Data Handling & Confidentiality

Confidentiality and Engagement Scope

All engagements are conducted under written agreement and, where appropriate, mutual non-disclosure terms. Information provided in connection with an audit or governance review is treated as confidential and used solely for the purposes defined in the engagement letter.

Independent evaluation requires access to sensitive operational, technical, and financial information. Such information is handled in accordance with the controls described below.


Secure Document Transmission and Storage

Client materials are transmitted and stored using encrypted file-sharing systems designed for professional use.

  • Data is encrypted in transit using industry-standard transport encryption.
  • Data is encrypted at rest within the storage environment.
  • Storage regions may be selected to align with client jurisdictional requirements.
  • Access is restricted to named individuals and protected by multi-factor authentication.
  • Public or anonymous access links are not used for sensitive materials.

Local workstations used for review are protected by full-disk encryption and hardware-backed multi-factor authentication.


Access Control and Operational Safeguards

Access to client materials is limited to the independent auditor. No subcontractors or third parties are granted access unless explicitly agreed in writing.

Administrative access to storage systems is restricted and protected by hardware-backed authentication. Activity logging is enabled where supported by the platform.

Sensitive datasets are downloaded locally only when required for analysis and are not retained beyond engagement necessity.


Use of Analytical Tools and External Processing Systems

Client materials are analyzed using locally controlled tools and environments under the direct control of the auditor.

Client data is not submitted to external analysis platforms, artificial intelligence systems, large language models, or other third-party processing services unless explicitly authorized in writing by the client.

Client information is not used for model training, product improvement, or any secondary purpose unrelated to the engagement.

If an engagement would materially benefit from the use of a specialized external processing system, the proposed use and associated data handling implications will be discussed and agreed in advance.


Working Papers and Client-Supplied Materials

Client-supplied operational materials are retained only for the duration of the engagement and a limited post-delivery period necessary to address follow-up questions or clarifications.

After that period, such materials are securely deleted from both local systems and cloud storage.

Working papers prepared by the auditor document the basis of findings and conclusions and are retained only to the extent necessary to support professional standards and engagement documentation requirements. Such working papers do not include client operational datasets beyond the engagement period described above.


Administrative Record Retention

Administrative engagement records — including engagement letters, invoices, records of payment, and evidence of report delivery — are retained in accordance with applicable business recordkeeping requirements.

Such records consist solely of contractual and billing documentation and do not include client operational datasets.


Independence and Reliance

Reports are prepared for the use of the client’s board, audit committee, or designated governing authority as specified in the engagement letter.

Copyright in all reports and written materials remains with the auditor. Upon payment in full, the client is granted a non-exclusive license to use and distribute the report for internal governance purposes and for disclosure to investors, regulators, or other stakeholders as appropriate to its governance obligations.

No reliance rights are granted to third parties except as expressly agreed in writing.


Jurisdictional Considerations

Where relevant to client operations, storage regions may be selected to align with applicable jurisdictional requirements. Encryption controls are designed to ensure that client materials remain protected against unauthorized access.

Clients with specific regulatory or cross-border data considerations are encouraged to identify those requirements at the outset of the engagement so that appropriate storage configurations may be selected.


Encrypted Communications (PGP)

Encrypted email communication is available.

A public OpenPGP (PGP) key is maintained for secure message exchange where appropriate to the engagement. Clients who prefer encrypted correspondence may download the public key or retrieve it from the OpenPGP keyserver.

Long Key ID: F70B41DEBB3E9765
Fingerprint: D489 C57D 0C4F 82D9 C307 43A0 F70B 41DE BB3E 9765