Compliance

1. Compliance Overview

Reaudit is committed to maintaining the highest standards of compliance with applicable laws, regulations, and industry standards. We continuously monitor regulatory changes and adapt our practices to ensure ongoing compliance.

2. GDPR Compliance

General Data Protection Regulation (EU)

2.1 Legal Basis

We process personal data under the following legal bases:

• Contract Performance: Processing necessary to provide our Services
• Legitimate Interests: Service improvement, security, fraud prevention
• Consent: Marketing communications, optional features
• Legal Obligations: Compliance with applicable laws

2.2 Data Subject Rights

We fully support all GDPR rights:

• Right to Access: Request copies of your personal data
• Right to Rectification: Correct inaccurate data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time
• Right to Lodge a Complaint: File complaints with supervisory authorities

2.3 Data Protection Officer

Contact our Data Protection Officer:

2.4 Data Transfers

For data transfers outside the EEA, we use:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission
• Appropriate safeguards as required by GDPR Article 46

2.5 Data Protection Impact Assessments

We conduct DPIAs for high-risk processing activities and document our compliance measures.

2.6 Breach Notification

In the event of a data breach, we will:

• Notify supervisory authorities within 72 hours
• Notify affected individuals without undue delay
• Document all breaches and remediation actions

3. CCPA/CPRA Compliance

California Consumer Privacy Act & California Privacy Rights Act

3.1 Consumer Rights

California residents have the right to:

• Know: What personal information we collect and how we use it
• Access: Request copies of your personal information
• Delete: Request deletion of your personal information
• Opt-Out: Opt out of sale of personal information
• Non-Discrimination: Equal service regardless of privacy choices
• Correct: Request correction of inaccurate information (CPRA)
• Limit Use: Limit use of sensitive personal information (CPRA)

3.2 Do Not Sell

We do not sell your personal information. We do not and will not sell personal data to third parties for monetary consideration.

3.3 Categories of Information

We collect the following categories of personal information:

• Identifiers (name, email, IP address)
• Commercial information (purchase history, subscription data)
• Internet activity (browsing history, interactions)
• Geolocation data (general location)
• Professional information (job title, company)
• Inferences (preferences, characteristics)

3.4 Authorized Agent

California residents may designate an authorized agent to make requests on their behalf. We require proof of authorization.

4. Other US State Privacy Laws

4.1 Virginia CDPA

We comply with the Virginia Consumer Data Protection Act, providing Virginia residents with rights to access, delete, correct, and opt-out.

4.2 Colorado CPA

We comply with the Colorado Privacy Act, including requirements for data protection assessments and consumer rights.

4.3 Connecticut CTDPA

We comply with the Connecticut Data Privacy Act, providing Connecticut residents with comprehensive privacy rights.

4.4 Utah UCPA

We comply with the Utah Consumer Privacy Act, ensuring Utah residents can exercise their privacy rights.

5. ePrivacy Directive

EU ePrivacy Directive (Cookie Law)

• Cookie Consent: We obtain consent before setting non-essential cookies
• Cookie Banner: Clear information about cookies with opt-in/opt-out options
• Cookie Policy: Detailed information about all cookies we use
• Granular Controls: Users can accept/reject specific cookie categories

6. PCI DSS Compliance

Payment Card Industry Data Security Standard

• Third-Party Processing: We use Stripe (PCI DSS Level 1 certified) for payment processing
• No Card Storage: We do not store credit card information on our servers
• Tokenization: Payment data is tokenized for security
• Secure Transmission: All payment data transmitted via encrypted channels

7. SOC 2 Alignment

Service Organization Control 2 — Controls Aligned

7.1 Trust Service Criteria

Our security controls are aligned with all five AICPA Trust Service Criteria:

• Security: Protection against unauthorized access
• Availability: System uptime and accessibility
• Processing Integrity: Accurate and timely processing
• Confidentiality: Protection of confidential information
• Privacy: Collection, use, and disposal of personal information

7.2 Certification Status

Our security controls are aligned with SOC 2 Trust Service Criteria. Formal SOC 2 Type II certification is on our roadmap. See our Trust Center for details.

8. ISO 27001 Alignment

Information Security Management — Practices Aligned

• Security Practices: Our information security practices are aligned with the ISO 27001 framework
• Risk-Based Approach: Security decisions guided by risk assessment
• Continuous Improvement: Regular review and improvement of security controls

Formal ISO 27001 certification is on our roadmap.

9. AI Governance

As an AI visibility platform, we are preparing for the EU AI Act (enforcement begins August 2026):

• Risk Classification: Reaudit is classified as a limited-risk AI system under the transparency tier
• Transparency: Clear disclosure when content is AI-generated
• Data Practices: No user data is shared with or used to train third-party AI models
• Publicly Available Data: AI visibility monitoring uses only publicly available search results

10. Data Processing Agreements

We offer Data Processing Agreements (DPAs) to customers:

• GDPR DPA: Standard Contractual Clauses included
• CCPA DPA: Service provider agreement
• Custom DPAs: Available for enterprise customers
• Sub-Processors: List of sub-processors disclosed

Request a DPA: legal@reaudit.com

11. Vendor Management

We maintain a comprehensive vendor management program:

• Vendor Assessment: Security and compliance review before onboarding
• Due Diligence: Verification of vendor certifications and compliance
• Contracts: Data protection clauses in all vendor agreements
• Monitoring: Ongoing vendor performance and compliance monitoring
• Sub-Processor List: Maintained and updated regularly

12. Compliance Documentation

Available compliance documentation:

• Privacy Policy: Comprehensive privacy practices
• Terms of Service: Legal terms and conditions
• Cookie Policy: Detailed cookie usage information
• Security Practices: Technical security measures
• Trust Center: Comprehensive overview at reaudit.io/trust
• DPA Templates: Data processing agreements
• Sub-Processor List: Third-party service providers

Request documentation: compliance@reaudit.com

13. Security Assessment

• Dependency Scanning: Automated vulnerability scanning of third-party packages
• Code Review: All code changes undergo peer review
• Error Monitoring: Real-time error tracking and alerting via Sentry
• Structured Logging: Comprehensive application logging for security review

14. Secure Development Practices

• Code Review: Peer review required for all production code changes
• TypeScript Strict Mode: Type-safe development reducing security and runtime errors
• Dependency Management: Regular review and updating of third-party packages
• Environment Separation: Distinct development, staging, and production environments

15. Continuous Improvement

We continuously improve our compliance program:

• Regulatory Monitoring: Track changes in privacy and security regulations
• Gap Analysis: Regular assessment of compliance gaps
• Remediation Plans: Action plans for identified gaps
• Best Practices: Adoption of industry best practices
• Stakeholder Feedback: Incorporate customer and user feedback

16. Exercising Your Rights

To exercise your privacy rights:

17. Contact Compliance Team

For compliance questions or requests: