Terms of Service
Our service guarantees
Our mission is to build trust through audits and compliance. This drive to build trust influences everything we do, including our terms of service.
- Money-back: If you're not satisfied with our services or products, we'll forfeit our fees and help you transition to a new provider.
- Confidentiality: We secure and protect your data at all times. Any breaches affecting your data will be communicated to you.
- Partner independence: We never receive any kick-backs. We refrain from any partnerships that would impact our independence as auditors.
- Impartiality: We only accept engagements where we are adequately impartial to protect our auditor independence obligations. Our services never design or implement our clients' compliance activities.
- Audit standards: We comply with the audit standards that govern our services. Our terms of service below are formed in accordance with those standards.
- Liability limitation: We maintain cyber liability and professional indemnity insurance. Our liability is limited by the professional standards established for our audit industry.
Certification Marks and Accreditation Logos
AssuranceLab provides certifications, accreditation logos, and assurance reports that can be communicated to your customers to represent your status of compliance. The following terms apply:
- You may refer to our services when speaking with your customers and other stakeholders. All references need to be factual in nature and accurately represent the state of your compliance. We provide status letters, accreditation logos, certification documents and other ways to help you communicate your state of compliance.
- Our accreditation logos can be used for a maximum of 15 months from the date of the most recently issued report or certification for that relevant accreditation.
- Logos and accreditation marks can only be used for the standards and regulations covered by the attestations, assurance reports or certifications issued by AssuranceLab.
- Where there are any scope limitations, or changes to the scope of your accreditations, it is your responsibility to ensure this is clearly communicated to those requesting details of your compliance. All references to your compliance status should communicate these limitations.
- Our certifications, accreditation logos, and reports issued cannot be modified in any form. They can only be communicated in their original form as issued by AssuranceLab.
Feedback, Complaints and Appeals
We value your feedback that helps us continually improve our services. We have formal processes for handling complaints and appeals, with independent review and governance committees to ensure we resolve matters appropriately. In the first instance, complaints should be raised with your appointed account manager, lead auditor, or person responsible for the complaint or appeal. Where escalation is required, our Co-founder and Chief Compliance Officer, Erika Villanueva, handles complaints. Erika can be contacted at: email@example.com.
Our Engagement Terms apply to our audit and assurance reporting services that are agreed in a Statement of Work for the respective compliance frameworks and report types. Each engagement is based on an agreed scope as defined by the relevant frameworks and the needs of interested parties. As an example, this may be your "software as a service system", which includes the software you develop in house, data collected and processed by that software, the supporting infrastructure and software, and the people and processes that manage those systems and services (collectively, the "System"). Our scoping checklist and system description automation are provided to help you prepare a clear and agreed scope of your System.
We will conduct our assurance engagement in accordance with the standards of assurance engagements. These standards require that we comply with ethical requirements applicable to assurance engagements and plan and perform procedures to obtain reasonable assurance about whether, in all material respects, the controls are suitably designed to achieve the criteria and objectives, the description of your System is fairly presented, and the controls operated effectively throughout the period (Type 2 only). An assurance engagement involves performing procedures to obtain evidence about the design, description, and operating effectiveness of controls (Type 2 only). The procedures selected depend on the assurance practitioner’s professional judgment, including the assessment of the risks of material deficiencies in the design of controls, misstatements in the description or deviations in the operating effectiveness (Type 2 only) of controls within the System.
Based on the inherent limitations of an assurance engagement, together with the inherent limitations of any System of controls, there is an unavoidable risk that some deficiencies in the design, misstatements in the description or deviations in the operating effectiveness (Type 2 only) of controls may not be detected, even though the engagement is properly planned and performed in accordance with the standards for assurance engagements.
The System, within which the controls that we will test operate, will not be examined except to the extent the System is relevant to the achievement of the criteria and objectives. Accordingly, no opinion will be expressed as to the effectiveness of the System of controls as a whole for any other purposes beyond the criteria or objectives expressed in the report.
Our assurance engagement will be conducted on the basis that you acknowledge and understand that your responsibility includes:
- the preparation of a written Attestation Statement that, as at the report date (Type 1) and throughout the period (Type 2), in all material respects, and based on suitable criteria:
  - the controls within the System were suitably designed to achieve the identified control objectives; and
  - the description fairly presents the System as designed, including changes in controls; and
  - the controls stated in the description of your System operated effectively to achieve the control objectives (Type 2 only);
- the identification of the suitable standards, control objectives and criteria to meet end user requirements;
- the identification of risks that threaten achievement of the standards, control objectives and criteria identified;
- design of the System, comprising controls which will mitigate those risks so that those risks will not prevent achievement of the identified control objectives and therefore that the control objectives will be achieved;
- preparation of a description of the System, including identification of any controls operated by a third party, service or sub-service organisation and whether the inclusive or carve-out method has been used in relation to those third party controls;
- operation of the controls as designed throughout the period;
- to provide us with:
  - access to all information of which those charged with governance and management are aware that is relevant to the description of the System and design of the controls within that System;
  - additional information that we may request from those charged with governance and management for the purposes of this assurance engagement; and
  - unrestricted access to persons within the entity from whom we determine it necessary to obtain evidence.
As part of our assurance process, we will request from management and, where appropriate, those charged with governance, written confirmation concerning representations made to us in connection with the engagement.
Our Assurance Procedures
We will examine and evaluate the control objectives, criteria and controls of your System based on the agreed scope.
Our procedures will extend to the control objectives, criteria and related controls at relevant third parties only to the extent that those controls are included in the description of the System and are necessary to achieve the relevant control objectives.
Due to the complex nature of internal control, our assurance procedures will not encompass all individual controls, but will be restricted to an examination of those controls reported which achieve the control objectives identified by the responsible party in the Description provided to us.
Our assurance procedures are likely to include:
- obtaining an understanding of the control environment relevant to the System;
- evaluating the design of specific controls by:
  - assessing the risks that threaten achievement of the control objectives; and
  - evaluating whether the controls described are capable of addressing those risks and achieving the related control objectives;
- evaluating the completeness, accuracy and presentation of the Description of the System against the controls as designed; and
- making enquiries, inspecting documents, conducting walkthroughs and querying the operation of controls to ascertain whether the degree of compliance with controls is sufficient to achieve their control objectives throughout the period (Type 2).
The format of the report will be in accordance with the standards of attestation engagements with respect to reasonable assurance engagements and will consist of an opinion on the description and an accompanying description of the tests of controls that we performed and the results of those tests (Type 2 only). AT-C Section 105 addresses Concepts Common to All Attestation Engagements. AT-C Section 205 addresses Examination Engagements.
Our opinion will be phrased in terms of your Attestation Statement regarding the suitability of the design of controls to achieve the control objectives, the fair presentation of the description and the operating effectiveness (Type 2 only) of controls as designed.
Our reports are prepared for the purpose of sharing with existing customers that rely on your System. The assurance report will be prepared based on this purpose and we disclaim any assumption of responsibility for any reliance on our report by any person other than your management, existing customers or regulators, or for any purpose other than that for which it was prepared. If the reports are shared with prospective customers or other third parties, appropriate disclaimers should be used regarding the purpose for which the report was prepared.
We will issue an assurance report without modification, to provide a reasonable assurance conclusion on the controls within the System where our procedures do not identify a material deficiency in the design of controls necessary to achieve the control objectives, misstatement in the description of the System, or deviation in the operating effectiveness (Type 2 only) of controls as designed. For this purpose, a material deviation, misstatement, or deficiency exists when:
- the controls as designed or the degree of compliance with them will not or may not achieve the control objectives in all material respects or the description contains material inaccuracies, inadequacies or omissions; and
- knowledge of that deficiency, misstatement, or deviation would be material to users of the assurance report.
For Type 2 reports, if our assurance engagement discloses that there are material deficiencies in the design or deviations in the operating effectiveness of controls during the period covered by the report, such deficiencies will be disclosed in our report even if they were corrected prior to the end of the reporting period. However, our report will indicate that such deviations were corrected if that is the case. If any material deficiencies disclosed in our report have been corrected subsequent to this period (or are in the process of being corrected), we will refer to this in our report.
AssuranceLab has four service models that determine the engagement timing and service level standards we strive to meet:
- Drata Starter: We aim to complete the full audit within 2 weeks of when your compliance is implemented. The audit is started when you have reached over 90% "Ready" status in Drata and we receive confirmation that you are ready to start it.
- Premium Foundations: We conduct an agile audit process that aims to respond to queries within 24 hours, and review documents uploaded within five (5) business days. This is on a "best efforts" basis and subject to operating conditions at the time.
- Premium Plus: We conduct an agile audit process that commits to responding to queries within 24 hours, and reviewing documents uploaded within three (3) business days.
- Continuous Audit: We conduct a continuous audit process throughout your audit period (applies to Type 2 engagements only). This will provide updates at least monthly on the audit's progress.
In all cases, we do our best to meet your deadlines, satisfy your end users' and customers' expectations, and we have various status letter templates and other methods to help manage key stakeholder expectations with the timing of our audits and reports.
Changes to our Terms of Service
If our Terms of Service materially change in a way that impacts our service agreements or raises new requirements, we'll let you know.
Terms of Business
- We will perform our audit services with reasonable skill and care. You confirm that the agreed scope is sufficient for your purpose. The services (including deliverables) are provided solely for you for the purpose set out in the engagement letter or the relevant deliverable.
- You may not disclose a deliverable or make the benefit of the services available to anyone else or refer to the contents of a deliverable or the findings of our work, except (i) as stated in the engagement letter, (ii) with our prior written consent on terms to be agreed, (iii) where required by law or regulation, or (iv) to your lawyers or group members as long as you tell them, in advance, that we accept no liability to them and that no onward disclosure may be made.
- We accept no liability to anyone, other than you, in connection with our services, unless otherwise agreed by us in writing.
- Either we or you may request a change to the services or this agreement. A change will be effective only when agreed in writing.
- You may rely only on our final written deliverables and not on oral advice or draft deliverables. If you wish to rely on something we have said to you, please let us know so that we may prepare a written deliverable on which you can rely.
- In performing the services, we will not be deemed to have information from other services.
- For compliance purposes, we are required to retain the final audit file for 7 years. This includes any evidence and documentation provided by our clients to support our audit conclusions. All materials and the final audit file are subject to confidentiality including clause 8.1 below.
- We will endeavour to limit our requests to only those materials required to deliver the services, and to accept redacted documents where redaction protects confidentiality.
- You agree that we will not be liable for (i) loss or corruption of data from your systems, (ii) loss of profit, goodwill, business opportunity, anticipated savings or benefits or (iii) indirect or consequential loss.
- You agree that our total liability (including interest) for all claims connected with the services or this agreement (including but not limited to negligence) is limited to 10 times the fees payable for the services (excluding GST) or $250,000, whichever is the greater.
- Nothing in this agreement will limit a person’s liability for (i) death or personal injury caused by that person’s negligence, (ii) that person’s fraud or (iii) anything else that cannot by law be limited.
- The audits conducted and reports prepared are intended for users of your System. You are wholly responsible for the distribution of these reports and should only do so in their complete form with appropriate disclaimers when shared with any other parties. AssuranceLab assumes no responsibility for the reports being shared in partial form or with any other parties that were not users of your System at the time of the audits being completed. AssuranceLab will not disclose the reports to any party unless required to do so by law or for compliance purposes.
- In order for us to guide you properly and complete the services you will make sure that (i) any information given to us by you, or anyone else working with or for you, is (a) given promptly, (b) accurate and (c) complete; and (ii) any assumptions are appropriate.
- We will not verify all information given to us relating to the services. Our performance depends on you performing your obligations under this agreement.
- We are not liable for any loss arising from you not fulfilling your obligations.
- You agree to pay us for our services.
- Our fees may reflect not only time spent, but also such factors as complexity, urgency, inherent risks, use of techniques, know-how and research together with the level of skills and expertise required of the personnel needed to perform and review the services. All our fees are fixed and agreed prior to commencing our engagements.
- You will also pay any taxes, including GST, that may be due in relation to our services.
- All invoices are payable within 30 days of the date on the invoice.
- AssuranceLab reserves the right to pause work and/or withhold a final report until outstanding and overdue account balances are settled.
- We and you agree to use the other’s confidential information only in relation to the services, and not to disclose it, except where required by law or regulation or where required by a professional body of which we are a member.
- We may wish to refer to you and the services we have performed for you when marketing our services. You agree that we may do so, as long as we do not disclose your confidential information.
- You agree that we may perform services for your competitors or other parties whose interests may conflict with yours, as long as we do not disclose your confidential information and we comply with our ethical obligations.
- We may process personal data received from you, or anyone else working with or for you, for the purposes of any of (i) providing the services, (ii) maintaining and using relevant IT systems, (iii) quality and risk management reviews, (iv) providing you with information about us and our range of services, and (v) complying with any requirement of law, regulation or a professional body of which we are a member.
- You confirm that you have all necessary authority from all relevant data subjects for us to use and disclose such personal data in accordance with the agreement.
- Where we act as your data processor, we will act only on your lawful instructions and we will comply with obligations equivalent to those imposed on you to take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing in accordance with our obligations.
- Either we or you may end this agreement immediately by giving written notice to the other if (i) the other materially breaches it and does not remedy the breach within 14 days, (ii) the other is or appears likely to be unable to pay its debts or becomes insolvent or (iii) the performance of it (including the application of any fee arrangements) may breach a legal or regulatory requirement.
- Either we or you may end this agreement on 30 days’ written notice subject to any minimum terms agreed upon.
- You agree to pay us for all services we perform up to the date of termination.
- If the termination is based on substandard services or any disagreement that cannot be mutually resolved, we will return the service fees and endeavour to assist you in transitioning to a new service provider without any transition costs.
- If a dispute arises, the parties will attempt to resolve it by discussion, negotiation and mediation before commencing legal proceedings.
- This agreement and any dispute arising from it, whether contractual or non-contractual, will be governed by Australian law and be subject to the exclusive jurisdiction of the Australian courts.
- Any claims must be brought no later than 2 years after the date the claimant should have been aware of the potential claim and, in any event, no later than 4 years after any alleged breach.
- We may be obliged in certain circumstances by law or by professional requirements to make disclosures to statutory or regulatory authorities.
- No party will be liable to another if it fails to meet its obligations due to matters beyond its reasonable control.
- Where you consist of more than one party, an act or omission of one party will be regarded as an act or omission of all.
- Any clause that is meant to continue to apply after termination of this agreement will do so, including but not limited to confidentiality and data protection.