Data Processing Addendum

Last Updated: June 20, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between AuditFlo ("Processor," "Service Provider," "we," "our," or "us") and the customer organization using the AuditFlo platform ("Controller," "Customer," or "you").

This DPA applies when AuditFlo processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

Applicable Data Protection Laws means all laws applicable to the processing of Personal Data, including where applicable:

• GDPR
• UK GDPR
• Swiss Federal Data Protection Act
• California Consumer Privacy Act (CCPA), as amended by CPRA
• Other applicable privacy laws

Personal Data means information relating to an identified or identifiable natural person.

Processing means any operation performed on Personal Data.

Data Subject means an identified or identifiable individual.

2. Scope

AuditFlo processes Personal Data solely for the purpose of providing the Services described in the Terms of Service.

Customer remains the Controller of Personal Data.

AuditFlo acts as a Processor or Service Provider.

3. Nature and Purpose of Processing

Processing activities may include:

• Collection
• Storage
• Organization
• Retrieval
• Analysis
• Transmission
• Deletion

Processing occurs solely to:

• Provide platform functionality
• Support integrations
• Maintain security
• Deliver customer support
• Improve service reliability

4. Categories of Data

Depending on customer configuration, AuditFlo may process:

User Information

• Names
• Email addresses
• Job titles
• User IDs

Identity and Access Information

• Role assignments
• Group memberships
• Access permissions
• Authentication metadata

Operational Records

• Audit logs
• Change management records
• Pull request metadata
• Deployment records
• Approval records
• Evidence records

Technical Data

• Device identifiers
• IP addresses
• Log data
• Session information

5. Customer Responsibilities

Customer represents and warrants that:

• It has lawful authority to process Personal Data.
• It has provided required notices.
• It has obtained required consents where necessary.
• Its instructions comply with applicable law.

Customer remains solely responsible for determining the legality of data submitted to the Services.

6. Processor Obligations

AuditFlo shall:

• Process Personal Data only on documented instructions from Customer.
• Maintain confidentiality obligations for personnel.
• Implement appropriate technical and organizational safeguards.
• Assist Customer with applicable privacy obligations where reasonably requested.
• Notify Customer of confirmed Personal Data breaches as required by law.

7. Security Measures

AuditFlo maintains safeguards including:

• Encryption in transit
• Encryption at rest where applicable
• Access control mechanisms
• Logging and monitoring
• Multi-factor authentication for administrative access
• Secure development practices
• Vulnerability management procedures
• Least-privilege access controls

8. Subprocessors

Customer authorizes AuditFlo to engage subprocessors necessary for service delivery.

AuditFlo remains responsible for the performance of subprocessors to the extent required by law.

Current subprocessors may include:

• Cloud hosting providers
• Payment processors
• Monitoring providers
• Customer support providers
• Analytics providers

AuditFlo will maintain a current list of subprocessors upon request.

9. International Transfers

Where Personal Data is transferred internationally, AuditFlo shall implement appropriate safeguards required under applicable law.

Such safeguards may include:

• Standard Contractual Clauses
• Adequacy decisions
• Other lawful transfer mechanisms

10. Security Incidents

Upon becoming aware of a confirmed Personal Data Breach affecting Customer Data, AuditFlo shall:

• Notify Customer without undue delay
• Provide available information regarding the incident
• Take reasonable measures to mitigate impacts
• Cooperate in required investigations

11. Data Subject Requests

Where AuditFlo receives a request relating to Customer-controlled Personal Data, AuditFlo may:

• Refer the request to Customer
• Assist Customer where reasonably required

Customer remains responsible for responding to Data Subject requests.

12. Audits

Upon reasonable written request and no more than once annually, AuditFlo may provide information reasonably necessary to demonstrate compliance with this DPA.

AuditFlo may satisfy such obligations through:

• Security documentation
• Compliance reports
• Certifications
• Security questionnaires

13. Return and Deletion

Upon termination of Services:

• Customer may export Customer Data during the retention period.
• AuditFlo will delete Customer Data according to its retention schedule unless legally required to retain it.

14. Governing Law

This DPA shall be governed by the same governing law provisions contained within the Terms of Service.