Privacy Policy
Last updated: February 2026
1. Who We Are
Audital Ltd (“Audital”, “we”, “our”) operates the Audital AI governance platform. We are a data processor under UK GDPR, processing data on behalf of our clients (data controllers). This policy explains how we handle personal data in the context of our service.
2. Data We Process
We process the following categories of data:
- Account data: name, work email address, job role, organisation name
- Authentication data: hashed passwords (bcrypt, cost factor 12), session tokens (httpOnly cookies)
- Audit event data: AI model inputs and outputs, risk scores, decision metadata — submitted by your organisation
- Usage data: login timestamps, feature usage logs for security and compliance purposes
- Integration credentials: encrypted API keys and tokens for connected services (AES-256-GCM)
3. How Client Data Is Stored
Storage Architecture
All client audit data is stored in a cryptographically chained ledger. Each event is:
- Hashed using SHA-256 and chained to the previous event's hash, so any later alteration, insertion or reordering of a record breaks the chain and is detected when the chain is verified
- Signed with RS256 (RSA signatures over SHA-256); anyone holding our public key, including your regulator, can independently verify every record
- Stored in a PostgreSQL database encrypted at rest with AES-256
- Protected by TLS 1.3 in transit; data never travels unencrypted
- Backed up daily with point-in-time recovery for 30 days
Integration credentials (API keys, tokens) are encrypted using AES-256-GCM before storage. Passwords are never stored in plaintext — only bcrypt hashes with a cost factor of 12.
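As an added illustration of the chained, signed ledger described above (example code written for this page, not Audital's implementation), the following Go program builds a short chain, then shows what an auditor holding only the public key can and cannot detect. The entry layout (index, payload, previous hash, hash, signature), the field serialisation and the sample events are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is one event in the chain. This layout is assumed for the example,
// not taken from Audital's schema.
type Entry struct {
	Index    int
	Payload  string // the audit event as submitted (e.g. a JSON document)
	PrevHash string // hex SHA-256 of the previous entry, all zeros for the first
	Hash     string // hex SHA-256 over Index, Payload and PrevHash
	Sig      []byte // RS256 signature (RSA PKCS#1 v1.5 over SHA-256) of Hash
}

var genesisPrev = hex.EncodeToString(make([]byte, 32))

// Constructed sample events, not real audit data.
var sampleEvents = []string{
	`{"model":"m1","risk":0.2}`, `{"model":"m1","risk":0.9}`, `{"model":"m2","risk":0.5}`,
}

// entryHash returns the raw and hex SHA-256 of an entry's signed fields.
// The payload is length-prefixed so field boundaries are unambiguous.
func entryHash(index int, payload, prev string) ([]byte, string) {
	h := sha256.New()
	fmt.Fprintf(h, "%d\n%d\n%s\n%s", index, len(payload), payload, prev)
	sum := h.Sum(nil)
	return sum, hex.EncodeToString(sum)
}

type Ledger struct {
	priv    *rsa.PrivateKey
	Entries []Entry
}

func NewLedger(priv *rsa.PrivateKey) *Ledger { return &Ledger{priv: priv} }

// Append hashes the event together with the previous hash and signs the digest.
func (l *Ledger) Append(payload string) error {
	prev := genesisPrev
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	idx := len(l.Entries)
	digest, hexHash := entryHash(idx, payload, prev)
	sig, err := rsa.SignPKCS1v15(rand.Reader, l.priv, crypto.SHA256, digest)
	if err != nil {
		return err
	}
	l.Entries = append(l.Entries, Entry{idx, payload, prev, hexHash, sig})
	return nil
}

// Verify is what an auditor with only the public key runs: it recomputes every
// hash, re-walks every link and checks every signature. It returns the index of
// the first failing entry and the reason, or -1 when the chain is intact.
func Verify(entries []Entry, pub *rsa.PublicKey) (int, error) {
	prev := genesisPrev
	for i, e := range entries {
		if e.Index != i {
			return i, errors.New("index gap: entry removed or reordered")
		}
		if e.PrevHash != prev {
			return i, errors.New("chain link broken")
		}
		digest, hexHash := entryHash(e.Index, e.Payload, e.PrevHash)
		if hexHash != e.Hash {
			return i, errors.New("hash mismatch: payload altered")
		}
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, e.Sig); err != nil {
			return i, errors.New("bad signature: hash rewritten without the signing key")
		}
		prev = e.Hash
	}
	return -1, nil
}

// Rewrite models an insider with database write access who changes a payload and
// re-derives every hash after it, but cannot re-sign because the key is held elsewhere.
func Rewrite(entries []Entry, at int, payload string) []Entry {
	out := append([]Entry(nil), entries...)
	out[at].Payload = payload
	for i := at; i < len(out); i++ {
		if i > 0 {
			out[i].PrevHash = out[i-1].Hash
		}
		_, out[i].Hash = entryHash(out[i].Index, out[i].Payload, out[i].PrevHash)
	}
	return out
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	l := NewLedger(priv)
	for _, ev := range sampleEvents {
		l.Append(ev)
	}
	fmt.Println(Verify(l.Entries, &priv.PublicKey))                        // -1 <nil>
	fmt.Println(Verify(Rewrite(l.Entries, 1, `{"risk":0}`), &priv.PublicKey)) // 1 bad signature: ...
}
```

Two points the example makes explicit. The hash chain alone only catches edits made by someone who does not also recompute the later hashes; it is the signature, with the private key kept away from anything that can write to the database, that defeats the rewrite. And neither mechanism detects silent truncation of the newest entries (a chain cut at any point still verifies), so an auditor also needs the latest hash or entry count recorded somewhere the ledger's writer cannot change.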
4. Data Residency
By default, data is hosted in EU-West data centres (London / Ireland). Enterprise customers can request dedicated data residency in a specific region. We do not transfer personal data outside the UK/EEA without appropriate safeguards.
5. Data Retention
Audit records are retained for the period specified in your service agreement (default: 7 years, aligned with FCA record-keeping requirements). Account data is retained for the duration of your subscription plus 90 days after termination. You may request deletion of personal account data subject to legal retention obligations.
6. Your Rights
Under UK GDPR you have the right to: access your personal data, rectification of inaccurate data, erasure where legally permitted, portability of your data, and to object to certain processing. To exercise these rights, contact hello@audital.ai.
7. Sub-processors
We use a limited number of sub-processors to deliver the Service. A current list is available on request. Key sub-processors include cloud infrastructure (AWS, London region), email delivery, and error monitoring. All sub-processors are bound by data processing agreements meeting UK GDPR requirements.
8. Security Measures
We implement appropriate technical and organisational measures including: multi-factor authentication requirements, role-based access controls, cryptographic audit trails of all admin actions, annual penetration testing, and a responsible disclosure programme.
9. Contact & DPO
For privacy enquiries or to exercise your rights, contact our data protection team at hello@audital.ai. We aim to respond within 72 hours.