     | Added UK IDTA addendum for UK-to-USA transfers. Added audit rights clause.
v1.0    | 1 Jul 2023     | Initial DPA published.

Questions about this DPA? Contact us or email legal@audulate.com. For the full Privacy Policy, see /privacy.