Compliance

Our commitment to regulatory compliance and industry standards

1. Compliance Overview

Reaudit is committed to maintaining the highest standards of compliance with applicable laws, regulations, and industry standards. We continuously monitor regulatory changes and adapt our practices to ensure ongoing compliance.

2. GDPR Compliance

General Data Protection Regulation (EU)

2.1 Legal Basis

We process personal data under the following legal bases:

  • Contract Performance: Processing necessary to provide our Services
  • Legitimate Interests: Service improvement, security, fraud prevention
  • Consent: Marketing communications, optional features
  • Legal Obligations: Compliance with applicable laws

2.2 Data Subject Rights

We fully support all GDPR rights:

  • Right to Access: Request copies of your personal data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time
  • Right to Lodge a Complaint: File complaints with supervisory authorities

2.3 Data Protection Officer

Contact our Data Protection Officer:

2.4 Data Transfers

For data transfers outside the EEA, we use:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Appropriate safeguards as required by GDPR Article 46

2.5 Data Protection Impact Assessments

We conduct DPIAs for high-risk processing activities and document our compliance measures.

2.6 Breach Notification

In the event of a data breach, we will:

  • Notify supervisory authorities within 72 hours
  • Notify affected individuals without undue delay
  • Document all breaches and remediation actions

3. CCPA/CPRA Compliance

California Consumer Privacy Act & California Privacy Rights Act

3.1 Consumer Rights

California residents have the right to:

  • Know: What personal information we collect and how we use it
  • Access: Request copies of your personal information
  • Delete: Request deletion of your personal information
  • Opt-Out: Opt out of sale of personal information
  • Non-Discrimination: Equal service regardless of privacy choices
  • Correct: Request correction of inaccurate information (CPRA)
  • Limit Use: Limit use of sensitive personal information (CPRA)

3.2 Do Not Sell

We do not sell your personal information. We do not and will not sell personal data to third parties for monetary consideration.

3.3 Categories of Information

We collect the following categories of personal information:

  • Identifiers (name, email, IP address)
  • Commercial information (purchase history, subscription data)
  • Internet activity (browsing history, interactions)
  • Geolocation data (general location)
  • Professional information (job title, company)
  • Inferences (preferences, characteristics)

3.4 Authorized Agent

California residents may designate an authorized agent to make requests on their behalf. We require proof of authorization.

4. Other US State Privacy Laws

4.1 Virginia CDPA

We comply with the Virginia Consumer Data Protection Act, providing Virginia residents with rights to access, delete, correct, and opt out.

4.2 Colorado CPA

We comply with the Colorado Privacy Act, including requirements for data protection assessments and consumer rights.

4.3 Connecticut CTDPA

We comply with the Connecticut Data Privacy Act, providing Connecticut residents with comprehensive privacy rights.

4.4 Utah UCPA

We comply with the Utah Consumer Privacy Act, ensuring Utah residents can exercise their privacy rights.

5. ePrivacy Directive

EU ePrivacy Directive (Cookie Law)

  • Cookie Consent: We obtain consent before setting non-essential cookies
  • Cookie Banner: Clear information about cookies with opt-in/opt-out options
  • Cookie Policy: Detailed information about all cookies we use
  • Granular Controls: Users can accept/reject specific cookie categories

6. PCI DSS Compliance

Payment Card Industry Data Security Standard

  • Third-Party Processing: We use Stripe (PCI DSS Level 1 certified) for payment processing
  • No Card Storage: We do not store credit card information on our servers
  • Tokenization: Payment data is tokenized for security
  • Secure Transmission: All payment data transmitted via encrypted channels

7. SOC 2 Compliance

Service Organization Control 2 (In Progress)

7.1 Trust Service Criteria

We are implementing controls for all five Trust Service Criteria:

  • Security: Protection against unauthorized access
  • Availability: System uptime and accessibility
  • Processing Integrity: Accurate and timely processing
  • Confidentiality: Protection of confidential information
  • Privacy: Collection, use, and disposal of personal information

7.2 Audit Status

A SOC 2 Type II audit is in progress. Expected completion: Q2 2026.

8. ISO 27001

Information Security Management System (In Progress)

  • ISMS Implementation: Comprehensive information security management system
  • Risk Assessment: Regular risk assessments and treatment plans
  • Security Controls: Implementation of ISO 27001 Annex A controls
  • Continuous Improvement: Regular audits and improvement cycles

Certification expected: Q3 2026.

9. Industry-Specific Compliance

9.1 HIPAA (Roadmap)

For healthcare customers, we are developing HIPAA compliance:

  • Business Associate Agreements (BAAs)
  • Protected Health Information (PHI) safeguards
  • HIPAA Security Rule compliance
  • HIPAA Privacy Rule compliance

9.2 FERPA (Roadmap)

For educational institutions, we plan to support FERPA compliance for student data protection.

10. Data Processing Agreements

We offer Data Processing Agreements (DPAs) to customers:

  • GDPR DPA: Standard Contractual Clauses included
  • CCPA DPA: Service provider agreement
  • Custom DPAs: Available for enterprise customers
  • Sub-Processors: List of sub-processors disclosed

Request a DPA: [email protected]

11. Vendor Management

We maintain a comprehensive vendor management program:

  • Vendor Assessment: Security and compliance review before onboarding
  • Due Diligence: Verification of vendor certifications and compliance
  • Contracts: Data protection clauses in all vendor agreements
  • Monitoring: Ongoing vendor performance and compliance monitoring
  • Sub-Processor List: Maintained and updated regularly

12. Compliance Documentation

Available compliance documentation:

  • Privacy Policy: Comprehensive privacy practices
  • Terms of Service: Legal terms and conditions
  • Cookie Policy: Detailed cookie usage information
  • Security Whitepaper: Technical security measures
  • DPA Templates: Data processing agreements
  • Sub-Processor List: Third-party service providers
  • Compliance Certifications: Current and in-progress certifications

Request documentation: [email protected]

13. Audit and Assessment

  • Internal Audits: Quarterly compliance audits
  • External Audits: Annual third-party security and compliance audits
  • Penetration Testing: Annual penetration tests by certified professionals
  • Vulnerability Assessments: Continuous vulnerability scanning
  • Compliance Monitoring: Real-time compliance monitoring and alerting

14. Training and Awareness

  • Employee Training: Mandatory compliance training for all employees
  • Privacy Training: Data protection and privacy best practices
  • Security Awareness: Regular security awareness programs
  • Policy Updates: Communication of policy changes to all staff
  • Incident Response: Training on breach notification procedures

15. Continuous Improvement

We continuously improve our compliance program:

  • Regulatory Monitoring: Track changes in privacy and security regulations
  • Gap Analysis: Regular assessment of compliance gaps
  • Remediation Plans: Action plans for identified gaps
  • Best Practices: Adoption of industry best practices
  • Stakeholder Feedback: Incorporate customer and user feedback

16. Exercising Your Rights

To exercise your privacy rights:

Privacy Requests:

  • Email: [email protected]
  • Online Form: Available in account settings
  • Phone: +30 697 330 5186

Response Time:

  • GDPR requests: Within 30 days
  • CCPA requests: Within 45 days
  • Verification required for all requests

17. Contact Compliance Team

For compliance questions or requests:

Compliance Officer: [email protected]

Data Protection Officer: [email protected]

Legal Team: [email protected]

General Inquiries: [email protected]

Phone: +30 697 330 5186

Address: 4 Adelfon Giannidi, Moschato, Attica, Greece