ADA Config
ADAudit

Security & Compliance

Last updated: April 23, 2026  ·  Questions? enterprise@adaconfig.com


Our Commitment to Enterprise Security

ADAudit is built with government and enterprise procurement requirements in mind. We provide transparent documentation on data handling, encryption, and compliance so your security and legal teams can move fast during vendor evaluation.

  • 🔒 AES-256 Encryption
  • 🇺🇸 U.S. Data Residency
  • 📋 SOC 2 In Progress
  • 🛡️ GDPR Compliant

Data Residency & Location

All audit data is stored exclusively on U.S.-based cloud infrastructure. ADAudit uses Supabase (Amazon Web Services, US-East-1 region) and Fly.io (U.S. regions) for hosting.

No data is transferred outside the United States. Audit URLs, violation records, and user data remain within U.S. borders at all times.

FedRAMP Note

ADAudit is built on FedRAMP-ready infrastructure. For formal FedRAMP Authorization to Operate (ATO) requests, contact enterprise@adaconfig.com.

Encryption

  • In Transit: TLS 1.2+ encryption for all data transmitted between users and ADAudit services
  • At Rest: AES-256 encryption for all data stored in Supabase databases
  • API Keys: SHA-256 hashed before storage — plaintext keys are never stored or logged
  • Secrets: Environment variables stored encrypted via Fly.io secret management

SOC 2 & Security Audits

ADAudit is committed to SOC 2 Type II compliance. Our security controls are designed around the Trust Services Criteria (TSC): Security, Availability, Confidentiality, Processing Integrity, and Privacy.

Current Status

SOC 2 Type II audit in progress — security documentation, policies, and control evidence available upon request for Enterprise customers. Contact enterprise@adaconfig.com.

Enterprise customers may request our completed security questionnaires (CAIQ, OVAL, SIG) as part of procurement. These are available via the /api/security-report endpoint for authenticated Enterprise users.

Privacy & GDPR

  • Data Collected: Email address (account), audit URLs submitted, violation records
  • Data Not Collected: No personal information beyond account credentials
  • Data Retention: Audit data retained until user deletes account; automatic deletion after 90 days of inactivity
  • Third Parties: Supabase (database), OpenRouter (AI analysis), Stripe (payments), Fly.io (hosting)
  • User Rights: Export all data, delete account and all associated data on request

Access Controls

  • Supabase Auth with email/password and OAuth (Google)
  • Role-based access control (Admin, Auditor, Viewer) for Enterprise teams
  • Row-level security (RLS) on all database tables — users can only access their own data
  • No shared credentials between users or between environments
  • API keys are prefixed (ak_), hashed, and never returned in plaintext after creation
  • Audit log of API key usage available for Enterprise accounts
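The API-key handling described under Encryption and Access Controls (a prefixed key, SHA-256 hashed before storage, never returned or logged in plaintext after creation, with a usage log) can be implemented in a few dozen lines. The following is an added example, not ADAudit's own code: the `ak_` prefix comes from the page, while the function names, the in-memory `KeyStore` standing in for a database table, and the 12-character key id used in the log are assumptions made for this illustration.

```python
"""Issue, verify and revoke prefixed API keys, storing only SHA-256 digests.

Added example, not ADAudit's code. Assumptions: an in-memory dict plays
the role of the database table, and the short key id shown in logs is the
first 12 hex characters of the digest.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PREFIX = "ak_"          # prefix from the page; lets a leaked key be recognised in scanners
KEY_ID_LEN = 12         # assumed display length of the digest used as a key id


@dataclass
class KeyStore:
    # digest (hex) -> owner. The plaintext key is never written here.
    hashes: Dict[str, str] = field(default_factory=dict)
    # usage log of (key_id, event); only the digest-derived id is logged.
    log: List[Tuple[str, str]] = field(default_factory=list)


def hash_key(plaintext: str) -> str:
    """SHA-256 of the full key string, hex-encoded for a text column."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def issue_key(store: KeyStore, owner: str) -> Tuple[str, str]:
    """Create a key for `owner`; return (plaintext, key_id).

    The plaintext is returned exactly once, at creation. After this call
    the store holds only the digest, so nothing can hand the key back.
    """
    plaintext = PREFIX + secrets.token_urlsafe(32)   # 256 bits of entropy
    digest = hash_key(plaintext)
    store.hashes[digest] = owner
    return plaintext, digest[:KEY_ID_LEN]


def verify_key(store: KeyStore, presented: str) -> Optional[str]:
    """Return the owner if `presented` is a live key, else None.

    The prefix check rejects obviously wrong tokens before hashing. The
    lookup is by digest, so the presented plaintext is neither stored nor
    logged; failures are logged under the digest of what was presented.
    """
    if not presented.startswith(PREFIX):
        return None
    digest = hash_key(presented)
    owner = store.hashes.get(digest)
    if owner is None:
        store.log.append((digest[:KEY_ID_LEN], "auth_fail"))
        return None
    store.log.append((digest[:KEY_ID_LEN], "auth_ok"))
    return owner


def revoke_key(store: KeyStore, key_id: str) -> bool:
    """Revoke by key id (what an admin sees), not by plaintext."""
    match = [d for d in store.hashes if d.startswith(key_id)]
    if not match:
        return False
    for digest in match:
        del store.hashes[digest]
        store.log.append((digest[:KEY_ID_LEN], "revoked"))
    return True


if __name__ == "__main__":
    s = KeyStore()
    key, kid = issue_key(s, "user-1")
    print("issued", kid, "->", verify_key(s, key))
    print("revoked:", revoke_key(s, kid), "->", verify_key(s, key))
```

An unsalted SHA-256 digest is adequate for this purpose, unlike for passwords, because the key itself carries 256 bits of random entropy: a copy of the table gives an attacker nothing they can use or brute-force, which is what the "hashed before storage" control is meant to guarantee. A password hash such as bcrypt would add cost without adding protection here.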

Subprocessors

Vendor       Service            Data Processed                                      Data Location
Supabase     Database & Auth    User records, audit metadata, violation data        U.S. (AWS US-East)
OpenRouter   AI Analysis        Page HTML for violation detection (no PII)          U.S. (inference endpoints)
Stripe       Payments           Billing email, subscription tier — no card data     U.S.
Fly.io       Hosting            Application code, audit data (encrypted at rest)    U.S. (configurable)

ITAR / EAR Export Control Notice

This service may be subject to ITAR (International Traffic in Arms Regulations) or EAR (Export Administration Regulations) export control requirements. Users are solely responsible for determining whether their use of ADAudit complies with applicable export control laws and regulations. ADAudit does not knowingly accept users from embargoed or sanctioned jurisdictions.

For security vulnerability disclosures, enterprise procurement, or custom compliance requests:

enterprise@adaconfig.com