Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the Customer and QuestFeed Pty Ltd for the provision of the AuditDSS platform and services. AuditDSS is a product name and brand of QuestFeed Pty Ltd — it is not a separately registered business or trademark.

DPA at a Glance

This DPA governs how QuestFeed Pty Ltd (operating the AuditDSS platform) processes personal data on your behalf. It applies automatically to all customers and supplements our Terms of Service and Privacy Policy.

Enterprise customers requiring a custom or countersigned DPA can contact hello@auditdss.com.

  • GDPR: Art. 28 compliant
  • APPs: Privacy Act 1988
  • SCCs: EU transfer mechanism
  • 30-day: LLM auto-deletion

1. Definitions

"Controller"

The Customer — the entity that determines the purposes and means of processing Personal Data by using the AuditDSS platform.

"Processor"

QuestFeed Pty Ltd (ABN 58 632 013 855) — the legal entity that processes Personal Data on behalf of the Controller. AuditDSS is the product name under which the Services are provided; all contractual obligations under this DPA are held by QuestFeed Pty Ltd.

"Sub-processor"

A third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Personal Data"

Any information relating to an identified or identifiable natural person that is processed by AuditDSS in the course of providing the Services.

"Processing"

Any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, combination, erasure, or destruction.

"Data Protection Laws"

All applicable data protection legislation, including but not limited to the GDPR (EU 2016/679), UK GDPR, the Privacy Act 1988 (Cth), the CCPA, and any other applicable data protection or privacy laws.

"Services"

The AuditDSS compliance assessment platform, including document upload, AI-powered analysis, risk scoring, gap analysis, regulatory intelligence, and all related features.

"Standard Contractual Clauses" or "SCCs"

The standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).

2. Scope and Purpose of Processing

AuditDSS processes Personal Data solely for the purpose of providing the Services as instructed by the Controller. Processing is limited to what is necessary to perform compliance assessments on documents uploaded by the Customer.

Processing is strictly limited to:

  • Receiving and storing compliance documents uploaded by the Customer
  • Analyzing documents against regulatory obligation graphs using AI models
  • Generating risk-scored compliance gap analysis reports
  • Storing assessment results for the Customer's access and trend analysis
  • Managing Customer accounts, authentication, and billing

AuditDSS will NOT: Process Personal Data for any purpose other than providing the Services; sell, rent, or trade Personal Data; use Personal Data for marketing, profiling, or advertising; or combine Personal Data with data from other customers.

3. Data Processing Details

The following details describe the nature and scope of processing activities:

Subject matter: Provision of the AuditDSS compliance assessment platform

Duration: For the term of the Customer's subscription, plus up to 30 days for data deletion after termination

Nature of processing: Document ingestion, AI-powered analysis, risk scoring, report generation, storage and retrieval of assessment results

Purpose of processing: To provide regulatory compliance gap analysis and risk scoring services as requested by the Customer

Categories of data subjects: Customer employees and authorized users; individuals referenced in uploaded compliance documents (e.g., compliance officers, executives, policy authors)

Types of personal data: Account data (name, email, role); content of uploaded documents, which may include names, titles, organizational roles, and other personal information embedded in compliance policies and procedures

4. AI and LLM Data Processing

Assessment analysis is powered by enterprise-grade large language models (LLMs) via API. The following safeguards apply to all AI-assisted processing:

30-Day Auto-Deletion

The LLM provider (xAI) automatically deletes all API inputs and outputs within 30 days. During this period, data is retained solely for safety and abuse monitoring purposes, after which it is permanently purged.

No Model Training

Your documents are never used for model training, fine-tuning, or any form of machine learning improvement. This is explicitly prohibited under xAI's Enterprise Terms of Service and Data Processing Addendum.

Encrypted In-Transit Processing

Document text is sent to the LLM API over encrypted channels (TLS 1.3) and processed for inference. No customer content is used beyond providing the API response and temporary safety monitoring.

Data Minimization

Only the document text necessary for the compliance assessment is sent to the LLM. Customer account information, assessment history, billing data, and metadata are never transmitted to the LLM provider.

Current LLM Provider: xAI (Grok API). Enterprise-grade API infrastructure governed by xAI's Enterprise Terms of Service and Data Processing Addendum: no training on customer data, API inputs and outputs auto-deleted within 30 days, SOC 2 Type II compliant. AuditDSS will notify the Customer at least 30 days before changing LLM providers, and equivalent no-training and data deletion guarantees will apply to any replacement provider.

5. Sub-processors

AuditDSS engages the following sub-processors to deliver the Services. The Customer authorizes these sub-processors as of the effective date of this DPA:

Each entry lists the sub-processor, its purpose, the location of processing, and data retention:

  • xAI: LLM inference for document analysis. Location: United States. Retention: 30-day auto-delete; no model training; governed by xAI Enterprise ToS and DPA.
  • Amazon Web Services (AWS): Cloud infrastructure, namely compute (Lambda), database (RDS) and storage (S3). Location: US East (N. Virginia). Retention: duration of subscription plus 30-day deletion.
  • Cloudflare: CDN, DDoS protection, WAF, DNS. Location: global edge network. Retention: transient, edge cache only; no persistent storage of customer data.
  • Stripe: Payment processing and billing. Location: United States. Retention: per Stripe's data retention policy and PCI-DSS requirements.

AuditDSS will notify the Customer at least 30 days before engaging a new sub-processor or replacing an existing one. The Customer may object to a new sub-processor on reasonable grounds related to data protection. If AuditDSS cannot accommodate the objection, the Customer may terminate the affected Services.

6. Security Measures

AuditDSS implements appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

Encryption

TLS 1.3 in transit, AES-256 at rest via AWS KMS. Data is encrypted wherever it is stored or transmitted and is decrypted only in memory for the duration of processing.

Access Control

Role-based access control with least privilege. No engineer has persistent access to production. All access is just-in-time and audited.

Serverless Isolation

Compute runs in short-lived, stateless AWS Lambda execution environments managed by AWS. No long-running servers and no SSH access; operating-system and runtime patching of the execution environment is handled by AWS, and AuditDSS maintains its own application dependencies.

Tenant Isolation

Logical data isolation per customer. No customer can access another customer's data.

Monitoring & Logging

Continuous monitoring with automated alerting. Audit logs for all data access events. Anomaly detection for suspicious activity.

Backup & Recovery

Daily automated backups with 35-day retention, point-in-time recovery, and Multi-AZ database deployment for high availability. Backup copies of Personal Data are subject to the deletion timelines in Sections 7 and 11.

For full details of our security practices, see our Security page.

7. Data Subject Rights

AuditDSS will assist the Controller in fulfilling its obligations to respond to data subject requests under applicable Data Protection Laws, including:

Right of Access

AuditDSS will provide the Controller with access to Personal Data processed on its behalf, in a structured, commonly used, and machine-readable format, within 30 days of a request.

Right to Rectification

AuditDSS will correct or update Personal Data upon instruction from the Controller.

Right to Erasure

AuditDSS will delete Personal Data upon instruction from the Controller, subject to any legal retention requirements. Deletion is completed within 30 days, including all backups.

Right to Data Portability

The Customer can export their assessment data and reports at any time via the platform. AuditDSS will provide data in standard formats (JSON, CSV, PDF) upon request.

Right to Restriction

AuditDSS will restrict processing of specific Personal Data upon instruction from the Controller, except for storage and legally required processing.

Right to Object

As AuditDSS processes data solely on the Controller's instructions, objections should be directed to the Controller. AuditDSS will assist the Controller in responding to such objections.

8. International Data Transfers

AuditDSS infrastructure is primarily located in the United States (AWS US East). For customers subject to data transfer restrictions, the following mechanisms apply:

EU/EEA & UK Transfers

Transfers of Personal Data from the EU/EEA or UK to the United States are governed by the EU Standard Contractual Clauses (SCCs) as approved by European Commission Decision (EU) 2021/914. The SCCs are incorporated into this DPA by reference and apply automatically where required.

Australian Transfers

AuditDSS complies with Australian Privacy Principle 8 (APP 8) regarding cross-border disclosure of personal information. We take reasonable steps to ensure that overseas recipients handle personal information in accordance with the APPs.

Swiss Transfers

For transfers from Switzerland, the SCCs apply as recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC), with the necessary modifications for Swiss law.

Additional Safeguards

In addition to transfer mechanisms, AuditDSS implements supplementary measures including encryption in transit and at rest, access controls, and contractual protections with all sub-processors.

9. Data Breach Notification

In the event of a Personal Data breach, AuditDSS will:

Notify: within 48 hours

Notify the Controller without undue delay and in any event within 48 hours of becoming aware of a Personal Data breach. This satisfies the processor's "without undue delay" duty under GDPR Article 33(2) and is shorter than the 72 hours the Controller has to notify its supervisory authority under Article 33(1); it also meets the "as soon as practicable" standard under the Australian Notifiable Data Breaches scheme.

Describe: with notification

Provide a description of the nature of the breach, including the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.

Assist: ongoing

Assist the Controller in fulfilling its own breach notification obligations to supervisory authorities and affected data subjects, including providing all information reasonably necessary for such notifications.

Remediate: immediate

Take immediate steps to contain the breach, mitigate its effects, and prevent recurrence. Conduct a root cause analysis and implement preventive measures.

10. Audit Rights

AuditDSS will make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws:

Documentation

AuditDSS will provide copies of relevant security certifications, audit reports (including SOC 2 Type II when available), and completed security questionnaires upon reasonable request.

Third-Party Audits

The Controller may, at its own cost, engage a qualified independent auditor to conduct an audit of AuditDSS's processing activities, subject to reasonable advance notice (at least 30 days), scope limitations to data protection matters, and confidentiality obligations.

Regulatory Cooperation

AuditDSS will cooperate with and assist any supervisory authority or regulator in the performance of their duties, where required by applicable Data Protection Laws.

11. Data Deletion and Return

Upon termination or expiry of the Customer's subscription:

Data Export

The Customer may export all assessment data, reports, and associated Personal Data from the platform at any time before termination. AuditDSS will provide reasonable assistance with data export upon request.

Deletion

AuditDSS will delete all Personal Data processed on behalf of the Controller within 30 days of termination, including all copies in primary storage, backups, and disaster recovery systems. AuditDSS will provide written confirmation of deletion upon request.

Retention Exceptions

AuditDSS may retain Personal Data beyond the 30-day deletion period only where required by applicable law (e.g., tax records, regulatory requirements). Any such retained data will continue to be protected under this DPA.

Sub-processor Deletion

AuditDSS will ensure that all sub-processors delete Personal Data in accordance with the same timelines. The LLM provider (xAI) automatically deletes API inputs and outputs within 30 days, as described in Section 4, so no customer content persists with the provider beyond that window.

12. General Processor Obligations

AuditDSS, as Processor, undertakes to:

Process Personal Data only on documented instructions from the Controller, unless required by applicable law

Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk

Engage sub-processors only with prior authorization of the Controller and under a written contract imposing equivalent data protection obligations

Assist the Controller in ensuring compliance with its obligations regarding security, breach notification, impact assessments, and prior consultation

At the choice of the Controller, delete or return all Personal Data after the end of the provision of Services

Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA

13. Governing Law and Jurisdiction

This DPA is governed by the laws of the State of Queensland, Australia, except where Data Protection Laws require the application of the law of the data subject's jurisdiction. For EU/EEA data subjects, the GDPR and applicable member state implementations prevail. For UK data subjects, the UK GDPR and Data Protection Act 2018 prevail.

Any disputes arising under this DPA will be resolved in accordance with the dispute resolution provisions of the Terms of Service, subject to the right of data subjects and supervisory authorities to pursue remedies under applicable Data Protection Laws.

14. Amendments

AuditDSS may update this DPA from time to time to reflect changes in our processing activities, sub-processors, or applicable Data Protection Laws. Material changes will be notified to the Customer at least 30 days before taking effect. Continued use of the Services after the effective date of a revised DPA constitutes acceptance of the updated terms.

DPA Contact

For questions about this DPA, data processing requests, or to exercise audit rights:

QuestFeed Pty Ltd

ABN: 58 632 013 855

Email: hello@auditdss.com

Document Version: 1.0 | Effective: March 2026

This DPA supplements the Terms of Service and Privacy Policy.