Trust & Security
We hold ourselves to the same standard we set for our customers.
Audulate runs its own GDPR scanner on itself. Here's everything we do to keep your data safe and earn your trust.
Audulate scores 97/100 on its own GDPR scanner
We eat our own cooking. Our platform continuously monitors audulate.com and the app for GDPR compliance — the same way it monitors our customers. You can request our latest scan report as an Enterprise customer.
Certifications & audits
GDPR posture
Audulate scans its own platform using the same engine we sell. The current scan score is published in our most recent sample report.
SOC 2 Type II
Not yet pursued. Our sub-processor list is published in our Privacy Policy; the internal security questionnaire and DPA template are available on request. We will publish an engagement timeline only when the work is contracted.
ISO 27001
On our long-term roadmap, dependent on SOC 2 outcome. We will not publish a timeline until the ISMS work is funded and scoped.
Independent security review
No third-party penetration test has been completed yet. Internal review is ongoing. We will publish a summary report once an independent test is run.
Security measures
Encryption in transit and at rest
TLS 1.3 in transit across our hosting stack (Vercel, Supabase, Upstash defaults). AES-256 at rest for the PostgreSQL database (Supabase managed encryption). Passwords are hashed with bcrypt; secrets live in environment variable vaults, not source code.
EU data residency
Tenant data is stored in the EU: the primary PostgreSQL database runs on Supabase eu-west-1. Vercel serves the frontend and API from EU edge regions. Where US processors are involved (Vercel control plane, OpenAI for AI features, Stripe for billing), Standard Contractual Clauses cover the transfer.
Role-based access control
Five-tier RBAC inside the platform: Owner, Admin, Compliance Manager, Developer, Auditor. Each role has scoped permissions enforced server-side via Fastify route guards (see apps/api/src/plugins/rbac.ts).
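As an added illustration of the server-side pattern this describes (this is example code, not Audulate's own apps/api/src/plugins/rbac.ts), the block below implements a Fastify-style preHandler guard for the five roles named above. The permission strings, the per-role allow-lists and the minimal request/reply shapes are assumptions; the guard is written against structural types rather than the fastify package so it runs stand-alone.

```typescript
// Added example of a server-side RBAC route guard in the style of a Fastify
// preHandler hook. Not Audulate's code. Role names come from the page; the
// permission strings and the request/reply shapes are assumptions so the
// block runs without the fastify package.

export type Role = "Owner" | "Admin" | "Compliance Manager" | "Developer" | "Auditor";

// Explicit allow-list per role (constructed values). Deny is the default:
// a permission missing from a role's set, or a role absent from the table,
// is refused rather than falling through to some broader role.
export const ROLE_PERMISSIONS: Record<Role, ReadonlySet<string>> = {
  Owner: new Set(["org:delete", "members:manage", "scans:run", "scans:read", "audit:read"]),
  Admin: new Set(["members:manage", "scans:run", "scans:read", "audit:read"]),
  "Compliance Manager": new Set(["scans:run", "scans:read", "audit:read"]),
  Developer: new Set(["scans:run", "scans:read"]),
  Auditor: new Set(["scans:read", "audit:read"]),
};

// Role is typed as string here on purpose: it arrives from a session or JWT,
// so an unknown value must be handled rather than assumed to be a Role.
export function hasPermission(role: string | undefined, permission: string): boolean {
  if (role === undefined) return false;
  const table = ROLE_PERMISSIONS as Record<string, ReadonlySet<string> | undefined>;
  const perms = table[role];
  return perms !== undefined && perms.has(permission);
}

// Minimal structural stand-ins for Fastify's request and reply (assumption).
export interface GuardRequest {
  user?: { id: string; role: string };
}
export interface GuardReply {
  statusCode: number;
  body?: unknown;
  code(status: number): GuardReply;
  send(payload: unknown): GuardReply;
}
export type HookDone = (err?: Error) => void;

// Factory returning a callback-style preHandler. Unauthenticated -> 401,
// authenticated but lacking the permission -> 403. When the guard sends a
// response it does not call done(), which is how a Fastify hook short-circuits
// the chain so the route handler never runs.
export function requirePermission(permission: string) {
  return (req: GuardRequest, reply: GuardReply, done: HookDone): void => {
    if (!req.user) {
      reply.code(401).send({ error: "authentication required" });
      return;
    }
    if (!hasPermission(req.user.role, permission)) {
      // Deliberately generic message: do not echo which roles would qualify.
      reply.code(403).send({ error: "forbidden" });
      return;
    }
    done();
  };
}

// In-memory reply so the guard can be exercised offline.
export function makeReply(): GuardReply {
  const reply: GuardReply = {
    statusCode: 200,
    code(status: number) { reply.statusCode = status; return reply; },
    send(payload: unknown) { reply.body = payload; return reply; },
  };
  return reply;
}

// Runs the guard for a given (possibly absent) role and reports the HTTP
// status it produced and whether the route handler would have executed.
export function guardOutcome(
  role: string | undefined,
  permission: string,
): { status: number; allowed: boolean } {
  const req: GuardRequest = role === undefined ? {} : { user: { id: "user-1", role } };
  const reply = makeReply();
  let allowed = false;
  requirePermission(permission)(req, reply, () => { allowed = true; });
  return { status: reply.statusCode, allowed };
}
```

Registering `requirePermission("members:manage")` as the `preHandler` of a member-management route is the shape of check the page describes; the point worth copying is that the decision is made server-side from an explicit allow-list, with unknown roles and missing permissions both denied by default.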
Audit logging
All admin actions and member-management actions are written to immutable audit log tables (AdminAuditLog, MemberAuditLog). Logs are retained per the plan's retention policy and can be exported by Enterprise customers for their own audit needs.
Breach notification commitment
If a security incident materially affects customer data, we notify affected account owners by email within 72 hours of confirmation — aligned with GDPR Article 33. Our incident response runbook is internal but reviewable on request.
We scan ourselves
Every pull request to our own repositories runs through the same GitHub PR scanner we sell. Dependencies are watched for CVEs. The most recent scan of our marketing site is published as a sample report — no signup required.
What we don't do (yet)
We'd rather list the gaps than have you discover them mid-procurement. Each item below is on our radar; none are commitments with dates.
- No SOC 2 attestation yet — see Certifications & audits above
- No independent penetration test yet
- No on-premises or air-gapped deployment
- No SAML SSO yet — Google + email login only (SSO on roadmap for Enterprise tier)
- No FedRAMP / IL5 / public-sector accreditations
Data Protection Officer
Data Protection Officer — Audulate Ltd
Article 37 GDPR — Appointed 1 July 2023
dpo@audulate.com
Our DPO is responsible for overseeing our data protection strategy, ensuring compliance with GDPR, and acting as the primary point of contact for data subjects and supervisory authorities. The DPO operates independently and reports directly to senior management.
Responsible disclosure
If you believe you've found a security vulnerability in Audulate, please report it responsibly. We will acknowledge your report within 24 hours, keep you informed of our progress, and publicly credit you if you wish once the issue is resolved.