Data processing agreement
Last updated: 30 June 2026
This agreement (the "DPA") forms part of the contract between the customer (the "controller") and Eixos Inteligentes, Lda., operating foraudits (the "processor"), and applies to the processing of personal data on the platform on behalf of the customer, under Article 28 GDPR.
1. Subject matter and instructions
foraudits processes personal data only to provide the platform and only on the customer's documented instructions, including those in the contract. foraudits informs the customer if it considers an instruction infringes data protection law.
2. Duration, nature and purpose
Processing lasts for the term of the contract. The nature and purpose are the provision of the audit platform, including data extraction from documents and AI review of reports. Data types and categories of data subjects are in Annex 1.
3. Confidentiality
foraudits ensures that persons processing the data are bound by confidentiality.
4. Security
foraudits applies the technical and organisational measures in Annex 2, appropriate to the risk, under Article 32 GDPR.
5. Sub-processors
The customer gives general authorisation to use the sub-processors listed on the sub-processors page. foraudits imposes equivalent data protection obligations on them and informs the customer of changes with reasonable notice, and the customer may object on reasonable grounds.
6. Assistance to the controller
foraudits assists the customer, to a reasonable extent, with data subject requests, impact assessments and consultations with the supervisory authority.
7. Data breaches
foraudits notifies the customer without undue delay after becoming aware of a personal data breach, with the information available for the customer to meet its obligations.
8. Deletion or return
At the end of the contract, foraudits deletes or returns personal data, at the customer's choice, unless legally required to retain it.
9. Audit and information
foraudits makes available to the customer the information needed to demonstrate compliance with this agreement and allows reasonable audits, directly or by a mandated third party, with prior notice.
10. International transfers
foraudits processes data in the European Union. Where a sub-processor processes data outside the European Union, appropriate safeguards apply, for example the European Commission standard contractual clauses. [Confirm based on the AI provider and regions.]
11. No model training
foraudits does not use the customer's personal data to train its AI models or those of third parties. Configurations with AI providers reflect this rule. [Confirm that the configuration with the AI provider ensures this.]
Annex 1, processing details
- Categories of data subjects: contacts and staff of the customer and of the customer's customers, and individuals identified in uploaded documents.
- Data types: identification and contact data, data contained in bills and audit reports, and other data the customer chooses to upload. [Confirm and refine.]
- Operations: collection, storage, extraction, AI analysis and provision to the customer.
Annex 2, security measures
- Hosting in the European Union.
- Encryption in transit and at rest.
- Logical isolation of each customer's data.
- Access control and authentication.
- Activity logs and backups.
- [Complete with the actual measures, for example schema isolation and row level access rules in the database.]
Annex 3, sub-processors
See the sub-processors page, which forms an integral part of this agreement.