Privacy Policy
This Privacy Policy (the "Policy") describes how AuditFlow processes personal data in connection with the AuditFlow Internal Audit ERP service made available at www.audit-flow.net (the "Service") and the related marketing site.
"AuditFlow", "we", "our" and "us" refer to Clarity Software Solutions LLC (شركة كلاريتي لحلول البرمجيات ش.ذ.م.م.), a company organised under the laws of the Arab Republic of Egypt, with its registered office at Office 208, Plus Mall, South Investors District, Fifth Settlement, New Cairo, Cairo, Egypt (مكتب 208، بلس مول، المستثمرين الجنوبية، التجمع الخامس، القاهرة الجديدة، القاهرة، مصر).
The authoritative field-level inventory of the personal data we hold is the PII Inventory; this Policy is the customer-facing summary of that document and the legal framework around it.
- Scope and applicable laws
- Roles: controller, processor, joint-controller
- Personal data we process, why, and on what basis
- What we do not collect
- Retention periods
- Sub-processors and disclosures
- International transfers
- Security
- Cookies and similar technologies
- Children's data
- Automated decision-making and AI features
- Your rights and how to exercise them
- Marketing communications
- Right to lodge a complaint
- Changes to this Policy
- Contact
1. Scope and applicable laws
This Policy applies to all personal data processed by AuditFlow as part of operating the Service. Depending on where you or your organisation are established, one or more of the following laws will govern that processing, and we have written this Policy to be consistent with each of them:
- Egypt — Personal Data Protection Law (Law No. 151 of 2020) and the regulations issued by the Personal Data Protection Centre.
- Kingdom of Saudi Arabia — Personal Data Protection Law (Royal Decree M/19 of 2021, as amended) and its Implementing Regulations issued by the Saudi Data & Artificial Intelligence Authority (SDAIA).
- United Arab Emirates — Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.
- European Economic Area and United Kingdom — Regulation (EU) 2016/679 ("EU GDPR") and the United Kingdom General Data Protection Regulation ("UK GDPR") together with the UK Data Protection Act 2018.
Where a stricter standard applies under the law of your jurisdiction, that stricter standard prevails for you.
2. Roles: controller, processor, joint-controller
2.1 Customer workspace content — customer is the controller
When an organisation subscribes to AuditFlow (the "Customer") and uses its workspace to record findings, work papers, recommendations, contacts, and their own staff records, the Customer is the data controller and AuditFlow is the processor. We process that data only on the Customer's documented instructions, which are constituted by the service agreement, the Data Processing Agreement (DPA template) where one has been signed, the in-application configuration choices made by the Customer's administrator, and this Policy.
2.2 Marketing-site visitors and demo requests — AuditFlow is the controller
For data we collect directly from prospective customers and visitors to www.audit-flow.net — the demo request form, account-creation form, billing contacts, and consent-based marketing communications — AuditFlow is the data controller.
2.3 Account telemetry — AuditFlow is the controller for security
Sign-in attempts, IP addresses and user agents recorded for brute-force defence, and the platform super-admin audit log are processed by AuditFlow as a separate controller on the basis of our legitimate interest in the security of the Service. We do not commercialise this data.
3. Personal data we process, why, and on what basis
3.1 Customer workspace users (Customer's employees and contractors)
| Category | Examples | Purpose | Lawful basis |
|---|---|---|---|
| Identity and contact | Username, full name, email, manager link, role | Authentication, in-app display, email routing | Performance of contract (with the Customer) — processor |
| Authentication artefacts | bcrypt password hash, TOTP secret, hashed backup codes, hashed reset and activation tokens | Verify sign-in, deliver MFA, recover access | Performance of contract; legitimate interest in account security |
| Sign-in telemetry | Timestamps, IP, user agent, success/failure, reason | Brute-force defence, anomaly detection, customer-side audit | Legitimate interest in security of the Service |
| Activity attribution | Per-tenant append-only log of who-did-what inside the workspace | Customer-side accountability; regulatory audit evidence for the Customer | Performance of contract — processor on Customer's instructions |
3.2 Customer auditee contacts and other named individuals
| Category | Examples | Purpose | Lawful basis |
|---|---|---|---|
| Identity and business contact | Name, work email, phone, business unit | Distribute the report, request management responses, route follow-ups | Customer's legitimate interest in the performance of its internal-audit programme (Customer is controller) |
| Incidental personal data inside audit content | Persons named in finding descriptions, root-cause analyses, work papers | Recording the audit work; reporting | As determined by the Customer; we process as processor on Customer's instructions |
3.3 Prospective customers (marketing site)
| Category | Examples | Purpose | Lawful basis |
|---|---|---|---|
| Demo request | Name, company, work email, optional notes | Sales follow-up | Consent (form submission) and pre-contractual measures requested by you |
| Account creation | Owner name, owner work email, billing email(s) | Provisioning, billing communications | Performance of contract |
4. What we do not collect
For the avoidance of doubt, AuditFlow does not process:
- Government-issued identification numbers (national ID, passport, driver's licence).
- Payment-card numbers. Subscription payments are handled by an external payment processor; card numbers never reach our systems.
- Biometric data.
- Health data.
- Children's data — see section 10.
- Browser-tracker data on the marketing site. No third-party web analytics, no advertising pixels, no session-replay tools, no behavioural profiling.
5. Retention periods
| Data category | Default retention |
|---|---|
| Active workspace user records (whilst the Customer's subscription is active) | Lifetime of the account; deleted or anonymised within 30 days of the subscription ending |
| Audit log entries (per-tenant activity log, super-admin audit log) | Retained for the regulatory lifetime of the underlying audit (typically 7–10 years); the Customer's own retention obligations apply |
| Findings, recommendations, work papers | Retained for the regulatory lifetime of the audit they belong to; the Customer is the data controller for these records |
| Sign-in attempts log | 12 months |
| Rate-limit counters | Self-purges within 1 hour |
| Demo requests from the marketing site | 24 months from the last interaction with you |
| Billing records (invoices, payment confirmations) | The longer of (i) our legal retention obligation under applicable tax law and (ii) 7 years |
| Daily backups of the production database | 7 rolling days |
Where you exercise your right of erasure (see section 12), we deliver it through anonymisation rather than full deletion of the underlying row. Anonymisation removes every identifying attribute we hold about you and replaces your username and display name with a stable placeholder such as redacted-user-{id}, so the records of audit activity attributed to your former account remain intact and the Customer's own regulatory records are not destroyed. This is consistent with the recital-26 carve-out under the GDPR for genuinely anonymised data and with the corresponding provisions in Egyptian, KSA, and UAE law.
6. Sub-processors and disclosures
| Sub-processor | Purpose | Location |
|---|---|---|
| Render Inc. | Application hosting; managed PostgreSQL; daily backups | United States |
| OpenAI, L.L.C. | AI-generated drafts of risks, findings and recommendations; invoked only when the Customer's user triggers an AI feature. AuditFlow has opted out of training-data retention on this account. | Multi-region |
| SMTP provider | Outbound transactional email (activation, reset, distribution, security alerts) | Provider's stated region |
We will notify the Customer's account owner of any addition to, or replacement of, a sub-processor at least 30 days before that change takes effect. The Customer's right to object to a new sub-processor is set out in the DPA.
We do not sell, lease, share for monetary or other valuable consideration, or disclose personal data to any party other than the sub-processors listed above, except where:
- You instruct us to (e.g. you request that we share data with your own auditors, integrators, or counsel);
- We are compelled by a binding legal order. We will notify you before complying unless we are legally prohibited from doing so; or
- Disclosure is necessary to defend AuditFlow's legal rights, prevent fraud, or protect the vital interests of any natural person.
7. International transfers
The default hosting region for tenant data is the United States. Where this involves a transfer of personal data from a jurisdiction that imposes restrictions on international transfers, we rely on the following mechanisms:
- EU / UK / EEA: the European Commission's Standard Contractual Clauses (Decision 2021/914), Module Two (controller-to-processor), supplemented by the transfer-impact-assessment measures set out in the DPA. For UK transfers, the International Data Transfer Addendum issued by the ICO is appended.
- KSA: compliance with the cross-border transfer requirements of Article 29 of the PDPL, including any standard contractual clauses or registration with SDAIA where required.
- Egypt: the cross-border transfer regime under Articles 14–15 of Law No. 151 of 2020 and the implementing decisions of the Personal Data Protection Centre.
- UAE: compliance with Article 22 of Federal Decree-Law No. 45 of 2021.
Enterprise customers requiring regional hosting (EU, KSA, UAE) can request a dedicated regional instance; please contact us before signing the order form so the deployment can be provisioned in your region.
8. Security
The technical and organisational measures protecting your personal data are documented in detail on our public Trust & Security portal and incorporated by reference into this Policy. Highlights include MFA on every account, a 12-character password policy with class diversity and common-password blocklist, account lockout after repeated failures, idle and absolute session timeouts, TLS in transit with HSTS, content-security policy and other defence-in-depth response headers, optional per-tenant IP allowlist, append-only audit log with SHA-256 hash chain, daily encrypted backups, and a documented incident-response runbook with a 72-hour breach-notification commitment.
Where AuditFlow becomes aware of a personal-data breach affecting Customer personal data, we will notify the Customer's account owner without undue delay and in any case within 72 hours of becoming aware. The Customer remains responsible for any onward notification to data subjects and to its own regulator.
9. Cookies and similar technologies
AuditFlow uses only the cookies strictly necessary to deliver the Service:
- The session cookie (HttpOnly, Secure, SameSite=Lax) — identifies your authenticated session.
- The optional "Remember me" cookie — extends your session lifetime when you ask us to.
- The CSRF token cookie — protects mutations against cross-site request forgery.
We do not set advertising cookies, analytics cookies, social-media cookies, session-replay cookies, or any other non-essential cookies. Because we use only strictly-necessary cookies, no consent banner is required under GDPR/ePrivacy, KSA PDPL, Egypt Law 151, or UAE Federal Decree-Law 45, and so we do not display one.
10. Children's data
The Service is a business-to-business product intended for use by qualified internal-audit professionals and is not directed at, or intended for use by, children under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verified consent of a parent or guardian, we will delete that data without delay. If you believe we have done so, please contact us at info@audit-flow.net.
11. Automated decision-making and AI features
AuditFlow does not subject any data subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning that data subject or which similarly significantly affects them.
Certain features of the Service generate draft text (e.g. a suggested risk description, a draft finding, an executive-summary paragraph) using a third-party large-language-model API. These features are decision support, not the decision. The Customer's qualified human auditor is required to review and accept any AI-generated content before it enters the audit record. Inputs sent to the AI sub-processor for inference are not retained by that sub-processor for training purposes — we have opted out of such retention at the sub-processor level.
12. Your rights and how to exercise them
Subject to the conditions of the law applicable to your processing, you have one or more of the following rights:
- Right of access: obtain confirmation of, and a copy of, the personal data we hold about you.
- Right of rectification: have inaccurate or incomplete personal data about you corrected.
- Right of erasure ("right to be forgotten"): have your personal data removed, delivered via anonymisation as described in section 5.
- Right of restriction: ask us to suspend processing of your personal data while we resolve a question of accuracy or legality.
- Right of portability: receive your personal data in a structured, commonly-used, machine-readable format (JSON) and transmit it to another controller.
- Right to object: object to processing carried out on the basis of legitimate interest.
- Right to withdraw consent: where processing is based on consent, withdraw that consent at any time.
- Right not to be subject to automated decision-making: see section 11.
12.1 How to make a request
If you are an employee or contractor of an AuditFlow Customer, your most direct route is to ask your Customer's administrator to fulfil the request using the in-app DSAR tooling (User Management screen — export and anonymise actions). The administrator can deliver the full data export and the anonymisation immediately.
If that route is unavailable to you, or if you are a prospective customer or marketing-site visitor, you may contact us directly at info@audit-flow.net. We will acknowledge your request within 5 business days and respond substantively within 30 days (extendable by a further 60 days for objectively complex requests, in line with GDPR Article 12(3) and equivalent provisions of KSA, Egyptian and UAE law). Where we cannot fulfil a request — for example because the data has already been deleted or because fulfilment would prejudice the rights and freedoms of other persons — we will explain why.
We may need to verify your identity before fulfilling a request. We will not ask you for sensitive information (e.g. your password) to do so.
13. Marketing communications
We send marketing communications only to recipients who have either (i) explicitly consented (e.g. by submitting the demo-request form on the marketing site) or (ii) are existing business contacts at a Customer organisation and have not opted out. Every marketing email contains a one-click unsubscribe link, and opt-outs are honoured within 5 business days. Transactional emails (activation, password reset, distribution, security alerts) are not subject to the unsubscribe mechanism because they are necessary to deliver the Service the recipient or their employer has subscribed to.
14. Right to lodge a complaint with a supervisory authority
If you believe that our processing of your personal data infringes the law that applies to you, you have the right to lodge a complaint with the competent supervisory authority. The principal authorities relevant to this Service are:
- Egypt: Personal Data Protection Centre.
- KSA: Saudi Data & Artificial Intelligence Authority (SDAIA).
- UAE: UAE Data Office.
- EU / EEA: the supervisory authority of the member state of your habitual residence, place of work, or place of the alleged infringement.
- UK: the Information Commissioner's Office (ICO).
We would, however, appreciate the chance to address your concerns directly first — info@audit-flow.net.
15. Changes to this Policy
We may update this Policy from time to time. When we do, we will publish the updated text at this URL and update the "Last reviewed" and "Version" markers at the top. Where the change is material — meaning, where it affects the categories of data we collect, the purposes of processing, the sub-processors we use, or your rights — we will notify the account owner of every active Customer by email at least 30 days before the new version takes effect, and we will keep the previous version available on request.
Non-material changes (clarifications, corrections of typographical errors, updated cross-references) take effect immediately on publication.
16. Contact
All correspondence in relation to this Policy — including privacy questions, data-subject requests, security disclosures, and DPA requests — should be addressed to:
Clarity Software Solutions LLC (شركة كلاريتي لحلول البرمجيات ش.ذ.م.م.)
Office 208, Plus Mall, South Investors District, Fifth Settlement, New Cairo, Cairo, Egypt (مكتب 208، بلس مول، المستثمرين الجنوبية، التجمع الخامس، القاهرة الجديدة، القاهرة، مصر)
Email: info@audit-flow.net
Website: www.audit-flow.net