Data Processing Agreement
The terms under which Audaitly processes personal data on your behalf when you use the service.
Last updated: July 4, 2026
1. Background and Parties
This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the agreement between the customer identified in the applicable order, account registration, or Terms of Service (the “Customer”) and Solution Bowl, the operator of the Audaitly service (“Audaitly”, “we”, “us”) (together, the “Agreement”). It governs the processing of Customer Personal Data by Audaitly in the course of providing the website-audit service described in the Agreement (the “Service”).
The parties acknowledge that, with respect to Customer Personal Data, the Customer acts as the controller (or, where the Customer is itself a processor acting for a third-party controller, as a processor) and, for the purposes of the CCPA/CPRA, as the “business”; and Solution Bowl (Audaitly) acts as the processor and, for the purposes of the CCPA/CPRA, as the “service provider”. Where the DPDP Act applies, the Customer is the data fiduciary and Audaitly is the data processor. Where the LGPD applies, the Customer is the controller (controlador) and Audaitly is the operator (operador).
By using the Service, or by otherwise indicating acceptance of this DPA, the Customer and Audaitly agree to its terms. Each party warrants that the person accepting this DPA on its behalf is authorised to bind it.
2. Definitions
In this DPA, the following terms have the meanings set out below:
- “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Customer Personal Data under the Agreement, including, to the extent applicable: (a) Regulation (EU) 2016/679 (the “GDPR”) and EU member state laws implementing or supplementing it; (b) the GDPR as retained in United Kingdom law together with the UK Data Protection Act 2018 (the “UK GDPR”); (c) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020, and its regulations (“CCPA/CPRA”); (d) India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”); and (e) Brazil’s Lei Geral de Proteção de Dados, Law No. 13.709/2018 (“LGPD”), in each case as amended or replaced from time to time.
- “Customer Personal Data” means any personal data (or personal information, as defined in Applicable Data Protection Law) that Audaitly processes on behalf of the Customer in connection with the Service, as further described in Annex 1.
- “Sub-processor” means any third party engaged by Audaitly to process Customer Personal Data on the Customer’s behalf in connection with the Service.
- “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Implementing Decision (EU) 2021/914, as amended or replaced from time to time.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed by Audaitly.
The terms “personal data”, “processing”, “controller”, “processor”, “data subject”, “supervisory authority”, and their cognates have the meanings given to them, or to their closest equivalents, in Applicable Data Protection Law.
3. Scope, Roles and Order of Precedence
This DPA applies only to the extent Audaitly processes Customer Personal Data that is subject to Applicable Data Protection Law. It does not apply to personal data that Audaitly processes as an independent controller, such as account, billing, and marketing data relating to the Customer’s own personnel, which is governed by our Privacy Policy.
In the event of any conflict or inconsistency between this DPA and the remainder of the Agreement with respect to the protection of Customer Personal Data, this DPA prevails to the extent of the conflict. In the event of any conflict between this DPA and the SCCs, where they apply, the SCCs prevail.
4. Processing Instructions
Audaitly will process Customer Personal Data only on the Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by law to which Audaitly is subject; in that case, Audaitly will inform the Customer of that legal requirement before processing, unless the law prohibits such disclosure on important grounds of public interest. The Agreement, this DPA, and the Customer’s configuration and use of the Service, including each instruction to crawl and audit a website, constitute the Customer’s complete documented instructions as at the date of this DPA. Additional or alternative instructions must be agreed in writing between the parties.
Audaitly will promptly inform the Customer if, in Audaitly’s opinion, an instruction infringes Applicable Data Protection Law. Audaitly may suspend performance of that instruction until the Customer confirms or modifies it, without liability for the resulting delay.
The Customer is responsible for ensuring that it has a lawful basis for the processing it instructs, including the crawling and analysis of any website it submits to the Service, and that its instructions comply with Applicable Data Protection Law.
5. Processor Personnel and Confidentiality
Audaitly will ensure that all persons it authorises to process Customer Personal Data are bound by written or statutory obligations of confidentiality, are informed of the confidential nature of the data, and process it only as necessary to provide the Service. Access to Customer Personal Data is restricted to personnel who need it to perform their role, consistent with the least-privilege access controls described in Annex 3, and confidentiality obligations survive the end of the relevant person’s engagement.
6. Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, Audaitly will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against Personal Data Breaches, including the measures described in Annex 3.
Audaitly may update the measures in Annex 3 from time to time, provided that no update materially reduces the overall level of protection of Customer Personal Data. A current description of our security practices is maintained on our Security page.
7. Sub-processing
The Customer grants Audaitly a general written authorisation to engage Sub-processors in the categories listed in Annex 2, and to add or replace Sub-processors subject to this Section 7. The identities of current Sub-processors will be disclosed to the Customer upon written request to privacy@audaitly.ai.
- Notice of changes. Audaitly will give the Customer at least 30 days’ advance notice of any intended addition or replacement of a Sub-processor, by email to the Customer’s registered address or by updating the Sub-processor list published on our website, before the new Sub-processor processes Customer Personal Data.
- Right to object. The Customer may object to a change on reasonable, documented data-protection grounds within the notice period. The parties will discuss the objection in good faith; if no resolution is reached, the Customer may terminate the affected portion of the Service and receive a pro-rata refund of any prepaid, unused fees for it.
- Flow-down obligations. Audaitly will impose on each Sub-processor, by written contract, data-protection obligations no less protective of Customer Personal Data than those set out in this DPA, including appropriate security measures.
- Responsibility. Audaitly remains fully liable to the Customer for the performance of each Sub-processor’s obligations, to the same extent it would be liable if it had performed the relevant processing itself.
8. International Transfers
The Service is hosted on cloud infrastructure in the Asia-Pacific region, and our infrastructure and AI inference Sub-processors listed in Annex 2 may process Customer Personal Data in the United States and other locations. Audaitly will not transfer Customer Personal Data subject to Applicable Data Protection Law to a third country unless the transfer is made under a lawful transfer mechanism.
- EU transfers. Where Customer Personal Data subject to the GDPR is transferred to a country without an adequacy decision, the SCCs are incorporated into this DPA by reference, with Module Two (controller to processor) applying where the Customer is a controller and Module Three (processor to processor) applying where the Customer is a processor. The Customer is the data exporter and Audaitly is the data importer; Annexes 1, 2, and 3 of this DPA serve as the corresponding annexes to the SCCs; and the optional docking clause applies.
- UK transfers. Where the UK GDPR applies, the parties adopt the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner or, where agreed, the UK International Data Transfer Agreement (IDTA), which amends the SCCs as required for transfers from the United Kingdom.
- DPDP and LGPD transfers. Where the DPDP Act or the LGPD applies, Audaitly will ensure that any cross-border transfer is subject to safeguards providing an equivalent level of protection to that required by the relevant law, and will not transfer Customer Personal Data to any country to which transfers have been restricted by the relevant regulator or government.
9. Assistance to Customer
Taking into account the nature of the processing, Audaitly will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer’s obligation to respond to requests from data subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection. If Audaitly receives a request from a data subject relating to Customer Personal Data, it will forward the request to the Customer without undue delay and will not respond to it directly, except to direct the data subject to the Customer or as required by law.
Audaitly will further assist the Customer, taking into account the nature of the processing and the information available to Audaitly, in ensuring compliance with the Customer’s obligations regarding security of processing, notification of Personal Data Breaches to supervisory authorities and data subjects, data protection impact assessments, and prior consultation with supervisory authorities.
10. Personal Data Breach
Audaitly will notify the Customer without undue delay after becoming aware of a Personal Data Breach. To the extent the information is available, the notification will describe: (a) the nature of the breach, including, where possible, the categories and approximate numbers of data subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and mitigate its possible adverse effects; and (d) a contact point for further information. Where it is not possible to provide all of this information at the same time, Audaitly may provide it in phases without undue further delay.
Audaitly will cooperate with the Customer and take reasonable steps, as directed by the Customer, to assist in the investigation, mitigation, and remediation of the breach. Audaitly’s notification of, or response to, a Personal Data Breach is not, and will not be construed as, an acknowledgment of fault or liability.
11. Audits and Certifications
Audaitly will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including summaries of its security practices, and will respond to reasonable written security questionnaires submitted by the Customer.
Audaitly will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer, subject to the following conditions: (a) audits may be conducted no more than once in any 12-month period, except following a Personal Data Breach affecting the Customer or where required by a supervisory authority; (b) the Customer must give at least 30 days’ prior written notice; (c) audits must take place during normal business hours, must not unreasonably disrupt Audaitly’s operations, and must not provide access to other customers’ data or to information that would compromise Audaitly’s security; (d) the auditor must enter into confidentiality obligations reasonably acceptable to Audaitly; and (e) each party bears its own costs, and the Customer will reimburse Audaitly’s reasonable costs for audit support exceeding one business day at Audaitly’s then-current professional services rates.
12. Return and Deletion
Upon termination or expiry of the Agreement, Audaitly will, at the Customer’s choice, delete or return all Customer Personal Data and delete existing copies within 90 days of termination, unless storage is required by law to which Audaitly is subject, in which case Audaitly will isolate and protect the retained data from further processing except to the extent required by that law. Copies held in backups are deleted through the normal expiry of the rolling backup retention cycle described in Annex 3. Upon the Customer’s written request, Audaitly will certify in writing that it has complied with this Section 12.
13. CCPA/CPRA Service Provider Terms
To the extent the CCPA/CPRA applies to Customer Personal Data, Audaitly acts as a service provider to the Customer, and the Customer discloses Customer Personal Data to Audaitly only for the limited and specified business purposes described in Annex 1. Audaitly will not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose, including any commercial purpose, other than the business purposes specified in the Agreement and this DPA, or as otherwise permitted by the CCPA/CPRA; (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Audaitly and the Customer; or (d) combine Customer Personal Data with personal information received from other sources, except as permitted by the CCPA/CPRA.
Audaitly certifies that it understands the restrictions in this Section 13 and will comply with them. Audaitly will notify the Customer if it determines that it can no longer meet its obligations under the CCPA/CPRA, in which case the Customer may take reasonable and appropriate steps to stop and remediate any unauthorised use of Customer Personal Data.
14. India DPDP Addendum
To the extent the DPDP Act applies to Customer Personal Data: (a) Audaitly processes Customer Personal Data as a data processor only on behalf of, and under a valid contract with, the Customer as data fiduciary, which contract is constituted by the Agreement and this DPA; (b) Audaitly will implement reasonable security safeguards to prevent personal data breaches, as described in Annex 3; (c) Audaitly will assist the Customer, to the extent reasonably possible, in fulfilling its obligations as a data fiduciary, including responding to requests from data principals and, where required, notifying the Data Protection Board of India and affected data principals of a personal data breach; and (d) Audaitly will support erasure of Customer Personal Data when the Customer withdraws its instruction to process it or when the specified purpose of processing is no longer being served, subject to any retention required by law.
15. Brazil LGPD Addendum
To the extent the LGPD applies to Customer Personal Data, Audaitly acts as operator and will: (a) process Customer Personal Data only in accordance with the Customer’s lawful instructions and inform the Customer if an instruction appears to violate the LGPD; (b) implement the security, technical, and administrative measures described in Annex 3 to protect Customer Personal Data from unauthorised access and from accidental or unlawful destruction, loss, alteration, communication, or diffusion; (c) assist the Customer in responding to requests from data subjects and from the Brazilian national data protection authority (ANPD); (d) notify the Customer without undue delay of any security incident that may result in relevant risk or damage to data subjects; and (e) delete Customer Personal Data in accordance with Section 12 when processing ends.
16. Liability
Each party’s total aggregate liability arising out of or relating to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Terms of Service, and any reference in the Terms of Service to the liability of a party means that party’s aggregate liability under the Agreement and this DPA together. Nothing in this Section 16 limits either party’s liability to data subjects under Applicable Data Protection Law or any liability that cannot be limited by law.
17. Term
This DPA takes effect on the date the Customer accepts it or first uses the Service, whichever is earlier, and remains in force for as long as Audaitly processes Customer Personal Data on the Customer’s behalf, notwithstanding the expiry or termination of the Agreement, until all Customer Personal Data has been deleted or returned in accordance with Section 12.
18. Governing Law
This DPA is governed by, and construed in accordance with, the law that governs the Terms of Service, and the parties submit to the same jurisdiction, except where the SCCs or Applicable Data Protection Law mandate a different governing law or forum for specific provisions, in which case that law or forum applies to those provisions only.
19. Contact
Notices and questions relating to this DPA, including data-protection enquiries, objections to Sub-processor changes, and audit requests, should be sent to privacy@audaitly.ai. See also our Privacy Policy and Security page for how we protect data across the Service.
Annex 1: Details of Processing
- Subject matter: the provision of the Audaitly website-audit service, under which Audaitly crawls websites authorised by the Customer and generates audit findings and reports.
- Duration: the term of the Agreement, plus the deletion window set out in Section 12 of this DPA.
- Nature and purposes of processing: collection (scoped crawling of authorised URLs in an isolated browser environment), storage, analysis (including AI-assisted analysis via the API of our AI inference Sub-processor), organisation, structuring, retrieval, display, export, and deletion of website content and derived findings, solely to provide, secure, and support the Service.
- Categories of personal data: (a) account and workspace data of the Customer’s authorised users (name, email address, role, authentication identifiers, session records); (b) any personal data appearing on or within the web pages the Customer instructs Audaitly to crawl, which is determined by the Customer and may include names, contact details, images, testimonials, and other published content; and (c) technical and usage data generated in the course of providing the Service. The Service does not require special categories of data; any such data processed is incidental to the content of the pages the Customer submits.
- Categories of data subjects: the Customer’s personnel and authorised users; personnel of the Customer’s clients where the Customer audits client websites; and individuals whose personal data appears on the web pages the Customer instructs Audaitly to crawl, such as employees, customers, and testimonial authors featured on those pages.
- Frequency of processing: continuous for account and workspace data; per audit run for crawled content, as initiated by the Customer.
Annex 2: Sub-processors
Audaitly currently engages Sub-processors in the following categories. The identities of current Sub-processors will be disclosed to Customer upon written request to privacy@audaitly.ai, and Customer will receive notice of changes as described in Section 7.
| Sub-processor category | Service | Location |
|---|---|---|
| AI inference provider | AI inference for audit analysis. API content is not used to train models. | USA |
| Cloud hosting and database infrastructure provider | Cloud hosting, compute, and managed databases | Asia-Pacific / USA |
| Transactional email delivery provider | Transactional email delivery | USA |
| Identity provider for optional single sign-on (Google) | Optional sign-in (OAuth authentication) | USA / global |
| Payment processor (Stripe) | Payment processing and billing | USA / global |
Annex 3: Technical and Organisational Measures
- Tenant isolation: PostgreSQL Row-Level Security policies scope every read and write to the owning organisation. The application connects through a database role that cannot bypass RLS (NOBYPASSRLS), with a fail-closed, default-deny posture: absent a valid tenant context, queries return no rows.
- Privilege separation: a separate least-privilege maintenance role is used for administrative database operations, distinct from the application role.
- Encryption: data in transit is encrypted using TLS; data at rest resides on encrypted volumes.
- Access control: database-backed sessions and role-based access control (member, admin, superadmin), with server-side authorisation checks on privileged actions.
- Crawl safety: crawling is scoped to Customer-authorised URLs and protected by SSRF navigation guards that prevent requests from being redirected to internal or private infrastructure.
- AI pipeline safety: prompt-injection defenses are applied in the audit analysis loop; content sent to the AI Sub-processor via API is not used to train models.
- Backups and continuity: nightly database backups (pg_dump) with a rolling retention window of approximately 14 days, plus snapshots taken before each deploy.
- Network and host hardening: host firewall limited to ports 22, 80, and 443; fail2ban intrusion mitigation; unattended security upgrades applied automatically.
- Secrets management: credentials and API keys are held in server-side environment configuration and are never exposed to clients.
- Secure development: independent adversarial code reviews are performed before security-sensitive releases.
- Certifications: a SOC 2 Type II examination is planned; Audaitly is not yet certified and does not claim certification.
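The tenant-isolation and privilege-separation measures above describe a pattern, not a schema. The following is an added illustration of that pattern in PostgreSQL, written for this page; it is not Audaitly’s own code. The role name app_rw, the table audits, the function current_org_id and the session variable app.tenant_id are assumed for the example.

```sql
-- Added illustration (not Audaitly's schema): fail-closed tenant isolation with
-- PostgreSQL Row-Level Security. Names (app_rw, audits, app.tenant_id) are assumed.

-- 1. Application role: may not bypass RLS and may not create objects or roles.
CREATE ROLE app_rw LOGIN NOBYPASSRLS NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. Tenant-scoped table. RLS is enabled AND forced, so the table owner is
--    subject to the policies as well (ENABLE alone exempts the owner).
CREATE TABLE audits (
    id          bigserial PRIMARY KEY,
    org_id      uuid NOT NULL,
    target_url  text NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE audits ENABLE ROW LEVEL SECURITY;
ALTER TABLE audits FORCE ROW LEVEL SECURITY;

-- 3. The tenant context travels in a session variable. current_setting(...,
--    true) returns NULL instead of raising when the variable was never set,
--    and NULLIF maps the empty string to NULL. A NULL uuid compared with
--    org_id is NULL, never true, so a missing context matches no rows.
CREATE OR REPLACE FUNCTION current_org_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid
$$;

-- 4. One policy covering SELECT, INSERT, UPDATE and DELETE. USING filters
--    rows the role may see or touch; WITH CHECK rejects writes that would
--    place a row under another tenant. With RLS enabled, anything not
--    matched by a policy is denied, so this is default-deny.
CREATE POLICY audits_tenant ON audits FOR ALL TO app_rw
    USING (org_id = current_org_id())
    WITH CHECK (org_id = current_org_id());

GRANT SELECT, INSERT, UPDATE, DELETE ON audits TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE audits_id_seq TO app_rw;

-- 5. Per-request use by the application. SET LOCAL scopes the value to the
--    transaction, so a pooled connection cannot leak one tenant's context
--    into the next request.
--   BEGIN;
--   SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';
--   SELECT id, target_url FROM audits;      -- only this org's rows
--   COMMIT;

-- 6. Checks a reviewer would run:
--   SELECT count(*) FROM audits;            -- as app_rw with no context: 0, no error
--   SELECT rolbypassrls, rolsuper FROM pg_roles WHERE rolname = 'app_rw';  -- false, false
--   SELECT relrowsecurity, relforcerowsecurity
--     FROM pg_class WHERE relname = 'audits';                              -- true, true
```

Two caveats belong with this pattern. Superusers and any role created with BYPASSRLS ignore policies entirely, which is why the administrative role in the privilege-separation measure must be a distinct login and why the rolbypassrls check above matters. And the fail-closed behaviour depends on reading the setting with missing_ok = true: current_setting('app.tenant_id') without it raises an error on an unset variable, which is also safe, but a policy that instead defaulted the tenant to a fixed value or to the first row would silently open the table.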