Welcome to eAuditor cloud® Trust Center!



Overview

At eAuditor Cloud®, trust is the foundation of everything we do. In our Trust Center, you can see how we protect your data, ensure compliance, keep the system reliable, and stay transparent about how our platform works.

Compliance

ISO 27001:2022
ISO/IEC 27017:2015
ISO/IEC 27018:2019
ISO/IEC 27032:2012
HIPAA
SOC 2 Type II
Texas Risk and Authorization Management Program (TX-RAMP)
GDPR Compliance
CCPA

Resources

Compliance
eAuditor cloud application security certificate

Controls

Data Security

Control Status
Data Encrypted In-Transit
Data in transit is encrypted using TLS 1.3.
Password Encryption
User account passwords are never stored in plaintext or in a reversible (encrypted) form; only a SHA-256 hash of the password is stored.

Infrastructure Security

Control Status
Physical Access Control - Data Center
eAuditor cloud operates on OVHcloud data center infrastructure that meets strict regulatory and industry requirements. This means our customers’ data is processed in an environment compliant with international standards for security, privacy, and availability.
Multi-tenant Architecture
eAuditor cloud operates on a multi-tenant architecture in which customer environments are logically isolated from one another to ensure data privacy and security.
Availability and Redundancy
Designed with high availability and redundancy in mind to ensure service continuity and minimal downtime, the eAuditor cloud platform is hosted in an OVHcloud data center located in Ożarów Mazowiecki (Kazimierza Kamińskiego 6, 05-850 Ożarów Mazowiecki, Poland). The facility is operated by OVHcloud sp. z o.o. and holds, among others, ISO 27001, ISO 27017, ISO 27018, ISO 27701 certifications, as well as SOC 1/2/3 standards (status as of 13.11.2025). More information: OVHcloud Compliance and Certifications.
eAuditor cloud uses load balancing modules to efficiently distribute traffic, optimize performance, and maintain service stability under varying loads. Redundant systems and infrastructure minimize the impact of potential failures. Together, these measures create a resilient platform customers can rely on, ensuring uninterrupted access and consistent performance.
Vulnerability Scans
BTC performs continuous vulnerability scanning to identify and remediate security issues.
Allowed Hosts and Origins
The system supports strict allowlists for Host and Origin headers. This protects the platform against host header injection, spoofing, and cross-origin abuse.
Restricted Outbound Connections
eAuditor allows restriction of external services the platform can communicate with, including SMTP servers, proxy connections, and remote import sources.
Secure Proxy and Forwarded Headers Handling
The platform supports secure handling of proxy configurations and forwarded headers to preserve correct client identification and prevent request manipulation.
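The two controls above (Host/Origin allowlisting and trusted handling of forwarded headers) are usually implemented together at the edge of the application. The following is an added example written for this page, not eAuditor's own code: the hostnames, the allowed origin and the trusted proxy network are assumed values. It shows why the Host match must be exact rather than a substring or suffix check, why a missing or `null` Origin is refused on state-changing requests, and why `X-Forwarded-For` is honoured only when the TCP peer is a trusted proxy, walking the chain from the right so that attacker-prepended entries are ignored.

```python
# Added example (not eAuditor code): Host/Origin allowlisting plus
# trusted-proxy handling of X-Forwarded-For. Hostnames, origins and the
# proxy network below are assumed values chosen for illustration.
import ipaddress

ALLOWED_HOSTS = {"app.eauditor.eu"}                       # assumed
ALLOWED_ORIGINS = {"https://app.eauditor.eu"}             # assumed
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]    # assumed load-balancer range
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def host_allowed(host_header):
    """Exact, case-insensitive match of the Host header against the allowlist.

    Exact matching (not substring or suffix matching) is what defeats
    'app.eauditor.eu.evil.example' and 'app.eauditor.eu@evil.example';
    characters that never occur in a valid host are rejected outright."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if any(c in host for c in "/\\@#? \t"):
        return False
    return host in ALLOWED_HOSTS


def origin_allowed(origin_header):
    """Origin must match scheme+host(+port) exactly. A missing Origin or the
    literal 'null' (sandboxed frames, file:// pages) is not trusted, so
    state-changing requests without a recognisable origin are refused."""
    if not origin_header:
        return False
    return origin_header.strip().lower() in ALLOWED_ORIGINS


def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Derive the real client address.

    X-Forwarded-For is only honoured when the TCP peer is a trusted proxy;
    the chain is then walked right-to-left, skipping proxies we trust, and
    the first untrusted hop is the client. Anything to the left of that is
    attacker-controlled input and is ignored. A malformed header falls back
    to the TCP peer rather than failing open."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer):
        return str(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)
        if not _is_trusted_proxy(addr):
            return str(addr)
    return str(peer)


def evaluate_request(method, headers, remote_addr):
    """Apply the three checks to one request. Returns (accepted, reason, client_ip)."""
    h = {k.lower(): v for k, v in headers.items()}
    if not host_allowed(h.get("host")):
        return False, "host not allowlisted", None
    if method.upper() not in SAFE_METHODS and not origin_allowed(h.get("origin")):
        return False, "origin not allowlisted", None
    return True, "ok", client_ip(remote_addr, h.get("x-forwarded-for"))


if __name__ == "__main__":
    # Constructed requests: a legitimate POST via the load balancer, a host
    # header injection attempt, and a forged X-Forwarded-For from the internet.
    print(evaluate_request("POST", {"Host": "app.eauditor.eu",
                                    "Origin": "https://app.eauditor.eu",
                                    "X-Forwarded-For": "198.51.100.7"}, "10.0.0.2"))
    print(evaluate_request("GET", {"Host": "app.eauditor.eu.evil.example"}, "10.0.0.2"))
    print(evaluate_request("GET", {"Host": "app.eauditor.eu",
                                   "X-Forwarded-For": "127.0.0.1"}, "203.0.113.5"))
```

The third constructed request is the important one for the forwarded-header control: the peer `203.0.113.5` is not a trusted proxy, so the `X-Forwarded-For: 127.0.0.1` it supplied is discarded and the request is attributed to the peer itself, which stops a remote client from spoofing a loopback or internal address to bypass IP-based rules.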

Application and Development Security 

Control Status
Change Management
BTC follows a structured change management process ensuring all updates, configurations, and changes to its production and corporate environments are reviewed, tested and securely implemented to minimize risk and uphold security integrity.
Penetration Testing
BTC conducts annual application penetration testing through an independent third-party provider.
Environment Separation
BTC's infrastructure is segmented into distinct environments for development, production and QA operations, minimizing risk and limiting access between environments.
Brute-Force Protection
The platform enforces adaptive limits on failed login attempts and sensitive operations. Protection mechanisms dynamically introduce timeouts and lockouts to mitigate automated attacks and unauthorized access attempts.
Operation Rate Limiting
eAuditor applies rate limits not only to authentication, but also to critical system operations to prevent abuse, enumeration attempts, and denial-of-service scenarios.
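As an added example of what "adaptive limits on failed login attempts" and "rate limits on critical operations" look like in code (this is illustrative code written for this page, not eAuditor's implementation; the threshold of five failures, the 30-second base lockout that doubles per further failure up to 15 minutes, and the three-exports-per-minute limit are assumed values): a per-account lockout with exponential backoff, and a sliding-window limiter keyed by principal and operation. The clock is injectable so the scenarios replay deterministically.

```python
# Added example (not eAuditor code): adaptive login lockout and a sliding-
# window limiter for sensitive operations. Thresholds and windows are
# assumed values; the clock is injectable so the behaviour can be replayed
# deterministically.
import time
from collections import defaultdict, deque


class LoginGuard:
    """After `threshold` consecutive failures an account is locked; every
    further failure doubles the lock (base_delay * 2**k) up to max_delay.
    A success clears the counter. While locked, even a correct password is
    rejected, so an attacker gains no signal during the lock."""

    def __init__(self, threshold=5, base_delay=30.0, max_delay=900.0, clock=time.monotonic):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def locked_for(self, account):
        """Seconds left on the lock for `account`, 0.0 when not locked."""
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def record_failure(self, account):
        """Count a failure; returns the lock duration applied (0 if none)."""
        self._failures[account] += 1
        n = self._failures[account]
        if n < self.threshold:
            return 0.0
        delay = min(self.base_delay * 2 ** (n - self.threshold), self.max_delay)
        self._locked_until[account] = self.clock() + delay
        return delay

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

    def attempt(self, account, password_ok):
        """Process one login attempt: 'locked', 'ok' or 'failed'."""
        if self.locked_for(account) > 0:
            return "locked"
        if password_ok:
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "failed"


class RateLimiter:
    """Sliding-window limit: at most `limit` events per `window` seconds
    per key (for example (user_id, 'export') or (client_ip, 'search'))."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self._events[key]
        while q and q[0] <= now - self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FakeClock:
    """Manual clock for tests and demos."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def simulate_password_guessing():
    """Constructed scenario: six wrong guesses, then the right password
    while still locked, then the right password after the lock expires."""
    clock = FakeClock()
    guard = LoginGuard(threshold=5, base_delay=30.0, clock=clock)
    outcomes = [guard.attempt("alice", False) for _ in range(6)]
    outcomes.append(guard.attempt("alice", True))   # correct, but still locked
    clock.advance(31)
    outcomes.append(guard.attempt("alice", True))   # lock expired
    return outcomes


def simulate_export_abuse():
    """Constructed scenario: 3 exports per minute allowed per user."""
    clock = FakeClock()
    limiter = RateLimiter(limit=3, window=60, clock=clock)
    results = [limiter.allow(("alice", "export")) for _ in range(4)]
    clock.advance(61)
    results.append(limiter.allow(("alice", "export")))
    return results


if __name__ == "__main__":
    print(simulate_password_guessing())
    print(simulate_export_abuse())
```

Two design points are worth noting. The lock applies to the account regardless of whether the next guess is correct, so the attacker cannot use the lock window as an oracle; and the limiter key is a tuple of principal and operation, which is what lets one deployment carry different budgets for login, export and enumeration-prone endpoints such as search without sharing state between them.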
Error Information Control
Detailed system error information is hidden from end users. This limits the risk of information disclosure that could otherwise support exploitation attempts.
Secure Update Control
System update mechanisms can be centrally controlled to prevent unauthorized or unsafe application updates.
Secure Backup Path Restrictions
Backup and report storage locations are restricted to approved directories, preventing unauthorized file system access.
Execution Timeouts and Resource Protection
The system enforces execution time limits on reports and background operations to prevent abuse, hangs, and service degradation.
Performance and Generation Time Monitoring
The platform supports monitoring of abnormal data generation times to detect performance anomalies and potential misuse.

AI Security 

Control Status
AI Model
eA Intelligence uses artificial intelligence services (ChatGPT) solely for data analysis, classification, and interpretation, and only upon the explicit request of the user. Data processed as part of eA Intelligence is transferred outside the eAuditor cloud system to the OpenAI service.
The use of eA Intelligence is optional and available in the base version of the system.
Data Isolation
Each tenant’s knowledge base, scripts, logs, and configurations are stored in a dedicated database.

Privacy

Control Status
GDPR
BTC is committed to protecting the privacy of its customers and, where applicable, complies with the EU General Data Protection Regulation (GDPR).
Data Processing Addendum
BTC's comprehensive Data Processing Agreement (DPA) sets forth the obligations and conditions related to the processing of personal data. Our DPA is available here. To request a signed DPA, please contact: iod@btc.com.pl
Data Protection Officer (DPO)
BTC has an appointed DPO that can be contacted by e-mailing: iod@btc.com.pl
Data Removal Requests
Should a customer ever decide to delete their BTC account, they may do so by emailing iod@btc.com.pl. Once an account is terminated, any association between the account and stored personal data will no longer be accessible through the account.
Subprocessors
BTC may engage with third-party data processors to support the delivery of services to customers. These sub-processors may have access to customer-provided personal data solely for the purpose of performing their contracted responsibilities. See the full list of sub-processors.
Privacy Policy
BTC’s Privacy Policy outlines how we collect, use, store, and protect personal data in accordance with applicable privacy laws and regulations. It reflects our commitment to transparency, user rights, and responsible data handling practices.

Product Security

Control Status
Password Complexity
When registering at https://app.eauditor.eu/register, users are required to set a password that complies with a defined security policy. The password must be at least 8 characters long and include at least one uppercase and one lowercase letter (A-Z, a-z), at least one digit (0-9), and at least one special character such as @ # $ % ! ?.
Multi-Factor Authentication
BTC mandates Multi-Factor Authentication (MFA) to provide an added layer of security and protect user accounts from unauthorized access.
Secure File Upload Controls
Uploaded files are restricted by allowed file extensions and maximum file size. This protects the platform from malicious payloads and resource exhaustion.
Metadata Removal from Uploaded Files
The system can automatically remove metadata from uploaded files, reducing the risk of unintentional sensitive information disclosure.
Secure Data Export Limits
eAuditor enforces configurable limits on data exports, reducing the risk of mass data exfiltration.
Secure Import Mechanisms
Import operations support protected CSV handling and restrictions on local and remote data sources, preventing injection and unauthorized data ingestion.
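The file-handling controls on this page (extension and size limits on uploads, backup and report paths confined to approved directories, export row limits, and "protected CSV handling" on import) fit naturally into one hardened module. The block below is an added example written for this page, not eAuditor code; the allowed extensions, the 10 MiB cap and the directory names are assumptions. It goes slightly beyond the text in one respect: the CSV export neutralises spreadsheet formula injection (cells beginning with `=`, `+`, `-`, `@`, tab or CR), which is the usual reason an exported report needs protecting, while the importer enforces an exact header, a fixed field count and a row cap.

```python
# Added example (not eAuditor code): upload validation, path confinement and
# CSV import/export hardening. Allowed extensions, the size cap and the
# directory names are assumed values.
import csv
import io
from pathlib import Path

ALLOWED_UPLOAD_EXTENSIONS = {".csv", ".pdf", ".png", ".jpg", ".xlsx"}  # assumed
MAX_UPLOAD_BYTES = 10 * 1024 * 1024                                    # assumed
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")   # leading chars spreadsheets evaluate


def validate_upload(filename, size_bytes):
    """Judge an upload by its final extension and declared size.
    The client-supplied directory part is discarded and only the last
    suffix counts, so 'report.csv.exe' is judged as '.exe'."""
    name = Path(filename).name
    suffix = Path(name).suffix.lower()
    if suffix not in ALLOWED_UPLOAD_EXTENSIONS:
        return False, "extension not allowed"
    if size_bytes > MAX_UPLOAD_BYTES:
        return False, "file too large"
    return True, "ok"


def resolve_within(base_dir, relative_name):
    """Resolve relative_name under base_dir and refuse anything that lands
    outside it: '..' segments, absolute paths, or symlinks pointing away."""
    base = Path(base_dir).resolve()
    target = (base / relative_name).resolve()
    if base not in target.parents:
        raise ValueError("path escapes approved directory: %r" % relative_name)
    return target


def neutralize_cell(value):
    """Prefix a cell with a quote when a spreadsheet would otherwise run it
    as a formula; plain numbers such as '-5' are left alone."""
    s = "" if value is None else str(value)
    if not s or s[0] not in FORMULA_TRIGGERS:
        return s
    try:
        float(s)
        return s
    except ValueError:
        return "'" + s


def safe_csv_export(rows, fieldnames, max_rows):
    """Write rows as fully quoted CSV; refuse exports above the limit."""
    if len(rows) > max_rows:
        raise ValueError("export limit of %d rows exceeded" % max_rows)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


def safe_csv_import(text, expected_fields, max_rows):
    """Strict import: header must match exactly, every row must have the
    expected number of fields, and the row count is capped."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != expected_fields:
        raise ValueError("unexpected columns: %r" % (reader.fieldnames,))
    rows = []
    for i, row in enumerate(reader):
        if i >= max_rows:
            raise ValueError("import limit of %d rows exceeded" % max_rows)
        # DictReader files surplus fields under key None and pads short rows
        # with None values; either means the row shape is wrong.
        if None in row or None in row.values():
            raise ValueError("wrong field count on data row %d" % (i + 1))
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Constructed inputs: a double-extension upload, a traversal attempt and
    # a hostname that would execute as a formula when the report is opened.
    print(validate_upload("report.csv.exe", 512))
    try:
        resolve_within("/var/backups/eauditor", "../../etc/shadow")
    except ValueError as exc:
        print(exc)
    print(safe_csv_export([{"hostname": "=HYPERLINK(\"http://evil.example\",\"x\")",
                            "count": 3}], ["hostname", "count"], max_rows=1000))
```

Note that `resolve_within` compares resolved paths, so a symlink inside the approved directory that points elsewhere is rejected as well; a string-prefix check on the unresolved path would not catch that.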
Secure Remote Access Configuration
Remote access services operate on dedicated ports and support TLS (SSL) certificate configuration and trusted certificate authorities.
Restricted Remote Installation Sources
The platform allows limiting approved sources and repositories for remote installations, preventing unauthorized software delivery.

Corporate Security

Control Status
Password Complexity
When registering at https://app.eauditor.eu/register, users are required to set a password that complies with a defined security policy.
Multi-Factor Authentication
BTC mandates Multi-Factor Authentication (MFA) to provide an added layer of security.
Endpoint Protection
BTC leverages Full Endpoint Protection to guard against advanced threats aimed at employee endpoints. All devices are continuously monitored for suspicious behavior, enabling rapid detection and containment of potential incidents.
Principle of Least Privilege
BTC enforces Role-Based Access Control to ensure that employees have access only to the resources necessary for their job functions.
Physical Access Control
BTC implements strict physical access controls to safeguard its offices.
Workstation Encryption
All corporate workstations at BTC are fully encrypted to protect sensitive data and prevent unauthorized access.
Secure-by-Default Cloud Configuration
In eAuditor Cloud, all security controls are centrally managed and enforced by BTC. Customers operate in a secure-by-default environment, which removes the customer-side misconfiguration risks that self-managed deployments carry.

Subprocessors 

OVHcloud sp. z o.o.
Cloud infrastructure and data centre provider. Responsible for hosting, availability, physical and network security of the environment in which eAuditor cloud operates.
Stripe
Electronic payment operator. Used for payment and settlement processing. eAuditor cloud does not process or store payment card data.
Google Workspace
Used to handle system logins, secure user accounts, and support processes related to authentication and access security.
Microsoft Entra ID
Identity and authentication management service. Used in login processes, identity integration and system access security, as well as importing data to eAuditor cloud, such as users, devices, and organisational structure.
OpenAI (ChatGPT)
Artificial intelligence services used as part of the eA Intelligence function. Used to analyse, classify and interpret data in response to user queries.
Data Privacy, AI and Compliance
Is customer data used to train AI models belonging to BTC or third parties?
No. Customer data is not used to train AI models belonging to BTC or any third parties. The exception is the eA Intelligence feature, which uses artificial intelligence services (ChatGPT) solely for the analysis, classification and interpretation of data at the express request of the user. In this case, the data is transferred only in the context of a specific query, is not permanently stored on the AI service side, and is not used to train models. Data processed within eA Intelligence is transferred outside the eAuditor cloud system to the OpenAI service. The use of eA Intelligence is an optional feature available in the basic version of the system.
Who can access customer data?
Access to customer data is strictly limited to authorised personnel of BTC sp. z o.o. who need this data solely for the purpose of customer service, service maintenance or the fulfilment of legal obligations. Access is granted in accordance with the principle of least privilege and is subject to control.
How can customers update or correct personal data stored by BTC sp. z o.o.?
Customers can independently update their personal data, such as contact details, billing information, or login-related data, directly in the eAuditor Cloud account settings. If additional corrections are required or if there are any questions regarding the processing of personal data, customers can contact BTC sp. z o.o. directly at [email protected].
Where can I find a list of subprocessors who may access customer data?
The current list of subprocessors used within the eAuditor cloud is available in the Subprocessors section above.
How does BTC sp. z o.o. protect confidential or personal information?
Data protection in eAuditor Cloud is based on a combination of technical and organisational security measures and regular security audits. Data is transmitted in encrypted form, logically separated between customers and processed in a certified cloud infrastructure. The security of the system is additionally verified through independent vulnerability and penetration tests. Access to the system is protected by authentication mechanisms, including multi-factor login, and user sessions are automatically terminated in case of inactivity.
Customer Isolation and Cloud Architecture
Is one customer's data accessible to other customers?
No. Each customer has their own separate database in the OVHcloud cloud environment. The eAuditor Cloud agent connects only to the assigned customer instance using an individual identifier, which prevents access to other customers' data.
Is each customer's data logically isolated?
Yes. All customer data is logically isolated within the cloud environment. Isolation includes application data, configurations, logs, and operational information, ensuring complete separation between customers using the service.
Access Control, Audit and Endpoint Responsibility
Can eAuditor Cloud agents make changes to client endpoints or systems?
The eAgent service runs on the endpoint as a system service, i.e. with high technical privileges. However, eAgent itself does not make any changes that would affect the operation of the workstation or the user. It only performs actions resulting from the system configuration. Administrative changes on endpoints can be made by the system administrator on the client side using the remote management function. The scope of these actions depends on the permissions granted and the system configuration. eAuditor Cloud does not perform such operations automatically or without the administrator's decision. The tool provides the capabilities, but it is the client who decides how and whether to use them.
Does eAuditor cloud provide logs for data auditing?
Yes. Audit logs are available only to users with appropriate permissions granted in the system. The scope of visible data depends on the user's role, and logs can be exported for auditing, control, or internal analysis purposes.
Does eAuditor cloud support session time limits?
Yes. A user session is automatically terminated after 20 minutes of inactivity. Five minutes before the session expires, the system displays a visible warning, allowing the user to maintain continuity of work.
Platform Security and Attack Prevention
Does eAuditor cloud protect against brute-force and automated attacks?
Yes. eAuditor cloud uses built-in mechanisms to protect against brute-force and abuse attempts. This includes limits on failed login attempts, adaptive lockouts, and rate limiting on sensitive operations to prevent automated attacks and unauthorized access.
Does eAuditor cloud limit critical system operations to prevent abuse?
Yes. The platform enforces limits and timeouts on selected system operations, including reporting and data processing tasks. This protects the service from misuse, overload attempts, and denial-of-service scenarios.
Does eAuditor cloud monitor abnormal system behavior?
Yes. The platform supports monitoring of execution times and abnormal processing behavior. This helps detect performance anomalies, misconfigurations, and potential misuse.
Is the eAuditor cloud platform hardened by default?
Yes. All built-in security controls are centrally managed by BTC and enforced by default in the cloud environment. Customers operate in a secure-by-default model, which removes the customer-side misconfiguration risks that self-managed deployments carry.
Does eAuditor cloud include application-level security controls?
Yes. In addition to secure cloud infrastructure, eAuditor cloud includes an internal application security layer covering authentication protection, communication restrictions, file security, data operation controls, and platform hardening.
Does eAuditor cloud hide technical error details from users?
Yes. Detailed system error information is not exposed to end users. This limits the risk of sensitive technical data disclosure that could support exploitation attempts.
Data Transfer, Communication and File Security
Does eAuditor cloud restrict where the system can connect?
Yes. Outbound connections can be restricted to approved servers and services only. This includes controls for allowed SMTP servers, proxy connections, and remote data import sources, reducing the risk of unauthorized communication or data exfiltration.
Does eAuditor cloud protect against malicious file uploads?
Yes. The system enforces file security controls such as allowed file extensions, file size limits, and optional metadata removal from uploaded files. These mechanisms reduce the risk of malicious uploads.
Are data imports and exports secured?
Yes. eAuditor cloud applies safeguards to data import and export operations, including protected CSV processing, source restrictions, and export size limits. These controls help prevent injection attacks and mass data exfiltration.
How is remote access secured in eAuditor cloud?
Remote access services use dedicated ports and encrypted communication. Certificate-based security and trusted certificate authorities are used to protect remote connections and administrative operations.
Data Protection, DLP and Incident Response
What security gap mitigation features does eAuditor Cloud offer?
eAuditor Cloud offers advanced DLP (Data Loss Prevention) mechanisms that help reduce the risk of data leakage and unauthorised use. The system allows you to monitor data operations, enforce security policies, and respond to potential breaches in accordance with the administrator's configuration. A detailed description of DLP features is available in the documentation.
How can customers respond to potential security issues or vulnerabilities?
If a customer suspects a security vulnerability or notices a potential security-related issue, they can report it directly to the support team by sending an email to [email protected]. BTC sp. z o.o. supports responsible vulnerability disclosure and follows a structured process for receiving, analyzing, and handling security reports. Each report is verified, and if an issue is confirmed, appropriate remediation actions are taken.