AuditProven

Security at AuditProven

Our Own Compliance Posture

We build compliance tools. We hold ourselves to the same standards we help our clients meet.

Architecture Security

Data Processing Model

AuditProven Shield processes documents in memory. Uploaded files are parsed, analyzed, and discarded after the assessment completes. Document content is never written to persistent storage, never transmitted to third parties, and never used for training or model improvement.

No AI Training on Your Data

AuditProven Shield does not use large language models for content generation. The pipeline is deterministic and template-based. Your documents are never sent to any external AI service. There is no model to train and no training data to protect.

Cryptographic Provenance

Every generated claim carries a SHA-256 hash that binds it to the exact source bytes it was derived from. The complete set of claim hashes is then sealed under a single Merkle root, so the entire provenance record of a report can be verified against one value, and any claim that is altered, inserted or removed afterwards no longer matches that root. This is an architectural property of the pipeline rather than an optional feature: no content reaches a report without a traceable origin.

Deterministic Processing

The pipeline produces byte-identical output from identical input on every run; there is no randomness anywhere in the system. Your compliance report, together with the claim hashes and Merkle root that seal it, can therefore be regenerated and checked at any time.
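The two properties above, a per-claim SHA-256 hash that binds each claim to its source and a Merkle root that seals the whole set, plus the reproducibility check that follows from deterministic processing, as an added example that is not AuditProven's own code. The claim identifiers, document references and claim text are constructed for the example, and the leaf layout (length-prefixed fields), the 0x00/0x01 domain separation between leaves and interior nodes, and the duplication of the last node at odd levels are this example's own choices, not a description of Shield's actual record format.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix each field so concatenation is unambiguous
    (otherwise "ab"+"c" and "a"+"bc" would hash identically)."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


@dataclass(frozen=True)
class Claim:
    claim_id: str          # hypothetical identifier of the generated statement
    text: str              # the statement that appears in the report
    source_ref: str        # hypothetical pointer into the uploaded document
    source_excerpt: bytes  # the exact bytes the statement was derived from


def claim_leaf(claim: Claim) -> str:
    """Leaf hash: binds the claim text to the SHA-256 of its source excerpt.
    The 0x00 prefix domain-separates leaves from interior nodes."""
    source_hash = sha256_hex(claim.source_excerpt)
    return sha256_hex(b"\x00" + encode_fields(
        claim.claim_id.encode(), claim.source_ref.encode(),
        source_hash.encode(), claim.text.encode()))


def hash_pair(left: str, right: str) -> str:
    """Interior node: 0x01 prefix, then the two child digests."""
    return sha256_hex(b"\x01" + bytes.fromhex(left) + bytes.fromhex(right))


def merkle_root(leaves: List[str]) -> str:
    if not leaves:
        return sha256_hex(b"")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:              # odd count: duplicate the last node
            level.append(level[-1])
        level = [hash_pair(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def inclusion_proof(leaves: List[str], index: int) -> List[Tuple[str, str]]:
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = i ^ 1
        proof.append((level[sibling], "left" if sibling < i else "right"))
        level = [hash_pair(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        i //= 2
    return proof


def verify_inclusion(leaf: str, proof: List[Tuple[str, str]], root: str) -> bool:
    h = leaf
    for sibling, side in proof:
        h = hash_pair(sibling, h) if side == "left" else hash_pair(h, sibling)
    return h == root


# Constructed sample claims; documents, references and wording are made up for this example.
SAMPLE_CLAIMS = [
    Claim("C1", "Backup media are encrypted at rest.", "backup-policy.pdf#p2",
          b"All backup media shall be encrypted using AES-256."),
    Claim("C2", "Access rights are reviewed quarterly.", "access-policy.pdf#p5",
          b"User access rights are reviewed every quarter."),
    Claim("C3", "Administrators must use MFA.", "iam-standard.pdf#p1",
          b"Administrative accounts require multi-factor authentication."),
]


def seal(claims: List[Claim]) -> Tuple[str, List[str]]:
    """Hash every claim and seal the set under one Merkle root."""
    leaves = [claim_leaf(c) for c in claims]
    return merkle_root(leaves), leaves


def demo() -> Tuple[bool, bool, bool]:
    root, leaves = seal(SAMPLE_CLAIMS)
    reproducible = root == seal(SAMPLE_CLAIMS)[0]       # determinism: same input, same root
    proof = inclusion_proof(leaves, 1)
    genuine_ok = verify_inclusion(leaves[1], proof, root)
    # Same source, reworded claim: the leaf changes, so the proof no longer reaches the root.
    tampered = Claim("C2", "Access rights are reviewed annually.",
                     SAMPLE_CLAIMS[1].source_ref, SAMPLE_CLAIMS[1].source_excerpt)
    tampered_ok = verify_inclusion(claim_leaf(tampered), proof, root)
    return reproducible, genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The inclusion proof only proves membership relative to a root the verifier already trusts: a root recomputed over altered claims is internally consistent, so the value to compare against has to come from the original report, pinned or signed by the issuer, not from whoever supplies the claims being checked.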

Infrastructure Security

Hosting

AuditProven Shield is hosted within the European Union on infrastructure that meets ISO 27001 and SOC 2 Type II requirements. All data remains within EU borders unless the client explicitly requests otherwise.

Encryption

  • Data in transit: TLS 1.3 minimum
  • Data at rest: AES-256 for any assessment reports retained during the plan period
  • Encryption keys: Managed independently per tenant with regular rotation

Access Control

  • Multi-factor authentication required for all accounts
  • Role-based access control with principle of least privilege
  • All administrative actions logged with immutable audit trail
  • Session timeout after 30 minutes of inactivity

Network Security

  • Web application firewall on all public endpoints
  • DDoS mitigation
  • Network segmentation between application, data, and management tiers
  • No direct database access from public networks

Data Handling

What We Store

  • Account information (email, name, organization)
  • Assessment reports for the duration of your plan
  • Provenance records associated with reports
  • Usage logs for billing and support

What We Never Store

  • Uploaded document content after assessment completion
  • Payment card numbers (processed by our payment provider)
  • Passwords in plaintext (only bcrypt hashes are stored)

Data Retention

  • Starter plan: 30 days after assessment
  • Professional plan: retained until account cancellation
  • Enterprise plan: per contractual agreement
  • All data deleted within 30 days of account closure

Data Subject Rights

As an EU-based company subject to GDPR, we support all data subject rights: access, rectification, erasure, portability, restriction, and objection. Submit requests to [email protected].

Vulnerability Disclosure

If you discover a security vulnerability in AuditProven Shield, please report it to [email protected]. We commit to acknowledging your report within 24 hours and providing a resolution timeline within 72 hours. We do not pursue legal action against researchers who report in good faith.

Certifications

AuditProven Compliance Systems B.V. is pursuing ISO 27001:2022 certification and SOC 2 Type II attestation. Certification status will be published here upon completion.