1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Data Controller" or "Customer") and FSC Audit Pro ("Data Processor" or "we") and governs the processing of personal data in connection with the Service. This DPA is designed to comply with the requirements of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person as defined under applicable data protection law
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion
- Subprocessor: A third party engaged by us to process personal data on your behalf
- Data Subject: An individual whose personal data is processed
3. Scope and Purpose of Processing
We process personal data solely for the following purposes:
- Providing the FSC Audit Pro quality control auditing service
- Processing uploaded documents through AI analysis to generate audit reports
- Managing user accounts and authentication
- Processing payments and managing subscriptions
- Providing customer support
4. Obligations of the Data Processor
We shall:
- Process personal data only on documented instructions from you
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Not engage subprocessors without prior authorization (see Section 6)
- Assist you in responding to data subject requests
- Delete or return all personal data upon termination of services, at your choice
- Make available all information necessary to demonstrate compliance with data protection obligations
5. Security Measures
We implement the following technical and organizational measures to protect personal data:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access control with least-privilege principle
- Authentication: Secure authentication with session management
- Infrastructure: Hosted on SOC 2-compliant infrastructure
- Data Isolation: Database-level access policies ensuring users can only access their own data
- Monitoring: Logging and monitoring for unauthorized access attempts
- Incident Response: Documented procedures for security incident handling
6. Subprocessors
We engage the following categories of subprocessors to deliver the Service. All subprocessors are based in the United States and operate under enterprise service agreements.
| Category | Data Processed |
|---|---|
| Cloud infrastructure provider | Account data, authentication credentials, document storage |
| Payment processor | Billing and payment information |
| AI processing providers | Document content for real-time audit analysis |
| Application hosting provider | Server logs and request metadata |
A complete list of named subprocessors is available upon request by contacting dpa@fscauditpro.com. We will also provide this list as part of any executed DPA.
We will notify you before adding or replacing subprocessors. You may object to a new subprocessor within 30 days of notification. If we cannot reasonably accommodate your objection, you may terminate the agreement.
7. Data Breach Notification
In the event of a personal data breach, we shall:
- Notify you without undue delay, and no later than 72 hours after becoming aware of the breach
- Provide details of the nature of the breach, categories of data affected, and approximate number of records
- Describe the measures taken or proposed to address the breach
- Cooperate with you in any required notifications to supervisory authorities or data subjects
8. Data Retention and Deletion
- We retain personal data only for as long as necessary to provide the Service
- Uploaded documents (PDFs) are permanently deleted from storage immediately upon completion of audit processing
- Extracted text data is automatically purged within 14 days of audit completion
- Upon termination or expiration of your subscription, audit reports and account data will be retained for 30 days to allow for data export, then securely deleted
- You may request early deletion at any time, subject to legal retention requirements
9. International Data Transfers
All data processing occurs within the United States. If personal data originates from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for cross-border transfers. We ensure that all subprocessors maintain adequate data protection standards.
10. Audits and Compliance
Upon reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA. You may conduct audits, either directly or through an independent third-party auditor, with reasonable advance notice and during normal business hours.
11. Term and Termination
This DPA is effective for the duration of your use of the Service. The obligations regarding data protection, confidentiality, and deletion survive the termination of this agreement.
12. Contact
For questions about this DPA or to exercise your data protection rights, contact us at dpa@fscauditpro.com.