AUDIT SENSE PRIVATE LIMITED

Data Security & AI Privacy Statement
At Audit Sense Private Limited, we understand that financial data is the lifeblood of your organisation. Our platform is built on a “Security-First” architecture, ensuring that your data remains private, protected, and under your absolute control. This statement describes the security measures currently in place and those planned for upcoming releases.

1. Data Encryption & Storage

We employ encryption to protect sensitive data from unauthorised access:

1. In-Transit:
All data transmitted between your browser and our servers is protected using TLS encryption, enforced at the reverse proxy layer.

2. Application-Level Encryption:
Sensitive credentials, including API keys stored in our database, are encrypted with AES-256-GCM before they are written to storage. Encryption keys are currently supplied through environment-level configuration; a dedicated key management service and automated key rotation are on our security roadmap.

3. Database & File Storage:
Database and uploaded file volumes are hosted on our cloud infrastructure. Volume-level encryption at rest is currently under review as part of our infrastructure hardening programme.

4. Infrastructure Certifications:
We are working toward formal cloud infrastructure certification (SOC 2 Type II, ISO 27001). This policy will be updated when certifications are confirmed.

2. The “Ask Athena” AI Privacy Guarantee

A primary concern with AI-powered tools is “Data Leakage” into public models. Audit Sense addresses this with a Zero-Training Guarantee:

5. No Public Training:
Your proprietary financial data is never used to train public AI models. We use enterprise API connections to OpenAI, Anthropic, Google, and DeepSeek under terms that contractually prohibit the use of customer data for model training.

6. Session-Based Processing Isolation:
Each user session is assigned a unique identifier, and all AI queries, uploaded files, and analysis results are scoped to that session. Sessions are not shared between users.

7. API-Only Processing:
We do not self-host AI models. All AI inference is conducted via API calls to third-party providers, with no persistent data retention on provider infrastructure beyond what is contractually required for request processing.

8. Annual AI Provider Review:
We conduct an annual review of all AI service providers to verify continued compliance with our no-training requirements. Enterprise customers may request copies of relevant provider commitments.

3. Access Control & Governance

We follow the Principle of Least Privilege (PoLP):

9. Internal Access:
No AuditSense employee can view your uploaded financial records unless explicitly granted permission by you for support purposes.

10. Multi-Factor Authentication (MFA):
MFA is supported and available within our user management module. We strongly recommend MFA for all accounts and are working to enforce it as a mandatory control for administrative roles.

11. Activity Logging:
User actions within the platform — including data uploads, AI queries, and administrative changes — are recorded in activity logs accessible to authorised administrators. We are developing enhanced log immutability and automated 12-month retention policies as part of our compliance roadmap.

12. Role-Based Access Control (RBAC):
Our user management module implements role-based access control, allowing administrators to assign permissions appropriate to each user’s function.

4. Data Residency & Regulatory Compliance

13. Hosting:
Our platform is deployed on cloud-hosted infrastructure via containerised deployment. We are in the process of formally confirming and documenting the geographic region of all infrastructure components. This policy will be updated when data residency is confirmed.

We align our data handling with the following data protection regimes:

14. India:
Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable rules.

15. UAE:
Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL).

16. EEA / UK:
General Data Protection Regulation (GDPR) and UK GDPR, where applicable.

17. Data Subject Rights:
All data subjects have the right to access, correct, export, or request deletion of their personal data. Requests should be sent to privacy@auditsense.ai and are processed within 30 days.

5. Data Breach Response

We maintain a documented incident response process. In the event of a confirmed personal data breach:

18. We will notify relevant supervisory authorities within the timeframe required by applicable law (72 hours under GDPR; as required under India DPDP Act rules and UAE PDPL).

19. We will notify affected customers and individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

20. We will provide details of the breach, the data involved, and the remediation steps taken.

21. All incidents are documented and subject to post-incident review.

6. Responsible AI & “Human-in-the-Loop” Auditing

22. Traceability:
Every insight provided by Athena includes a direct reference to the source data (e.g., the specific ledger entry or transaction) so auditors can verify each finding independently.

23. Verification:
AuditSense is designed to augment the auditor’s expertise, not replace it. We provide the evidence and pattern recognition; the professional judgement, interpretation, and sign-off remain with the qualified auditor.

Contact Us

For security or privacy enquiries, email privacy@auditsense.ai or security@auditsense.ai.