Security & Compliance

Your compliance data is isolated and protected

This page exists so your auditor doesn't have to ask.

Last updated: January 24, 2026

Security Guarantees

Complete tenant isolation

Your organization's data cannot be accessed by other organizations. Every database query and file access is scoped to your organization. This is enforced at the application level, not just by policy.

Tenant-safe by design

Authentication-based access

Organization context comes exclusively from your authenticated session. Request payloads cannot override or bypass organization boundaries. Your data stays within your organization.

Separate storage per organization

Evidence files and exports are stored in organization-specific directories. Physical and logical separation ensures no cross-organization data access.

Export boundaries

When you export your audit package, it contains only evidence from your organization. Export processes cannot access data outside your organization's scope.

Deterministic exports

Data Protection

What we store

We store your evidence files (PDFs, documents, images, text notes), control mappings, export packages, and organization metadata. All data is organization-scoped and isolated from other organizations.

Backups and retention

Regular automated backups protect your data. Backup retention policies are configured to meet compliance requirements. Deleted data may be retained in backups for a limited period. Specific retention details are available on request.

Your control

Organization administrators control member access. You can export your data at any time. Account deletion removes data from active storage. Data processing agreements are available for enterprise customers.

Compliance Alignment

Security practices

Our security practices are aligned with ISO 27001 principles. We use enterprise authentication (WorkOS), encrypt data in transit, and maintain strict access controls. We follow secure development practices and regularly update dependencies.

Data processing

Our data handling practices are aligned with GDPR requirements. Data processing agreements (DPAs) are available for enterprise customers. Subprocessor lists are available on request.

AI Assistance (Optional & EU-Based)

AI is optional

All core Auditrail functionality works without any AI. AI assistance is disabled by default and must be explicitly enabled by users. You can choose whether to use AI features or operate Auditrail entirely without AI.

Purpose-limited usage

When enabled, AI is used only for assistive features such as summarisation, guidance, and explanations. AI never performs authoritative actions. AI output never replaces user judgement or deterministic exports.

EU-based processing

When enabled, AI requests are processed exclusively within the EU. Auditrail does not send data to US-based AI providers.

Provider transparency

Auditrail currently uses Mistral AI for optional AI assistance. This is an implementation choice, not a dependency.

Data handling guarantees

Only the minimum required context is sent to AI providers. No full tenant data dumps occur. There is no background training on customer data. Prompts and outputs are not persistently stored beyond the request lifecycle.

Control & isolation

AI requests are scoped per tenant. Tenant boundaries are enforced before any AI interaction. AI does not bypass access controls or permissions.

Compliance positioning

Our AI usage aligns with GDPR principles: data minimisation, purpose limitation, and user control. Organizations that prefer not to use AI can fully disable this functionality without impacting Auditrail's core features.

Security concerns or questions?

Contact our security team at security@auditrail.eu. We aim to respond within 48 hours.