Data Processing Agreement
Last Updated: November 14, 2025
GDPR & Enterprise Compliance
This Data Processing Agreement (DPA) is designed for enterprise customers who require GDPR compliance and detailed data processing terms. It supplements our standard Terms of Service and Privacy Policy.
1. Introduction
This Data Processing Agreement ("DPA") forms part of the service agreement between Aura Audit AI ("Processor," "we," "our") and you, the customer ("Controller," "you," "your"), and governs the processing of Personal Data (as defined by the GDPR) in connection with the Services.
This DPA applies when:
- You are subject to European data protection laws (GDPR)
- Personal Data of EU residents is processed through our Services
- You require a formal DPA for regulatory compliance
- Your organization's data protection officer requires executed DPA terms
2. Definitions
For the purposes of this DPA, the following definitions apply:
"Controller"
The entity that determines the purposes and means of processing Personal Data (you, the customer).
"Processor"
The entity that processes Personal Data on behalf of the Controller (Aura Audit AI).
"Personal Data"
Any information relating to an identified or identifiable natural person, as defined by the GDPR.
"Processing"
Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Sub-processor"
Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Subject"
An identified or identifiable natural person whose Personal Data is processed.
"GDPR"
The General Data Protection Regulation (EU) 2016/679.
3. Scope and Roles
3.1 Data Controller and Processor
You (the Controller) determine the purposes and means of processing Personal Data. You are responsible for:
- Ensuring lawful basis for processing under GDPR
- Obtaining necessary consents from Data Subjects
- Providing privacy notices to Data Subjects
- Responding to Data Subject rights requests
- Conducting Data Protection Impact Assessments (DPIAs) when required
We (the Processor) process Personal Data solely on your documented instructions. We are responsible for:
- Processing Personal Data only as instructed by you
- Implementing appropriate technical and organizational measures
- Ensuring confidentiality of personnel who process Personal Data
- Assisting with Data Subject rights requests
- Assisting with data breach notifications
- Deleting or returning Personal Data upon termination
3.2 Subject Matter and Duration
- Subject Matter: Provision of AI-powered audit automation services
- Duration: For the term of your service agreement with us
- Nature and Purpose: Processing of financial, audit, and client data to deliver audit automation services
- Types of Personal Data: Names, email addresses, financial data, business contact information
- Categories of Data Subjects: Your employees, clients, and their employees
4. Processing Instructions
4.1 Scope of Instructions
We will process Personal Data only:
- As necessary to provide the Services under our service agreement
- As documented in this DPA and our Terms of Service
- As instructed by you through use of the Services
- As required by applicable law (with notice to you when legally permissible)
4.2 Prohibited Processing
We will not:
- Sell or rent Personal Data to third parties
- Use Personal Data for our own purposes except as permitted by GDPR (e.g., anonymized analytics)
- Process Personal Data outside your instructions without your prior written consent
- Combine Personal Data with data from other sources for profiling or targeted advertising
5. Sub-processors
5.1 Authorization
You authorize us to engage Sub-processors to assist in providing the Services, subject to the conditions in this section.
5.2 Current Sub-processors
We currently engage the following Sub-processors:
| Sub-processor | Service Provided | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and data storage | United States (us-east-1) |
| Microsoft Azure | Alternative cloud infrastructure | United States / EU (customer choice) |
| OpenAI | AI model API services | United States |
| Stripe | Payment processing | United States |
| SendGrid | Email delivery services | United States |
5.3 Sub-processor Changes
We will provide at least 30 days' advance notice of:
- Addition of new Sub-processors
- Replacement of existing Sub-processors
If you object to a new Sub-processor on reasonable data protection grounds, you may:
- Request that we use an alternative Sub-processor (if technically feasible)
- Terminate the service agreement with 30 days' notice
5.4 Sub-processor Obligations
We ensure that all Sub-processors:
- Are bound by written agreements with data protection obligations equivalent to this DPA
- Implement appropriate technical and organizational measures
- Are subject to regular audits and assessments
- Provide Standard Contractual Clauses for international data transfers
6. Technical and Organizational Measures
We implement and maintain the following security measures to protect Personal Data:
6.1 Encryption
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Encrypted database backups
- Encryption key management through AWS KMS or Azure Key Vault
6.2 Access Controls
- Role-based access control (RBAC) with least-privilege principles
- Multi-factor authentication (MFA) required for all access
- Row-level security for multi-tenant data isolation
- Automated session timeout after 8 hours
- Regular access reviews and deprovisioning procedures
6.3 Data Minimization
- Collection of only data necessary for service provision
- Automated data retention policies
- Secure deletion procedures for expired data
- Anonymization for analytics and reporting
6.4 System Security
- SOC 2 Type II certified infrastructure
- 24/7 security monitoring and intrusion detection
- Regular penetration testing and vulnerability assessments
- Automated security patching and updates
- DDoS protection and rate limiting
- Incident response and disaster recovery plans
6.5 Personnel Security
- Background checks for all employees with data access
- Confidentiality agreements and data protection training
- Need-to-know access policies
- Regular security awareness training
6.6 Audit and Logging
- Comprehensive audit logging of all data access and modifications
- Immutable log storage with 7-year retention
- Real-time alerting for suspicious activities
- Regular log reviews and anomaly detection
7. Data Subject Rights
7.1 Assistance with Rights Requests
We will assist you in fulfilling Data Subject rights requests, including:
- Right of Access: Provide copies of Personal Data
- Right to Rectification: Correct inaccurate Personal Data
- Right to Erasure: Delete Personal Data (subject to legal obligations)
- Right to Restriction: Limit processing of Personal Data
- Right to Portability: Export Personal Data in machine-readable format
- Right to Object: Object to certain processing activities
7.2 Response Timeframe
We will respond to your requests for assistance within 5 business days and provide reasonable cooperation to help you meet GDPR's 30-day response requirement.
7.3 Fees
Assistance with Data Subject rights requests is included in your subscription. We may charge reasonable fees for excessive, repetitive, or manifestly unfounded requests.
8. Data Breaches
8.1 Notification
We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting your data.
8.2 Breach Information
Our notification will include:
- Description of the breach and affected Personal Data
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact information for further inquiries
8.3 Cooperation
We will cooperate with you and provide reasonable assistance in investigating and remediating the breach, and in meeting your obligations to notify supervisory authorities and affected Data Subjects.
9. International Data Transfers
9.1 Standard Contractual Clauses
For transfers of Personal Data from the European Economic Area (EEA) to countries without an adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary measures to ensure adequate data protection
- Transfer Impact Assessments where required
9.2 Data Localization Options
For enterprise customers, we can accommodate data residency requirements:
- EU-based data storage (Azure West Europe)
- Restricted data transfers outside your jurisdiction
- Custom data processing locations (subject to technical feasibility)
10. Audits and Compliance
10.1 Audit Rights
Upon reasonable notice, you may:
- Request copies of our SOC 2 Type II reports and security certifications
- Submit written questions about our data protection practices
- Request evidence of compliance with this DPA
10.2 On-Site Audits
If you require an on-site audit, you must:
- Provide at least 60 days' advance notice
- Conduct audits no more than once per year (unless required by supervisory authority)
- Execute mutual non-disclosure agreements
- Bear costs of the audit (unless significant non-compliance is found)
11. Data Deletion and Return
11.1 Upon Termination
Upon termination of the service agreement, we will:
- Provide you with 30 days to export your data
- Delete all Personal Data within 90 days after termination
- Provide certification of deletion upon request
11.2 Exceptions
We may retain Personal Data to the extent required by:
- Legal obligations (e.g., 7-year audit documentation retention)
- Pending litigation or investigations
- Backup systems (deleted within 90 days)
12. Limitation of Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the service agreement. However, nothing in this DPA limits either party's liability for:
- Violations of data protection laws
- Data breaches caused by gross negligence or willful misconduct
- Unauthorized disclosure of Personal Data
13. How to Execute This DPA
Enterprise Customers
To execute this DPA for your organization, please contact us at:
Email: dpa@auraaudit.ai
Subject: DPA Execution Request - [Your Company Name]
Include:
- Your company's legal name and registration details
- Contact information for your data protection officer (if applicable)
- Any specific data processing requirements or restrictions
- Preferred data residency location (if applicable)
14. Contact Information
Aura Audit AI - Data Protection Team
Email: dpa@auraaudit.ai
Data Protection Officer: dpo@auraaudit.ai
Privacy Team: privacy@auraaudit.ai
Address: 1234 Audit Way, Suite 100, Wilmington, DE 19801
Phone: (555) 123-4567
This Data Processing Agreement is effective as of November 14, 2025, and supplements our Terms of Service and Privacy Policy. For standard (non-enterprise) customers, our Privacy Policy governs data processing practices.