1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Data Controller" or "Customer") and FSC Audit Pro ("Data Processor" or "we") and governs the processing of personal data in connection with the Service. This DPA is designed to comply with the requirements of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), Brazil's LGPD, Canada's PIPEDA, Singapore's PDPA, Australia's Privacy Act 1988, and South Africa's POPIA.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person as defined under applicable data protection law
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion
- Subprocessor: A third party engaged by us to process personal data on your behalf
- Data Subject: An individual whose personal data is processed
3. Scope and Purpose of Processing
We process personal data solely for the following purposes:
- Providing the FSC Audit Pro quality control auditing service
- Processing uploaded documents through AI analysis to generate audit reports
- Managing user accounts and authentication
- Processing payments and managing subscriptions
- Providing customer support
4. Obligations of the Data Processor
We shall:
- Process personal data only on documented instructions from you
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Not engage subprocessors without prior authorization (see Section 6)
- Assist you in responding to data subject requests
- Delete or return all personal data upon termination of services, at your choice
- Make available all information necessary to demonstrate compliance with data protection obligations
5. Security Measures
We implement the following technical and organizational measures to protect personal data:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access control with least-privilege principle
- Authentication: Secure authentication with session management
- Infrastructure: Hosted on SOC 2-compliant infrastructure
- Data Isolation: Database-level access policies ensuring users can only access their own data
- Monitoring: Logging and monitoring for unauthorized access attempts
- Incident Response: Documented procedures for security incident handling
6. Subprocessors
We may engage the following authorized subprocessors to deliver the Service. All subprocessors operate under enterprise service agreements that prohibit use of your data for model training or any purpose beyond providing the Service.
| Category | Authorized Provider(s) | Data Processed |
|---|---|---|
| Cloud Infrastructure | Amazon Web Services (AWS), Google Cloud Platform, Supabase | Account data, authentication, database, document storage |
| Payment Processing | Stripe, Paddle, Braintree (PayPal) | Billing and payment information |
| AI Processing | Google (Gemini), Anthropic (Claude), OpenAI, Groq, xAI (Grok) | Document content for real-time audit analysis (enterprise API only, no model training) |
| Application Hosting | Vercel, Cloudflare, Netlify | Server logs and request metadata |
Not all listed providers are active at any given time. This list represents authorized subprocessors that may be engaged to deliver the Service. We will notify you before adding subprocessors not listed above. You may object to a new subprocessor within 30 days of notification. If we cannot reasonably accommodate your objection, you may terminate the agreement.
7. Data Breach Notification
In the event of a personal data breach, we shall:
- Notify you without undue delay, and no later than 72 hours after becoming aware of the breach
- Provide details of the nature of the breach, categories of data affected, and approximate number of records
- Describe the measures taken or proposed to address the breach
- Cooperate with you in any required notifications to supervisory authorities or data subjects
8. Data Retention and Deletion
- We retain personal data only for as long as necessary to provide the Service
- Uploaded documents (PDFs) are permanently deleted from storage immediately upon completion of audit processing
- Extracted text data is automatically purged within 14 days of audit completion
- Upon termination or expiration of your subscription, audit reports and account data will be retained for 30 days to allow for data export, then securely deleted
- You may request early deletion at any time, subject to legal retention requirements
9. International Data Transfers
All data processing occurs within the United States. When personal data is transferred from jurisdictions outside the United States, we rely on the following legal mechanisms:
- EU/EEA: Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented by a Transfer Impact Assessment and technical safeguards including encryption in transit (TLS 1.2+) and at rest (AES-256). Because document content must be decrypted within the Service for AI analysis, these are transport and storage safeguards rather than end-to-end encryption
- United Kingdom: The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as approved by the Information Commissioner's Office
- Brazil: Contractual clauses consistent with LGPD requirements for international transfers, with standard contractual safeguards
- Canada: Transfers are conducted in accordance with PIPEDA requirements, ensuring a comparable level of data protection through contractual obligations
- Singapore, Australia, South Africa: Contractual data protection obligations with all subprocessors, ensuring processing standards equivalent to those required by PDPA, the Privacy Act 1988, and POPIA respectively
All subprocessors are contractually required to maintain data protection standards no less protective than those set forth in this DPA. We regularly assess the legal framework of jurisdictions where data is processed to ensure continued adequacy.
10. Audits and Compliance
Upon reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA. You may conduct audits, either directly or through an independent third-party auditor, with reasonable advance notice and during normal business hours.
11. Term and Termination
This DPA is effective for the duration of your use of the Service. The obligations regarding data protection, confidentiality, and deletion survive the termination of this agreement.
12. Contact
For questions about this DPA or to exercise your data protection rights, contact us at dpa@fscauditpro.com.