GDPR Compliance

Our commitment to protecting your data rights under the General Data Protection Regulation

Last updated: December 7, 2024

Right to Access
View your data
Right to Rectify
Correct inaccuracies
Right to Erasure
Delete your data
Right to Portability
Export your data

1. Introduction

Aura Audit AI, LLC ("Aura," "we," "us," or "our") is committed to protecting the privacy and security of personal data in accordance with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). This document outlines our compliance measures and your rights as a data subject when using our AI-powered audit automation platform.

Depending on the data involved, we act either as a data controller or as a data processor for CPA firms and their clients (see Section 2). In both roles we implement technical and organizational measures designed to keep our services GDPR-compliant.

2. Our Role Under GDPR

Data Controller

For our direct customers (CPA firms), we act as a Data Controller for account information, billing data, and usage analytics.

Data Processor

For audit engagement data uploaded by CPA firms on behalf of their clients, we act as a Data Processor under instructions from the Controller.

3. Lawful Basis for Processing

We process personal data under the following lawful bases as defined in Article 6 of GDPR:

Contractual Necessity: Processing necessary to perform our services under your subscription agreement
Legitimate Interests: Processing for fraud prevention, security, and service improvement
Legal Obligation: Processing required to comply with PCAOB, SEC, and tax regulations
Consent: Marketing communications and optional analytics (where applicable)

4. Your Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, access to that data along with information about the processing.
Right to Rectification (Article 16)
You have the right to correct inaccurate personal data and to have incomplete data completed.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, subject to legal retention requirements.
Right to Restriction (Article 18)
You have the right to restrict processing of your personal data in certain circumstances, such as when contesting accuracy or objecting to processing.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. Where such processing is permitted under Article 22(2), you have the right to obtain human intervention, to express your point of view, and to contest the decision.

5. Data Processing Activities

Data Category            Purpose                            Retention
Account Information      Service delivery, billing          Duration of contract + 7 years
Audit Engagement Data    AI analysis, report generation     7 years minimum (PCAOB requirement)
Financial Statements     Transaction analysis, ratios       7 years
Usage Analytics          Service improvement                2 years (anonymized)
Support Communications   Customer service                   3 years

6. International Data Transfers

When transferring personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU-approved contract terms for international transfers
  • Data Processing Agreements: Binding agreements with all sub-processors
  • Transfer Impact Assessments: Regular evaluation of destination country protections
  • Encryption in Transit: TLS 1.3 encryption for all data transfers

Data Residency Options

Enterprise customers can request EU-only data residency, ensuring all personal data remains within the European Economic Area. Contact our sales team for details.

7. Technical & Organizational Measures

We implement comprehensive security measures as required by Article 32 of GDPR:

Encryption

  • AES-256 encryption at rest
  • TLS 1.3 in transit
  • End-to-end encryption for sensitive data

Access Control

  • Role-based access (RBAC)
  • Multi-factor authentication
  • Least privilege principle

Monitoring

  • 24/7 security monitoring
  • Intrusion detection systems
  • Automated threat response

Business Continuity

  • Redundant infrastructure
  • Regular backups
  • Disaster recovery plans

8. Data Breach Notification

In the event of a personal data breach, we follow the notification procedures required by Articles 33 and 34 of GDPR:

Breach Response Timeline

  • Immediate: Containment measures and investigation initiation
  • Without undue delay: Where we act as a processor, notification to the affected controller (Article 33(2))
  • Within 72 hours of becoming aware: Where we act as a controller, notification to the competent supervisory authority, unless the breach is unlikely to result in a risk to data subjects (Article 33(1))
  • Without undue delay: Notification to affected data subjects where the breach is likely to result in a high risk to their rights and freedoms (Article 34)

9. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and GDPR compliance:

Data Protection Officer: dpo@auraaudit.ai (for all GDPR inquiries and data subject requests)

10. Exercising Your Rights

To exercise any of your data subject rights, you may:

  • Email our DPO at dpo@auraaudit.ai
  • Use the in-app Privacy Center, available in your account settings
  • Submit a formal request to privacy@auraaudit.ai

We respond to requests within one month of receipt, as required by Article 12(3). For complex or numerous requests this period may be extended by up to two further months, in which case we will inform you of the extension and the reasons for it within the first month.

Verification Required

To protect your data, we may need to verify your identity before acting on a request (Article 12(6)). This may include asking you for additional information or requiring you to complete multi-factor authentication on your account.

11. Supervisory Authority

If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local supervisory authority. For EU residents, a list of supervisory authorities is available at the European Data Protection Board website.

12. Updates to This Policy

We may update this GDPR Compliance statement periodically. Material changes will be communicated via email and in-app notifications. We encourage you to review this page regularly for the latest information on our data protection practices.

13. Contact Information

Aura Audit AI, LLC

123 Innovation Drive
Suite 400
San Francisco, CA 94107
United States

Data Protection Contacts

DPO: dpo@auraaudit.ai
Privacy: privacy@auraaudit.ai
Security: security@auraaudit.ai