1. Scope
This privacy policy applies to the Audentis public website, access-request process, controlled demonstrations, and related communications. It also describes the privacy principles we expect to apply to the Audentis platform when a professional firm proceeds to implementation.
Where a customer agreement, data processing agreement, order form, or security schedule applies, those documents will govern the specific production relationship. This public policy is intended to be transparent and practical; it is not a substitute for a signed DPA.
2. Our role under data protection law
For website visitors, access requests, commercial conversations, security administration, and our own operational records, Audentis will normally act as an independent controller because we decide why and how that information is used.
For client files, compliance workflows, professional-services records, transaction materials, identity information, counterparty records, screening inputs, and evidence packs uploaded or configured by a customer in the platform, the customer firm will normally act as controller and Audentis will normally act as processor, processing that data on the customer's documented instructions. The exact role allocation should be confirmed in the applicable agreement.
3. Information we may collect
- Contact details, firm name, role, jurisdiction, firm type, workflow interest, and messages submitted through access requests.
- Commercial and implementation information, such as current systems, provider portals, file structures, integrations, operational constraints, and requested workflows.
- Account and user information, including names, business emails, roles, permissions, authentication events, workspace settings, and support interactions.
- Workflow data provided by a customer, which may include client records, bank statements, transaction information, corporate structures, beneficial ownership information, identity materials, sanctions or adverse-media screening context, professional notes, reminders, and evidence-pack materials.
- Technical, usage, device, log, and security data needed to operate, monitor, protect, troubleshoot, and improve the website and platform.
- Information generated through configured providers, integrations, or AI-assisted workflow steps, such as extracted entities, review states, screening responses, summaries, draft outputs, and audit events.
4. How we use information
- To assess, respond to, and manage access requests.
- To understand whether Audentis is suitable for a firm's regulated workflows.
- To provide, configure, secure, support, and improve the website and platform.
- To prepare controlled demonstrations or implementations where agreed with the firm.
- To authenticate users, enforce permissions, maintain audit trails, monitor reliability, and investigate security or misuse issues.
- To generate workflow drafts, evidence packs, review queues, reminders, screening context, and other outputs requested by authorised users.
- To comply with legal obligations, enforce agreements, protect rights, and maintain business records.
5. Legal bases
Where GDPR or similar laws apply and Audentis acts as controller, we rely on appropriate legal bases depending on the context. These may include steps before entering into a contract, performance of a contract, legitimate interests in operating and securing a business-to-business service, compliance with legal obligations, and consent where consent is required.
Where Audentis acts as processor for customer workflow data, the customer is responsible for establishing the lawful basis for its processing and for giving documented instructions to Audentis.
6. Sensitive professional-services data
Audentis is intended for workflows that can involve confidential and sensitive business information. This may include financial records, corporate structures, beneficial ownership information, identity and verification materials, AML/KYC context, risk indicators, sanctions or adverse-media references, internal professional notes, and client-file evidence.
Customers should only provide data they are authorised to provide, and should avoid uploading live client data until the workflow scope, access controls, confidentiality obligations, data processing terms, and implementation responsibilities are agreed.
7. AI-assisted processing
Audentis uses AI-assisted workflows to extract, classify, summarise, draft, route, and prepare compliance materials for human review. AI outputs are not final professional decisions, legal advice, regulatory advice, or compliance determinations.
Unless expressly agreed in writing, customer workflow data is not used to train public or general-purpose AI models. AI-assisted processing should be configured around the customer's approved workflow, provider choices, access controls, and review requirements.
8. Confidentiality
We treat customer workflow data, access discussions, implementation materials, and support communications as confidential. Personnel and service providers with access to such information are expected to be bound by confidentiality obligations or equivalent professional duties.
Access to sensitive information should be limited to authorised personnel who need it for product operation, security, support, implementation, or other agreed purposes.
9. Sub-processors and service providers
Audentis may use carefully selected service providers to support hosting, infrastructure, storage, security, authentication, communications, analytics, support, AI processing, document processing, and provider integrations. Where these providers process personal data on our behalf, they are expected to process it under contractual obligations covering confidentiality, data protection, security, and permitted use.
For production platform customers, sub-processor approval, notice, objection rights, audit support, and related terms should be handled through the applicable data processing agreement. A current sub-processor list or relevant provider details may be made available during diligence or implementation where appropriate.
10. Third-party providers and integrations
Audentis may connect to third-party screening services, data providers, customer systems, cloud services, identity services, communications tools, and other integrations requested or approved by a customer. Those providers may act as independent controllers, processors, or sub-processors depending on the integration and contractual arrangement.
Customers remain responsible for confirming that their use of third-party systems, data sources, and provider checks is lawful and appropriate for their professional obligations.
11. Security measures
Audentis is designed around controlled access, authenticated workspaces, permissioned users, audit trails, provider traceability, and review states. Security measures may include access controls, least-privilege permissions, encryption in transit, encryption at rest where supported by the relevant infrastructure, logging, monitoring, backups, vulnerability management, incident-response processes, and separation of customer workspaces.
No internet-based system can be guaranteed to be completely secure. Audentis expects customers to maintain appropriate internal controls, user access reviews, device security, credential protection, and approval procedures.
12. International transfers
Depending on the services, providers, and customer configuration used, personal data may be processed in countries outside the country where the customer or data subject is located. Where required, Audentis expects to use appropriate transfer safeguards, such as contractual commitments, standard contractual clauses, adequacy decisions, or other lawful mechanisms.
13. Retention and deletion
Access-request and commercial information is retained for as long as needed to evaluate, respond to, and manage the relationship, unless a longer retention period is required for legal, security, dispute, or operational reasons.
Customer workflow data should be retained, exported, returned, deleted, or anonymised according to the applicable customer agreement, data processing agreement, product settings, and legal requirements. Security logs and audit records may be retained for a reasonable period to protect the platform and to evidence operational integrity.
14. Data subject rights
Depending on applicable law, individuals may have rights to be informed, access their personal data, correct inaccurate data, request erasure, restrict processing, object to certain processing, request portability, and withdraw consent where processing is based on consent.
Where Audentis acts as controller, requests can be raised through your Audentis contact or the access-request process. Where Audentis acts as processor for a customer, we will normally refer the request to the customer or assist the customer as required by the applicable agreement.
15. Incident response
If Audentis becomes aware of a security incident affecting personal data, we will assess the incident and take appropriate containment, investigation, remediation, and notification steps in line with applicable law and contractual commitments.
16. Changes to this policy
We may update this policy as Audentis, applicable law, security practices, service providers, and platform functionality evolve. Material changes should be reflected on this page or communicated through appropriate customer channels.