Audit Ready Privacy Policy

This Privacy Policy describes how Audit Ready Systems (“Audit Ready”, “we”, “us”, or “our”) collects, uses, and discloses personal information when you access or use our platform at auditready.systems and any related services (collectively, the “Service”). It also describes your choices and rights regarding your personal information.

This policy applies to all users of the Service, including website visitors, registered users, and anyone who interacts with us. It does not apply to third-party websites or services that may be linked from our platform — those are governed by their own privacy policies.

1. About Us

Audit Ready Systems is a B2B company that develops and operates Audit Ready — a Software-as-a-Service (SaaS) platform providing AI-powered compliance auditing services to organisations globally.

Data Protection Roles

When you upload documents for compliance auditing, Audit Ready acts as a data processor on your behalf — processing your content solely to deliver the audit service.

For all other data (account information, usage data, billing), Audit Ready acts as a data controller.

We do not enter into joint controller arrangements. Where we process data uploaded by our users, we act as a data processor under their instructions.

If you are located in the EU/EEA or other jurisdictions, additional regional protections may apply — see Section 16 (Regional Privacy Supplements).

Anonymity and Pseudonymity

Where practicable, you may interact with our website without identifying yourself. However, to use the Service, you must create an account with a valid email address, as this is necessary for authentication and delivery of audit results.

2. Information We Collect

We collect only the personal information reasonably necessary to provide the Service. If you choose not to provide certain information (such as your email address), we may be unable to create your account or deliver audit results to you.

2.1 Account Information

  • Email address (used for authentication, notifications, and correspondence)
  • Password, stored only in securely hashed form (we never store plaintext passwords)
  • Account tier and billing status

2.2 Audit Data

  • Documents you upload for compliance assessment
  • AI-generated audit results (compliance scores, findings, and remediation guidance)
  • Audit metadata: framework selected, industry sector, region, organisation size, and document type

Documents you upload may contain personal information about third parties, including sensitive information such as health data or financial identifiers. Our automated data loss prevention technology detects and masks structured personal identifiers — including phone numbers, email addresses, street addresses, national identity numbers (such as Tax File Numbers, Social Security Numbers, and passport numbers), dates of birth, financial account numbers, credit card numbers, medical record numbers, IP addresses, and technical credentials — before any AI processing.

However, person names, organisation names, locations, dates, and information described in narrative form (such as health conditions, employment history, or personal circumstances) are not masked, as they are necessary for accurate compliance analysis. We process uploaded documents solely to deliver the audit service and do not use their contents for any other purpose.

Uploaded documents may also incidentally contain references to criminal convictions or offences in narrative form. Such references are not individually detected or masked by our automated systems. This content is processed solely to deliver the audit service and is subject to the same retention and deletion controls as all uploaded documents.

We are generally unable to directly notify third parties whose personal information may appear in documents uploaded by other users. This is because: (a) we do not hold contact details for these individuals, (b) structured personal identifiers are automatically masked before AI processing, and (c) we have no independent relationship with these individuals. Users who upload documents are responsible for ensuring they have appropriate authority to do so.

2.3 Usage Data

  • Chat Assistant queries and responses (stored for service quality and billing)
  • Credit transaction history
  • Basic analytics: pages visited and features used (collected via privacy-respecting, cookie-free analytics)

2.4 Payment Data

Payment card details are processed directly by our payment processor (Stripe) and are never received or stored by, or accessible to, Audit Ready. We receive only a confirmation of payment status and a customer identifier from the payment processor.

3. How We Use Your Information

Purpose | Data Used | Legal Basis
Provide audit services | Uploaded documents, audit metadata | To fulfil our contract with you
Authenticate your account | Email, password hash | To fulfil our contract with you
Process payments and manage credits | Payment processor ID, transaction records | To fulfil our contract with you
Send transactional emails | Email address, scan metadata | Our legitimate business interest
Improve AI accuracy and reliability | Aggregated, anonymised scoring patterns | Our legitimate business interest
Comply with legal obligations | Account data, audit trail | To comply with legal obligations

We do not rely on consent as a legal basis for any of our current processing activities. All processing is based on contractual necessity, legitimate business interest, or legal obligation as described in the table above.

4. Artificial Intelligence

Audit Ready uses artificial intelligence to analyse your uploaded documents for compliance assessment. This is a core function of the Service, not a secondary use of your data.

How We Protect Your Data During AI Processing

  • Before any AI processing, structured personal identifiers in your documents are automatically detected and masked using industry-standard data loss prevention technology.
  • AI models only ever see the masked version of your document — never the original.
  • Our AI providers do not retain your data after processing, in accordance with their data processing terms.
  • Your data is never used to train AI models.
  • No automated decisions with legal or similarly significant effects are made about you.
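The masking step described above (and in Section 2.2) is the control that separates what the AI models see from what you uploaded, so it is worth seeing what it does and does not cover. The following is an added illustration written for this page, not Audit Ready's DLP engine: the detector set, the Australian phone format, the checksum gating and the token names (modelled on the [EMAIL_ADDRESS] and [PHONE_NUMBER] placeholders mentioned in Section 8) are assumptions about how such a pipeline behaves. It shows three properties the policy relies on: validated structured identifiers are replaced before any model call, person names and narrative health information pass through untouched, and no token-to-value mapping is kept, so the masked text alone cannot be tied back to an individual.

```python
"""Added illustration of pre-AI masking of structured identifiers.

Constructed example, not Audit Ready's DLP engine: the detector set, token
names and checksum gating are assumptions about how such a pipeline behaves.
"""
import re
from typing import Callable


# Checksum gates: a run of digits is masked as a card or TFN only if it
# validates, which keeps invoice and reference numbers readable for the audit.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tfn_ok(digits: str) -> bool:
    # Weighted checksum published by the Australian Taxation Office.
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    return len(digits) == 9 and sum(w * int(d) for w, d in zip(weights, digits)) % 11 == 0


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


# (token, pattern, validator). Order matters: a card number is also a long run
# of digits, so the checksum-gated card detector runs before looser ones.
# The phone pattern is an assumed Australian format (0x or +61, ten digits).
DETECTORS: list[tuple[str, re.Pattern[str], Callable[[str], bool]]] = [
    ("CREDIT_CARD", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), lambda m: luhn_ok(_digits(m))),
    ("PHONE_NUMBER", re.compile(r"(?<!\d)(?:\+61[ -]?|0)[2-478](?:[ -]?\d){8}(?!\d)"), lambda m: True),
    ("TFN", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), lambda m: tfn_ok(_digits(m))),
    ("EMAIL_ADDRESS", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), lambda m: True),
    ("IP_ADDRESS", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), lambda m: True),
]


def mask(text: str) -> tuple[str, dict[str, int]]:
    """Replace validated identifiers with fixed tokens.

    No lookup table from token back to original value is created, so the
    masked text alone cannot be re-identified (the limitation Section 8 notes).
    Names and narrative descriptions are not detected and pass through.
    """
    counts: dict[str, int] = {}
    for token, pattern, valid in DETECTORS:
        def repl(m: re.Match[str], token=token, valid=valid) -> str:
            if not valid(m.group(0)):
                return m.group(0)  # leave runs that fail their checksum alone
            counts[token] = counts.get(token, 0) + 1
            return f"[{token}]"
        text = pattern.sub(repl, text)
    return text, counts


def assert_masked(text: str) -> None:
    """Gate before any model call: fail closed if a detector still fires."""
    for token, pattern, valid in DETECTORS:
        for m in pattern.finditer(text):
            if valid(m.group(0)):
                raise ValueError(f"unmasked {token} would reach the model")


# Constructed sample document; the person and all numbers are fictitious.
SAMPLE = (
    "Jane Citizen was treated for type 2 diabetes at the Carlton clinic. "
    "Contact: jane.citizen@example.com, 0412 345 678. TFN 876 543 210. "
    "Card on file 4111 1111 1111 1111; invoice 9999 9999 9999 9999 "
    "was paid from 10.20.30.40."
)


def demo() -> tuple[str, dict[str, int]]:
    masked, counts = mask(SAMPLE)
    assert_masked(masked)  # only the masked text may proceed to AI processing
    return masked, counts


if __name__ == "__main__":
    out, found = demo()
    print(out)
    print(found)
```

Running it shows the email, phone, TFN, card and IP address replaced by tokens while "Jane Citizen", "type 2 diabetes" and the 16-digit invoice number (which fails the Luhn check) remain, which is exactly the trade-off Section 2.2 describes: structured identifiers are masked, narrative content that the audit needs is not. The final gate re-runs every detector on the masked text and refuses to hand anything to a model if one still fires.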

Automated Decision-Making Transparency

In accordance with the Privacy Act 1988 (APP 1.7–1.9), we disclose the following about our use of automated systems:

  • Personal information used: Text extracted from documents you upload, which may include organisational policies, procedures, and metadata you provide (framework, industry sector, region, organisation size).
  • Decisions made by AI: Compliance scores, individual control findings, remediation guidance, and scope classifications are generated by AI models.
  • Human oversight: AI-generated outputs are presented as advisory assessments to assist your compliance efforts. They do not constitute legal advice and do not make binding decisions about your rights or obligations.

Impact Assessment

A formal Data Protection Impact Assessment (DPIA) has been conducted for our AI processing activities, assessing the risks to data subjects and the measures in place to mitigate them. The DPIA is reviewed annually or upon significant changes to the AI pipeline.

5. How We Share Information

We do not sell, rent, or trade your personal data. We share data only with trusted sub-processors who are essential to delivering the Service, each operating under a Data Processing Agreement (DPA).

A current list of our sub-processors, including their purposes and data regions, is available on request by emailing privacy@auditready.systems.

Our sub-processors fall into the following categories:

  • Cloud infrastructure and AI processing providers
  • Database and authentication services
  • Frontend hosting and content delivery
  • Payment processing
  • Transactional email delivery

We may also disclose personal information where required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of Audit Ready, our users, or the public.

6. International Data Transfers

Audit Ready Systems is an Australian business. Your data is processed using cloud services hosted in the following locations:

  • United States — cloud infrastructure, AI processing, database, authentication, payment processing, and email delivery
  • Global CDN — frontend hosting is served via a globally distributed content delivery network

For all international transfers, we ensure overseas recipients are bound by contractual obligations that provide a comparable level of data protection, through executed Data Processing Agreements with each sub-processor.

For transfers from Australia, we comply with Australian Privacy Principle 8 by ensuring all overseas recipients are bound by obligations substantially similar to the APPs.

Additional transfer safeguards for EU/EEA and UK residents are described in Section 16 (Regional Privacy Supplements).

7. Data Retention

Data Type | Retention Period
Account data | Until account deletion + 30-day recovery window
Uploaded documents | Until you delete the scan + 30-day soft-delete window
Audit results | Until you delete the scan + 30-day soft-delete window
Chat conversation history | Retained for quality and billing; deleted with parent scan
Credit transaction ledger | 7 years (Australian tax record-keeping requirements)
Payment data (held by Stripe) | Per Stripe's retention policy — not stored by Audit Ready
Deletion audit log | 7 years (compliance record — who was deleted, when, and item counts)
Credit history (anonymised) | 7 years after deletion (identity removed, amounts retained for tax compliance)

8. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Right of Access — Request a copy of the personal information we hold about you. We will provide your data in a commonly used electronic format.
  • Right to Rectification — Correct inaccurate or incomplete information without undue delay.
  • Right to Erasure — Delete your data via Settings → Danger Zone (self-service) or by contacting us. Data is soft-deleted immediately and permanently erased after 30 days. Financial records are anonymised and retained for 7 years per tax law.
  • Right to Restriction — Restrict processing of your data where accuracy is contested, processing is unlawful, you need the data for a legal claim, or you have objected to processing pending verification.
  • Right to Data Portability — Receive your data in a portable, structured format. You may also request we transmit your data directly to another controller, where technically feasible.
  • Right to Object — Object to processing based on our legitimate interests. We will cease processing unless we demonstrate compelling grounds that override your interests. Objection to direct marketing is absolute.
  • Right to Complain — Lodge a complaint with us (see Section 11) or a supervisory authority (see Section 18).

Where personal identifiers in uploaded documents have been replaced by automated masking tokens (e.g., [EMAIL_ADDRESS], [PHONE_NUMBER]), and we have no other means to identify the data subject, we may not be able to fulfil certain rights (such as access, rectification, or erasure) in relation to that specific masked data.

To exercise any of these rights, use the self-service options in your account Settings, or email privacy@auditready.systems from the email address associated with your account.

We will respond to all rights requests within one calendar month of receipt. For complex or numerous requests, we may extend this period by up to two additional months, and we will inform you of any extension within the first month.

9. Your California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights:

  • Right to Know — Request the categories and specific pieces of personal information we have collected about you
  • Right to Delete — Request deletion of your personal information
  • Right to Correct — Request correction of inaccurate personal information
  • Right to Opt Out of Sale/Sharing — We do not sell or share your personal information for cross-context behavioural advertising
  • Right to Non-Discrimination — We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at privacy@auditready.systems. We will verify your identity using the information associated with your account.

10. Direct Marketing

We may occasionally send you product updates or feature announcements by email. You can unsubscribe from these communications at any time by:

This does not affect transactional communications (such as audit completion notifications or account alerts), which are a necessary part of the Service.

11. Complaints

If you believe we have breached the Australian Privacy Principles or otherwise mishandled your personal information, you may lodge a complaint with us:

  • Contact us at privacy@auditready.systems with details of your complaint
  • We will acknowledge your complaint within 5 business days
  • We will investigate and respond with a resolution within 30 days
  • If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au

We take all complaints seriously and will work to resolve them promptly and fairly.

12. Cookies and Tracking Technologies

Audit Ready uses only essential cookies required for authentication (session tokens). We do not use:

  • Advertising or marketing cookies
  • Third-party tracking pixels
  • Cross-site tracking technologies

Our analytics provider collects anonymous, aggregated page view data without the use of cookies.

13. Age Requirements

Audit Ready is a professional compliance tool intended for business use. You must be at least 16 years of age to create an account. We do not knowingly collect personal data from anyone under 16. If we discover that a user is under 16, we will promptly delete their account and associated data.

14. Security and Data Quality

We take the security of your data seriously and implement industry-standard technical and organisational measures to protect it, including:

  • All data in transit protected by HTTPS (TLS 1.3 or later)
  • Encryption of data at rest using industry-standard algorithms
  • Malware scanning on all uploaded files before processing
  • Automated PII detection and masking before AI processing
  • Authorisation checks ensuring each user can access only their own data
  • Server-side authentication verification on every API request
  • Multi-factor authentication on all privileged infrastructure accounts
  • A formal information security management system aligned to ISO 27001:2022 and ISO 42001:2023
  • Backup and disaster recovery capabilities
  • Regular testing and evaluation of the effectiveness of our security measures

We apply data protection by design and by default. Documents are private and accessible only to your account by default. Automated PII masking is applied to all uploaded documents before AI processing and cannot be disabled.

While we employ robust safeguards, no method of transmission over the Internet or electronic storage is 100% secure. We continually review and improve our security practices.

15. Data Breach Notification

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988. We will take all reasonable steps to contain the breach, assess the risk, and prevent future occurrences.

16. Regional Privacy Supplements

For Australian Residents

Our processing complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). Your rights under APP 12 (access) and APP 13 (correction) are described in Section 8. Complaints should be directed per Section 11. Cross-border disclosure safeguards are described in Section 6 in accordance with APP 8.

For EU/EEA Residents

Under the General Data Protection Regulation (GDPR), our legal bases for processing your personal data are:

  • Performance of contract (Art. 6(1)(b)) — for providing the Service, authenticating your account, and processing payments
  • Legitimate interest (Art. 6(1)(f)) — for service improvement, transactional emails, and AI accuracy improvements
  • Legal obligation (Art. 6(1)(c)) — for regulatory and tax compliance

For international transfers from the EU/EEA, we rely on EU Standard Contractual Clauses (SCCs) incorporated into our sub-processor Data Processing Agreements, and the EU-US Data Privacy Framework where the sub-processor is certified.

We maintain a Record of Processing Activities (ROPA) documenting all processing activities, legal bases, data categories, recipients, retention periods, and transfer safeguards.

For UK Residents

We process your data under the UK GDPR with equivalent legal bases and transfer safeguards as described above for EU/EEA residents. You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. If we make material changes, we will notify you by email or by placing a prominent notice on our website. The “Effective Date” at the top of this policy indicates when the latest version took effect.

18. Supervisory Authorities

You have the right to lodge a complaint with a data protection supervisory authority:

  • Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au
  • EU: Your local Data Protection Authority
  • UK: Information Commissioner's Office (ICO) — ico.org.uk

19. Contact Us

If you have any questions about this Privacy Policy or our data practices:

We aim to respond to all privacy-related enquiries within 30 days.


© 2026 Audit Ready Systems. All rights reserved.