Data Processing Agreement
Effective March 26, 2026 · Last Updated March 26, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the entity subscribing to Auditbase ("Customer," "Controller") and Auditbase, operated by Renesis Tech ("Auditbase," "Processor"), for the provision of the Auditbase API service ("Service").
This DPA is entered into to ensure compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Auditbase on behalf of the Customer through the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- "Sub-processor" means any third party engaged by Auditbase to process Personal Data on behalf of the Customer.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope and Purpose
2.1 Subject Matter
This DPA governs the processing of Personal Data that the Customer submits to Auditbase through the API in the course of using the Service.
2.2 Nature and Purpose of Processing
Auditbase processes Personal Data for the purpose of:
- Receiving, validating, and storing audit log entries submitted by the Customer via the API
- Computing and storing SHA-256 cryptographic hashes of log entries for tamper-proof verification
- Serving log entries back to the Customer upon authenticated API request
- Maintaining usage records for billing and rate-limiting purposes
2.3 Types of Personal Data
The types of Personal Data processed depend entirely on what the Customer includes in log entry payloads. This may include, but is not limited to:
- Actor identifiers (user IDs, usernames, email addresses)
- Agent names and identifiers
- Action descriptions
- Any other data the Customer chooses to include in the payload object
The Customer has full control over what Personal Data, if any, is included in log payloads.
2.4 Categories of Data Subjects
Data subjects may include:
- Customer's end users whose actions are logged
- AI agents or automated systems (where identifiers relate to natural persons)
- Customer's employees or contractors
2.5 Duration
Processing shall continue for the duration of the service agreement between the Customer and Auditbase, including any applicable data retention period as defined by the Customer's subscription plan.
3. Controller Obligations
The Customer, as Controller, shall:
- Ensure that it has a valid lawful basis under applicable data protection law for any Personal Data included in log payloads.
- Inform Data Subjects about the processing of their Personal Data through Auditbase, including through appropriate privacy notices.
- Ensure that any instructions given to Auditbase regarding the processing of Personal Data comply with applicable data protection laws.
- Not include Special Category Data (Article 9 GDPR) or criminal offence data (Article 10 GDPR) in log payloads unless explicitly agreed in writing with Auditbase and appropriate safeguards are in place.
4. Processor Obligations
4.1 Processing Instructions
Process Personal Data only on the documented instructions of the Customer. The Customer's use of the API constitutes documented instructions. Auditbase shall not process Personal Data for any purpose other than providing the Service unless required by applicable law, in which case Auditbase shall inform the Customer of such requirement before processing (unless prohibited by law).
4.2 Confidentiality
Ensure that all personnel authorized to process Personal Data are bound by obligations of confidentiality.
4.3 Security Measures
Implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
- Encryption in Transit: All API communications are encrypted using TLS 1.2 or higher.
- Encryption at Rest: All stored data is encrypted using AES-256 encryption.
- API Key Protection: API keys are stored as SHA-256 hashes; full keys are never retained after initial generation.
- Access Controls: Strict role-based access controls on all internal systems and databases.
- Access Logging: All access to production systems and data is logged and monitored.
- Infrastructure Security: Hosting on Supabase and Vercel with their respective security certifications and controls.
4.4 Sub-processors
Auditbase engages the following sub-processors:
| Sub-processor | Country | Purpose |
|---|---|---|
| Supabase, Inc. | United States (US and EU regions available) | Database hosting, storage, and retrieval of log entries and project data |
| Vercel, Inc. | United States | Application hosting, API serving, and content delivery |
| Stripe, Inc. | United States | Payment processing and subscription management |
Auditbase shall notify the Customer of any intended changes to sub-processors with at least 30 days' notice. Each sub-processor is bound by data protection obligations no less protective than those in this DPA. Auditbase remains fully liable for the acts and omissions of its sub-processors.
The Customer may object to a new sub-processor within 14 days of notification. If the objection cannot be reasonably resolved, the Customer may terminate the service agreement.
4.5 Data Subject Rights
Auditbase shall assist the Customer in responding to Data Subject rights requests, including requests for access, rectification, erasure, restriction, portability, and objection. The Customer may fulfill erasure requests using the API endpoint DELETE /v1/project/{project_id}. Upon receiving such a request, Auditbase shall action the deletion within 30 days.
4.6 Assistance with Compliance
Auditbase shall provide reasonable assistance to the Customer in ensuring compliance with obligations under Articles 32 to 36 of the GDPR, including data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and information available to Auditbase.
4.7 Audits
Auditbase shall make available to the Customer, upon reasonable written request and no more than once per calendar year, information necessary to demonstrate compliance with this DPA. The Customer may conduct or commission an audit, provided that:
- The Customer gives at least 30 days' written notice.
- The audit is conducted during normal business hours and does not unreasonably disrupt Auditbase's operations.
- The auditor is bound by confidentiality obligations.
- The Customer bears the costs of the audit.
Auditbase may satisfy audit requests by providing relevant third-party audit reports, certifications, or compliance documentation where available.
5. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), United Kingdom, or Switzerland, Auditbase shall ensure that appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs): Auditbase incorporates the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) for transfers to the United States or other countries without an adequacy decision. The SCCs are incorporated by reference into this DPA.
- Supplementary Measures: Auditbase implements technical measures including encryption in transit and at rest as supplementary measures to the SCCs.
Where the Customer selects a Supabase EU region for data storage, primary data processing occurs within the EEA.
6. Data Breach Notification
In the event of a Breach involving Personal Data processed under this DPA, Auditbase shall:
- Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the Breach.
- Provide the Customer with sufficient information to enable the Customer to meet its obligations to report the Breach to supervisory authorities and Data Subjects, including:
  - The nature of the Breach, including categories and approximate number of Data Subjects and records affected
  - The likely consequences of the Breach
  - The measures taken or proposed to address the Breach and mitigate its effects
- Cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Breach.
7. Data Deletion and Return
Upon termination or expiration of the service agreement:
- Auditbase shall delete all Personal Data processed on behalf of the Customer within 30 days, unless retention is required by applicable law.
- Prior to deletion, the Customer may export their data using the API (GET /v1/logs).
- Auditbase shall provide written confirmation of deletion upon the Customer's request.
8. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein.
Where the GDPR applies, the parties agree that the competent supervisory authority shall be determined in accordance with GDPR Article 55. For disputes relating to the SCCs, the courts of the EU Member State where the Data Subject is resident shall have jurisdiction.
9. Precedence
In the event of any conflict between this DPA and the Terms of Service or any other agreement between the parties, this DPA shall prevail with respect to the processing of Personal Data.
10. Contact
For questions or requests related to this DPA, contact:
Email: legal@auditbase.dev
Website: https://auditbase.dev
Auditbase is operated by Renesis Tech.
How to Execute This DPA
To execute this DPA, send an email to legal@auditbase.dev with the following:
- Your company's legal name
- Contact name and email for the DPA signatory
- The text: "I accept the Auditbase DPA"
We will countersign and return a fully executed PDF within 5 business days.
Questions? Email legal@auditbase.dev