Last updated: 13 May 2026

Privacy Policy

This Privacy Policy explains how Sovereign Audit Ltd ("we", "our", or "us") collects, uses, and protects information in connection with the SovereignAudit.io platform.

1. Who We Are

Sovereign Audit
128 City Road
London, EC1C 2NX
United Kingdom

Data Protection contact: info@sovereignaudit.io

2. What Data We Collect

  • Account data: name, work email address, organisation name, job title.
  • Authentication data: hashed passwords (bcrypt), SSO assertions (SAML/OIDC), session tokens.
  • Usage data: scan events, workspace activity, API calls — stored in cryptographic audit logs.
  • Technical data: IP addresses (audit log only), browser User-Agent, request identifiers.
  • Billing data: organisation name, billing email, Stripe customer ID — no card numbers stored by us.
  • Source code (transient only): code passed to the scanner is processed in-memory and hashed. Raw source code is never persisted to our database.

3. How We Use Your Data

  • To provide and operate the SovereignAudit compliance platform.
  • To authenticate users and enforce role-based access control.
  • To generate compliance reports and Annex IV documentation on your behalf.
  • To maintain a tamper-evident audit trail for SOC2 and ISO 42001 compliance.
  • To send operational alerts (compliance drift, scan failures) where configured.
  • To comply with legal obligations, including GDPR and applicable financial regulations.

4. Legal Basis for Processing (GDPR Article 6)

  • Contract performance (Art. 6(1)(b)): account management, platform operation, report generation.
  • Legitimate interest (Art. 6(1)(f)): security monitoring, fraud prevention, audit log integrity.
  • Legal obligation (Art. 6(1)(c)): audit event retention for SOC2 Type II (12 months minimum) and ISO 42001 (7 years for high-risk AI decisions).
  • Consent (Art. 6(1)(a)): marketing communications where you have opted in.

5. Source Code and PII Sanitisation

Before any source code snippet is sent to an external LLM provider (Anthropic Claude), it passes through our PII Sanitiser module, which redacts:

  • API keys and credentials (OpenAI, Anthropic, AWS, GitHub)
  • Email addresses, IP addresses, and UUIDs
  • Database connection strings
  • Names in string literals

If the sanitiser cannot confirm the snippet is safe to send, the external call is aborted. We store only a SHA-256 hash of scan results — never the raw source code.

6. Data Sharing and Third Parties

We share data with the following processors under Data Processing Agreements:

Anthropic (US)
LLM API — sanitised code patterns only · SCCs + Zero Data Retention option
Amazon Web Services (EU)
Cloud infrastructure — EU hosting only · Standard (EU region)
Stripe (US)
Payment processing — billing email only · SCCs
Mailgun / AWS SES (EU)
Transactional email delivery · SCCs

We do not sell your data. We do not share data with advertisers.

7. Data Retention

  • User account data: retained for the duration of your subscription plus 90 days.
  • Scan result payloads: 24 months from creation.
  • Audit event records: 7 years (legal obligation — SOC2 and ISO 42001 requirements).
  • Inference log analysis: 30 days rolling window.
  • Session tokens: 15 minutes (access) / 7 days (refresh).

Audit event records are exempt from the right to erasure under GDPR Art. 17(3)(b) (legal obligation). You will be notified of this at registration.

8. Your Rights (GDPR)

  • Right of Access (Art. 15): request a copy of all personal data we hold about you.
  • Right to Rectification (Art. 16): correct inaccurate personal data.
  • Right to Erasure (Art. 17): delete your account and associated personal data (subject to audit log exception above).
  • Right to Restriction (Art. 18): restrict processing while a complaint is investigated.
  • Right to Portability (Art. 20): export your organisation's compliance data as JSON via the Vault API.
  • Right to Object (Art. 21): object to processing based on legitimate interest.

To exercise any of these rights, contact us at info@sovereignaudit.io. We will respond within 30 days.

9. Cookies

We use strictly necessary cookies for session management and authentication. No third-party tracking or advertising cookies are used. See our Cookie Policy for details.

10. Security

We implement technical and organisational measures including TLS 1.3 encryption in transit, AES-256 at rest, bcrypt password hashing, HMAC-SHA256 audit chain integrity, and role-based access controls. See our Security page for full details.

11. Changes to This Policy

We will notify registered users of material changes to this policy by email at least 30 days before they take effect. The current version is always available at sovereignaudit.io/privacy.

12. Contact and Supervisory Authority

For privacy questions: info@sovereignaudit.io

If you believe we have not addressed your concern adequately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or your local EU supervisory authority.