Privacy Policy
This Privacy Policy explains how Sovereign Audit Ltd ("we", "our", or "us") collects, uses, and protects information in connection with the SovereignAudit.io platform.
1. Who We Are
Sovereign Audit
128 City Road
London, EC1C 2NX
United Kingdom
Data Protection contact: info@sovereignaudit.io
2. What Data We Collect
- Account data: name, work email address, organisation name, job title.
- Authentication data: hashed passwords (bcrypt), SSO assertions (SAML/OIDC), session tokens.
- Usage data: scan events, workspace activity, API calls — stored in cryptographic audit logs.
- Technical data: IP addresses (audit log only), browser User-Agent, request identifiers.
- Billing data: organisation name, billing email, Stripe customer ID — no card numbers stored by us.
- Source code (transient only): code passed to the scanner is processed in-memory and hashed. Raw source code is never persisted to our database.
3. How We Use Your Data
- To provide and operate the SovereignAudit compliance platform.
- To authenticate users and enforce role-based access control.
- To generate compliance reports and Annex IV documentation on your behalf.
- To maintain a tamper-evident audit trail for SOC2 and ISO 42001 compliance.
- To send operational alerts (compliance drift, scan failures) where configured.
- To comply with legal obligations, including GDPR and applicable financial regulations.
4. Legal Basis for Processing (GDPR Article 6)
- Contract performance (Art. 6(1)(b)): account management, platform operation, report generation.
- Legitimate interest (Art. 6(1)(f)): security monitoring, fraud prevention, audit log integrity.
- Legal obligation (Art. 6(1)(c)): audit event retention for SOC2 Type II (12 months minimum) and ISO 42001 (7 years for high-risk AI decisions).
- Consent (Art. 6(1)(a)): marketing communications where you have opted in.
5. Source Code and PII Sanitisation
Before any source code snippet is sent to an external LLM provider (Anthropic Claude), it passes through our PII Sanitiser module, which redacts:
- API keys and credentials (OpenAI, Anthropic, AWS, GitHub)
- Email addresses, IP addresses, and UUIDs
- Database connection strings
- Names in string literals
If the sanitiser cannot confirm the snippet is safe to send, the external call is aborted. We store only a SHA-256 hash of scan results — never the raw source code.
6. Data Sharing and Third Parties
We share data with the following processors under Data Processing Agreements:
We do not sell your data. We do not share data with advertisers.
7. Data Retention
- User account data: retained for the duration of your subscription plus 90 days.
- Scan result payloads: 24 months from creation.
- Audit event records: 7 years (legal obligation — SOC2 and ISO 42001 requirements).
- Inference log analysis: 30 days rolling window.
- Session tokens: 15 minutes (access) / 7 days (refresh).
Audit event records are exempt from the right to erasure under GDPR Art. 17(3)(b) (legal obligation). You will be notified of this at registration.
8. Your Rights (GDPR)
- Right of Access (Art. 15): request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): correct inaccurate personal data.
- Right to Erasure (Art. 17): delete your account and associated personal data (subject to audit log exception above).
- Right to Restriction (Art. 18): restrict processing while a complaint is investigated.
- Right to Portability (Art. 20): export your organisation's compliance data as JSON via the Vault API.
- Right to Object (Art. 21): object to processing based on legitimate interest.
To exercise any of these rights, contact us at info@sovereignaudit.io. We will respond within 30 days.
9. Cookies
We use strictly necessary cookies for session management and authentication. No third-party tracking or advertising cookies are used. See our Cookie Policy for details.
10. Security
We implement technical and organisational measures including TLS 1.3 encryption in transit, AES-256 at rest, bcrypt password hashing, HMAC-SHA256 audit chain integrity, and role-based access controls. See our Security page for full details.
11. Changes to This Policy
We will notify registered users of material changes to this policy by email at least 30 days before they take effect. The current version is always available at sovereignaudit.io/privacy.
12. Contact and Supervisory Authority
For privacy questions: info@sovereignaudit.io
If you believe we have not addressed your concern adequately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or your local EU supervisory authority.