Audact Trust Center

Privacy, security, and compliance — without the theatre

EU-hosted from day one. Frankfurt-only data residency. Cryptographic evidence on every call. Our DPA is ready to countersign. Our sub-processors list is short and EU-only.

Data residency: Frankfurt only (AWS eu-central-1)
US data transfers: Zero (no SCCs required)
Evidence retention: 7 years (GDPR Art. 5(2))
DPA status: Ready (request countersign)

Documentation

Everything your legal team needs

DPA, sub-processors list, Article 50 templates, ROPA, and security summary — all available on request. PDFs will be published as finalized.

Data Processing Agreement (DPA)

GDPR Art. 28

Our standard DPA under GDPR Art. 28. Covers controller-processor obligations, sub-processor chain, data subject rights, and breach notification (72-hour obligation). Ready to countersign.

Sub-Processors List

GDPR Art. 28(4)

Full list of all sub-processors with purpose, location, transfer basis, and DPA reference. Updated when any sub-processor is added or removed (30-day notice to customers).

Article 50 Disclosure Templates

EU AI Act Art. 50

Ready-to-deploy disclosure templates for EN/DE/NL markets. Covers mandatory AI-identity disclosure, purpose statement, and opt-out pathways. Reviewed by Bird and Bird.

ROPA — Records of Processing Activities

GDPR Art. 30

Our Art. 30 Records of Processing Activities, structured by processing purpose. Demonstrates lawful basis per activity, retention periods, and data flows.

Security Summary

GDPR Art. 32

Technical and organisational measures (TOMs) per GDPR Art. 32. Encryption standards, access controls, vulnerability management, incident response SLAs, and penetration testing schedule.

Sub-processors

Short list. EU-only.

We deliberately keep our sub-processor chain minimal. Every processor that touches personal data is EU-hosted with no US transfer.

Last updated May 2025

Amazon Web Services (AWS)
  Purpose: Cloud infrastructure, storage, compute — EU-only (Frankfurt, eu-central-1)
  Location: Germany (Frankfurt)
  Transfer basis: None — EU residency enforced by contract

AWS DynamoDB
  Purpose: Waitlist, agency applications, lead-magnet submissions
  Location: Germany (Frankfurt)
  Transfer basis: None

AWS S3
  Purpose: Lead-magnet PDF storage (gated resources)
  Location: Germany (Frankfurt)
  Transfer basis: None

AWS SNS
  Purpose: Internal notification pipeline for new applications
  Location: Germany (Frankfurt)
  Transfer basis: None

Vercel
  Purpose: Website edge CDN — static assets only, no personal data cached
  Location: EU edge nodes
  Transfer basis: No personal data transferred

Plausible Analytics
  Purpose: Privacy-first, cookie-free website analytics — no personal data
  Location: EU (Germany)
  Transfer basis: None — no personal data

Customers will be notified 30 days in advance of any sub-processor change per our DPA. Full sub-processor list available as PDF on request: privacy@audact.ai

Security

Technical and organisational measures

GDPR Art. 32 TOMs, implemented — not just documented.

Per-tenant encryption

All customer data is encrypted at rest with per-tenant keys. Key rotation is automated. Keys are managed by AWS KMS (Frankfurt) and never leave the EU.

Frankfurt-only data residency

All personally identifiable information and call records are stored exclusively in AWS eu-central-1 (Frankfurt). No replication to US regions. No Standard Contractual Clauses required.

Crypto-shredding for erasure

Right to erasure (GDPR Art. 17) is implemented via cryptographic key deletion. When a data subject requests erasure, the encryption key is destroyed — all derived ciphertext becomes permanently inaccessible.

Cryptographic evidence chain

Every call generates a SHA-256 hash-chained receipt. Merkle-tree aggregation links call-level hashes to a tamper-evident root. Evidence is court-admissible and regulator-exportable.
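
The hash chain and Merkle root described above, as an added example that is not Audact's implementation: the receipt layout, field names, all-zero genesis value and odd-node rule are assumptions. It shows why the root must be held somewhere the log writer cannot change: an in-place edit breaks the chain, while a full rewrite passes the chain check and is caught only against the published root.

```python
import hashlib
import json

GENESIS = "00" * 32  # assumed previous-hash value for the first receipt

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_receipt(prev_hash, call):  # hash covers prev hash + canonical JSON of the call
    body = json.dumps(call, sort_keys=True, separators=(",", ":"))
    return {"prev": prev_hash, "call": call, "hash": sha256_hex((prev_hash + body).encode())}

def build_chain(calls):
    chain, prev = [], GENESIS
    for call in calls:
        chain.append(make_receipt(prev, call))
        prev = chain[-1]["hash"]
    return chain

def merkle_root(receipt_hashes):
    # 0x00 / 0x01 prefixes keep leaf hashes and inner-node hashes distinct.
    level = [sha256_hex(b"\x00" + bytes.fromhex(h)) for h in receipt_hashes]
    while len(level) > 1:
        paired = [sha256_hex(b"\x01" + bytes.fromhex(level[i] + level[i + 1]))
                  for i in range(0, len(level) - 1, 2)]
        level = paired + (level[-1:] if len(level) % 2 else [])  # odd node carried up
    return level[0]

def verify(chain, published_root):
    prev = GENESIS
    for i, r in enumerate(chain):
        if r["prev"] != prev or make_receipt(prev, r["call"])["hash"] != r["hash"]:
            return f"receipt {i} does not match its contents or predecessor"
        prev = r["hash"]
    if merkle_root([r["hash"] for r in chain]) != published_root:
        return "chain is self-consistent but differs from the published root"
    return "ok"

def tampered(chain, index, rehash):
    calls = [dict(r["call"]) for r in chain]
    calls[index]["disclosure_shown"] = False  # alter one stored record
    if rehash:  # recompute every hash so the links agree again
        return build_chain(calls)
    return [dict(r, call=c) for r, c in zip(chain, calls)]  # hashes left untouched

# Constructed sample call records (field names are hypothetical).
CALLS = [{"call_id": f"c-{n:03d}", "disclosure_shown": True} for n in range(1, 6)]
CHAIN = build_chain(CALLS)
ROOT = merkle_root([r["hash"] for r in CHAIN])  # copy held outside the log store
```
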

Audit logging

All administrative actions, data access events, and policy changes are logged with immutable timestamps. Logs are retained for 7 years per the GDPR Art. 5(2) accountability requirement.

No US data transfer

Audact does not use any US-incorporated sub-processors that handle personal data. No Schrems II exposure. No SCCs required for the platform core.

Article 50 Templates

Disclosure templates — ready for deployment

EU AI Act Article 50 requires any deployer of an AI system that interacts with humans to disclose the AI nature of the system before the interaction begins. These templates are reviewed by Bird and Bird and ready for EN, DE, and NL markets.

EN: English

UK, IE, international

You are now connected to an AI-powered voice assistant. This interaction is governed by [Organisation]. Would you like to continue?

DE: Deutsch

DE, AT, CH

Sie sind jetzt mit einem KI-gestützten Sprachassistenten verbunden. Diese Interaktion wird von [Organisation] durchgeführt. Möchten Sie fortfahren?

NL: Nederlands

NL, BE

U bent nu verbonden met een AI-gestuurde spraakassistent. Deze interactie wordt uitgevoerd door [Organisatie]. Wilt u doorgaan?

Templates are provided as a starting point. Final disclosure language must be reviewed by your legal counsel and tailored to your specific deployment context. Full templates with implementation guidance available as PDF on request: compliance@audact.ai

Privacy and compliance contacts

Use the right channel for the right request. We respond within 2 business days.

Privacy and DPA
privacy@audact.ai

DPA countersigning, data subject rights, sub-processor questions, ROPA requests

Compliance
compliance@audact.ai

Article 50 templates, EU AI Act questions, regulatory enquiries, FRIA support

Security
security@audact.ai

Vulnerability disclosure, penetration test results, security TOMs, incident reports

Registered address: Audact Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Compliance starts with transparency

We built the Trust Center so your procurement team, DPO, and legal counsel have everything they need without a back-and-forth. If something is missing, email us directly.