Trust & Compliance
Security & Trust
Everything a procurement or InfoSec team needs to complete their review. Full documentation packs — including security architecture document, DPA, and sub-processor list — available on request.
Request Procurement Pack →
Credentials & Certifications
SOC 2 Type II: In Progress (Q3 2026 expected)
ISO 27001: Planned (Q4 2026 assessment)
ISO 42001 (AI Management): Planned (Q1 2027 assessment)
UK GDPR / GDPR: Compliant (UK & EU data residency)
Penetration Test: Scheduled (Q2 2026)
1. Architecture Overview
Audital’s security architecture is built on three cryptographic pillars that together guarantee the integrity, authenticity, and non-repudiation of every AI governance event.
Core Primitives
- ✓ Append-only audit log — events are immutable once written. No record can be modified or deleted, enforced at both application and infrastructure level with write-once object storage and immutability locks.
- ✓ SHA-256 hash chain — every event is cryptographically chained to its predecessor. Any retroactive alteration breaks every subsequent hash, making tampering mathematically detectable.
- ✓ RFC 3161 timestamping — each chain entry receives an independent timestamp from a trusted third-party Timestamping Authority (DigiCert), proving when an event was recorded. These timestamps are verifiable by any third party — including regulators and courts — without Audital's involvement.
Together these primitives produce a tamper-evident, independently verifiable record of every AI governance decision — the evidential backbone that regulators and auditors require.
2. Encryption & Data Protection
Encryption Architecture
- ✓ AES-256-GCM encryption with per-organisation key derivation using HKDF-SHA-256
- ✓ Encryption keys are never stored alongside encrypted data
- ✓ Audital infrastructure cannot access raw client records without the client's key
- ✓ All data in transit encrypted via TLS 1.3 minimum
- ✓ Integration credentials encrypted using AES-256-GCM before storage at rest
- ✓ Per-organisation key derivation: org_key = HKDF-SHA-256(master_key, salt=org_id, info="audital-v1", len=32)
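The per-organisation derivation above is HKDF as specified in RFC 5869 with SHA-256 as the hash. The following is an added example, not Audital's code, showing the extract-and-expand steps in pure standard-library Python and checking them against RFC 5869 test case 1 before deriving keys for two organisations with the page's parameters (salt = org_id, info = "audital-v1", length = 32). The UTF-8 encoding of org_id and the sample master key are assumptions; the AES-256-GCM step that would consume the derived key is not shown.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-SHA256(salt, IKM). An empty salt becomes HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 can produce at most 255 * 32 bytes")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# RFC 5869 Appendix A, test case 1 (public known-answer vector).
RFC5869_CASE1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "length": 42,
    "okm": bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    ),
}


def check_rfc5869_vector() -> bool:
    """Self-check: the implementation must reproduce the published vector before it is trusted."""
    v = RFC5869_CASE1
    return hkdf_sha256(v["ikm"], v["salt"], v["info"], v["length"]) == v["okm"]


def derive_org_key(master_key: bytes, org_id: str,
                   info: bytes = b"audital-v1", length: int = 32) -> bytes:
    """org_key = HKDF-SHA-256(master_key, salt=org_id, info="audital-v1", len=32).

    The org_id (assumed UTF-8 encoded) is public; it separates organisations' keys,
    while secrecy rests entirely on master_key."""
    return hkdf_sha256(master_key, org_id.encode("utf-8"), info, length)


if __name__ == "__main__":
    assert check_rfc5869_vector()
    demo_master = bytes.fromhex("00" * 31 + "01")  # constructed placeholder, not a real key
    for org in ("org-a", "org-b"):
        print(org, derive_org_key(demo_master, org).hex())
```

Because HKDF is deterministic, the same master key and org_id always yield the same org_key, so the master key need not be co-located with ciphertext; a different org_id yields an unrelated key, which is what gives the per-organisation isolation the list above describes.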
3. Cryptographic Integrity
Hash Chain Architecture
- ✓ SHA-256 hash chain: every event chained to the previous record
- ✓ Chain formula: H(n) = SHA-256(H(n-1) ‖ event_id ‖ event_type ‖ payload_hash ‖ timestamp)
- ✓ RFC 3161 timestamping via DigiCert Timestamping Authority — independent of Audital
- ✓ RFC 3161 timestamps remain verifiable by any third party, including a regulator or court, without Audital's involvement
- ✓ Tamper detection: any retroactive alteration breaks every subsequent hash, verifiably and mathematically
- ✓ Append-only audit log enforced at application and infrastructure level
- ✓ Write-once object storage with immutability locks
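The chain formula above, worked through as an added example that is not Audital's code. It builds a three-event chain from constructed sample events, verifies every link, and shows two things the list states only in words: an in-place edit to one entry is caught at that entry, and a full rewrite of every later hash is only caught by comparing against a head hash that was anchored outside the chain, which is the role the RFC 3161 timestamps play. The page does not state H(0), the field encodings, or the payload canonicalisation; the zero-byte genesis hash, the 4-byte length prefix on each field, and sorted-key JSON are this example's assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Tuple

# Assumption: the page gives H(n) but not H(0); a 32-byte zero genesis hash is used here.
GENESIS_HASH = b"\x00" * 32


@dataclass(frozen=True)
class ChainEntry:
    event_id: str
    event_type: str
    payload_hash: bytes  # SHA-256 of the canonical event payload
    timestamp: str       # recording time as an ISO 8601 string
    prev_hash: bytes     # H(n-1)
    entry_hash: bytes    # H(n)


def _lp(field: bytes) -> bytes:
    """Length-prefix each field so the '||' concatenation cannot be re-split ambiguously."""
    return len(field).to_bytes(4, "big") + field


def compute_entry_hash(prev_hash: bytes, event_id: str, event_type: str,
                       payload_hash: bytes, timestamp: str) -> bytes:
    """H(n) = SHA-256(H(n-1) || event_id || event_type || payload_hash || timestamp)."""
    h = hashlib.sha256()
    for field in (prev_hash, event_id.encode(), event_type.encode(),
                  payload_hash, timestamp.encode()):
        h.update(_lp(field))
    return h.digest()


def payload_digest(payload: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so equal payloads always hash equally."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def append_event(chain: List[ChainEntry], event_id: str, event_type: str,
                 payload: dict, timestamp: str) -> ChainEntry:
    prev = chain[-1].entry_hash if chain else GENESIS_HASH
    ph = payload_digest(payload)
    entry = ChainEntry(event_id, event_type, ph, timestamp, prev,
                       compute_entry_hash(prev, event_id, event_type, ph, timestamp))
    chain.append(entry)
    return entry


def verify_chain(chain: List[ChainEntry]) -> int:
    """Return -1 if every link and hash verifies, else the index of the first bad entry."""
    expected_prev = GENESIS_HASH
    for i, e in enumerate(chain):
        recomputed = compute_entry_hash(e.prev_hash, e.event_id, e.event_type,
                                        e.payload_hash, e.timestamp)
        if e.prev_hash != expected_prev or recomputed != e.entry_hash:
            return i
        expected_prev = e.entry_hash
    return -1


# Constructed sample governance events; not real Audital data.
SAMPLE_EVENTS = [
    ("evt-0001", "model.deployed", {"model": "credit-scorer-v3", "approver": "risk-lead"}, "2026-01-10T09:00:00Z"),
    ("evt-0002", "decision.reviewed", {"decision": "declined", "reviewer": "analyst-7"}, "2026-01-10T09:05:00Z"),
    ("evt-0003", "policy.updated", {"policy": "fairness-threshold", "value": 0.8}, "2026-01-10T09:10:00Z"),
]


def build_sample_chain() -> List[ChainEntry]:
    chain: List[ChainEntry] = []
    for event_id, event_type, payload, ts in SAMPLE_EVENTS:
        append_event(chain, event_id, event_type, payload, ts)
    return chain


def in_place_edit_is_detected() -> int:
    """Change entry 1's payload hash and nothing else: verification fails at index 1."""
    chain = build_sample_chain()
    chain[1] = replace(chain[1], payload_hash=payload_digest(
        {"decision": "approved", "reviewer": "analyst-7"}))
    return verify_chain(chain)


def full_rewrite_needs_external_anchor() -> Tuple[bool, bool]:
    """Someone with write access to the store could recompute every later hash after an edit.
    The rebuilt chain is internally consistent; only a head hash recorded earlier outside
    the store (here simulated by saving it; in production, covered by an RFC 3161 timestamp
    or write-once storage) reveals the change."""
    original = build_sample_chain()
    anchored_head = original[-1].entry_hash
    rewritten: List[ChainEntry] = []
    for i, (event_id, event_type, payload, ts) in enumerate(SAMPLE_EVENTS):
        if i == 1:
            payload = {"decision": "approved", "reviewer": "analyst-7"}
        append_event(rewritten, event_id, event_type, payload, ts)
    return verify_chain(rewritten) == -1, rewritten[-1].entry_hash == anchored_head


if __name__ == "__main__":
    print("intact chain verifies:", verify_chain(build_sample_chain()) == -1)
    print("in-place edit first fails at index:", in_place_edit_is_detected())
    print("(rewrite self-consistent, matches anchor):", full_rewrite_needs_external_anchor())
```

The second check is the practical reason the page pairs the hash chain with independent timestamping and immutability locks: the chain proves internal consistency, while the external anchor proves that the consistent chain is the one that existed at the timestamped moment.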
4. Data Residency
United Kingdom
UK South. UK GDPR compliant. Data does not leave UK jurisdiction.
European Union
EU West. GDPR compliant. Data does not leave EEA.
Residency is selected at onboarding and cannot be changed after provisioning without full data migration. Global Enterprise clients receive dedicated data residency confirmation in their Data Processing Agreement.
5. Access Controls & Authentication
Authentication
- ✓ Multi-factor authentication (MFA) available for all users and enforced for admin roles
- ✓ JWT-based session tokens with short expiry (15-minute access tokens, rotating refresh tokens)
- ✓ Tokens are signed and validated on every request; revocation takes effect immediately
- ✓ All authentication events — login, logout, MFA challenge, failed attempt — are recorded in the audit log
Role-Based Access Control (RBAC)
- ✓ Granular role-based access control scoped per organisation
- ✓ Predefined roles: Owner, Admin, Member, Viewer — each with least-privilege permissions
- ✓ Owners can create custom roles with fine-grained permission sets
- ✓ All permission changes are logged immutably in the audit trail
- ✓ API keys are scoped to specific roles and can be revoked instantly
- ✓ Privileged access requires MFA re-authentication and is time-limited
6. Incident Response
Incident Response Policy
- — Defined incident severity levels (P1 Critical through P4 Low) with documented escalation paths
- — P1/P2 incidents: engineering on-call alerted within 15 minutes, customer notification within 1 hour
- — P3/P4 incidents: triaged within 4 hours, resolved within standard SLA windows
- — All incidents are logged with root-cause analysis and published internally within 5 business days
- — Data breach notification to affected clients within 72 hours, in compliance with UK GDPR Article 33
- — Post-incident review conducted for all P1/P2 events, with remediation actions tracked to completion
- — Incident response plan tested quarterly through tabletop exercises
- — Full incident response policy available in the procurement pack on request
7. Penetration Testing
Testing Programme
- — External penetration test by a CREST-accredited third-party firm scheduled Q2 2026
- — Scope: web application, API endpoints, authentication, session management, cryptographic implementation
- — Results summary available to clients and prospective clients under NDA
- — Annual penetration testing cadence post-Q2 2026
- — Internal vulnerability scanning: continuous (automated) via infrastructure security tooling
8. Sub-processors
Audital uses the following sub-processors. The full sub-processor list with legal entity names, data categories processed, and transfer mechanisms is available in the procurement pack.
| Provider | Role | Region |
|---|---|---|
| Railway | API server hosting and managed PostgreSQL database | EU West / UK |
| Vercel | Web application hosting and edge CDN | Global CDN / UK origin |
| Upstash | Managed Redis for session store and job queue | EU West |
| DigiCert | RFC 3161 Timestamping Authority for audit chain timestamps | Global (timestamp service only) |
| Resend | Transactional email (account notifications, alerts) | EU |
| BACS/CHAPS | Invoice billing via bank transfer (Net-30 terms) | UK |
9. Compliance Documentation Available on Request
- — Master Service Agreement (MSA) template
- — Commercial Terms and SLA documentation
- — Data Processing Agreement (DPA)
- — Security Architecture Document
- — Sub-processor List (full legal entity detail)
- — Penetration Testing Summary (under NDA)
- — Business Continuity & Disaster Recovery Policy
- — Encryption Implementation Details
- — Access Control & Privileged Access Policy
Global Enterprise clients receive MSA, DPA, and SLA documentation within 24 hours of provisioning. Professional clients receive DPA on request.
Request Contract Documentation →
10. Certification Roadmap
Q1 2026
External penetration test (CREST-accredited firm). Report available on request under NDA.
Q2 2026
Business Continuity & Disaster Recovery policy finalised and tested. RTO < 4 hours, RPO < 1 hour.
Q3 2026
SOC 2 Type II audit completed. Report distributed to clients under NDA.
Q4 2026
ISO 27001 certification assessment begins. Auditor engagement underway.
Q1 2027
ISO 42001 (AI Management Systems) assessment. Aligned with EU AI Act Article 9 requirements.
11. Responsible Disclosure
To report a security vulnerability, contact us at contact@audital.ai with subject line “Vulnerability Report.”
- ✓ All reports acknowledged within 24 hours
- ✓ Critical vulnerabilities resolved within 72 hours
- ✓ High severity vulnerabilities resolved within 7 days
- ✓ Responsible disclosure co-ordination offered — contact us before public disclosure
- ✓ We do not pursue legal action against good-faith security researchers
12. FCA Innovation Hub
Audital is built for FCA-regulated firms. Our platform is designed to meet the evidentiary standards set out in FCA SS1/23 and the broader AI governance expectations emerging from the FCA’s innovation ecosystem. Learn more at fca.org.uk/firms/innovation.
Procurement Pack
Ready to complete your InfoSec review?
The full procurement pack — security architecture document, DPA, sub-processor list, encryption details, and penetration test summary — is available on request. Contact us to arrange delivery.