Data Processing Addendum (DPA)

Data Processing Addendum

This Data Processing Addendum governs the commitments, operational safeguards, and responsibilities of processing platform and infrastructure data on behalf of our customers.

Last Updated: 15th June, 2026

1. Introduction

This Data Processing Addendum ("DPA") forms part of and supplements the Terms of Use, Subscription Agreement, Master Services Agreement, Order Form, or other agreement governing the use of Auditly's services (the "Agreement"). This DPA applies whenever Auditly processes Personal Data on behalf of a customer in connection with the provision of the Services. The purpose of this DPA is to define the obligations, responsibilities, and commitments of both parties regarding the processing of Personal Data and to support compliance with applicable data protection laws, including where applicable: General Data Protection Regulation (GDPR), UK GDPR, Data Protection Act 2018, California Consumer Privacy Act (CCPA/CPRA), HIPAA (where applicable), and other applicable privacy and data protection laws.

For purposes of this DPA: The Customer acts as the Controller (or equivalent legal role), and Auditly acts as the Processor (or equivalent legal role) when processing Personal Data on behalf of the Customer.

2. Definitions

Controller

The entity that determines the purposes and means of processing Personal Data.

Processor

The entity that processes Personal Data on behalf of the Controller.

Personal Data

Any information relating to an identified or identifiable natural person.

Processing

Any operation performed on Personal Data including collection, recording, organization, storage, use, transmission, disclosure, analysis, deletion, or destruction.

Data Subject

An identified or identifiable individual whose Personal Data is processed.

Subprocessor

Any third party engaged by Auditly to process Personal Data on behalf of the Customer.

Applicable Data Protection Laws

All laws, regulations, and requirements governing the processing of Personal Data that apply to the parties.

3. Scope Of Processing

Auditly processes Personal Data solely for the purpose of providing the Services described in the Agreement. The subject matter, nature, purpose, duration, categories of Personal Data, and categories of Data Subjects are described in Annex A of this DPA. Auditly shall process Personal Data only on documented instructions from the Customer unless required to do otherwise by applicable law.

4. Categories Of Data Processed

Depending on customer configuration, Auditly may process:

User Information

Names, Email addresses, Job titles, Department information, User IDs, and Access permissions.

Compliance Information

Compliance controls, Framework mappings, Readiness assessments, Remediation activities, and Compliance records.

Security Information

Access reviews, Security settings, Security controls, Audit logs, Security events, and Configuration information.

Risk Information

Risk assessments, Risk registers, Treatment plans, and Risk ownership information.

Vendor Information

Vendor contacts, Vendor assessments, Security questionnaires, and Due diligence records.

Documentation

Policies, Procedures, Standards, Certifications, Audit reports, Uploaded evidence, and Internal documentation.

Integration Data

Information retrieved through approved integrations including cloud providers, identity providers, development platforms, HR systems, ticketing systems, endpoint management tools, and security monitoring platforms.

5. Customer Instructions

The Customer instructs Auditly to process Personal Data for the following purposes: Providing the Services, Hosting customer environments, Compliance automation, Evidence collection, Risk management, Audit readiness, Vendor risk management, Reporting and analytics, Security monitoring, API functionality, Integrations, KIVO AI-powered assistance, and Customer support.

Auditly shall not process Personal Data for purposes inconsistent with the Agreement or this DPA.

6. Confidentiality

Auditly shall ensure that individuals authorized to process Personal Data: Are subject to confidentiality obligations, receive appropriate training, access Personal Data only as necessary, and follow security and privacy policies.

Confidentiality obligations shall survive termination of employment or engagement.

7. Security Measures

Auditly shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such measures may include:

Infrastructure Security

Network segmentation, Firewalls, DDoS protection, and Infrastructure monitoring.

Data Protection

Encryption in transit, Encryption at rest, Backup protection, and Secure key management.

Access Controls

Role-based access controls, Multi-factor authentication, Least-privilege access, and Access reviews.

Monitoring & Detection

Audit logging, Threat detection, Security monitoring, and Vulnerability management.

Application Security

Secure development practices, Code reviews, Security testing, and Dependency monitoring.

8. Subprocessors

The Customer grants Auditly general authorization to engage Subprocessors for the provision of the Services. Auditly shall: Maintain a list of Subprocessors, impose data protection obligations on Subprocessors, and remain responsible for Subprocessor performance relating to Personal Data processing.

Auditly may update Subprocessors from time to time. Where required by law, Auditly shall provide notice of material Subprocessor changes.

9. Assistance To The Customer

Taking into account the nature of processing and information available, Auditly shall reasonably assist the Customer with: Data Subject requests, Regulatory inquiries, Security assessments, Privacy impact assessments, Compliance obligations, and Data breach investigations to the extent required by applicable law.

10. Data Subject Rights

Where a Data Subject submits a request relating to Personal Data processed through the Services, Auditly shall: Notify the Customer where appropriate, provide reasonable assistance, and enable the Customer to respond to requests.

Auditly shall not directly respond to Data Subject requests unless legally required or authorized by the Customer.

11. Personal Data Breach Notification

In the event Auditly becomes aware of a confirmed Personal Data Breach affecting Customer Personal Data, Auditly shall: Notify the Customer without undue delay, provide available information regarding the breach, describe the nature of the incident, identify affected categories of data where reasonably known, provide updates as additional information becomes available, and take reasonable steps to mitigate the impact.

Auditly does not guarantee that every security event constitutes a reportable Personal Data Breach.

12. Audits & Compliance Information

Upon reasonable request and subject to confidentiality obligations, Auditly may make available information reasonably necessary to demonstrate compliance with this DPA. Auditly may satisfy audit requests through: Security reports, Compliance certifications, Audit reports, Trust center documentation, Questionnaires, and Independent assessments.

Auditly may limit audit activities where necessary to protect security, confidentiality, or other customer information.

13. International Data Transfers

Customer Personal Data may be processed, transferred, stored, replicated, or backed up in multiple jurisdictions as necessary to provide the Services. Where applicable, Auditly shall implement appropriate safeguards for international transfers, including: Standard Contractual Clauses (SCCs), Contractual safeguards, or other lawful transfer mechanisms where required under applicable law.

14. AI Processing & KIVO

The Customer acknowledges that KIVO and related AI-powered features may process Personal Data submitted by authorized users. Such processing may include: Compliance assistance, Report generation, Policy generation, Summarization, Risk analysis, Audit preparation, and Search and retrieval.

Customers remain responsible for determining what information they choose to submit to AI-powered functionality.

15. Return & Deletion Of Data

Upon termination of the Agreement and upon Customer request, Auditly shall: Return Customer Personal Data, where technically feasible; or Delete Customer Personal Data, except where retention is required by law, security obligations, backup requirements, dispute resolution, fraud prevention, or legitimate business purposes.

16. Liability

The liability of each party under this DPA shall be subject to the liability limitations and exclusions set forth in the governing Agreement unless otherwise required by applicable law.

17. Order Of Precedence

In the event of conflict between this DPA and the Agreement regarding Personal Data processing obligations, this DPA shall control to the extent of the conflict.

18. Governing Law

This DPA shall be governed by the governing law specified in the Agreement unless otherwise required by applicable data protection laws.

Annex A – Processing Details

Subject Matter

Provision of Auditly's governance, risk, compliance, audit readiness, vendor risk management, policy management, AI assistance, integrations, APIs, and related services.

Duration

For the duration of the Agreement and any applicable retention period.

Nature Of Processing

Collection, storage, organization, analysis, transmission, retrieval, reporting, monitoring, deletion, and other processing activities necessary to provide the Services.

Categories Of Data Subjects

Customer employees, Contractors, Users, Administrators, Vendors, Auditors, Partners, Customers of the Customer, and other individuals whose information is submitted through the Services.

Categories Of Personal Data

Names, Email addresses, Job titles, Account information, Access information, Compliance information, Security information, Audit information, Vendor information, Documentation and uploaded content, and other Personal Data submitted by the Customer.

Legal & Privacy Questions

If you have any questions regarding this Data Processing Addendum, contact us at:
Auditly, 3rd Floor, Orchid Center, Golf Course Road, Sector 53, Gurugram, Haryana 122002, India.
Email: legal@auditly.ai or privacy@auditly.ai.
