AAuditus.ai

DPA

Data Processing Agreement

This page sets out the standard DPA Auditus.ai (The Upcapital Inc., the Processor) offers customers (Controllers) for processing of personal data under GDPR Art. 28. To countersign, email ceo@theupcapital.com.

1. Subject matter

Processing necessary to deliver the Auditus.ai pre-audit readiness platform, document analyzer, billing, and related services to the Controller and its authorized users.

2. Duration

Effective on the Controller's first use of the service, continuing until termination of all subscription orders plus the retention period set out in the Privacy policy.

3. Nature and purpose

Storage, retrieval, structured analysis, generation of audit-readiness findings, and delivery of reports. Categories: account, billing, audit working papers, optional WhatsApp/email contact data.

4. Sub-processors

Listed at /subprocessors. Auditus provides at least 30 days' prior notice of additions or changes. Controllers may object on legitimate grounds; if objection cannot be reasonably resolved, the affected order may be terminated for cause.

5. Security measures (Art. 32)

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access control + tenant isolation gates on every tenant-scoped endpoint.
  • Cryptographic signature chain (SHA-256) on signed deliverables.
  • Forensic activity log retained per the retention policy.
  • Annual penetration test on the public surface (pilot phase: continuous bug bounty in development).

6. Data subject rights assistance (Art. 28(3)(e))

Controllers can self-serve access, rectification, and erasure for their authorized users from /account. For free-form requests (objection, restriction), Auditus responds within 5 business days.

7. Breach notification

Auditus notifies the Controller without undue delay and at the latest within 48 hours of becoming aware of a personal data breach affecting Controller data, with the information required by Art. 33(3).

8. International transfers

Transfers of EU/UK personal data to processors outside the EEA rely on the EU Standard Contractual Clauses (2021/914) Module 3 (processor-to-processor) where applicable, plus the supplementary measures described in the Privacy policy.

9. Return / deletion at end of services

On termination, the Controller may export all data via /api/account/export within 30 days. After 30 days, data is securely deleted, except where retention is required by law (tax, audit-paper minimum retention).

10. Audit rights

Auditus provides Controllers with SOC 2 Type II reports (when available) and responds in good faith to reasonable security questionnaires once per 12-month period. On-site audits available for Enterprise customers under NDA.

This page is the unsigned template. The countersigned PDF supersedes it as the operative agreement between Auditus and the Controller.