Third-party Subprocessors
Backend API hosting and infrastructure (App Service / Container Apps). All compute runs in the East US region.
Region: East US
EU–US Data Privacy Framework, Standard Contractual Clauses, ISO 27001
Primary database for engagement data, RCM matrices, work programs, process maps, and all auditor-generated content.
Region: East US 2
Standard Contractual Clauses, ISO 27001 certified
User authentication and session management.
Region: United States
EU–US Data Privacy Framework, Standard Contractual Clauses
Payment processing and subscription management. Card details are never stored by Audit Canvas.
Region: United States
EU–US Data Privacy Framework, PCI DSS Level 1
Frontend hosting, edge delivery, and web analytics for the Next.js application. Captures anonymised performance metrics and visitor analytics; no audit content is included.
Region: Global CDN (primary: United States)
Standard Contractual Clauses, SOC 2 Type II
Product analytics and page-view tracking. Captures anonymised usage events (page views, feature interactions). No audit content is included.
Region: United States (us.i.posthog.com)
Standard Contractual Clauses, GDPR compliant
Error monitoring and performance tracing. No audit content is captured.
Region: United States
EU–US Data Privacy Framework, Standard Contractual Clauses
We will update this list when subprocessors are added or removed.
International Data Transfers
Where data is transferred outside the EEA we rely on:
- EU–US Data Privacy Framework — for certified providers.
- Standard Contractual Clauses — incorporated into our data processing agreements.
Your Rights
You may have the right to access, correct, delete, or port your personal data. To exercise any of these rights, email privacy@smarthubs.net.au. We respond within 30 days.
Questions about data processing?
Reach out to our privacy team and we'll get back to you within 30 days.