Data Processing Addendum

Last updated: April 13, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other written or electronic agreement between Mataki Labs LLC (“AuditStore,” “Processor,” “we,” “us,” or “our”), a Wyoming limited liability company, and the entity or person agreeing to these terms (“Customer,” “Controller,” “you,” or “your”) for the provision of the AuditStore platform, APIs, and related services (the “Services”) as described in the Terms of Service (the “Agreement”).

This DPA applies to the extent that AuditStore processes Personal Data on behalf of Customer in the course of providing the Services. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meanings given to them in the Agreement.

“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the UK General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018 (“UK GDPR”); (c) the Swiss Federal Act on Data Protection (“FADP”); (d) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”); and (e) any other applicable data protection or privacy laws.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Customer is the Controller.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“EEA” means the European Economic Area, comprising the member states of the European Union plus Iceland, Liechtenstein, and Norway.
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by AuditStore on behalf of Customer in connection with the Services. This includes, but is not limited to, data defined as “personal data” under the GDPR, “personal data” under the UK GDPR, and “personal information” under the CCPA. Personal Data may be contained within audit events emitted by Customer’s applications, including actor identifiers, IP addresses, email addresses, session identifiers, and other metadata fields.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by AuditStore.
“Processing” (and its cognates “Process,” “Processed,” and “Processes”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. For the purposes of this DPA, AuditStore is the Processor.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, or any successor clauses adopted by the European Commission.
“Sub-Processor” means any third party appointed by AuditStore to process Personal Data on behalf of Customer in connection with the Services.
“Supervisory Authority” means an independent public authority established by an EU Member State, UK, or Swiss authority pursuant to Applicable Data Protection Law.

2. Roles and Scope

2.1 Roles of the Parties

The parties acknowledge and agree that:

(a) Customer is the Controller of Personal Data and determines the purposes and means of processing Personal Data through its use of the Services.

(b) AuditStore is the Processor of Personal Data and processes Personal Data solely on behalf of Customer and in accordance with Customer’s documented instructions as described in this DPA and the Agreement.

(c) Each party shall comply with its respective obligations under Applicable Data Protection Law with respect to the processing of Personal Data.

2.2 Scope of Processing

AuditStore shall process Personal Data only to the extent necessary to provide the Services in accordance with the Agreement and this DPA. The details of processing, including the subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects, are described in Annex 1 of this DPA.

2.3 Customer Obligations

Customer represents and warrants that:

(a) It has provided all necessary notices to, and obtained all necessary consents, permissions, or authorizations from, Data Subjects as required under Applicable Data Protection Law to enable the lawful processing of Personal Data by AuditStore as contemplated by this DPA.

(b) It has a lawful basis for processing Personal Data and for instructing AuditStore to process Personal Data on its behalf.

(d) It shall not emit audit events containing Personal Data to the Services that it is not authorized to process under Applicable Data Protection Law.

(e) It acknowledges that audit events emitted to the Services are immutable once recorded. Customer is responsible for ensuring that Personal Data included in audit events is appropriate for immutable storage, and that Customer has a lawful basis for such storage for the duration of the applicable Retention Policy.

3. Processor Obligations

3.1 Documented Instructions

(a) AuditStore shall process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which AuditStore is subject. In such a case, AuditStore shall inform Customer of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.

(b) Customer’s initial instructions are set forth in this DPA and the Agreement. Customer may issue additional reasonable written instructions consistent with the terms of the Agreement. If AuditStore believes that any instruction from Customer infringes Applicable Data Protection Law, AuditStore shall promptly notify Customer and shall not be required to comply with the infringing instruction.

(c) The Agreement (including this DPA) constitutes Customer’s complete and final documented instructions to AuditStore for the processing of Personal Data. Any additional or alternate instructions must be agreed upon separately in writing.

3.2 Confidentiality

(a) AuditStore shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(b) AuditStore shall not disclose Personal Data to any third party except as expressly permitted by this DPA, the Agreement, or as required by applicable law.

3.3 Security

(a) AuditStore shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as described in Annex 2 of this DPA. Such measures shall include, as appropriate:

(i) the encryption of Personal Data at rest and in transit;

(ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, including through hash-chain integrity verification;

(iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

(iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

(b) In assessing the appropriate level of security, AuditStore shall take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

(c) AuditStore shall take reasonable steps to ensure that only authorized personnel have access to Personal Data and that such personnel process Personal Data only as instructed by Customer, except as required by applicable law.

3.4 Data Subject Rights

(a) Taking into account the nature of the processing, AuditStore shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction of processing, data portability, and the right to object.

(b) If AuditStore receives a request from a Data Subject in relation to Personal Data processed on behalf of Customer, AuditStore shall promptly redirect the Data Subject to Customer and notify Customer of the request. AuditStore shall not respond to the Data Subject directly unless authorized by Customer or required by applicable law.

(c) Customer acknowledges that due to the immutable nature of the audit ledger, individual event modification or deletion is not technically feasible within the active Ledger. AuditStore will assist Customer in responding to erasure requests through the application of Retention Policies, Ledger deletion, or other technically feasible measures. Customer is responsible for evaluating the compatibility of immutable audit storage with applicable erasure rights before emitting Personal Data to the Services.

(d) Customer acknowledges that AuditStore may charge a reasonable fee for any assistance provided under this Section 3.4, to the extent such assistance requires significant effort beyond what is included in the Services.

3.5 Data Protection Impact Assessments

AuditStore shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required under Applicable Data Protection Law and taking into account the nature of the processing and the information available to AuditStore.

4. Sub-Processors

4.1 General Authorization

Customer provides general written authorization for AuditStore to engage Sub-Processors to process Personal Data on behalf of Customer, subject to the requirements of this Section 4. The current list of Sub-Processors is available at /legal/sub-processors.

4.2 Sub-Processor Obligations

AuditStore shall:

(a) Enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those set out in this DPA, including, in particular, providing sufficient guarantees to implement appropriate technical and organizational measures such that the processing meets the requirements of Applicable Data Protection Law.

(b) Remain fully liable to Customer for the performance of each Sub-Processor’s obligations. Where a Sub-Processor fails to fulfill its data protection obligations, AuditStore shall be liable to Customer for the acts and omissions of the Sub-Processor as if they were the acts and omissions of AuditStore itself.

4.3 Notification of New Sub-Processors

(a) AuditStore shall notify Customer before authorizing any new Sub-Processor to process Personal Data. Such notification shall be provided by updating the Sub-Processor list at /legal/sub-processors and by email notification to Customer’s designated contact or to the email address associated with Customer’s account. AuditStore shall provide at least thirty (30) days’ prior written notice before a new Sub-Processor begins processing Personal Data.

(b) Customer may subscribe to change notifications by emailing dpa@auditstore.dev.

4.4 Objection to New Sub-Processors

(a) Customer may object to AuditStore’s appointment of a new Sub-Processor by notifying AuditStore in writing within fifteen (15) days of receiving notice, provided that such objection is based on reasonable grounds relating to data protection.

(b) If Customer objects, AuditStore shall use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid processing of Personal Data by the objected-to Sub-Processor.

(c) If AuditStore is unable to provide such an alternative within thirty (30) days of receiving Customer’s objection, either party may terminate the applicable Services that cannot be provided without the use of the objected-to Sub-Processor by providing written notice. AuditStore shall refund Customer any prepaid fees for the terminated Services covering the remainder of the subscription term following the effective date of termination.

5. International Data Transfers

5.1 General

AuditStore primarily stores and processes Personal Data in the United States (AWS us-east-1 and us-west-2). To the extent that the processing of Personal Data under this DPA involves the transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection by the applicable authority, the parties agree to the following transfer mechanisms.

5.2 Standard Contractual Clauses (EEA)

For transfers of Personal Data from the EEA to countries not recognized as providing an adequate level of data protection, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) shall apply and are hereby incorporated by reference. For the purposes of the SCCs:

(a) The “data exporter” is the Customer and the “data importer” is AuditStore.

(b) Clause 7 (Docking Clause) shall apply.

(c) Under Clause 9 (Use of Sub-Processors), the parties select Option 2 (General Written Authorization), and AuditStore shall provide notification of Sub-Processor changes in accordance with Section 4.3 of this DPA.

(d) Under Clause 11 (Redress), the optional language shall not apply.

(e) Under Clause 17 (Governing Law), the SCCs shall be governed by the laws of Ireland.

(f) Under Clause 18 (Choice of Forum and Jurisdiction), disputes shall be resolved before the courts of Ireland.

(g) Annex I of the SCCs shall be deemed completed with the information set out in Annex 1 of this DPA, and Annex II of the SCCs shall be deemed completed with the information set out in Annex 2 of this DPA.

5.3 UK Transfers

For transfers of Personal Data from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”), as issued by the Information Commissioner’s Office under Section 119A(1) of the Data Protection Act 2018, shall apply and is hereby incorporated by reference. In the event of any conflict between the UK Addendum and this DPA, the UK Addendum shall prevail.

5.4 Swiss Transfers

For transfers of Personal Data from Switzerland, the SCCs as described in Section 5.2 shall apply, with the following modifications:

(a) References to the GDPR shall be interpreted as references to the Swiss FADP.

(b) References to “Member State” shall not be interpreted in a way that excludes Data Subjects in Switzerland from exercising their rights in their place of habitual residence.

5.5 Supplementary Measures

AuditStore shall implement and maintain supplementary measures as necessary to ensure that Personal Data transferred internationally receives an essentially equivalent level of protection as required by Applicable Data Protection Law. Such measures include the technical and organizational security measures described in Annex 2.

6. Personal Data Breach

6.1 Notification

(a) AuditStore shall notify Customer without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Customer.

(b) Such notification shall include, to the extent reasonably available:

(i) a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(ii) the name and contact details of AuditStore’s point of contact from whom more information can be obtained;

(iii) a description of the likely consequences of the Personal Data Breach;

(iv) a description of the measures taken or proposed to be taken by AuditStore to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and

(v) an assessment of whether the breach affects the integrity of the hash chain or Merkle tree for any affected Ledgers.

6.2 Assistance

(a) AuditStore shall cooperate with and assist Customer in investigating, mitigating, and remediating the Personal Data Breach and in complying with Customer’s obligations under Applicable Data Protection Law with respect to the Personal Data Breach, including any obligation to notify a Supervisory Authority or Data Subjects.

(b) AuditStore’s obligation to notify Customer of a Personal Data Breach shall not be construed as an acknowledgment by AuditStore of any fault or liability with respect to the Personal Data Breach.

6.3 Communication

AuditStore shall not inform any third party of a Personal Data Breach without first obtaining Customer’s prior written consent, unless notification is required by applicable law, in which case AuditStore shall, to the extent permitted by law, inform Customer of such requirement before making the notification.

7. Audits and Inspections

7.1 Audit Rights

(a) AuditStore shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Law. AuditStore shall allow for and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer, subject to the conditions set out in this Section 7.

(b) Customer may conduct an audit no more than once per twelve (12) month period, unless an audit is specifically requested by a Supervisory Authority or Customer has reasonable grounds to believe that AuditStore is not in compliance with this DPA.

7.2 Audit Procedures

(a) Customer shall provide AuditStore with at least thirty (30) days’ prior written notice of any audit, including the proposed scope and duration of the audit.

(b) Audits shall be conducted during normal business hours, with minimal disruption to AuditStore’s operations, and in compliance with AuditStore’s reasonable security and confidentiality requirements.

(c) Any third-party auditor shall be required to execute a confidentiality agreement acceptable to AuditStore before conducting the audit. AuditStore may object to a third-party auditor that is a direct competitor of AuditStore, in which case Customer shall appoint an alternative auditor.

(d) Customer shall bear all costs associated with the audit, except where the audit reveals a material breach of this DPA by AuditStore, in which case AuditStore shall bear the reasonable costs of the audit.

7.3 Certifications and Reports

At Customer’s request, AuditStore shall provide copies of relevant certifications, audit reports (including SOC 2 reports, if available), or summaries thereof, to the extent that such documentation reasonably demonstrates compliance with this DPA. Customer agrees that such documentation may satisfy Customer’s audit rights under this Section 7, provided the documentation adequately addresses the scope of the audit.

8. Data Return and Deletion

8.1 Return of Personal Data

Upon termination or expiration of the Agreement, or upon Customer’s written request, AuditStore shall, at Customer’s election:

(a) Return all Personal Data to Customer in a commonly used, machine-readable format (JSON Lines, CSV, or Parquet via the export API); or

(b) Delete all Personal Data in accordance with Section 8.2.

8.2 Deletion

(a) Upon Customer’s request or upon termination or expiration of the Agreement, AuditStore shall delete all Personal Data processed on behalf of Customer within thirty (30) days, unless applicable law requires further storage of the Personal Data or a Legal Hold prevents deletion of affected events.

(b) Upon deletion, AuditStore shall provide written certification of deletion to Customer upon request.

(c) AuditStore may retain Personal Data to the extent required by applicable law, provided that AuditStore shall (i) process such retained Personal Data solely for the purpose and duration required by applicable law, (ii) maintain the confidentiality and security of such retained Personal Data, and (iii) delete such Personal Data promptly upon the expiration of the applicable retention requirement.

8.3 Backup Copies

Notwithstanding the foregoing, AuditStore may retain copies of Personal Data in its backup systems for a period not to exceed ninety (90) days following deletion from production systems, after which such copies shall be permanently deleted. During such retention period, AuditStore shall maintain the confidentiality and security of such backup copies and shall not actively process them except as necessary for backup restoration purposes.

8.4 Immutability Considerations

Customer acknowledges that the immutable nature of the audit ledger means that individual events cannot be selectively deleted from an active Ledger without breaking hash-chain integrity. Deletion of Personal Data contained within audit events requires deletion of the entire Ledger or application of a Retention Policy that archives and then purges the relevant events. AuditStore will work with Customer to identify the most appropriate mechanism for data deletion that balances compliance obligations with audit trail integrity.

9. CCPA-Specific Provisions

9.1 Role of the Parties

For the purposes of the CCPA, Customer is a “Business” and AuditStore is a “Service Provider.” AuditStore processes Personal Data (as defined in the CCPA as “Personal Information”) on behalf of Customer solely for the business purposes specified in the Agreement and this DPA.

9.2 Restrictions on Use

AuditStore shall not:

(a) Sell or share (as those terms are defined in the CCPA) Personal Information received from Customer.

(b) Retain, use, or disclose Personal Information for any purpose other than for the business purposes specified in the Agreement and this DPA, including retaining, using, or disclosing Personal Information for a commercial purpose other than providing the Services.

(c) Retain, use, or disclose Personal Information outside of the direct business relationship between AuditStore and Customer, except as expressly permitted by the CCPA.

(d) Combine Personal Information received from Customer with Personal Information received from or on behalf of another person or persons, or collected from AuditStore’s own interactions with the Data Subject, except as expressly permitted by the CCPA to perform the Services.

9.3 Compliance and Certification

AuditStore certifies that it understands and shall comply with the restrictions set forth in this Section 9. AuditStore shall notify Customer if it determines that it can no longer meet its obligations under the CCPA.

9.4 Right to Monitor

Customer shall have the right to take reasonable and appropriate steps to help ensure that AuditStore uses Personal Information in a manner consistent with Customer’s obligations under the CCPA. Upon reasonable notice, Customer may take steps to stop and remediate unauthorized use of Personal Information.

10. General

10.1 Term

This DPA shall remain in effect for the duration of the Agreement and for as long as AuditStore processes Personal Data on behalf of Customer.

10.2 Amendments

This DPA may be amended by AuditStore from time to time to reflect changes in Applicable Data Protection Law or AuditStore’s data processing practices. AuditStore shall provide Customer with at least thirty (30) days’ notice of any material amendment. Continued use of the Services following such notice constitutes acceptance of the amended DPA.

10.3 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the intent of the parties.

10.4 Governing Law

This DPA shall be governed by and construed in accordance with the laws governing the Agreement, except where Applicable Data Protection Law requires otherwise.

10.5 Limitation of Liability

Each party’s liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement. Nothing in this DPA shall be construed to limit or exclude either party’s liability for breaches of confidentiality obligations, willful misconduct, or liability that cannot be limited or excluded under applicable law.

10.6 Contact

For questions about this DPA or to exercise your rights hereunder, contact dpa@auditstore.dev.

Annex 1: Details of Processing

A. List of Parties

Data Exporter (Controller):

Name: The Customer, as identified in the Agreement
Address: As specified in the Customer’s account
Contact: As specified in the Customer’s account
Activities relevant to the transfer: Use of the AuditStore platform for recording immutable audit trails of actor-initiated state changes in Customer’s applications
Role: Controller

Data Importer (Processor):

Name: Mataki Labs LLC (“AuditStore”)
Address: State of Wyoming
Contact: dpa@auditstore.dev
Activities relevant to the transfer: Provision of the AuditStore platform, including event ingestion, hash-chain computation, Ledger management, query execution, integrity proof generation, and data export
Role: Processor

B. Description of the Processing

Subject Matter of Processing:

The processing relates to AuditStore’s provision of immutable audit trail services, including event ingestion, hash-chain computation, Merkle tree construction, Ledger storage, structured query execution, integrity proof generation, and data export as described in the Agreement.

Duration of Processing:

The duration of the Agreement, plus any applicable data retention period as described in Section 8 and the Customer’s configured Retention Policies.

Nature of Processing:

Collection, recording, storage, retrieval, organization, hash-chain computation, Merkle tree construction, query execution, integrity verification, export (transmission to Customer-specified destinations), archival (to Customer-owned cold storage), and destruction (upon Retention Policy trigger or account termination).

Purpose of Processing:

Ingesting audit events emitted by Customer’s applications
Computing and maintaining SHA-256 hash chains per Ledger
Constructing and maintaining Merkle trees for integrity verification
Storing audit events in encrypted, append-only Ledgers
Executing structured queries against stored events
Generating Merkle inclusion proofs for event verification
Exporting events to Customer-specified destinations (S3-compatible storage, JSON Lines, CSV, Parquet)
Archiving events per configured Retention Policies
Enforcing Legal Holds on affected events
Providing customer support

Types of Personal Data:

Actor identifiers (user IDs, service account names, API key identifiers) as included in audit events by Customer
IP addresses, user agents, session identifiers, and request IDs (when included in event context fields by Customer or captured by SDK middleware)
Resource identifiers that may contain or relate to personal data
Freeform metadata fields that may contain personal data, depending on Customer’s event schema
Account information (name, email address) of Customer’s authorized users
API request metadata (timestamps, endpoints called, response codes)

Categories of Data Subjects:

Customer’s authorized users (individuals with access to the Customer’s AuditStore account and dashboard)
Customer’s end users (individuals whose actions are recorded as audit events by Customer’s applications)
Third parties whose interactions with Customer’s applications generate audit events

C. Competent Supervisory Authority

The competent Supervisory Authority shall be determined in accordance with Applicable Data Protection Law. For transfers subject to the GDPR, the Supervisory Authority shall be the Data Protection Commission of Ireland.

Annex 2: Technical and Organizational Security Measures

AuditStore implements and maintains the following technical and organizational security measures to protect Personal Data. These measures are reviewed and updated periodically to reflect evolving security best practices and threats.

1. Encryption

Encryption at rest: All Personal Data, including audit events, hash chains, and Merkle trees, is encrypted at rest using AES-256 encryption.
Per-Ledger isolation: Customer Ledgers are logically isolated at the database level. Cross-Ledger access requires explicit authorization.
Key management: Encryption keys are managed using cloud-native key management services (AWS KMS). Encryption keys are not accessible to AuditStore personnel in plaintext.
Encryption in transit: All data transmitted between Customer applications and the AuditStore API is encrypted using TLS 1.3. Older TLS versions are not supported.
Key rotation: Encryption keys are rotated on a regular schedule and can be rotated on demand in response to a security event.

2. Immutability and Integrity

Hash-chain integrity: Each audit event is cryptographically linked to its predecessor via SHA-256 hash, making any unauthorized modification detectable.
Merkle tree verification: Events are organized into Merkle trees enabling efficient, independently verifiable integrity proofs.
No modification API: No API endpoint exists for modifying or deleting individual events from an active Ledger. Administrative access cannot bypass immutability controls.
Tamper detection: AuditStore continuously monitors hash-chain consistency and will notify affected Customers within 24 hours of detecting any anomaly.

3. Access Controls

Principle of least privilege: Access to systems containing Personal Data is granted on a need-to-know basis and follows the principle of least privilege.
Multi-factor authentication: Multi-factor authentication is required for all AuditStore personnel accessing production systems and administrative interfaces.
Role-based access control: Access to Personal Data is restricted through role-based access control at both the infrastructure and application levels.
Unique authentication: Each authorized user has unique credentials. Shared accounts are prohibited for access to systems containing Personal Data.
API key scoping: Customer API keys can be scoped per-Ledger or account-wide, enabling granular access control.

4. Infrastructure Security

Cloud infrastructure: The AuditStore platform is hosted on Amazon Web Services (AWS) with data stored in us-east-1 and us-west-2 regions.
Network segmentation: Production networks are segmented from development and corporate networks. Firewalls and security groups restrict network traffic to authorized communications only.
DDoS protection: Distributed denial-of-service mitigation is deployed at the network edge.
Vulnerability management: Infrastructure and application components are regularly scanned for vulnerabilities. Critical and high-severity vulnerabilities are remediated in accordance with defined SLAs.
Patch management: Operating systems, runtime environments, and dependencies are kept up to date with security patches.

5. Application Security

Secure development lifecycle: AuditStore follows a secure software development lifecycle that includes security reviews, code reviews, and automated static analysis.
Input validation: All inputs are validated and sanitized to protect against injection attacks and other common web application vulnerabilities.
API security: API endpoints are authenticated and authorized. Rate limiting is enforced per-Ledger to prevent abuse.
Secrets management: Application secrets, database credentials, and internal API keys are stored in dedicated secrets management systems and are never committed to source code repositories.

6. Monitoring and Logging

Audit logging: Access to and actions on Personal Data are logged, including authentication events, API requests, Ledger operations, and administrative actions. AuditStore uses its own platform to record internal audit events.
Log protection: Internal audit logs are stored in tamper-evident, hash-chained storage.
Security monitoring: Automated monitoring and alerting systems detect anomalous activity, unauthorized access attempts, and potential security incidents.
Incident response: AuditStore maintains a documented incident response plan that defines roles, responsibilities, escalation procedures, and communication protocols.

7. Business Continuity and Disaster Recovery

Backups: Personal Data is backed up daily with point-in-time recovery capability. Backups are encrypted and stored in geographically separate availability zones.
Recovery testing: Backup restoration procedures are tested quarterly to ensure data can be recovered within defined recovery time objectives (RTO: 4 hours, RPO: 1 hour).
Redundancy: Critical platform components are deployed across multiple availability zones to minimize the impact of hardware or software failures.

8. Personnel Security

Background checks: Background checks are conducted on personnel with access to production systems, to the extent permitted by applicable law.
Confidentiality agreements: All personnel with access to Personal Data are bound by confidentiality obligations.
Security training: Personnel receive security awareness training upon onboarding and on a recurring basis thereafter.
Offboarding: Access credentials are revoked promptly upon termination of employment or engagement.

9. Vendor and Sub-Processor Management

Due diligence: Sub-Processors are evaluated for their security practices and data protection capabilities before engagement.
Contractual protections: Sub-Processors are bound by written agreements that impose data protection obligations no less protective than those in this DPA.
Ongoing monitoring: Sub-Processor compliance is monitored on an ongoing basis.
Sub-Processor list: The current list of Sub-Processors is maintained at /legal/sub-processors.

10. Physical Security

Data center security: AuditStore’s cloud infrastructure provider (AWS) maintains physical security controls at its data centers, including 24/7 security personnel, biometric access controls, video surveillance, and environmental controls. Details are available through AWS’s security documentation and compliance reports.

11. Data Minimization and Retention

Data minimization: AuditStore processes only the Personal Data contained within audit events emitted by Customer and account data necessary to provide the Services.
Retention limits: Personal Data is retained only for the duration of the applicable Retention Policy or as required by applicable law. Upon Retention Policy trigger or account termination, Personal Data is deleted in accordance with Section 8 of this DPA.
Secure disposal: When Personal Data is deleted, it is securely erased from production systems and, following the backup retention period, from backup systems.