Data Processing Agreement
Last updated: June 2026
This Data Processing Agreement ("DPA") forms part of, and is subject to, the Terms of Service (the "Agreement") between IgniteHub, LLC d/b/a SimpleAudit ("SimpleAudit," "we," "us") and the customer that accepts the Agreement ("Customer," "you"). It applies where, and to the extent that, SimpleAudit processes Personal Data on the Customer's behalf in providing the SimpleAudit™ compliance management platform (the "Service").
Partner-managed accounts. Where the Service is provisioned and managed by a partner (such as a managed service provider or reseller) on behalf of a client, the partner is the "Customer" and controller under this DPA, and SimpleAudit is the processor acting on the partner's behalf. See "Partner-Managed Accounts" in our Privacy Policy.
This is a template made available for review. To request a counter-signed copy for your organization, contact legal@simpleaudit.io. In the event of a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA controls.
1. Definitions
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including U.S. state privacy laws such as the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and, to the extent applicable, the EU and UK General Data Protection Regulation ("GDPR").
- "Controller," "Processor," "Data Subject," "Personal Data," and "Processing" have the meanings given in Applicable Data Protection Law. Where the CCPA applies, "Controller" means "Business" and "Processor" means "Service Provider."
- "Customer Personal Data" means Personal Data contained within Content that SimpleAudit processes on the Customer's behalf under the Agreement.
- "Sub-processor" means any third party engaged by SimpleAudit to process Customer Personal Data.
2. Roles & Scope of Processing
As between the parties, the Customer is the Controller and SimpleAudit is the Processor of Customer Personal Data. SimpleAudit processes Customer Personal Data only on the Customer's documented instructions, which consist of the Agreement, this DPA, and the Customer's configuration and use of the Service, unless required to act otherwise by law (in which case SimpleAudit will inform the Customer of that legal requirement before processing, unless the law prohibits it).
The subject matter, duration, nature and purpose of the processing, the types of Customer Personal Data, and the categories of Data Subjects are described in Annex A.
3. Customer Obligations
The Customer represents and warrants that it has a lawful basis for the processing of Customer Personal Data, that its instructions comply with Applicable Data Protection Law, and that it has provided all notices and obtained all consents required for SimpleAudit to process Customer Personal Data as contemplated by the Agreement. Where the Customer is a partner managing accounts on behalf of clients, the Customer is responsible for binding its clients to terms equivalent to the Agreement and for providing those clients with all required privacy notices.
4. Confidentiality
SimpleAudit ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process Customer Personal Data only as necessary to provide the Service.
5. Security Measures
SimpleAudit implements and maintains appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. A description of these measures is set out in Annex B.
6. Sub-processors
The Customer provides a general authorization for SimpleAudit to engage Sub-processors to process Customer Personal Data. A current list of Sub-processors is maintained at simpleaudit.io/subprocessors (Annex C).
SimpleAudit imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA, gives advance notice of the addition or replacement of a Sub-processor (allowing the Customer a reasonable opportunity to object on reasonable data-protection grounds), and remains responsible for each Sub-processor's performance of its obligations.
7. Assistance with Data Subject Rights
Taking into account the nature of the processing, SimpleAudit provides reasonable assistance, including through appropriate technical and organizational measures, to help the Customer respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law. If SimpleAudit receives such a request directly from a Data Subject relating to a partner-managed or Customer account, it will, where permitted, direct the request to the Customer rather than respond on the Customer's behalf.
8. Personal Data Breach Notification
SimpleAudit notifies the Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, and provides the Customer with information reasonably available to it to assist the Customer in meeting any obligation to notify supervisory authorities or affected Data Subjects. For partner-managed accounts, SimpleAudit notifies the managing partner (the Controller), who is responsible for notifying its affected end users and any relevant authorities.
9. Data Protection Impact Assessments
Taking into account the nature of the processing and the information available to it, SimpleAudit provides reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities that the Customer is required to carry out under Applicable Data Protection Law.
10. Return & Deletion of Data
Upon termination of the Agreement, SimpleAudit deletes or returns Customer Personal Data in accordance with the retention periods described in our Privacy Policy (generally, permanent deletion within 30 days of account closure), except to the extent SimpleAudit is required by law to retain a copy. The Customer may export its data at any time during the term as described in the Agreement.
11. Audits & Information
SimpleAudit makes available to the Customer the information reasonably necessary to demonstrate compliance with this DPA. Where the Customer reasonably requires further information, SimpleAudit may satisfy audit requests by providing its then-current SOC 2 report or a completed security questionnaire, or by permitting an audit on reasonable prior written notice, no more than once per year (except as required following a Personal Data breach or by a supervisory authority), during business hours, and subject to confidentiality obligations.
12. International Transfers
The Service is currently offered only to customers and organizations located in the United States, and Customer Personal Data is stored in Microsoft Azure U.S. regions. Certain AI processing performed through Azure AI Foundry may occur in Azure regions outside the United States. If and when SimpleAudit serves Data Subjects protected by the GDPR or UK GDPR, the parties will put in place an appropriate transfer mechanism (such as the applicable Standard Contractual Clauses and any required addendum), which will be incorporated into this DPA by reference.
13. U.S. State Privacy — Service Provider Terms
With respect to Customer Personal Data subject to the CCPA, SimpleAudit acts as a Service Provider and:
- processes Customer Personal Data solely for the business purpose of providing the Service as specified in the Agreement, and not for any other purpose;
- does not sell or share Customer Personal Data, and does not retain, use, or disclose it for any purpose other than the specified business purpose, including outside the direct business relationship between the parties;
- does not combine Customer Personal Data with personal information received from, or on behalf of, any other person, except as permitted by the CCPA;
- certifies that it understands and will comply with these restrictions; and
- will notify the Customer if it determines it can no longer meet its obligations under the CCPA.
14. Artificial Intelligence & Model Training
SimpleAudit does not use Customer Personal Data, or the compliance content the Customer creates within the Service, to train artificial intelligence or machine learning models. AI features are provided through Microsoft Azure AI Foundry, which hosts the third-party models (currently OpenAI and Anthropic) SimpleAudit uses. Microsoft processes prompts and outputs as a data processor within its Azure environment, governed by the Microsoft Products and Services Data Protection Addendum; it does not share them with the model providers, and neither Microsoft nor those providers use them to train or improve their models. The models are stateless and do not retain prompts or outputs. AI processing occurs to provide the Customer with compliance guidance within the Customer's account, as described in our Privacy Policy. See also Microsoft's Azure AI Foundry data, privacy & security documentation and the providers' own commitments (OpenAI, Anthropic).
15. General
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. This DPA takes effect on the date the Customer accepts the Agreement and remains in effect for the duration of SimpleAudit's processing of Customer Personal Data. This DPA is governed by the laws of the State of Wisconsin, consistent with the Agreement. With respect to the processing of Personal Data, this DPA supersedes any conflicting term in the Agreement.
Annex A — Details of Processing
- Subject matter: SimpleAudit's provision of the compliance management Service to the Customer.
- Duration: The term of the Agreement, plus the retention periods described in the Privacy Policy.
- Nature & purpose: Hosting, storage, and processing of Customer Personal Data to provide compliance management, AI-assisted guidance, audit-readiness tracking, and related features.
- Types of Personal Data: Account and contact details (name, email, job title); company profile and compliance content created within the Service (policies, risk assessments, evidence, action items, control and audit records); vendor assessment respondent details (name, email, responses); AI chat content; and usage and log data.
- Categories of Data Subjects: The Customer's personnel and authorized users; the Customer's vendor respondents; and, for partner-managed accounts, the managing partner's clients and their users.
Annex B — Technical & Organizational Measures
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256, Azure-managed keys).
- Azure Virtual Network isolation for application services.
- Query-level access controls scoping data to the owning account, and partner access constrained to the partner's managed clients with every cross-account action recorded in an access audit log.
- Authentication and session management through Clerk, with webhook signature verification.
- Timing-safe comparison for secret values and Zod schema validation on API inputs to prevent injection.
- Regular security reviews, dependency audits, and alignment with SOC 2 Trust Services Criteria.
Annex C — Sub-processors
The current, authoritative list of Sub-processors is maintained at simpleaudit.io/subprocessors. SimpleAudit gives advance notice of material changes to this list as described in Section 6.
Contact
Questions about this DPA or requests for a counter-signed copy:
- IgniteHub, LLC d/b/a SimpleAudit
- Email: legal@simpleaudit.io