Skip to main content

Security & Compliance Architecture

Security & Compliance Architecture.

Verifiable Article 50 and outbound evidence. Documents, certifications, and contractual allocations procurement and DPO teams need to qualify Audact.

1. Data Processing Agreement (counsel-reviewed)

GDPR Article 28 DPA covering processing scope, sub-processors, data residency, Article 32 security measures, breach notification, and crypto-shredding for erasure.

2. Subprocessor matrix

Machine-readable CSV listing every sub-processor: purpose, data category, location, transfer mechanism (SCCs where applicable). 30-day change-notification window.

3. AI Act §14 liability allocation

Audact’s standard reseller-agreement template allocates AI Act Article 14 provider-side obligations (evidence-chain integrity, disclosure attestation) to Audact, and deployer-side obligations (script content, end-client onboarding, opt-in collection) to the agency. Capped financial liability per agency, with caps tied to underlying Audact platform liability allocation. Specific cap amounts are negotiated per contract — see DPA + MSA.

4. EU Data Act — switching & portability rights

In accordance with the EU Data Act (Regulation 2023/2854), Audact contracts guarantee:

  • Two-month exit notice (Annex C maximum) for customer-initiated switching
  • No switching fees from 12 January 2027 onward
  • Functional equivalence for exported evidence chains (W3C VC + C2PA, vendor-neutral)

5. SOC 2 Type II — roadmap

Target: Q4 2027, sequenced after the first 10 paying customers (so audit scope reflects real production controls). Vendor selection Q2 2027. Type I baseline in advance.

6. ISO/IEC 27001 — Q4 2026 ETA

Information Security Management System certification. Statement of Applicability (SoA) drafted Q2 2026; Stage 1 audit Q3 2026; Stage 2 / certification Q4 2026.

7. ISO/IEC 42001 — AI Management System (in progress)

Active alignment viaNEN membership(target Q3 2026), participating in the Dutch mirror committee. Certification track follows once the EU harmonised standards under the AI Act stabilise.

8. DPIA template

Pre-completed DPIA template for outbound voice AI deployments under GDPR Article 35. Includes the Audact data flow, retention defaults, lawful basis options, and risk-mitigation controls. Ready for adaptation by your DPO.